Prioritizing What Matters: Bringing CVE Intelligence to Splunk

I spend a significant amount of my time thinking about EPSS, CVSS, and the inherent gaps in how we prioritize vulnerabilities. We all know the drill: a 9.8 CRITICAL that remains unexploited shouldn’t jump the line ahead of a 7.5 HIGH that is being actively used in the wild. Closing that gap between theoretical severity and actual exploitability is why I started RogoLabs and why I built cve.icu.

Today, I’m releasing an update to my CVE Intelligence TA for Splunk on Splunkbase. It is a free, open-source Splunk add-on designed to help security teams move past “CVSS-only” thinking.

What’s New in v2.0

The initial release handled basic ingestion, but the feedback I received over the past week was clear: you needed more than just a list of CVEs. You needed context, probability, and speed.

In v2.0, I’ve added three critical enrichment sources to the 327,000+ vulnerabilities in the database:

  • EPSS (FIRST): Daily probability scores to help you forecast what will be exploited in the next 30 days.
  • CISA KEV: If it’s in this catalog, it’s being exploited now. This is refreshed every 6 hours.
  • CISA SSVC: Stakeholder-Specific Vulnerability Categorization data to align your priorities with CISA’s decision-making framework.

I’ve pre-joined these signals into a Risk Priority lookup. It loads instantly, so there is no more waiting on expensive, complex searches to tell you what to patch first.
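To make the ranking rule from the opening paragraph concrete (an exploited 7.5 HIGH outranks an unexploited 9.8 CRITICAL) and to show what a pre-joined risk-priority lookup looks like, here is an added example. It is not the add-on's own code: the four feeds are constructed sample data standing in for NVD (CVSS), FIRST (EPSS) and CISA (KEV, SSVC), and the tier rule and the `EPSS_HIGH` threshold are my assumptions, not the TA's settings.

```python
"""
Build a pre-joined "risk priority" lookup from CVSS, EPSS, KEV and SSVC feeds.

Added example, not the TA's own code. All four feeds below are constructed
sample data; the tier rule and EPSS_HIGH threshold are assumptions.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample feeds (stand-ins for NVD, FIRST EPSS, CISA KEV, CISA SSVC).
CVSS = {  # cve -> (base score, severity)
    "CVE-0000-0001": (9.8, "CRITICAL"),
    "CVE-0000-0002": (7.5, "HIGH"),
    "CVE-0000-0003": (8.1, "HIGH"),
    "CVE-0000-0004": (5.3, "MEDIUM"),
}
EPSS = {  # cve -> probability of exploitation in the next 30 days
    "CVE-0000-0001": 0.004,
    "CVE-0000-0002": 0.910,
    "CVE-0000-0003": 0.250,
    "CVE-0000-0004": 0.001,
}
KEV = {"CVE-0000-0002"}  # CVEs listed in CISA's Known Exploited Vulnerabilities catalog
SSVC = {  # cve -> SSVC "exploitation" decision point: none / poc / active
    "CVE-0000-0002": "active",
    "CVE-0000-0003": "poc",
}

EPSS_HIGH = 0.10  # assumed threshold; tune to your own risk appetite


@dataclass
class RiskRow:
    cve: str
    cvss: float
    severity: str
    epss: float
    in_kev: bool
    ssvc_exploitation: str
    tier: int  # 1 = exploited now, 2 = likely soon, 3 = everything else


def classify(cve: str) -> RiskRow:
    """Join the four signals for one CVE and assign an assumed priority tier."""
    cvss, severity = CVSS.get(cve, (0.0, "NONE"))
    epss = EPSS.get(cve, 0.0)
    in_kev = cve in KEV
    exploitation = SSVC.get(cve, "none")
    if in_kev or exploitation == "active":
        tier = 1  # confirmed exploitation: patch first regardless of CVSS
    elif epss >= EPSS_HIGH:
        tier = 2  # not confirmed, but EPSS says exploitation is likely soon
    else:
        tier = 3  # fall back to CVSS ordering
    return RiskRow(cve, cvss, severity, epss, in_kev, exploitation, tier)


def build_lookup() -> list:
    """Return all rows ranked by tier, then EPSS, then CVSS (all descending)."""
    rows = [classify(c) for c in CVSS]
    # Severity alone never promotes a CVE past one that is being exploited.
    rows.sort(key=lambda r: (r.tier, -r.epss, -r.cvss))
    return rows


def to_csv(rows) -> str:
    """Serialize the ranked rows as a CSV lookup table."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["cve", "cvss", "severity", "epss", "in_kev", "ssvc_exploitation", "tier"])
    for r in rows:
        w.writerow([r.cve, r.cvss, r.severity, f"{r.epss:.3f}",
                    int(r.in_kev), r.ssvc_exploitation, r.tier])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_lookup()))
```

Run it and the 7.5 HIGH that is in KEV lands at the top, the 8.1 HIGH with a 25% EPSS comes second, and the 9.8 CRITICAL with a 0.4% EPSS drops to third. Precomputing this table once is what makes the Splunk side cheap: a search only has to `lookup` the CVE id against the CSV instead of joining three feeds at query time.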

Dashboards for Practitioners

I’ve included four Dashboard Studio v2 views to help you visualize the landscape:

  • CVE Explorer: Filter the full database by vendor, CWE, or keyword.
  • Risk Priority: This is the core of the update. It ranks CVEs by actual risk, allowing you to filter by EPSS thresholds or KEV status immediately.
  • Vulnerability Landscape: An executive-level view of posture, severity distribution, and KEV growth trends.
  • Operational Health: A simple way to monitor the add-on’s baseline and incremental delta runs.

Zero Configuration (Really)

I heard you on the setup complexity of v1.x. For v2.0, I wanted a “drop-in” experience. There are no API keys to manage and no setup pages to click through. Once installed, the modular input pulls the baseline and starts hourly updates automatically.

Open Source and Building in Public

This update exists because of the bug reports and feature requests I received from the community over the last seven days. I’m a firm believer in building in public, and your feedback directly shaped the EPSS/KEV integration and the zero-config model.

CVE Intelligence for Splunk is available now on Splunkbase and is licensed under Apache 2.0.

If you have ideas for v3.0 or run into issues, open an issue on GitHub or reach out to me on X or LinkedIn.
