Real-Time CVE Monitoring & Threat Intelligence
The Threat Researcher is your always-on intelligence analyst. It monitors global vulnerability databases, tracks active exploit campaigns, maps attack tactics to the MITRE ATT&CK framework, and delivers actionable briefings β all in real time. Every new CVE published to NVD is evaluated within minutes to determine whether any of your clients run affected software.
Unlike a static vulnerability scanner, Threat Researcher operates on live intelligence feeds. When a zero-day is disclosed at 2am, Threat Researcher is already cross-referencing it against your client asset inventory and queuing alerts before your team starts their morning coffee.
Threat Researcher replaces manual CVE triage, weekly threat digest subscriptions, and expensive dedicated threat intelligence platforms. MSP partners using this agent report saving 8β15 hours per week previously spent reading security bulletins and manually assessing client exposure.
The agent runs a continuous five-stage enrichment pipeline. Every new CVE or threat indicator that enters the pipeline is processed end-to-end, typically within 4β8 minutes of initial disclosure.
Pull CVEs from NVD + live feeds
MITRE ATT&CK tactic tagging
CVSS v3 severity + client exposure
Cross-ref client asset inventory
Push to dashboard + notify
Threat Researcher aggregates intelligence from multiple authoritative and community sources, refreshed continuously throughout the day.
| Source | Type | Refresh Rate | What It Provides |
|---|---|---|---|
| NVD β NIST National Vulnerability Database | CVE Registry | Every 2 hours | Official CVE records, CVSS v3 base scores, affected product CPE strings, patch links |
| MITRE ATT&CK | Tactic Framework | Weekly sync | Technique-to-tactic mapping, mitigation guidance, detection recommendations |
| CISA KEV (Known Exploited Vulnerabilities) | Exploit Activity Feed | Daily | CVEs confirmed as actively exploited in the wild β these become immediate alerts |
| AlienVault OTX | Community Threat Intel | Every 4 hours | IOCs (IPs, domains, hashes) associated with active malware and ransomware campaigns |
| AbuseIPDB | IP Reputation | Real-time | Reputation scores for IP addresses detected in client network traffic |
| Shodan | Internet Exposure | Weekly | External-facing service enumeration β detects exposed ports and banners for client IP ranges |
| Exploit-DB | Proof-of-Concept Exploits | Daily | Flags CVEs for which public exploit code exists β dramatically increases alert urgency |
Every vulnerability is assigned a CVSS (Common Vulnerability Scoring System) v3 base score from 0.0 to 10.0. The score reflects the intrinsic characteristics of the vulnerability, independent of your specific environment. Threat Researcher also computes an Environmental Score that adjusts the base CVSS based on how many of your clients run the affected software and what data those systems handle.
| Score Range | Severity | Alert Behavior | Expected Response Time |
|---|---|---|---|
| 9.0 β 10.0 | Critical | Immediate push notification + email + dashboard red banner. All affected clients alerted. | Patch or mitigate within 24 hours |
| 7.0 β 8.9 | High | Dashboard alert + email digest. Included in daily briefing with remediation steps. | Patch within 72 hours |
| 4.0 β 6.9 | Medium | Added to weekly briefing. No immediate push notification unless exploit code confirmed. | Patch within 30 days |
| 0.1 β 3.9 | Low | Logged silently. Appears in weekly trend report. No proactive notification. | Address in next maintenance window |
| 0.0 | Informational | Audit log only. Not escalated unless part of a CVE chain. | No action required |
A CVSS 9.0 or higher vulnerability means that exploitation is trivially easy, requires no authentication, and can result in full system compromise or data exfiltration. When Threat Researcher fires a Critical alert, treat it as an incident in progress β not a to-do. Check whether exploit code is public (shown in the alert) and whether the CVE appears on the CISA KEV list.
Understanding what drives a score helps you assess real-world risk:
| Component | What It Measures | High-Risk Value |
|---|---|---|
| Attack Vector (AV) | How is the vulnerability reachable? | Network (N) β remotely exploitable over the internet |
| Attack Complexity (AC) | How hard is it to exploit? | Low (L) β no special conditions required |
| Privileges Required (PR) | What access level does the attacker need? | None (N) β works as an unauthenticated user |
| User Interaction (UI) | Does a victim need to do anything? | None (N) β fully automated exploitation |
| Confidentiality Impact (C) | Can data be read? | High (H) β full data disclosure |
| Integrity Impact (I) | Can data be modified? | High (H) β full data modification |
| Availability Impact (A) | Can the system be taken down? | High (H) β total service loss |
Every CVE and threat indicator is automatically mapped to one or more tactics in the MITRE ATT&CK Enterprise framework. This tells you what adversaries are trying to achieve with an exploit, not just that a vulnerability exists β making remediation prioritization and detection engineering significantly more actionable.
Threat Researcher maps to all 14 ATT&CK Enterprise tactics. Understanding where a vulnerability falls in the kill chain determines how urgently it needs to be patched.
Vulnerabilities mapped to Initial Access (TA0001) and Execution (TA0002) are the highest priority to patch β they represent the entry point. Vulnerabilities mapped to Impact (TA0040) indicate a threat that can cause immediate, visible damage like ransomware or data destruction if already inside the perimeter.
