We do a lot of our research into vulnerabilities. To aid this, we enrich CVEs using many remote sources of intelligence. Here is a walk-through showing how we connect CVEs to EPSS scores, CISA KEVs, MITRE ATT&CK, CWEs, and CAPECs.

Despite countless frameworks, best practices, blog posts... so many developers still hardcode credentials into their code.

The NVD are still struggling to keep up with the backlog of CVEs to be analysed. With 26,876 added since February, it is no surprise.

The CVE List was launched in September 1999, listing 321 CVE records. 25 years later there are 265,767 CVE records.

Follow along as I show you how to store 200,000 CVEs as STIX objects, then use CVSS, EPSS, CISA KEV and CPE data to search and filter them.

Developing on last weeks post, I show you how to construct STIX Patterns to automatically flag which products are affected by published CVEs.

I wanted to write detection rules to identify what products are vulnerable to a CVE. In this post I walk you through my research.