Vulnerability Intelligence: CISA KEV and NVD, Interpreted by AI
Threat intelligence platforms are good at answering one question: where is the attack traffic coming from? Block the IP, revoke the route, fire the webhook. That half of the problem is largely solved.
The other half — why are those attackers targeting specific infrastructure, and which software vulnerabilities are they actively exploiting — lives in a separate workflow. Security teams bounce between the firewall event log and the NVD CVE search, manually correlating "we're seeing a spike in traffic on port 8080" with "oh, there's a new Apache Tomcat deserialization CVE." SATIS now closes that gap.
The CISA KEV Catalog
The CISA Known Exploited Vulnerabilities catalog is the most actionable vulnerability list that exists. It does not attempt to catalog every CVE — there are over 200,000 of those. It tracks roughly 1,100 CVEs that meet CISA's inclusion criteria: an assigned CVE ID, reliable evidence of active exploitation in the wild, and a clear remediation action such as a vendor patch or documented mitigation. When CISA adds a CVE to the KEV list, it means real attackers are using it against real targets right now, not in a research lab and not theoretically.
KEV entries have mandatory remediation deadlines for federal agencies under BOD 22-01, but the list is public and applicable to any organization. It is consistently the highest signal-to-noise vulnerability list available.
SATIS ingests the full KEV catalog and checks for updates daily. New additions surface immediately in the advisory feed.
NVD: The Broader Context
The National Vulnerability Database provides CVSS scores, affected product lists (as CPE names), and publication metadata for every published CVE, exploited or not. Where KEV answers "what are attackers exploiting today," NVD answers "what's the technical severity and blast radius."
SATIS pulls the last 7 days of NVD publications on each daily ingest cycle. This captures newly disclosed CVEs — including high-CVSS vulnerabilities that may not yet have KEV status but warrant attention based on affected products and severity score.
The two feeds are combined into a single advisory stream. A CVE that appears in both — high CVSS from NVD plus confirmed exploitation from KEV — is flagged as the highest-priority class.
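The merge step described above, as an added example that is not SATIS code: it reads records in the shape of the public KEV JSON feed and the NVD API 2.0 response, folds them into one advisory per CVE, and sorts them into the priority classes the text describes (KEV plus high CVSS first, KEV-only second, high-CVSS-only third). The sample records are constructed and the CVE IDs are placeholders, not real CVEs; the 7.0 threshold is an assumption, not a documented SATIS setting.

```python
"""Combine a CISA KEV snapshot and NVD API 2.0 records into one prioritized advisory stream."""
from dataclasses import dataclass, field
from typing import Optional

KEV_HIGH = 0    # in KEV and CVSS at or above threshold: the highest-priority class
KEV_ONLY = 1    # in KEV, but NVD has no score yet or it is below threshold
HIGH_CVSS = 2   # not in KEV, CVSS at or above threshold
OTHER = 3


@dataclass
class Advisory:
    cve_id: str
    in_kev: bool = False
    cvss: Optional[float] = None
    products: set = field(default_factory=set)   # "vendor:product", lower-cased
    published: Optional[str] = None
    description: str = ""
    ransomware_use: Optional[str] = None

    def priority(self, min_cvss: float) -> int:
        high = self.cvss is not None and self.cvss >= min_cvss
        if self.in_kev and high:
            return KEV_HIGH
        if self.in_kev:
            return KEV_ONLY
        return HIGH_CVSS if high else OTHER


def cpe_vendor_product(criteria: str) -> str:
    """cpe:2.3:<part>:<vendor>:<product>:<version>:... -> 'vendor:product'."""
    parts = criteria.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {criteria!r}")
    return f"{parts[3]}:{parts[4]}".lower()


def ingest_kev(kev_feed: dict, advisories: dict) -> None:
    for v in kev_feed["vulnerabilities"]:
        adv = advisories.setdefault(v["cveID"], Advisory(v["cveID"]))
        adv.in_kev = True
        adv.ransomware_use = v.get("knownRansomwareCampaignUse")
        adv.products.add(f"{v['vendorProject']}:{v['product']}".lower())


def ingest_nvd(nvd_response: dict, advisories: dict) -> None:
    for item in nvd_response["vulnerabilities"]:
        cve = item["cve"]
        adv = advisories.setdefault(cve["id"], Advisory(cve["id"]))
        adv.published = cve.get("published")
        adv.description = next((d["value"] for d in cve.get("descriptions", [])
                                if d["lang"] == "en"), "")
        metrics = cve.get("metrics", {})
        # Prefer CVSS v3.1, fall back to v3.0; a freshly published CVE may carry no score yet
        for key in ("cvssMetricV31", "cvssMetricV30"):
            if metrics.get(key):
                adv.cvss = float(metrics[key][0]["cvssData"]["baseScore"])
                break
        for cfg in cve.get("configurations", []):
            for node in cfg.get("nodes", []):
                for m in node.get("cpeMatch", []):
                    if m.get("vulnerable", True):
                        adv.products.add(cpe_vendor_product(m["criteria"]))


def build_stream(kev_feed: dict, nvd_response: dict, min_cvss: float = 7.0) -> list:
    advisories = {}
    ingest_kev(kev_feed, advisories)
    ingest_nvd(nvd_response, advisories)
    # Highest class first; within a class, higher CVSS first and unscored entries last
    return sorted(advisories.values(),
                  key=lambda a: (a.priority(min_cvss), -(a.cvss if a.cvss is not None else -1)))


# Constructed sample records in the shape of the two feeds; placeholder IDs, not real CVEs.
SAMPLE_KEV = {"vulnerabilities": [
    {"cveID": "CVE-2024-90001", "vendorProject": "ExampleCorp", "product": "EdgeGateway",
     "dateAdded": "2024-05-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-90002", "vendorProject": "ExampleCorp", "product": "Agent",
     "dateAdded": "2024-05-02", "knownRansomwareCampaignUse": "Unknown"},
]}
SAMPLE_NVD = {"vulnerabilities": [
    {"cve": {"id": "CVE-2024-90001", "published": "2024-04-30T12:00:00.000",
             "descriptions": [{"lang": "en", "value": "Unauthenticated RCE in EdgeGateway."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:examplecorp:edgegateway:*:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-2024-90003", "published": "2024-05-03T09:00:00.000",
             "descriptions": [{"lang": "en", "value": "Privilege escalation in ExampleOS."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 8.8}}]},
             "configurations": []}},
    {"cve": {"id": "CVE-2024-90004", "published": "2024-05-03T10:00:00.000",
             "descriptions": [{"lang": "en", "value": "Awaiting analysis."}],
             "metrics": {}, "configurations": []}},
]}

if __name__ == "__main__":
    for a in build_stream(SAMPLE_KEV, SAMPLE_NVD):
        print(a.priority(7.0), a.cve_id, a.cvss, a.in_kev, sorted(a.products))
```

Note the fallback paths: a CVE added to KEV before NVD has finished analysis has no CVSS score, so it cannot be in the top class on score alone, but it still outranks every non-KEV entry; and an NVD record with no metrics (common in the first days after publication) is kept rather than dropped, so it can be re-scored on a later ingest.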
Plain-English Interpretation via Claude Haiku
NVD descriptions are written for a database, not for a network operator making a patching decision under time pressure. A typical NVD description reads: "A deserialization of untrusted data vulnerability in the com.example.framework.serializer package prior to version 3.2.1 allows remote attackers to achieve arbitrary code execution via a crafted serialized object."
Technically accurate. Not immediately actionable.
SATIS runs each advisory through Claude Haiku to generate a single plain-English sentence focused on operational impact: what does this vulnerability mean for your network, stated in terms of what an attacker can do and what you should do about it. The output is terse and direct:
"Attackers are actively exploiting this Apache Log4j flaw to execute arbitrary commands on any internet-facing server running the vulnerable version — patch immediately or block outbound JNDI lookups at your perimeter."
"This unauthenticated RCE in Fortinet SSL-VPN is being used to deploy ransomware; if you're running an unpatched FortiOS gateway, treat it as compromised and patch before bringing it back online."
"High-severity privilege escalation in the Windows Print Spooler — not yet in KEV but CVSS 8.8, affects all supported Windows versions, patch in your next maintenance window."
The interpretation is generated once per advisory and cached. It is not regenerated on every API call. The intent is a human-readable summary for the analyst who needs to make a triage decision in 10 seconds, not a replacement for reading the full CVE entry.
The Dashboard Ticker
The /dashboard page now includes a scrolling advisory strip at the top of the threat panel. Each entry shows the CVE ID, a KEV badge if applicable, the CVSS score, the affected product or vendor, and the Haiku-generated interpretation.
The strip runs continuously without requiring page interaction. KEV entries are visually distinguished — they are the ones that require immediate attention, not background reading. High-CVSS non-KEV entries follow. The strip gives a security analyst opening the dashboard an immediate read on what vulnerabilities are relevant today, without leaving the page.
The API
Advisory data is available programmatically:
GET /api/v1/advisories — full advisory list, filterable by source (cisa-kev, nvd), kev=true to return only KEV entries, and min_cvss for a CVSS floor. Returns CVE ID, CVSS score, KEV status, affected products, publication date, and the AI-generated interpretation.

GET /api/v1/advisories/{cve_id} — full detail for a specific CVE, including the raw NVD description alongside the interpreted summary.

GET /api/v1/advisories/correlation — the correlation endpoint. This cross-references active SATIS threats with the advisory database using keyword matching on affected products and threat metadata. If your threat feed shows 400 active blocks targeting port 80 from known bad actors, and a current KEV entry affects Apache HTTP Server, the correlation endpoint surfaces that relationship explicitly. It connects indicators of attack to the likely exploitation vector in a single API call.
The correlation endpoint is not magic — it uses keyword and product-category matching, not deep semantic analysis. But in practice, it closes the most common gap: the one where two different teams are looking at two different dashboards and neither one has connected the spike in honeypot traffic to the CVE that was added to KEV three days ago.
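The kind of keyword and product-category matching the correlation endpoint is described as doing, as an added example that is not SATIS code. It scores each (threat, advisory) pair: a token from the observed service banner that matches the advisory's product name is strong evidence, a vendor-only match or a port-to-product-category match is weak evidence, and KEV status adds a bonus only when there is some match to begin with. The port and category tables, the scoring weights, and the threat and advisory records are all constructed for the example; the CVE IDs are placeholders, not real CVEs.

```python
"""Keyword/product-category correlation between active threat records and advisories."""
import re
from dataclasses import dataclass, field

# Port -> product categories the port commonly carries. A bare port match is weak evidence:
# plenty of things listen on 8080 that are not Tomcat. (Constructed table.)
PORT_CATEGORIES = {
    80: {"web"}, 443: {"web"}, 8080: {"web", "java-app-server"}, 8443: {"web", "java-app-server"},
    22: {"ssh"}, 445: {"smb"}, 3389: {"rdp"},
}
# "vendor:product" (as in the merged advisory stream) -> categories. (Constructed table.)
PRODUCT_CATEGORIES = {
    "apache:http_server": {"web"}, "apache:tomcat": {"web", "java-app-server"},
    "f5:nginx": {"web"}, "openbsd:openssh": {"ssh"}, "microsoft:windows": {"smb", "rdp"},
}


@dataclass
class Advisory:
    cve_id: str
    in_kev: bool
    products: set


@dataclass
class Threat:
    source_ip: str
    dst_port: int
    blocks: int
    banner: str = ""                       # service banner seen by the honeypot/sensor, if any
    tags: set = field(default_factory=set)


@dataclass
class Correlation:
    cve_id: str
    source_ip: str
    score: int
    evidence: list

    def confidence(self) -> str:
        return "strong" if self.score >= 5 else "moderate" if self.score >= 3 else "weak"


def tokens(text: str) -> set:
    """Lower-cased alphanumeric tokens, dropping version fragments and other short noise."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if len(t) > 2}


def correlate(threats: list, advisories: list, min_score: int = 1) -> list:
    out = []
    for t in threats:
        t_tokens = tokens(t.banner) | {x.lower() for x in t.tags}
        t_cats = PORT_CATEGORIES.get(t.dst_port, set())
        for a in advisories:
            score, evidence = 0, []
            for prod in a.products:
                vendor, _, product = prod.partition(":")
                prod_hit = tokens(product.replace("_", " ")) & t_tokens
                vendor_hit = tokens(vendor) & t_tokens
                if prod_hit:                     # product name seen in the banner: strong
                    score += 3
                    evidence.append(f"banner token {sorted(prod_hit)} matches {prod}")
                elif vendor_hit:                 # vendor only ("Apache" covers many products): weak
                    score += 1
                    evidence.append(f"vendor token {sorted(vendor_hit)} matches {prod}")
                cats = PRODUCT_CATEGORIES.get(prod, set()) & t_cats
                if cats:                         # port category only: weak
                    score += 1
                    evidence.append(f"port {t.dst_port} category {sorted(cats)} matches {prod}")
            if a.in_kev and score:               # KEV raises priority, but does not create a match
                score += 2
                evidence.append("advisory is in CISA KEV")
            if score >= min_score:
                out.append(Correlation(a.cve_id, t.source_ip, score, evidence))
    return sorted(out, key=lambda c: -c.score)   # stable: ties keep input order


# Constructed sample input; documentation-range IPs and placeholder CVE IDs.
SAMPLE_THREATS = [
    Threat("198.51.100.7", 8080, 400, banner="Apache Tomcat/9.0.50", tags={"honeypot"}),
    Threat("203.0.113.9", 445, 120),
    Threat("192.0.2.5", 80, 50, banner="nginx/1.18.0"),
]
SAMPLE_ADVISORIES = [
    Advisory("CVE-2024-90010", True, {"apache:tomcat"}),
    Advisory("CVE-2024-90011", False, {"apache:http_server"}),
    Advisory("CVE-2024-90012", True, {"microsoft:windows"}),
]

if __name__ == "__main__":
    for c in correlate(SAMPLE_THREATS, SAMPLE_ADVISORIES):
        print(c.confidence(), c.score, c.cve_id, c.source_ip, "; ".join(c.evidence))
```

Run on the sample, the Tomcat banner on port 8080 against the KEV Tomcat advisory scores 6 ("strong"), while the same banner also produces a weak hit on the Apache HTTP Server advisory through the shared vendor token, and the nginx host on port 80 picks up a "moderate" hit on the Tomcat advisory through nothing more than the web-port category plus the KEV bonus. That is exactly the false-positive shape keyword matching produces, which is why the evidence list travels with the score: an analyst should be able to see that a correlation rests on a port number alone before acting on it.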
Why This Belongs in a Threat Intelligence Platform
The boundary between "indicators of compromise" (IPs, domains, hashes) and "vulnerability intelligence" (CVEs, CVSS, affected software) has historically been maintained by organizational structure as much as technical necessity. The SOC watches the SIEM; the vulnerability management team watches Tenable or Qualys. Neither has a complete picture.
SATIS now holds both sides. Active threats — blockchain-attested, real-time, multi-source — alongside the CVE advisories that explain what attackers are doing with those threats. On the same dashboard, with explicit correlation between them. The gap that requires two tools is now a single API call.
Availability
Advisory intelligence is included on all plans — Community through Enterprise — at no additional cost. The CISA KEV catalog and NVD feed update daily. The correlation endpoint requires an API key. The dashboard ticker is available to all authenticated users.
See the API documentation for full endpoint details.