Threat Intel API
CVE Threat Intelligence API
The CVE data your detections, risk scores, and customer alerts rely on is too often wrong, late, or missing entirely. We rebuilt it from the ground up — corrected CVSS, full attack-graph evidence, verified product mapping, and exploit signals — structured for direct ingestion into your platform, SIEM, or SOAR.
Built for the vendors and providers whose customers depend on getting CVEs right.
If you ship a security product, your detections, risk scores, and customer alerts are only as good as the CVE data underneath them. That data almost always comes from the NVD, and the NVD is slow, partial, and frequently wrong. Roughly 80% of public CVSS analyses contain errors, affected-product coverage is full of gaps, and new CVEs sit for weeks without a usable score. Those gaps get inherited by your product, and your customers feel them. Some teams try to solve this in-house, but it tends to cost more than expected and is hard to keep current as CVE volume grows.
We built the Threat Intel API to remove that problem entirely. Every CVE is scored from an attack graph. We model the full attack surface, walk every viable path, and produce corrected CVSS 3.1 and 4.0 vectors with the graph as auditable JSON. Our methodology was presented at VulnCon26 by FIRST. Each response also includes verified affected products with semver version ranges (including software the NVD misses), exploit signals, and a structured executive summary ready to use as-is. New CVEs are enriched within minutes, not after the 84-day average the NVD has taken to enrich a record over the last two years.
The subscription includes our graph visualizer (see an example) so anyone on your team, or your customers under white-label, can open any CVE and see exactly what it does and how an attacker reaches it. The API is JSON over HTTPS and slots into the pipeline you already have.
What does the API return for each CVE?
Corrected CVSS 3.1 and 4.0 vectors, the full attack-scenario graph as JSON, a risk score, exploit signals (EPSS, KEV, public PoC, in-the-wild), verified CPE matches, non-CPE affected products with semver version ranges and remediation, and a structured executive summary with title, description, impact, reproduction, and remediation.
What is the attack-graph JSON?
The evidence behind our CVSS vector. For each CVE we model every viable attack scenario as a graph and score each path individually. The JSON exposes every node, edge, and per-path sub-score. Use it to audit a score, feed a custom risk model, or branch SOAR decisions on scenario properties like network reachability or privilege required.
Why do you cover products without a CPE?
The NVD treats software as CPE-centric, but in practice that model doesn't hold. Most modern software either has no CPE, has the wrong one, or has several. We invert the problem: we identify the affected product first, then bind CPEs to it when they exist (and attach multiple when a product legitimately has more than one). Because the product is the source of truth, we can ship semver version ranges, remediation, default exposure, and usage data for every affected product, even the ones with no official CPE assigned yet.
How current is the data?
New CVEs are enriched within minutes of publication. For comparison, the NVD has taken an average of roughly 84 days to enrich a record over the last two years, meaning most pipelines that depend on it are working with a score that is months old, or no score at all.
How do we integrate it?
JSON over HTTPS. We offer our own API schema, designed to expose everything the platform produces, and an NVD-compatible schema for teams that want a faster integration starting point against code they already have. Both are included in the enterprise subscription, and you can mix them per endpoint. We will walk through your specific setup on a call.
How is it priced?
Annual or multi-year, scoped to your program and integrations. Rate and volume limits are open to discussion and set based on your use case.