Threat Researcher generates two types of briefings automatically: a Daily Threat Briefing delivered each morning and a Weekly Threat Brief delivered every Monday. Both are available in the dashboard and can be pushed to email or Slack.
| Feature | Daily Briefing | Weekly Brief |
|---|---|---|
| Delivery time | 7:00am local (configurable) | Monday 8:00am local |
| Scope | Last 24 hours of CVEs and alerts | Full prior week + trend analysis |
| CVE count | Critical and High only | All severities, sorted by priority |
| Client exposure mapping | Yes β clients affected listed by name | Yes β full affected client roster per CVE |
| MITRE ATT&CK mapping | Yes β tactic tags on each CVE | Yes β plus tactic trend analysis |
| Trend analysis | No | Yes β week-over-week CVE volume, emerging attack types |
| IOC list | IPs and domains from last 24 hours | Full week IOC digest with context |
| Format | Compact β 1β2 pages, actionable bullets | Full report β 4β8 pages with executive summary |
CVE-2026-29441 Critical 9.8 β Remote code execution in Apache HTTP Server 2.4.57 via malformed request headers. No auth required. Exploit code public on GitHub. 3 clients affected: Cascade Orthopedics, Valley Dental, Redwood CPA. CISA KEV listed. Patch immediately β Apache 2.4.58 available.
CVE-2026-30112 High 8.1 β Privilege escalation in Windows Server 2019 LSASS component. Auth required but exploitable by any domain user. TA0004 Privilege Escalation. 7 clients affected. Patch Tuesday cycle β schedule within 72 hours.
BlackCat ransomware group (ALPHV) actively targeting healthcare providers in the Pacific Northwest using spear-phishing + CVE-2026-29441 for lateral movement. All healthcare clients have been auto-enrolled in elevated monitoring. IOCs appended below.
12 new malicious IPs added to blocklist. 4 new malicious domains. 2 new file hashes (ransomware payloads). Full IOC list exported to your firewall integration automatically.
The CVE Watchlist lets you track specific vulnerabilities that matter to your client base. Add any CVE by ID and Threat Researcher will notify you every time new information is published about it: patch releases, public exploit availability, CISA KEV listing, new affected products, or researcher analysis.
Access the watchlist at Agents β Threat Researcher β CVE Watchlist. Add CVEs by ID
(CVE-YYYY-NNNNN format) or by searching for a product name. You can also assign a watchlist
entry to a specific client so alerts are routed to that client's notification channel rather than the
global feed.
The Weekly Brief includes a trend analysis section that tracks week-over-week changes in the threat landscape. This is the most useful section for preparing QBR (quarterly business review) presentations and justifying security spend to clients.
| Metric | Description | Why It Matters |
|---|---|---|
| Total CVEs Published | Count of new CVEs across all severities, this week vs. last week | Rising volume means attackers have more ammo to work with. Used to justify continuous patching programs. |
| Critical CVE Rate | Percentage of published CVEs scoring Critical (9.0+) | An increasing Critical rate signals more destructive vulnerabilities entering the wild. |
| Time-to-Exploit (TTE) | Average days from CVE disclosure to confirmed public exploit code | Tracks how fast the exploit market is moving. A shrinking TTE means your patch window is narrowing. |
| Top Targeted Products | Software products with the most new CVEs this week | Tells you which technology categories need extra attention in your client stack. |
| MITRE Tactic Heatmap | Which ATT&CK tactics had the most new CVE associations | Shows whether the current threat wave is focused on initial access, persistence, exfiltration, etc. |
| Client Exposure Score | Average CVSS weighted by number of affected clients, this week vs. last week | Your primary metric for reporting to clients and measuring the value of patching programs over time. |
Threat Researcher is the primary source of security alerts in Gridlock. When a CVE is discovered that matches your client asset inventory, the agent automatically generates a structured alert that flows through the full alert lifecycle.
On the Ultimate plan, Threat Researcher can trigger automated remediation actions for a subset of vulnerability types β including patch deployment via RMM integration, firewall rule updates for newly identified malicious IPs, and account lockout for credentials found in breach databases. Review your auto-remediation policy at Settings β Automation β Threat Researcher.
Indicators of Compromise (IOCs) are artifacts β IP addresses, domain names, file hashes, URLs, email addresses β that indicate a system may have been compromised or is under attack. Threat Researcher extracts IOCs from all threat intelligence sources and publishes them in three forms.
| IOC Type | Example | Action Taken |
|---|---|---|
| IPv4 / IPv6 Address | 185.220.101.47 | Added to IP blocklist. Checked against client firewall logs for prior connections. |
| Domain / Hostname | update-secure-cdn[.]net | Added to DNS blocklist. Checked against client DNS query logs. |
| URL | http://malicious[.]example/payload.exe | Added to web filter blocklist if proxy integration is configured. |
| File Hash (MD5/SHA256) | d41d8cd98f00b204e9800998ecf8427e | Sent to endpoint agents for scan. Alerts fired if hash detected on any client system. |
| Email Address | phisher@spoof-domain[.]ru | Added to email filter deny list. Alert if this address sends to any client inbox. |
| YARA Rule | rule BlackCat_Ransomware_2026 {...} | Pushed to endpoint detection where supported for behavioral matching. |
All IOCs are exportable in standard formats from Agents β Threat Researcher β IOC Export: STIX 2.1 (structured threat intelligence exchange), plain CSV, Snort/Suricata rules, or a flat text list suitable for firewall import. IOC exports can also be scheduled to push automatically to your firewall or SIEM via the API.
Automatically consumes Threat Researcher findings to update control scores, generate remediation evidence, and flag compliance gaps opened by unpatched CVEs.
When Threat Researcher fires a Critical alert, Tech Support can generate a step-by-step remediation runbook for the affected client environment.
Account Manager uses the Threat Researcher exposure score as one of its client health signals β high unresolved CVE counts will trigger a churn-risk flag.