
Vulnerability and Threat Intelligence Sources

This page lists the external data sources AccuKnox uses for vulnerability enrichment and threat intelligence. AccuKnox maintains a comprehensive, continuously updated Vulnerability Intelligence Database that aggregates and enriches CVE (Common Vulnerabilities and Exposures) data from the world's most authoritative and widely trusted threat intelligence sources. This ensures that every vulnerability finding surfaced by AccuKnox is accurate, contextually rich, and actionable.

Vulnerability Sources

AccuKnox ingests and correlates data from the following primary threat intelligence sources, each providing a distinct and complementary dimension of vulnerability context:

Figure: Vulnerability Database Architecture

National Vulnerability Database (NVD)

The National Vulnerability Database (NVD) feed provides standardized CVE records. The NVD, maintained by NIST (National Institute of Standards and Technology), is the U.S. government's official repository of standards-based vulnerability management data. AccuKnox performs an initial import of the full NVD historical dataset and continuously pulls new and updated CVE entries via the NVD v2 API. Once NVD has analyzed a record, it carries severity ratings (CVSS scores), affected product configurations (CPE match strings) and the vulnerability description; a record still awaiting NVD analysis carries the description only, so CVSS and CPE data can lag the CVE's publication date.

What it provides: Authoritative CVE definitions, CVSS severity scores, affected software and version ranges.

EPSS — Exploit Prediction Scoring System

EPSS is maintained by FIRST (Forum of Incident Response and Security Teams) and uses machine learning to estimate the probability that a given CVE will be exploited in the wild within the next 30 days. AccuKnox downloads the daily EPSS CSV feed and links each score to the corresponding CVE record in its database, enabling probability-based risk prioritization.

What it provides: Data-driven exploit likelihood scores (a probability from 0 to 100%, together with a percentile rank relative to all scored CVEs) to help prioritize remediation beyond CVSS severity alone.

CISA KEV — Known Exploited Vulnerabilities Catalog

The CISA (Cybersecurity and Infrastructure Security Agency) KEV catalog is a curated list of CVEs that have been confirmed as actively exploited in real-world attacks. Each catalog entry records the vendor and product, a short description of the exploitation, the date the entry was added and a remediation due date. AccuKnox fetches and processes this JSON catalog to flag CVEs with confirmed exploitation status, which is one of the strongest indicators of immediate risk.

What it provides: Confirmed active exploitation status — the highest-priority signal for remediation.

GitHub Proof-of-Concept (PoC) Repositories

AccuKnox scans two widely referenced community-maintained GitHub repositories, trickest/cve and nomi-sec/PoC-in-GitHub, for publicly available proof-of-concept exploit code. When a PoC is found, the CVE entry is enriched with a reference URL so that practical exploitability can be assessed. Treat such a reference as a pointer to review rather than proof of a working exploit: community indexes also pick up stubs, abandoned repositories and repositories that merely mention a CVE.

What it provides: Public exploit code availability — indicating that an attacker could readily weaponize the vulnerability.


CWE — Common Weakness Enumeration

The CWE catalog, maintained by MITRE, classifies the underlying weakness types behind vulnerabilities (e.g., CWE-79: Cross-Site Scripting, CWE-89: SQL Injection). AccuKnox performs an initial import of the full CWE catalog and uses it to classify and enrich CVE records, enabling filtering and grouping of vulnerabilities by their root cause category.

What it provides: Weakness classification to identify patterns and systemic vulnerability types across your environment.

NVIDIA

NVIDIA security advisories covering GPU, driver, and platform vulnerabilities.

Microsoft MSRC

Microsoft Security Response Center (MSRC) security advisories for Windows and Microsoft products.

Linux Vulnerability DB System

A dedicated ingestion and enrichment system for Linux and OS-level vulnerabilities.

Key Capabilities

Centralized Data: pulls CVEs from NVD and multiple threat intel feeds.
Automatic Enrichment: enriches each CVE with its EPSS score, CISA KEV exploitation status, public PoC availability from GitHub, and CWE classification.
API Access: supports querying by CVE ID (e.g., CVE-2024-1234) or filtering by severity, keywords, exploit status (PoC or CISA KEV), and CWE IDs.
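The enrichment join that the source sections above and the Automatic Enrichment capability describe, as an added Python example (not AccuKnox's own code): one NVD v2 record is matched against EPSS, CISA KEV, a GitHub PoC index and the CWE catalog, then ranked so that confirmed exploitation outranks a public PoC or a high EPSS score, which in turn outranks CVSS alone. The sample feeds are constructed; they follow the published layouts of the NVD v2 API response, the EPSS CSV and the KEV JSON as assumed here, the CVE IDs and the PoC URL are placeholders, and the priority thresholds (EPSS 0.10, CVSS 7.0) are illustrative choices, not AccuKnox's.

```python
import csv
import io
import json

# --- Constructed sample feeds: layouts mimic the real feeds, content is fictitious ---

# NVD v2 API response shape (/rest/json/cves/2.0). The third record has no metrics
# or CPE data, which is what a record still awaiting NVD analysis looks like.
NVD_RESPONSE = {"vulnerabilities": [
    {"cve": {"id": "CVE-2024-1234",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}]}],
             "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": True,
                 "criteria": "cpe:2.3:a:example:app:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.4.1"}]}]}]}},
    {"cve": {"id": "CVE-2024-5678",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 6.1, "baseSeverity": "MEDIUM"}}]},
             "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}]}]}},
    {"cve": {"id": "CVE-2024-9999", "metrics": {}}},
]}

# EPSS daily CSV: one '#model_version' comment line, then cve,epss,percentile.
EPSS_CSV = """#model_version:v2025.03.14,score_date:2025-06-01T00:00:00+0000
cve,epss,percentile
CVE-2024-1234,0.93100,0.99800
CVE-2024-5678,0.00150,0.48000
"""

# CISA KEV catalog JSON, reduced to the fields used here.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-1234", "dateAdded": "2025-05-20", "dueDate": "2025-06-10",
     "knownRansomwareCampaignUse": "Known"}]})

# PoC index keyed by CVE, as built from the per-CVE JSON files of nomi-sec/PoC-in-GitHub
# (each a list of repository objects carrying html_url). The URL is a placeholder.
POC_INDEX = {"CVE-2024-5678": [{"html_url": "https://github.com/example/placeholder-poc"}]}

# CWE catalog extract (these two names are the real CWE titles).
CWE_CATALOG = {
    "CWE-79": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
    "CWE-89": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
}

PRIORITY_ORDER = {"P1": 0, "P2": 1, "P3": 2, "P4": 3, "needs-review": 4}


def parse_epss(text):
    """EPSS CSV -> {cve: (epss, percentile)}; comment lines are dropped before parsing."""
    body = "".join(line for line in text.splitlines(True) if not line.startswith("#"))
    return {r["cve"]: (float(r["epss"]), float(r["percentile"])) for r in csv.DictReader(io.StringIO(body))}


def parse_kev(text):
    """KEV JSON -> {cveID: catalog entry}."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def cvss_base(cve):
    """Highest CVSS v3.1 base score, or None when NVD has not analysed the record yet."""
    scores = [m["cvssData"]["baseScore"] for m in cve.get("metrics", {}).get("cvssMetricV31", [])]
    return max(scores) if scores else None


def priority(rec):
    """Confirmed exploitation > public PoC or EPSS >= 0.10 > CVSS >= 7.0 > the rest."""
    if rec["kev"]:
        return "P1"
    if rec["poc_urls"] or (rec["epss"] is not None and rec["epss"] >= 0.10):
        return "P2"
    if rec["cvss"] is None:
        return "needs-review"  # unanalysed record: surface it rather than let it sink to P4
    return "P3" if rec["cvss"] >= 7.0 else "P4"


def enrich(nvd=NVD_RESPONSE, epss_csv=EPSS_CSV, kev_json=KEV_JSON, poc=POC_INDEX, cwe=CWE_CATALOG):
    """Join each NVD record with the other feeds; rank by priority, then by EPSS descending."""
    epss, kev = parse_epss(epss_csv), parse_kev(kev_json)
    out = []
    for item in nvd["vulnerabilities"]:
        c = item["cve"]
        cwe_ids = [d["value"] for w in c.get("weaknesses", []) for d in w["description"]
                   if d["value"].startswith("CWE-")]  # skips NVD-CWE-noinfo / NVD-CWE-Other
        rec = {"cve_id": c["id"],
               "cvss": cvss_base(c),
               "epss": epss.get(c["id"], (None, None))[0],
               "kev": kev.get(c["id"]),
               "poc_urls": [r["html_url"] for r in poc.get(c["id"], [])],
               "cwe": {i: cwe.get(i, "unknown") for i in cwe_ids}}
        rec["priority"] = priority(rec)
        out.append(rec)
    return sorted(out, key=lambda r: (PRIORITY_ORDER[r["priority"]], -(r["epss"] or 0.0)))


if __name__ == "__main__":
    for r in enrich():
        print(r["priority"], r["cve_id"], r["cvss"], r["epss"], bool(r["kev"]), r["poc_urls"], sorted(r["cwe"]))
```

The unanalysed record is deliberately kept visible as "needs-review" rather than sorted to the bottom: a CVE with no CVSS and no EPSS yet is missing data, not low risk.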

Update Frequency

AccuKnox refreshes its vulnerability intelligence database every 12 hours, ensuring that findings are always based on near-real-time threat data. Each update cycle runs four parallel, independently managed synchronization jobs:

NVD (National Vulnerability Database): incremental CVE updates via the NVD v2 API; every 12 hours.
EPSS (Exploit Prediction Scoring System): the daily exploit probability feed; polled every 12 hours.
CISA KEV (Known Exploited Vulnerabilities): full catalog refresh; every 12 hours.
GitHub PoC Repositories: commit-level diff of the repositories for new PoC references; every 12 hours.

Each sync job operates independently, so a failure in one source does not delay or block updates from the others. The system includes built-in retry logic and error handling to ensure maximum data freshness and reliability.
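An added example of the isolation and retry pattern described above, written for this page and not AccuKnox's scheduler: each source is synced by its own worker with an independent retry budget and exponential backoff, so a source that never recovers during a cycle still leaves the other sources' results intact. The fetchers are constructed stand-ins that fail a set number of times; the source names, payloads and retry limits are assumptions.

```python
import concurrent.futures
import time


class FeedError(RuntimeError):
    """Raised by a fetcher when a source cannot be pulled on this attempt."""


def with_retry(fetch, attempts=3, backoff=1.0, sleep=time.sleep):
    """Call fetch() up to `attempts` times with exponential backoff.
    Returns (ok, value_or_last_error, tries)."""
    last = None
    for n in range(1, attempts + 1):
        try:
            return True, fetch(), n
        except FeedError as err:
            last = err
            if n < attempts:
                sleep(backoff * 2 ** (n - 1))
    return False, last, attempts


def run_cycle(sources, attempts=3, backoff=1.0):
    """One sync cycle: every source runs in its own worker with its own retry budget,
    so a source that keeps failing cannot delay or block the others.
    Returns {name: {"ok": bool, "tries": int, "result" | "error": ...}}."""
    report = {}
    with concurrent.futures.ThreadPoolExecutor(max_workers=len(sources)) as pool:
        futures = {pool.submit(with_retry, fetch, attempts, backoff): name
                   for name, fetch in sources.items()}
        for fut in concurrent.futures.as_completed(futures):
            ok, value, tries = fut.result()
            entry = {"ok": ok, "tries": tries}
            entry["result" if ok else "error"] = value if ok else str(value)
            report[futures[fut]] = entry
    return report


def flaky(name, fail_times, payload):
    """Constructed fetcher: raises FeedError on its first `fail_times` calls, then returns payload."""
    calls = {"n": 0}

    def fetch():
        calls["n"] += 1
        if calls["n"] <= fail_times:
            raise FeedError(f"{name}: transient failure #{calls['n']}")
        return payload
    return fetch


def demo_sources():
    """Four constructed sources mirroring the sync table; names and payloads are placeholders."""
    return {
        "nvd": flaky("nvd", 0, {"updated_cves": 42}),
        "epss": flaky("epss", 2, {"scores": 250000}),      # recovers on the third attempt
        "kev": flaky("kev", 0, {"catalog_entries": 1300}),
        "github": flaky("github", 99, None),                # stays down for the whole cycle
    }


if __name__ == "__main__":
    for name, entry in sorted(run_cycle(demo_sources(), backoff=0.0).items()):
        print(name, entry)
```

The cycle returns a per-source report rather than raising on the first failure; a real scheduler would alert on a source whose `ok` stays false across several cycles, because stale KEV or EPSS data silently degrades prioritization.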

Runtime Verified Flag

Knowing that a vulnerability exists in a software package is only half the story. In cloud-native environments, many packages are installed but never actually loaded into memory or executed — meaning that a vulnerability in such a package poses no real risk at runtime even if it appears in a software bill of materials (SBOM) or static scan.

AccuKnox addresses this critical gap with its Runtime Verified flag.

Figure: Runtime Verification Architecture

Key capabilities of AccuKnox runtime verification:

  • AccuKnox holds a patent for optimized in-kernel aggregation of runtime telemetry. Pushing every kernel event for a file, process or network action to userspace does not scale: it overwhelms the telemetry pipeline even in small deployments, and CPU utilization climbs with every kernel-to-userspace context switch.
  • AccuKnox supports scanning images in runtime environments such as virtual machines, bare-metal hosts and Kubernetes clusters, including images run directly on virtual machines with Docker.
  • AccuKnox also supports agentless scanning of images for virtual machines hosted in AWS, GCP or Azure.

Info

AccuKnox uses eBPF to aggregate events in the kernel and emits them to userspace only after a set aggregation period. This reduces CPU utilization by more than 95% and the volume of telemetry events by more than 90%.
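The correlation behind the flag, as an added Python example rather than AccuKnox's in-kernel eBPF implementation: raw file, process and library events are first collapsed into one record per (container, operation, path, time window), then a scan finding is marked runtime verified only if a file belonging to the vulnerable package was actually executed or mapped executable in that container. The package inventory, the findings (placeholder CVE IDs) and the telemetry are constructed; the event field names, the 30 second window and doing the aggregation in userspace are assumptions made for illustration.

```python
from collections import defaultdict

LOADED_OPS = {"exec", "mmap_exec"}  # a plain open/read (backup job, scanner) is not a load

# Constructed package -> file inventory, as a scanner derives it from the image's package DB.
PACKAGE_FILES = {
    "openssl-libs": ["/usr/lib64/libssl.so.3", "/usr/lib64/libcrypto.so.3"],
    "curl": ["/usr/bin/curl", "/usr/lib64/libcurl.so.4"],
    "vim-minimal": ["/usr/bin/vi"],
    "gzip": ["/usr/bin/gzip"],
}

# Constructed scan findings for the image behind container "web-1"; CVE IDs are placeholders.
FINDINGS = [
    {"cve": "CVE-2024-1234", "package": "openssl-libs", "container": "web-1"},
    {"cve": "CVE-2024-5678", "package": "curl", "container": "web-1"},
    {"cve": "CVE-2024-2222", "package": "vim-minimal", "container": "web-1"},
    {"cve": "CVE-2024-3333", "package": "gzip", "container": "web-1"},
]


def constructed_events():
    """Constructed raw telemetry: a loop execs curl 200 times (each exec maps two libraries),
    and a backup job opens vi's binary once without executing it."""
    events = []
    for i in range(200):
        for op, path in (("exec", "/usr/bin/curl"),
                         ("mmap_exec", "/usr/lib64/libcurl.so.4"),
                         ("mmap_exec", "/usr/lib64/libssl.so.3")):
            events.append({"ts": 1000 + i, "pid": 4000 + i, "container": "web-1", "op": op, "path": path})
    events.append({"ts": 1005, "pid": 9001, "container": "web-1", "op": "open", "path": "/usr/bin/vi"})
    return events


def aggregate(events, window_s=30):
    """Collapse raw events into one record per (container, op, path, window): what an
    in-kernel aggregator would hand to userspace once per window instead of per event."""
    agg = {}
    for e in events:
        key = (e["container"], e["op"], e["path"], e["ts"] // window_s)
        rec = agg.setdefault(key, {"count": 0, "first_ts": e["ts"], "last_ts": e["ts"], "pids": set()})
        rec["count"] += 1
        rec["last_ts"] = max(rec["last_ts"], e["ts"])
        rec["pids"].add(e["pid"])
    return agg


def telemetry_reduction(events, agg):
    """Fraction of records saved by aggregation."""
    return 1.0 - len(agg) / len(events)


def loaded_paths(agg):
    """Per container, the files that were executed or mapped executable."""
    loaded = defaultdict(set)
    for (container, op, path, _window) in agg:
        if op in LOADED_OPS:
            loaded[container].add(path)
    return loaded


def runtime_verify(findings, package_files, agg):
    """Flag a finding runtime verified only when one of its package's files was loaded
    in the container; 'evidence' lists the files seen."""
    loaded = loaded_paths(agg)
    results = []
    for f in findings:
        files = set(package_files.get(f["package"], []))
        evidence = sorted(files & loaded.get(f["container"], set()))
        results.append({**f, "runtime_verified": bool(evidence), "evidence": evidence})
    return results


if __name__ == "__main__":
    raw = constructed_events()
    agg = aggregate(raw)
    print(f"{len(raw)} raw events -> {len(agg)} aggregated records "
          f"({telemetry_reduction(raw, agg):.1%} fewer)")
    for r in runtime_verify(FINDINGS, PACKAGE_FILES, agg):
        print(r["cve"], r["package"], "runtime_verified" if r["runtime_verified"] else "not loaded", r["evidence"])
```

Note the vi case: its binary was opened but never executed, so the finding stays unverified. Counting plain opens as loads would re-inflate the flag with every backup or scanner pass.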

Threat Intelligence Sources

Telemetry and alerts received by the AccuKnox SIEM are enriched using the following threat intelligence sources.

Figure: threat intelligence sources

IP2Location

IP2Location provides IP reputation and geolocation intelligence used for context and risk scoring. By integrating IP2Location, AccuKnox can:

  • Identify the geographic origin of network traffic
  • Detect anomalous or suspicious regions of access
  • Enforce geo-based security policies and compliance controls
  • Correlate events with ISP, ASN and network attributes
  • Enhance incident investigation with location context

OTX AlienVault

AlienVault OTX is a global, community-driven threat intelligence platform where security researchers and organizations share real-time information about cyber threats, including malicious IPs, domains, URLs, file hashes, and attacker tactics.

By integrating OTX, AccuKnox can:

  • Enrich telemetry with known Indicators of Compromise (IoCs)
  • Detect communications with malicious infrastructure
  • Correlate runtime events with global threat campaigns
  • Improve incident investigation and response
  • Stay updated automatically with emerging threats

OTX’s “Pulses” provide curated threat data tied to specific attacks or malware families, enabling security systems to identify whether an environment is exposed.

AccuKnox combines its runtime security telemetry with OTX’s global threat intelligence to deliver context-aware, proactive defense against known adversaries.
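An added Python example of the two enrichments described in this section, not AccuKnox's SIEM code: a range lookup in an IP2Location-style country table (integer ip_from/ip_to rows, as in the DB1 CSV layout) and indicator matching against an OTX-style pulse, applied to constructed SIEM alerts in JSON lines. The geo rows use the RFC 5737 documentation blocks with user-assigned country codes; the pulse contents, the alert schema, the allowed-country policy and the scoring weights are all assumptions, and the SHA-256 indicator is computed from a constructed string so no real hash is quoted.

```python
import bisect
import hashlib
import ipaddress
import json


def ip_int(ip):
    """Dotted quad -> integer, the encoding IP2Location CSV rows use for ip_from/ip_to."""
    return int(ipaddress.IPv4Address(ip))


# Constructed IP2Location-style country rows (ip_from, ip_to, country_code, country_name).
# The RFC 5737 documentation blocks stand in for public space; XA..XC are user-assigned codes.
GEO_ROWS = sorted([
    (ip_int("192.0.2.0"), ip_int("192.0.2.255"), "XA", "Test Country A"),
    (ip_int("198.51.100.0"), ip_int("198.51.100.255"), "XB", "Test Country B"),
    (ip_int("203.0.113.0"), ip_int("203.0.113.255"), "XC", "Test Country C"),
])
GEO_STARTS = [row[0] for row in GEO_ROWS]
ALLOWED_COUNTRIES = {"XA"}  # constructed geo policy: access from anywhere else is flagged

# Only RFC 1918 space is treated as internal. ipaddress.is_private would also say True for
# the documentation blocks above, which is why the check is explicit.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_SHA256 = hashlib.sha256(b"constructed sample payload").hexdigest()

# Constructed pulse in the shape of an OTX pulse export: a name and an indicator list.
OTX_PULSE = {"name": "Constructed pulse", "indicators": [
    {"indicator": "198.51.100.7", "type": "IPv4"},
    {"indicator": "c2.example", "type": "domain"},
    {"indicator": SAMPLE_SHA256, "type": "FileHash-SHA256"},
]}

# Constructed SIEM alerts as JSON lines; the field names are an assumed schema.
ALERT_LINES = "\n".join(json.dumps(a) for a in [
    {"id": "a1", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.7", "dst_domain": "c2.example"},
    {"id": "a2", "src_ip": "203.0.113.9", "dst_ip": "10.0.0.5"},
    {"id": "a3", "src_ip": "192.0.2.10", "dst_ip": "10.0.0.8", "sha256": SAMPLE_SHA256},
    {"id": "a4", "src_ip": "192.0.2.11", "dst_ip": "10.0.0.8"},
])


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def geolocate(ip):
    """Binary search on ip_from, then confirm the row's ip_to covers the address."""
    n = ip_int(ip)
    i = bisect.bisect_right(GEO_STARTS, n) - 1
    if i >= 0 and GEO_ROWS[i][0] <= n <= GEO_ROWS[i][1]:
        return {"cc": GEO_ROWS[i][2], "country": GEO_ROWS[i][3]}
    return None


def ioc_index(pulse):
    """Set of (type, indicator) from a pulse; IPv4 values are canonicalised, others lowercased."""
    index = set()
    for ind in pulse["indicators"]:
        value = str(ipaddress.ip_address(ind["indicator"])) if ind["type"] == "IPv4" else ind["indicator"].lower()
        index.add((ind["type"], value))
    return index


def enrich_alert(alert, iocs):
    """Attach geo context and IoC matches; score: +60 for any IoC hit, +20 per public IP outside
    the allowed countries, +10 per public IP with no geo row (weights are illustrative)."""
    geo, matches, score = {}, [], 0
    for field in ("src_ip", "dst_ip"):
        ip = alert.get(field)
        if not ip or is_internal(ip):
            geo[field] = None  # internal addresses carry no meaningful geolocation
            continue
        ip = str(ipaddress.ip_address(ip))
        geo[field] = geolocate(ip)
        if ("IPv4", ip) in iocs:
            matches.append(f"IPv4:{ip}")
        if geo[field] is None:
            score += 10
        elif geo[field]["cc"] not in ALLOWED_COUNTRIES:
            score += 20
    domain = alert.get("dst_domain", "").lower()
    if domain and ("domain", domain) in iocs:
        matches.append(f"domain:{domain}")
    digest = alert.get("sha256", "").lower()
    if digest and ("FileHash-SHA256", digest) in iocs:
        matches.append(f"FileHash-SHA256:{digest}")
    if matches:
        score += 60
    verdict = "high" if score >= 60 else "medium" if score >= 20 else "low"
    return {**alert, "geo": geo, "ioc_matches": matches, "score": score, "verdict": verdict}


def enrich_alerts(lines, pulse=OTX_PULSE):
    """Enrich every JSON-lines alert against one pulse."""
    iocs = ioc_index(pulse)
    return [enrich_alert(json.loads(line), iocs) for line in lines.splitlines() if line.strip()]


if __name__ == "__main__":
    for r in enrich_alerts(ALERT_LINES):
        print(r["id"], r["verdict"], r["score"], r["ioc_matches"], r["geo"])
```

Two details matter in practice: internal addresses are skipped before the geo lookup so RFC 1918 traffic never picks up a spurious country, and indicators are canonicalised on both sides so a zero-padded or mixed-case value in the alert still matches the pulse.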

Info

AccuKnox aggregates authoritative vulnerability data and live threat intelligence to maintain accurate, enriched security insights across all supported sources.