Intelligence¶

At Vulners we continuously collect and normalize vulnerability intelligence from 220+ upstream sources—vendor advisories, NVD/CVE, Linux distro feeds, package registries, exploit/PoC trackers, and government/ISAC alerts—into a single graph‑linked corpus. Every record is deduplicated, cross‑referenced (CVE↔advisory↔patch↔exploit), and time‑stamped with standard fields (e.g., CVSS vectors, CWE, affected products) in consistent JSON. Intelligence puts this corpus behind a high‑reliability API and adds real‑world risk signals (EPSS, KEV inclusion, exploit activity, and Vulners AI Risk indicators), so a single query returns the complete context for any CVE—ready for your UI, SIEM/SOAR, or ticketing.

Make Vulners Intelligence the context engine behind your risk decisions—without stitching feeds. This page gives you both the why and the how so you can call the API, wire up enrichment in tickets and dashboards, and start shipping improvements the same day.

Why this matters¶

Security teams don’t have time to stitch together partial signals. Vulners Intelligence delivers a single, normalized response per CVE — including CVSS (with vectors), EPSS, KEV status, CWE, patches, exploit references, and Vulners AI Risk indicators — so you can act on live attacker pressure, not guesswork.

What you get¶

• One API, complete context. Drop clean JSON straight into your UI, SIEM, SOAR, or ticketing.
• Prioritize like an attacker. Elevate items with active exploitation and KEV inclusion over quiet 10.0s.
• Built to ship. 99.9% SLA, consistent fields, graph-linked corpus — no parser babysitting.
• Plug in once, enrich everywhere. Inline enrichment for scanner results and asset inventories.

Architecture¶

At request time, Intelligence resolves a CVE (or search query) against the Vulners graph, aggregating official sources (NVD, CISA KEV, vendor advisories), exploit feeds (PoCs, GH issues, threat intel), and proprietary AI Risk signals. Results are normalized into a consistent schema with linked references and CPE configurations.

Quickstart¶

Two common ways to use Intelligence:

• Fetch by CVE ID when you know exactly what you need.
• Search by query when you want to discover related documents via Lucene syntax.

Retrieve Intelligence by CVE ID¶

Use‑case: You have a known CVE from a scanner or ticket and need the full, normalized context (risk, exploitation, KEV, references) to drive triage and prioritization.

Example: Retrieve by CVE ID¶

import requests
import json

API_KEY = "VULNERS_API_KEY"
CVE_LIST = ["CVE-2025-7775", "CVE-2025-10585"]

# Fetch vulnerability data from Vulners API
url = "https://vulners.com/api/v3/search/id"
headers = {"X-Api-Key": API_KEY, "Content-Type": "application/json"}
payload = {"id": CVE_LIST, "fields": ["*"], "references": True}

# Make API Request
data = requests.post(url, headers=headers, data=json.dumps(payload)).json()

# Save response to JSON file
output_filename = f"vulners_id_{CVE_LIST}.json"
with open(output_filename, 'w', encoding='utf-8') as f:
    json.dump(data, f, indent=2, ensure_ascii=False)

Sample output (summary)¶

The response structure contains two main sections:

• documents: Keyed by the requested ID (CVE in this example), each entry holds the full vulnerability record with timestamps, metrics, enrichments (exploitation status, dependencies, AI risk signals), CPE configurations from multiple sources, exploit references, and applicability data. Most fields are self-documenting.
• references: Keyed by the requested ID, groups related documents by family (e.g., githubexploit, circl, freebsd) — linking advisories, exploits, and threat intelligence that Vulners has correlated to the document.

The sample below shows key top-level fields; for a complete view of available data, inspect an actual response — the field names are descriptive and designed to be explored directly.

{
  "result": "OK",
  "data": {
    "documents": {
      "CVE-2025-10585": {
        "timestamps": {},
        "metrics": {},
        "enchantments": {
          "dependencies": {},
          "exploitation": {},
          "...": "and 5 more keys"
        },
        "cpeConfigurations": {
          "vulnersCpeConfiguration": {},
          "nvdCpeConfiguration": {},
          "...": "and 1 more keys"
        },
        "exploits": {},
        "webApplicability": {},
        "...": "and 37 more keys"
      },
      "CVE-2025-7775": {
        "timestamps": {},
        "metrics": {},
        "enchantments": {
          "dependencies": {},
          "exploitation": {},
          "...": "and 6 more keys"
        },
        "cpeConfigurations": {
          "nvdCpeConfiguration": {},
          "...": "and 1 more keys"
        },
        "exploits": {},
        "webApplicability": {},
        "...": "and 37 more keys"
      }
    },
    "references": {
      "CVE-2025-10585": {
        "githubexploit": [],
        "freebsd": [],
        "circl": [],
        "...": "and 25 more families"
      },
      "CVE-2025-7775": {
        "githubexploit": [],
        "circl": [],
        "cisa_kev": [],
        "...": "and 12 more families"
      }
    }
  }
}

Search Intelligence by Query String¶

Use‑case: You want to discover documents (e.g., CVEs) matching specific criteria — for alerts, coverage checks, or seeding backlogs. Criteria are expressed as Lucene queries, allowing you to construct complex searches using logical operations (AND, OR, NOT), text search, numeric ranges, and date intervals. For comprehensive query syntax and examples, see the Vulners documentation.

Example: Search by query¶

import vulners
import json

API_KEY = "VULNERS_API_KEY"
QUERY = "enchantments.exploitation.wildExploited:true"

v = vulners.VulnersApi(api_key=API_KEY)

# Make API Request
search_results = v.search.search_bulletins_all(query=QUERY, limit=10000, fields=["*"])
print(len(search_results))

# Save response to JSON file
with open(f'vulners_search_{QUERY}.json', 'w') as f:
    json.dump(search_results, f, indent=4)

Simplified output¶

[
  {
    "id": "CVE-2013-3918",
    "type": "cve",
    "...": "and 42 more keys"
  },
  {
    "id": "CVE-2017-1000353",
    "type": "cve",
    "...": "and 42 more keys"
  },
  {
    "id": "CVE-2014-6278",
    "type": "cve",
    "...": "and 42 more keys"
  },
  {
    "...": "and 2763 more records"
  }
]

Implementation patterns¶

• Inline enrichment for scanner findings before ticket creation.
• Risk-based prioritization rules that boost KEV-listed and actively exploited CVEs.
• Analyst drill-down: link out to references and PoCs directly from your UI.
• Asset impact mapping by intersecting CPEs with your inventory.

Practical details¶

• Auth: API key (header).
• Format: JSON over HTTPS.
• Rate limits: See your plan; batch CVE lookups where possible.
• SLA: 99.9%.

Example outputs¶

• CVE detail response includes metrics, enchantments.exploitation, cpeConfigurations, exploits, references and many more fields. You can request only the fields you need (e.g., fields=["id", "cvss", "enchantments"]) to reduce bandwidth and improve responsiveness. To familiarize yourself with the full document structure, use the JSON button on any bulletin page at vulners.com — most fields are self-documenting.
• Query search returns an array of document records with stable identifiers.

FAQ¶

Does Intelligence replace my feeds?

It consolidates them. You can keep your sources, but most customers point their workflows at Intelligence to avoid parser maintenance.

How often are signals updated?

Continuously; KEV and exploit indicators reflect new intelligence as we ingest and correlate sources.

Can I enrich non‑CVE data?

Primary keying is by CVE, but related advisories and references are linked in the response.

TL;DR¶

One API, complete CVE context with real‑world risk signals. Prioritize like an attacker. Ship faster with reliable, normalized JSON.