Security Operations Centers face the same challenge every morning: wading through a flood of CVEs to find the few that actually demand attention. A typical day brings 150 new entries across the National Vulnerability Database, CISA’s Known Exploited Vulnerabilities list, and GitHub Security Advisories. For a finance team, a critical flaw in a loan servicing module matters far more than a remote code execution bug in a Minecraft mod. Yet most SOCs apply the same manual triage process—skimming headlines and relying on tribal knowledge that varies between analysts and shifts.
That repetitive work now has a smarter alternative. The open-source threat-intel-api introduces a sector-aware vulnerability scoring system that filters and ranks CVEs based on what truly impacts your organization. Instead of drowning in noise, SOC teams receive a curated feed of relevant threats, complete with auditable scoring breakdowns.
Why manual CVE triage wastes time and resources
The triage process in most SOCs follows a familiar pattern. Analysts review three primary data sources each day:
- The National Vulnerability Database (NVD), which catalogs all publicly disclosed vulnerabilities
- CISA’s Known Exploited Vulnerabilities (KEV) feed, highlighting active threats
- GitHub Security Advisories (GHSA), focusing on vulnerabilities in open-source packages
Each feed contains raw data, not tailored intelligence. A healthcare provider and a logistics company receive the same unfiltered stream, even though their critical systems and compliance requirements differ dramatically. The result is inefficient: analysts spend the first two hours of every shift manually filtering noise to identify the handful of CVEs that could potentially harm their environment.
This manual approach introduces inconsistencies. Different analysts interpret the same data differently. Priorities shift with personnel changes. Crucial context—such as whether a specific software library is used in production—often lives only in someone’s head, not in a rule or configuration file. The triage process repeats daily, with no memory or standardization.
How the threat-intel-api curates vulnerability intelligence
The threat-intel-api project solves this triage bottleneck by shifting the filtering logic from analysts’ heads into a machine-readable format. It ingests data from NVD, CISA KEV, and GHSA, merges duplicates, and scores each CVE against a customizable profile that reflects your organization’s sector and technology stack.
Six pre-built profiles cover common industries:
- Finance
- Healthcare
- Industrial Control Systems (ICS)
- Government
- SaaS
- E-commerce
Each profile is defined in a YAML configuration file. It includes keywords, technology identifiers, Common Weakness Enumeration (CWE) categories, and adjustable weights. For example, a finance profile might assign higher importance to CWEs related to authentication bypasses and financial data exposure, while an ICS profile prioritizes flaws that could disrupt industrial processes.
The scoring engine applies eleven additive rules to calculate a composite score. Each rule’s contribution is visible in a detailed breakdown, making it easy to justify why a CVE scored 78 versus 35. There are no hidden machine-learning models or proprietary algorithms—just transparent, configurable logic.
# Example finance profile snippet
weights:
  cwe_match: 20
  cvss_threshold: 15
  kev_bonus: 25
  technology_match: 10
excluded_keywords:
  - minecraft
  - game
  - mod

Real-world API endpoints for instant integration
The public API runs at threat-intel-api-production.up.railway.app and requires no authentication for read-only access. Three primary endpoints serve different use cases:
Get top 24-hour threats for your sector

curl -s ' \
| jq '.top_24h[:5] | .[] | {cve: .external_id, score, cvss: .cvss_score, title: .title[0:80]}'

Example response:

{
  "cve": "CVE-2026-7579",
  "score": 35.0,
  "cvss": 7.3,
  "title": "Hard-coded credentials in AstrBot dashboard auth (CWE-798)"
}

Subscribe your SIEM to a real-time RSS feed

curl '

This feed delivers only high-impact threats, filtered by sector and minimum score. Most SIEM platforms—including Splunk, Microsoft Sentinel, and Elastic—can ingest RSS feeds natively.

Inspect the scoring rationale for any CVE

curl -s ' \
| jq '.top_24h[0].score_breakdown'

Example breakdown:

{
  "cwe_match": {"hit": true, "matched": ["CWE-798"], "points": 20},
  "cvss_threshold": {"hit": true, "threshold": 7.0, "points": 15},
  "kev": {"hit": false, "points": 0},
  "technology_match": {"hit": false, "matched": [], "points": 0}
}

This transparency empowers SOC leads to validate scores and adjust configurations without relying on external vendors.
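As an added example (not code from the threat-intel-api project), the following Python scorer reproduces the four-rule breakdown shown above for a finance profile modelled on the earlier YAML snippet, including the keyword exclusion. The CWE watch-list, stack identifiers, the 7.0 CVSS threshold and the sample CVE records are assumptions constructed for this demonstration.

```python
import re

# Constructed finance profile, modelled on the YAML snippet earlier in the article;
# the CWE watch-list, stack identifiers and 7.0 threshold are assumptions.
FINANCE_PROFILE = {
    "weights": {"cwe_match": 20, "cvss_threshold": 15, "kev_bonus": 25,
                "technology_match": 10},
    "cvss_threshold": 7.0,
    "cwes": {"CWE-798", "CWE-287", "CWE-306"},
    "technologies": {"spring", "openssl"},
    "excluded_keywords": ["minecraft", "game", "mod"],
}

# Constructed sample records (not real feed data); the first mirrors the
# CVE-2026-7579 response shown above, the other two use placeholder IDs.
SAMPLE_CVES = [
    {"external_id": "CVE-2026-7579", "cvss_score": 7.3, "cwes": ["CWE-798"], "in_kev": False,
     "title": "Hard-coded credentials in AstrBot dashboard auth (CWE-798)"},
    {"external_id": "CVE-0000-0001", "cvss_score": 9.8, "cwes": ["CWE-94"], "in_kev": False,
     "title": "Remote code execution in a Minecraft mod loader"},
    {"external_id": "CVE-0000-0002", "cvss_score": 9.8, "cwes": ["CWE-287"], "in_kev": True,
     "title": "Authentication bypass in Spring-based loan servicing module"},
]

def score_cve(cve, profile):
    """Additive rules with a per-rule breakdown; returns (None, reason) if excluded."""
    text = f"{cve.get('title', '')} {cve.get('description', '')}".lower()
    # Whole-word match so "mod" excludes a Minecraft mod but not a "module".
    for kw in profile["excluded_keywords"]:
        if re.search(rf"\b{re.escape(kw)}\b", text):
            return None, {"excluded_by": kw}
    w, b = profile["weights"], {}
    cwes = sorted(set(cve.get("cwes", [])) & profile["cwes"])
    b["cwe_match"] = {"hit": bool(cwes), "matched": cwes, "points": w["cwe_match"] if cwes else 0}
    cvss_hit = cve.get("cvss_score", 0.0) >= profile["cvss_threshold"]
    b["cvss_threshold"] = {"hit": cvss_hit, "threshold": profile["cvss_threshold"],
                           "points": w["cvss_threshold"] if cvss_hit else 0}
    kev_hit = bool(cve.get("in_kev"))
    b["kev"] = {"hit": kev_hit, "points": w["kev_bonus"] if kev_hit else 0}
    tech = sorted(t for t in profile["technologies"] if re.search(rf"\b{re.escape(t)}\b", text))
    b["technology_match"] = {"hit": bool(tech), "matched": tech,
                             "points": w["technology_match"] if tech else 0}
    return float(sum(r["points"] for r in b.values())), b

def rank(cves, profile, minimum=0.0):
    """Score a feed, drop excluded or low-scoring entries, highest score first."""
    scored = [(cve["external_id"], *score_cve(cve, profile)) for cve in cves]
    kept = [(i, s, b) for i, s, b in scored if s is not None and s >= minimum]
    return sorted(kept, key=lambda row: row[1], reverse=True)
```

The whole-word match on excluded keywords is the check worth keeping: a plain substring test on `mod` would also drop the loan servicing module flaw that a finance team cares about most.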
Key benefits for SOC teams and security analysts
The threat-intel-api isn’t designed to replace commercial threat intelligence platforms like Recorded Future or Mandiant. Instead, it fills a gap for teams that need an open, self-hosted solution that aligns with their specific operational context. Here’s why it stands out:
- Sector-focused by default: Generic vulnerability feeds are replaced with tailored intelligence. A finance profile ignores Minecraft-related CVEs, while an ICS profile prioritizes SCADA and PLC vulnerabilities.
- Auditable scoring logic: Every score comes with a full breakdown of how it was calculated. There’s no black-box algorithm—just eleven clear rules and transparent configuration.
- SIEM integration out of the box: RSS feeds and JSON dashboards plug directly into most security tools. Setting up a monitoring workflow takes minutes, not hours.
- Maintainable and flexible: Sector profiles are defined in YAML and can be updated without touching code. Add new keywords, adjust weights, or create custom sectors as your environment evolves.
- No vendor lock-in: Built on MIT-licensed open source, Docker containers, and PostgreSQL, the entire system can be deployed in under five minutes with a single command.
Deploy and customize in under five minutes
Getting started requires minimal setup. After cloning the repository, run:
git clone
cd threat-intel-api
docker compose up -d

The system initializes with default profiles and is ready to serve requests. To customize scoring rules for your sector, edit the YAML file under profiles/your_sector.yml and hot-reload the configuration without restarting the service.
For SIEM integration, add the RSS feed URL as a data source. Configure the minimum score threshold to control notification volume. KEV-listed threats automatically receive a +25 bonus, so a threshold of 70 typically surfaces only actively exploited or stack-relevant vulnerabilities.
As your organization grows, you can extend the system by adding new sector profiles or refining the scoring weights. The transparent design ensures that every decision remains auditable and adaptable to future needs.
The future of CVE triage is sector-aware and machine-assisted. Tools like the threat-intel-api don’t replace human judgment—they elevate it, freeing analysts to focus on impactful response rather than manual filtering.
AI summary
Open-source threat-intel-api filters 150 daily CVEs into sector-aware feeds for finance, healthcare, ICS, and more. Deploy in 5 minutes with Docker and PostgreSQL.