What you can do with Vulnerability Intelligence

Built for

Security Engineers, DevOps Teams, MSPs, Container Platform Owners

Example workflows

Scan node:20-slim (balanced)

Runs a local Trivy scan on a real Debian-based Node image and shows HIGH-tier fixes in patch_today.

Try this

Scan node:20-slim with policy_preset balanced. Summarize patch_today vs defer and explain one bucket_reason.

Python base — permissive patches

Contrasts policy presets on a slim API base — MEDIUM pip CVEs surface only under permissive_patches.

Try this

Scan python:3.13-slim with policy_preset permissive_patches. How many patch_today rows appear vs balanced?

Why is CRITICAL in defer?

Shows EPSS + fix-available gating — high CVSS does not auto-page.

Try this

Scan python:3.13-slim and explain why notable_deferred_critical CVEs stayed in defer despite CRITICAL scanner severity.

Analyze one CVE

Single-CVE cross-source analysis for the regreSSHion case study.

Try this

Analyze CVE-2024-6387 across NVD, KEV, and EPSS and compare CVSS rank vs composite exploit priority.

Context to know first

Do I have to paste Trivy JSON?

No. With MCPBundles Desktop connected, pass `target` on `scan_triage` and Trivy runs on your machine. Paste JSON only when Desktop is offline.

What do exploit_priority, patch_today, and defer mean?

Exploit priority = CISA KEV or EPSS above your threshold. Patch today = vendor fix available and composite tier meets your policy minimum. Defer = everything else, including scary CVSS with low EPSS and no fix.

Why would a CRITICAL CVE land in defer?

Scanner severity is not the same as exploit likelihood. Old libc/tar rows often show CRITICAL CVSS with sub-5% EPSS and no vendor fix — the policy explains each defer with bucket_reason.

AI Skill
SKILL.md

Domain knowledge for Vulnerability Intelligence — workflow patterns, data models, and gotchas for your AI agent.

Vulnerability Intelligence

Combines NIST NVD, CISA KEV, and FIRST.org EPSS into composite risk scores and container scan triage.

Container scan triage

With MCPBundles Desktop connected and a Container Scan credential bound:

  1. Call scan_triage with target (image ref like node:20-slim or filesystem).
  2. Desktop runs Trivy locally; the cloud enriches findings with NVD + KEV + EPSS.
  3. Results land in three buckets — exploit_priority, patch_today, defer — each row includes bucket_reason.
  4. Tune rules with policy_preset (balanced, strict, on_call, permissive_patches) or individual thresholds.

You can still paste Trivy/Grype JSON via scan_output when Desktop is unavailable.

Profile tools

  • manage_stack — flag CVEs that affect your declared technologies.
  • manage_watchlist — track EPSS/KEV deltas on specific CVE IDs.
  • security_briefing — daily digest of KEV additions and watchlist changes.

Tools in this Server (34)

Compare Cvss Vs Composite

Compare scanner CVSS ranking vs composite exploit-priority ranking for the same scan. Shows overlap and flipped priorities. When the workspace panel i...

Cve By Cpe

Find CVEs affecting a specific product using its exact CPE name from the NVD database. CPE format: cpe:2.3:part:vendor:product:version:*:*:*:*:*:*:* w...

Cve By Severity

Search the NIST NVD for CVEs by CVSS v3 severity (LOW, MEDIUM, HIGH, CRITICAL) with optional keyword and recency filters. Use keyword_search to narrow...

Cve By Weakness

Search the NIST NVD for CVEs by CWE weakness type with optional severity and recency filters. Common CWE IDs: CWE-79 (XSS), CWE-89 (SQL Injection), CW...

Cve History

Get the complete change history for a specific CVE from the NIST NVD. Shows when and how the CVE was modified — including analysis updates, CVSS chang...

Cve Kev

Get CVEs in the CISA KEV catalog with full NVD CVSS scoring details. These are actively exploited vulnerabilities federal agencies must remediate. Use...

Cve Lookup

Look up a specific CVE by its ID from the NIST National Vulnerability Database. Returns full details including CVSS scores, description, affected prod...

Cve Recent

Get recently published or modified CVEs from the NIST NVD. Defaults to the last 7 days of modified CVEs. Use pub_or_mod to switch between filtering by...

Cve Search

Search the NIST NVD for CVEs by keyword with optional severity and recency filters. Combine keyword + cvss_v3_severity + days_back for targeted querie...

Cwe Breakdown

Get a frequency breakdown of weakness types (CWEs) across all CISA KEV entries. Shows which vulnerability classes are most commonly exploited in the w...

Due Soon

Find CISA KEV entries with past-due or upcoming federal remediation deadlines. Overdue entries represent federally mandated patches that haven't been ...

Kev Landscape

CISA KEV catalog summary for the vulnerability intelligence workspace. When the workspace panel is open, results update the panel automatically — do n...

Lookup

Look up a specific CVE in the CISA Known Exploited Vulnerabilities catalog. Returns full KEV entry details including the required remediation action, ...

Manage Scans

Manage persisted container scan triage history. Actions: list, get (by run_id or latest for target), compare (latest two runs for target), clear. When...

Manage Stack

Manage your technology stack profile. The server remembers what you run and flags CVEs that affect your technologies in every response. Actions: add (...

Manage Watchlist

Manage your CVE watchlist. The server tracks EPSS score changes and KEV status for watched CVEs and reports deltas in every lookup and briefing. Actio...

Most Exploitable

Discover the most exploitable CVEs by EPSS score. Filter by minimum/maximum exploit probability to find vulnerabilities most likely to be exploited in...

Product Exposure

Get a KEV exposure breakdown for a specific vendor — how many actively exploited vulnerabilities affect each of their products, and which products hav...

Ransomware

Get CISA KEV entries that are linked to known ransomware campaigns. These are the highest-priority vulnerabilities — actively exploited AND used by ra...

Recent

Get the most recently added vulnerabilities to the CISA KEV catalog. Results are sorted newest-first. Use days_back to control the lookback window. Cr...

Risk Report

Generate a threat landscape report showing how many CVEs fall into each EPSS risk band (CRITICAL/HIGH/MEDIUM/LOW). Provides total counts at each thres...

Scan Triage

Triage container vulnerabilities. With a Container Scan credential and Desktop connected, pass target (image or filesystem) to run Trivy locally, then...

Score At Date

Get the EPSS exploit prediction score for a CVE at a specific historical date. Useful for understanding how exploit risk has evolved, or for retrospec...

Score By Percentile

Find CVEs by EPSS percentile ranking. The percentile shows where a CVE ranks relative to all other scored CVEs. A percentile of 0.99 means the CVE has...

Score History

Get the 30-day EPSS score trend for a specific CVE. Shows how the exploit prediction probability has changed over the past month. Useful for identifyi...

Score Lookup

Look up EPSS exploit prediction scores for one or more CVEs. Returns the probability (0-1) that each CVE will be exploited in the wild within 30 days,...

Search

Search the CISA KEV catalog by vendor, product, vulnerability name, or keyword. