Getting Started
Quick Start Architecture
AI Agents
MSP Hunter Threat Researcher Tech Support Compliance Agent Account Manager Onboarding Agent
Compliance
HIPAA SOC 2 PCI-DSS NIST
Guides
First 30 Days Scaling
API
Overview Endpoints

Threat Researcher

Real-Time CVE Monitoring & Threat Intelligence

What It Does

The Threat Researcher is your always-on intelligence analyst. It monitors global vulnerability databases, tracks active exploit campaigns, maps attack tactics to the MITRE ATT&CK framework, and delivers actionable briefings β€” all in real time. Every new CVE published to NVD is evaluated within minutes to determine whether any of your clients run affected software.

Unlike a static vulnerability scanner, Threat Researcher operates on live intelligence feeds. When a zero-day is disclosed at 2am, Threat Researcher is already cross-referencing it against your client asset inventory and queuing alerts before your team starts their morning coffee.

What This Agent Replaces

Threat Researcher replaces manual CVE triage, weekly threat digest subscriptions, and expensive dedicated threat intelligence platforms. MSP partners using this agent report saving 8–15 hours per week previously spent reading security bulletins and manually assessing client exposure.

How It Works

The agent runs a continuous five-stage enrichment pipeline. Every new CVE or threat indicator that enters the pipeline is processed end-to-end, typically within 4–8 minutes of initial disclosure.

πŸ“‘ Ingest

Pull CVEs from NVD + live feeds

πŸ—ΊοΈ Map

MITRE ATT&CK tactic tagging

πŸ”’ Score

CVSS v3 severity + client exposure

πŸ”Ž Match

Cross-ref client asset inventory

🚨 Alert

Push to dashboard + notify

Data Sources

Threat Researcher aggregates intelligence from multiple authoritative and community sources, refreshed continuously throughout the day.

Source Type Refresh Rate What It Provides
NVD β€” NIST National Vulnerability Database CVE Registry Every 2 hours Official CVE records, CVSS v3 base scores, affected product CPE strings, patch links
MITRE ATT&CK Tactic Framework Weekly sync Technique-to-tactic mapping, mitigation guidance, detection recommendations
CISA KEV (Known Exploited Vulnerabilities) Exploit Activity Feed Daily CVEs confirmed as actively exploited in the wild β€” these become immediate alerts
AlienVault OTX Community Threat Intel Every 4 hours IOCs (IPs, domains, hashes) associated with active malware and ransomware campaigns
AbuseIPDB IP Reputation Real-time Reputation scores for IP addresses detected in client network traffic
Shodan Internet Exposure Weekly External-facing service enumeration β€” detects exposed ports and banners for client IP ranges
Exploit-DB Proof-of-Concept Exploits Daily Flags CVEs for which public exploit code exists β€” dramatically increases alert urgency

CVSS Scoring

Every vulnerability is assigned a CVSS (Common Vulnerability Scoring System) v3 base score from 0.0 to 10.0. The score reflects the intrinsic characteristics of the vulnerability, independent of your specific environment. Threat Researcher also computes an Environmental Score that adjusts the base CVSS based on how many of your clients run the affected software and what data those systems handle.

CVSS Score Bands

Score Range Severity Alert Behavior Expected Response Time
9.0 – 10.0 Critical Immediate push notification + email + dashboard red banner. All affected clients alerted. Patch or mitigate within 24 hours
7.0 – 8.9 High Dashboard alert + email digest. Included in daily briefing with remediation steps. Patch within 72 hours
4.0 – 6.9 Medium Added to weekly briefing. No immediate push notification unless exploit code confirmed. Patch within 30 days
0.1 – 3.9 Low Logged silently. Appears in weekly trend report. No proactive notification. Address in next maintenance window
0.0 Informational Audit log only. Not escalated unless part of a CVE chain. No action required
CVSS 9.0+ Requires Immediate Action

A CVSS 9.0 or higher vulnerability means that exploitation is trivially easy, requires no authentication, and can result in full system compromise or data exfiltration. When Threat Researcher fires a Critical alert, treat it as an incident in progress β€” not a to-do. Check whether exploit code is public (shown in the alert) and whether the CVE appears on the CISA KEV list.

CVSS v3 Score Components

Understanding what drives a score helps you assess real-world risk:

Component What It Measures High-Risk Value
Attack Vector (AV) How is the vulnerability reachable? Network (N) β€” remotely exploitable over the internet
Attack Complexity (AC) How hard is it to exploit? Low (L) β€” no special conditions required
Privileges Required (PR) What access level does the attacker need? None (N) β€” works as an unauthenticated user
User Interaction (UI) Does a victim need to do anything? None (N) β€” fully automated exploitation
Confidentiality Impact (C) Can data be read? High (H) β€” full data disclosure
Integrity Impact (I) Can data be modified? High (H) β€” full data modification
Availability Impact (A) Can the system be taken down? High (H) β€” total service loss

MITRE ATT&CK Mapping

Every CVE and threat indicator is automatically mapped to one or more tactics in the MITRE ATT&CK Enterprise framework. This tells you what adversaries are trying to achieve with an exploit, not just that a vulnerability exists β€” making remediation prioritization and detection engineering significantly more actionable.

