apipick
[ blog · tutorial ]10 min read

Build a CVE & Vulnerability-Intelligence Agent: CISA KEV, NVD, EPSS & MITRE ATT&CK in One API

Sarah ChoyPublié le 16 juin 202610 min de lecture
Traduction pas encore disponible. Affichage de la version anglaise.
Build a CVE & Vulnerability-Intelligence Agent: CISA KEV, NVD, EPSS & MITRE ATT&CK in One API

Every security team drowns in CVEs. The signal isn't severity — it's whether a vuln is being exploited and how likely it is to be. Here's how to build an agent that fuses NVD, CISA KEV, EPSS, and ATT&CK to answer 'what do I patch first?'

L'essentiel

  • CVSS severity alone over-counts: most 'critical' CVEs are never exploited. Real prioritization needs CISA KEV (known-exploited) + EPSS (probability of exploitation) layered on top.
  • The four sources: NVD (CVE records + CVSS), CISA KEV (the authoritative exploited-in-the-wild list), EPSS (daily 0–1 exploit-probability score), MITRE ATT&CK (tactics/techniques for context).
  • API Pick Cybersecurity Search wraps all four behind one POST endpoint — 10 credits per call, only-on-success — so the agent gets fused vuln intel without four scrapers.
  • The agent pattern: pull the CVE, check KEV membership, read the EPSS score, map to ATT&CK techniques, then rank by exploited-first, then EPSS, then CVSS.
  • This is retrieval, not a scanner: it tells you what's known and likely about a vulnerability, to prioritize human triage — not to authorize automated action.

Severity is the wrong sort key

A vulnerability program that patches by CVSS score is busy and ineffective. The National Vulnerability Database lists tens of thousands of High and Critical CVEs; the overwhelming majority are never exploited. Meanwhile a "Medium" with a working exploit in the wild sits in the backlog. The question a security agent should answer isn't "how bad could this be" — it's "what should I patch first, today."

Answering that needs four data sources fused together. Each is free and public; each has its own format and update cadence.

The four sources

NVD — CVE records

NIST's National Vulnerability Database. The canonical CVE list with CVSS vectors, affected products (CPE), and references. The baseline "what is this vulnerability" layer. Strength: authoritative and complete. Weakness: CVSS alone over-counts severity.

CISA KEV

The Known Exploited Vulnerabilities catalog — CISA's authoritative list of CVEs confirmed exploited in the wild, with remediation due-dates for US federal agencies. If a CVE is on KEV, it jumps the queue. Strength: the single highest-signal flag in vuln management.

EPSS

FIRST.org's Exploit Prediction Scoring System: a daily 0–1 probability that a CVE will be exploited in the next 30 days. Turns "could be exploited" into "how likely." Strength: probabilistic ranking that maps to real attacker behavior.

MITRE ATT&CK

The adversary tactics-and-techniques knowledge base. Maps a vulnerability to its kill-chain role. Strength: turns a CVE into an operational story your detections and response plan can use.

One endpoint, fused intel

Cybersecurity Search wraps NVD, CISA KEV, EPSS, and MITRE ATT&CK behind one POST endpoint — 10 credits per call, only-on-success. Pass a CVE ID or a natural-language query; results come back fused and pre-shaped for an LLM. Pair it with Web Search for vendor advisories and Extract to pull a full advisory page.

import httpx, os
API, HEADERS = "https://api.apipick.com/v1", {"x-api-key": os.environ["APIPICK_KEY"]}

def vuln_intel(query: str):
    r = httpx.post(f"{API}/search/cybersecurity",
                   headers=HEADERS, json={"query": query})
    r.raise_for_status()
    return r.json()["results"]

# "what should I patch first across NVD + KEV + EPSS + ATT&CK?"
records = vuln_intel("actively exploited Apache and VMware vulnerabilities this month")

# Rank: KEV-listed first, then by EPSS, then CVSS. Feed the ranked,
# cited list to your LLM to summarize the worklist for an analyst.

Build vs. buy

Wire it yourselfAPI Pick
SourcesNVD + KEV + EPSS + ATT&CK, separatelyAll four, fused
Formats4 schemas + EPSS CSV1 JSON shape
FreshnessYou schedule 4 syncsLive per call
LLM-readyYou normalize eachPre-shaped + source URLs
CostInfra + maintenance10 credits/call, only on success

What you can build

Beyond a patch-prioritization assistant: a daily KEV-watch agent that alerts when a CVE in your stack lands on the exploited list; a triage bot that turns a scanner export into a ranked, cited worklist; an analyst copilot that explains a CVE's ATT&CK implications in plain language. Same pattern — fused retrieval, ranked by exploited-first, synthesized with sources attached. Grab a free key (100 credits, no card) and point your agent at it.

Questions fréquentes

Why isn't CVSS severity enough for patch prioritization?

Because severity measures potential impact, not likelihood of exploitation. Tens of thousands of CVEs are rated High or Critical, but only a small fraction are ever exploited in the wild. If you patch by CVSS alone you spend effort on vulnerabilities attackers never touch while missing the medium-rated one being actively exploited. The modern approach layers CISA KEV (is it known-exploited?) and EPSS (what's the probability it will be?) on top of CVSS to rank what actually matters.

What is EPSS and how do I use it?

EPSS (Exploit Prediction Scoring System), from FIRST.org, gives each CVE a daily-updated score from 0 to 1 estimating the probability it will be exploited in the next 30 days. A common policy: patch anything on CISA KEV immediately, then anything with EPSS above ~0.1 (or your risk-tuned threshold), then triage the rest by CVSS. Because EPSS updates daily, an agent should re-pull it rather than cache.

What does MITRE ATT&CK add?

Context. ATT&CK maps adversary tactics and techniques (initial access, privilege escalation, exfiltration, etc.). Tying a CVE to the techniques that exploit it helps an analyst understand the kill-chain implication — not just 'this is exploitable' but 'this enables lateral movement,' which changes how you prioritize and what detections you add.

Can the agent automatically apply patches or block traffic?

No — and you shouldn't wire it to. This is an intelligence-retrieval layer: it fuses what's known about a vulnerability to prioritize human triage. Automated remediation needs change control, testing, and a human owner. Use the agent to produce a ranked, cited worklist; let your patch/SOAR pipeline and an engineer execute.

How current is the data?

NVD and CISA KEV update continuously as CVEs are published and exploitation is confirmed; EPSS recalculates daily. The endpoint queries live sources, so an agent run reflects the current state. For an audit trail, store the EPSS score and KEV status with a timestamp at the moment of the decision.

APIs utilisées dans cet article

Recherche Cybersécurité
Recherchez les vulnérabilités activement exploitées CISA (KEV), les enregistrements CVE du NVD, les scores d'exploitation EPSS et les techniques MITRE ATT&CK. Pour le triage de vulnérabilités, le renseignement sur les menaces et les opérations de sécurité pilotées par IA.
Recherche web
Recherche web sémantique en temps réel pour le tool calling LLM. Renvoie titres, URLs et snippets propres classés, pré-formatés pour la consommation par agent. Filtres pays et date pris en charge.
Extraction de contenu URL
Extrait le contenu propre et lisible de jusqu'à 25 URLs par appel. Supprime publicités, navigation et boilerplate ; renvoie du texte façon markdown prêt pour l'ingestion LLM. 2 crédits par URL.
Sarah Choy
Écrit par
Sarah Choy
CEO, API Pick

Sarah Choy est CEO d'API Pick. Elle écrit sur la création d'APIs prêtes pour la production destinées aux agents IA et aux workflows LLM.