A modular Python-based threat intelligence project centered around the CISA Known Exploited Vulnerabilities (KEV) catalog. The goal is to create an extensible system for tracking, enriching, and acting on KEV data for defenders, CTI analysts, and researchers.
This project is divided into multiple sub-projects/modules.
A monitoring module that detects when new entries appear in the CISA KEV catalog and notifies via webhook.
- 🛡️ Detects new KEV entries automatically
- 🔔 Sends alerts to Slack or other webhook-compatible services
- ⏱️ Supports both cron and manual execution
- 🧠 Designed for future enrichment and integration with threat intelligence workflows
- Python 3.6+
- Required libraries: requests, rich, tabulate
Install requirements manually (if not using editable install):
pip install -r requirements.txt

The simplest form of a CISA KEV Watcher: it fetches the latest KEV list, detects new entries, and sends alerts to configured webhooks.
If you don't need all the extra features, this version is designed for quick integration into automation and monitoring workflows.
It is an independent script and can be run standalone.
simple/cisa_kev_watcher.py
Webhook configuration is required for notifications. Add webhook URLs.
simple/config/webhook.conf
Slack=https://hooks.slack.com/services/XXX/YYY/ZZZ
TeamsA=https://your-teamsa-webhook-url
TeamsB=https://your-teamsb-webhook-url
Set up a cronjob to monitor new KEVs regularly.
Example: run every hour
0 * * * * /usr/bin/python3 /opt/cisakev/simple/cisa_kev_watcher.py

Warning
Use the full path for python3 in your project directory to avoid environment issues with cron.
Tip
Added Product Blacklist Support:
- You can now filter out products you don't want to receive notifications for.
- Edit the file at simple/config/product_blacklist.txt and list vendor-project or product or combinations of both.
  - e.g., Apple or fortinetfortios or ColdFusion, one per line.
- The system defaults to blacklist mode. You can also switch to whitelist if needed.
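The watcher flow described above (detect new catalog entries, then apply the product list in blacklist or whitelist mode before alerting), as an added example that is not the project's own code. The function names, the word-matching rule and the sample entries are assumptions; the field names follow CISA's published KEV JSON feed.

```python
import json

# Constructed sample in the shape of the KEV JSON feed (not real catalog entries).
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "Apple", "product": "iOS",
     "shortDescription": "Constructed entry A."},
    {"cveID": "CVE-0000-0002", "vendorProject": "Fortinet", "product": "FortiOS",
     "shortDescription": "Constructed entry B."},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleCorp", "product": "Gateway",
     "shortDescription": "Constructed entry C."},
]})


def new_entries(feed_json, seen_ids):
    """Return catalog entries whose cveID was not seen on a previous run."""
    vulns = json.loads(feed_json).get("vulnerabilities", [])
    return [v for v in vulns if v.get("cveID") and v["cveID"] not in seen_ids]


def matches(entry, terms):
    """Assumed rule: a term matches when each of its words occurs,
    case-insensitively, in the entry's 'vendorProject product' string."""
    haystack = f"{entry.get('vendorProject', '')} {entry.get('product', '')}".lower()
    return any(all(w in haystack for w in t.lower().split())
               for t in terms if t.strip())


def apply_filter(entries, terms, mode="blacklist"):
    """blacklist: drop matching entries; whitelist: keep only matching entries."""
    if mode not in ("blacklist", "whitelist"):
        raise ValueError(f"unknown filter mode: {mode}")
    # An empty whitelist therefore suppresses every alert.
    return [e for e in entries if matches(e, terms) == (mode == "whitelist")]


def slack_payload(entries):
    """Build the JSON body for a Slack incoming webhook ('text' field)."""
    lines = [f"*{e['cveID']}* {e['vendorProject']} {e['product']}: "
             f"{e['shortDescription']}" for e in entries]
    return {"text": "New CISA KEV entries:\n" + "\n".join(lines)}


if __name__ == "__main__":
    seen = {"CVE-0000-0001"}                    # state kept from the last run
    fresh = new_entries(SAMPLE_FEED, seen)
    keep = apply_filter(fresh, ["fortinet fortios"])
    print(json.dumps(slack_payload(keep), indent=2))
```

With an empty seen set every catalog entry counts as new, so a first run should record the current IDs rather than alert on all of them.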
- Clone the repository:
git clone https://github.com/zen29d/cisakev.git
cd cisakev
- (Optional) Create and activate a virtual environment:
python3 -m venv pycisa
source pycisa/bin/activate
- Install the package locally:
pip install .
Run CLI directly from the shell after installing:
cisakev

The CLI provides a flexible query system against the locally stored KEV database.
Example usage:
cisakev list --cve CVE-2023-12345
cisakev list --vendor "Cisco"
cisakev list --date "2025-03-15"

cisakev
cisakev --help
cisakev list --help

- CVE Enrichment
  Augment KEV data with additional intelligence from:
  - NVD
  - CVSS / CWE scores
  - References and exploitability metadata
- CLI and Queryable Data
  - CLI tool
  - Uses SQLite for fast lookup and filtering
  - Export options and stats available
- Public PoC Scraper
  Automatically search for public PoCs from:
  - GitHub (using GitHub API)
  - ExploitDB
  - Other OSINT sources
- Web UI
Slack/webhook alerts will display the latest added KEVs, their CVE IDs, vendors, and brief summaries.
The system provides rich logs for terminal or file output (ideal for cron):
- Internal vulnerability tracking
- Security team alerting
- Threat intelligence workflows
- SOC automation pipelines
- Home labs and CTI research environments
- Version: 1.1.1_alpha
Part of ongoing CVE automation research and threat intelligence tooling