Threat Researcher maps to all 14 ATT&CK Enterprise tactics. Understanding where a vulnerability falls in the kill chain determines how urgently it needs to be patched.

TA0043
Reconnaissance
Gathering target info before attack
TA0042
Resource Development
Staging attacker infrastructure
TA0001
Initial Access
Getting a foothold in the network
TA0002
Execution
Running attacker-controlled code
TA0003
Persistence
Maintaining access across reboots
TA0004
Privilege Escalation
Gaining higher-level permissions
TA0005
Defense Evasion
Avoiding detection tools
TA0006
Credential Access
Stealing account credentials
TA0007
Discovery
Learning the target environment
TA0008
Lateral Movement
Moving through the network
TA0009
Collection
Gathering target data
TA0011
Command & Control
Communicating with compromised systems
TA0010
Exfiltration
Stealing data out of the network
TA0040
Impact
Ransomware, destruction, disruption
Kill Chain Priority

Vulnerabilities mapped to Initial Access (TA0001) and Execution (TA0002) are the highest priority to patch β€” they represent the entry point. Vulnerabilities mapped to Impact (TA0040) indicate a threat that can cause immediate, visible damage like ransomware or data destruction if already inside the perimeter.

Threat Briefing Generation

Threat Researcher generates two types of briefings automatically: a Daily Threat Briefing delivered each morning and a Weekly Threat Brief delivered every Monday. Both are available in the dashboard and can be pushed to email or Slack.

Daily vs. Weekly Briefing Comparison

Feature Daily Briefing Weekly Brief
Delivery time 7:00am local (configurable) Monday 8:00am local
Scope Last 24 hours of CVEs and alerts Full prior week + trend analysis
CVE count Critical and High only All severities, sorted by priority
Client exposure mapping Yes β€” clients affected listed by name Yes β€” full affected client roster per CVE
MITRE ATT&CK mapping Yes β€” tactic tags on each CVE Yes β€” plus tactic trend analysis
Trend analysis No Yes β€” week-over-week CVE volume, emerging attack types
IOC list IPs and domains from last 24 hours Full week IOC digest with context
Format Compact β€” 1–2 pages, actionable bullets Full report β€” 4–8 pages with executive summary

Sample Daily Briefing

Gridlock Daily Threat Briefing
Friday, June 6, 2026  Β·  7:00 AM

CVE-2026-29441 Critical 9.8 β€” Remote code execution in Apache HTTP Server 2.4.57 via malformed request headers. No auth required. Exploit code public on GitHub. 3 clients affected: Cascade Orthopedics, Valley Dental, Redwood CPA. CISA KEV listed. Patch immediately β€” Apache 2.4.58 available.

CVE-2026-30112 High 8.1 β€” Privilege escalation in Windows Server 2019 LSASS component. Auth required but exploitable by any domain user. TA0004 Privilege Escalation. 7 clients affected. Patch Tuesday cycle β€” schedule within 72 hours.

BlackCat ransomware group (ALPHV) actively targeting healthcare providers in the Pacific Northwest using spear-phishing + CVE-2026-29441 for lateral movement. All healthcare clients have been auto-enrolled in elevated monitoring. IOCs appended below.

12 new malicious IPs added to blocklist. 4 new malicious domains. 2 new file hashes (ransomware payloads). Full IOC list exported to your firewall integration automatically.

CVE Watchlist

The CVE Watchlist lets you track specific vulnerabilities that matter to your client base. Add any CVE by ID and Threat Researcher will notify you every time new information is published about it: patch releases, public exploit availability, CISA KEV listing, new affected products, or researcher analysis.

When to Use the Watchlist

Managing the Watchlist

Access the watchlist at Agents β†’ Threat Researcher β†’ CVE Watchlist. Add CVEs by ID (CVE-YYYY-NNNNN format) or by searching for a product name. You can also assign a watchlist entry to a specific client so alerts are routed to that client's notification channel rather than the global feed.

The Weekly Brief includes a trend analysis section that tracks week-over-week changes in the threat landscape. This is the most useful section for preparing QBR (quarterly business review) presentations and justifying security spend to clients.

Metrics Tracked in Trend Analysis

Metric Description Why It Matters
Total CVEs Published Count of new CVEs across all severities, this week vs. last week Rising volume means attackers have more ammo to work with. Used to justify continuous patching programs.
Critical CVE Rate Percentage of published CVEs scoring Critical (9.0+) An increasing Critical rate signals more destructive vulnerabilities entering the wild.
Time-to-Exploit (TTE) Average days from CVE disclosure to confirmed public exploit code Tracks how fast the exploit market is moving. A shrinking TTE means your patch window is narrowing.
Top Targeted Products Software products with the most new CVEs this week Tells you which technology categories need extra attention in your client stack.
MITRE Tactic Heatmap Which ATT&CK tactics had the most new CVE associations Shows whether the current threat wave is focused on initial access, persistence, exfiltration, etc.
Client Exposure Score Average CVSS weighted by number of affected clients, this week vs. last week Your primary metric for reporting to clients and measuring the value of patching programs over time.

