# Vulnerability & Threat Intel Feed (`thoob/threat-intel-feed`) Actor Live vulnerability intelligence from the official public sources (NIST NVD CVE, CISA KEV, GitHub Security Advisories), merged by CVE into one enriched record and billed only per record delivered. Incremental: a run with nothing new bills nothing. - **URL**: https://apify.com/thoob/threat-intel-feed.md - **Developed by:** [Pono Data](https://apify.com/thoob) (community) - **Categories:** Developer tools - **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, 0 bookmarks - **User rating**: No ratings yet ## Pricing $3.00 / 1,000 vulnerability records This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## Threat Intel Feed (NVD, CISA KEV, GitHub Advisories) One clean, flat, deduplicated stream of vulnerability records merged from three official public sources: the NIST National Vulnerability Database (NVD), the CISA Known Exploited Vulnerabilities (KEV) catalog, and GitHub Security Advisories (GHSA). Run it on a schedule in incremental mode to get only what is new or changed since your account's last run. ### Input - **Sources**: any of `nvd`, `cisa-kev`, `ghsa` (default: all three). - **Lookback days**: how far back to pull on a first run (default 7). - **Minimum severity**: `low`, `medium`, `high`, `critical` (default `low`). - **Only known-exploited**: keep only records in the CISA KEV catalog. - **Max records**: cap on delivered, billed rows per run. - **NVD API key**, **GitHub token**: optional, raise the source rate limits; not required. ### Output One row per vulnerability, merged across feeds by CVE id: `id`, `source`, `sources` (every feed it appeared in), `cveId`, `ghsaId`, `title`, `description`, `severity`, `cvssScore`, `cvssVector`, `knownExploited`, `ransomwareUse`, `vendorProduct`, `published`, `lastModified`, `references`, plus provenance (`sourceUrl`, `retrievedAt`, `confidence`). ### How it works All three are official, public endpoints (NVD REST API, the CISA KEV JSON feed, the GitHub Advisories API). Every value is copied from the source response; nothing is inferred. `sourceUrl` is the canonical page for the record, so any row is verifiable against its origin. Records are merged so a CVE listed in more than one feed is one row that names all of its sources. A source that fails to fetch is skipped for that run and logged; the run continues on the others. A run that finds nothing new writes nothing and bills nothing. ### Billing Pay per delivered vulnerability record. Records below your severity filter, and anything past the per-run cap, go to a free, visible `rejected` dataset and are never billed. A quiet day costs nothing. ### Sample output A real run merging live vulnerability intel (CISA known-exploited shown here): | CVE | severity | known-exploited | title | | --- | --- | --- | --- | | CVE-2026-48907 | unknown | True | Widget Factory Joomla Content Editor Im… | | CVE-2026-54420 | unknown | True | LiteSpeed cPanel Plugin UNIX Symbolic L… | | CVE-2026-20262 | unknown | True | Cisco Catalyst SD-WAN Manager Directory… | | CVE-2026-35273 | unknown | True | Oracle PeopleSoft Enterprise PeopleTool… | Each row's `sourceUrl` is the feed it came from, for example `https://www.cisa.gov/known-exploited-vulnerabilities-catalog`. KEV records pass regardless of CVSS, because active exploitation outranks the score. ### See also More clean, pay-only-for-results data tools from Pono Data: - [Bulk DNS Lookup](https://apify.com/thoob/dns-bulk-lookup) - DNS records plus SPF, DMARC, and CAA - [Government Data-Rescue Retriever](https://apify.com/thoob/gov-data-rescue-retriever) - archived federal pages and datasets Full catalog: https://apify.com/thoob # Actor input Schema ## `sources` (type: `array`): Which feeds to pull. Valid values: nvd (NIST CVE), cisa-kev (CISA Known Exploited Vulnerabilities), ghsa (GitHub Security Advisories). Unknown values are ignored. ## `lookbackDays` (type: `integer`): How far back to pull on the first run, before the incremental cursor exists. Later runs only fetch what changed since the last run. ## `minSeverity` (type: `string`): Drop records below this CVSS severity. Known-exploited (CISA KEV) records always pass regardless, because active exploitation outranks the