Integration with the Alerts System

Threat Researcher is the primary source of security alerts in Gridlock. When a CVE is discovered that matches your client asset inventory, the agent automatically generates a structured alert that flows through the full alert lifecycle.

Alert Lifecycle

  1. Generated: Threat Researcher creates an alert record with CVE ID, CVSS score, MITRE tactic tags, affected clients, and remediation steps.
  2. Triaged: The agent self-triages based on severity and client exposure. Critical alerts for production clients are immediately escalated to Active status; Low severity alerts enter a review queue.
  3. Notified: Notification channels fire based on severity thresholds you configure: Critical = push + email; High = email; Medium/Low = daily digest.
  4. Assigned: Alerts can be auto-assigned to a technician by vertical or by client. The alert record includes the remediation steps Threat Researcher generated.
  5. Resolved: Once a patch is confirmed applied or a compensating control is documented, the alert is resolved and logged to the audit trail.
  6. Correlated: The Compliance Agent reads resolved alerts to automatically update compliance evidence records and control scores.
Auto-Remediation on Ultimate Plan

On the Ultimate plan, Threat Researcher can trigger automated remediation actions for a subset of vulnerability types β€” including patch deployment via RMM integration, firewall rule updates for newly identified malicious IPs, and account lockout for credentials found in breach databases. Review your auto-remediation policy at Settings β†’ Automation β†’ Threat Researcher.

IOC Extraction

Indicators of Compromise (IOCs) are artifacts β€” IP addresses, domain names, file hashes, URLs, email addresses β€” that indicate a system may have been compromised or is under attack. Threat Researcher extracts IOCs from all threat intelligence sources and publishes them in three forms.

IOC Types

IOC Type Example Action Taken
IPv4 / IPv6 Address 185.220.101.47 Added to IP blocklist. Checked against client firewall logs for prior connections.
Domain / Hostname update-secure-cdn[.]net Added to DNS blocklist. Checked against client DNS query logs.
URL http://malicious[.]example/payload.exe Added to web filter blocklist if proxy integration is configured.
File Hash (MD5/SHA256) d41d8cd98f00b204e9800998ecf8427e Sent to endpoint agents for scan. Alerts fired if hash detected on any client system.
Email Address phisher@spoof-domain[.]ru Added to email filter deny list. Alert if this address sends to any client inbox.
YARA Rule rule BlackCat_Ransomware_2026 {...} Pushed to endpoint detection where supported for behavioral matching.

IOC Export

All IOCs are exportable in standard formats from Agents β†’ Threat Researcher β†’ IOC Export: STIX 2.1 (structured threat intelligence exchange), plain CSV, Snort/Suricata rules, or a flat text list suitable for firewall import. IOC exports can also be scheduled to push automatically to your firewall or SIEM via the API.

FAQ

How does Threat Researcher know which software my clients run?

Threat Researcher builds its client asset inventory from three sources: the Gridlock network connector (which enumerates installed software and running services), RMM integration (if configured), and manual asset entries you add through the dashboard. The more complete your asset inventory, the more precise the CVE-to-client matching becomes. Start with the network connector for automatic discovery β€” it typically builds an 80–90% complete inventory within the first 24 hours.

What plan do I need for Threat Researcher?

Threat Researcher is available on all plans, including Starter ($149/mo). Starter includes the Daily Briefing and Critical/High alerting. The Weekly Brief with trend analysis and IOC export are included on Pro and Ultimate. Auto-remediation integrations require the Ultimate plan.

How is this different from a CVE scanner I can run myself?

A scanner checks a system at a point in time. Threat Researcher is continuous and context-aware. It monitors live feeds so new CVEs are evaluated within minutes, not days. It maps vulnerabilities to the ATT&CK framework so you understand the attacker's goal, not just that a patch is available. It cross-references the CISA KEV feed to prioritize CVEs that are actively being weaponized right now. And critically, it does all of this across your entire client portfolio simultaneously β€” something a manual scan process cannot scale to.

Can I reduce alert noise if I'm getting too many Medium severity alerts?

Yes. Go to Agents β†’ Threat Researcher β†’ Alert Thresholds. You can set the minimum severity for push notifications, email alerts, and dashboard banners independently. Most teams set push notifications to Critical only, email alerts to High and above, and let Medium/Low accumulate in the weekly digest. You can also mute alerts for specific CVEs (e.g., if you have a compensating control already in place) or for specific software you know is not in your client stack.