score. ## `onlyKnownExploited` (type: `boolean`): Return only vulnerabilities CISA lists as actively exploited in the wild. High-signal, low-volume. ## `maxRecords` (type: `integer`): Safety cap on billed records per run. Anything beyond it is written to the free 'rejected' dataset, never billed, so nothing is lost. ## `nvdApiKey` (type: `string`): A free NIST NVD API key raises the rate limit (50 vs 5 requests / 30s) and makes large first runs much faster. Not required. ## `githubToken` (type: `string`): A GitHub token raises the advisories rate limit (5000 vs 60 requests/hour). Not required for small runs. ## Actor input object example ```json { "sources": [ "nvd", "cisa-kev", "ghsa" ], "lookbackDays": 7, "minSeverity": "low", "onlyKnownExploited": false, "maxRecords": 5000 } ```` # Actor output Schema ## `vulnerabilities` (type: `string`): One row per vulnerability, merged across feeds. # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "sources": [ "nvd", "cisa-kev", "ghsa" ] }; // Run the Actor and wait for it to finish const run = await client.actor("thoob/threat-intel-feed").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "sources": [ "nvd", "cisa-kev", "ghsa", ] } # Run the Actor and wait for it to finish run = client.actor("thoob/threat-intel-feed").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "sources": [ "nvd", "cisa-kev", "ghsa" ] }' | apify call thoob/threat-intel-feed --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=thoob/threat-intel-feed", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "Vulnerability & Threat Intel Feed", "description": "Live vulnerability intelligence from the official public sources (NIST NVD CVE, CISA KEV, GitHub Security Advisories), merged by CVE into one enriched record and billed only per record delivered. Incremental: a run with nothing new bills nothing.", "version": "0.0", "x-build-id": "xD3uyouYH4DrjM0XJ" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/thoob~threat-intel-feed/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-thoob-threat-intel-feed", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/thoob~threat-intel-feed/runs": { "post": { "operationId": "runs-sync-thoob-threat-intel-feed", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/thoob~threat-intel-feed/run-sync": { "post": { "operationId": "run-sync-thoob-threat-intel-feed", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "properties": { "sources": { "title": "Sources", "type": "array", "description": "Which feeds to pull. Valid values: nvd (NIST CVE), cisa-kev (CISA Known Exploited Vulnerabilities), ghsa (GitHub Security Advisories). Unknown values are ignored.", "default": [ "nvd", "cisa-kev", "ghsa" ], "items": { "type": "string" } }, "lookbackDays": { "title": "Lookback (days) on first run", "minimum": 1, "maximum": 120, "type": "integer", "description": "How far back to pull on the first run, before the incremental cursor exists. Later runs only fetch what changed since the last run.", "default": 7 }, "minSeverity": { "title": "Minimum severity", "enum": [ "none", "low", "medium", "high", "critical" ], "type": "string", "description": "Drop records below this CVSS severity. Known-exploited (CISA KEV) records always pass regardless, because active exploitation outranks the score.", "default": "low" }, "onlyKnownExploited": { "title": "Only known-exploited (CISA KEV)", "type": "boolean", "description": "Return only vulnerabilities CISA lists as actively exploited in the wild. High-signal, low-volume.", "default": false }, "maxRecords": { "title": "Max records per run", "minimum": 1, "maximum": 50000, "type": "integer", "description": "Safety cap on billed records per run. Anything beyond it is written to the free 'rejected' dataset, never billed, so nothing is lost.", "default": 5000 }, "nvdApiKey": { "title": "Your NVD API key (optional)", "type": "string", "description": "A free NIST NVD API key raises the rate limit (50 vs 5 requests / 30s) and makes large first runs much faster. Not required." }, "githubToken": { "title": "Your GitHub token (optional)", "type": "string", "description": "A GitHub token raises the advisories rate limit (5000 vs 60 requests/hour). Not required for small runs." } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```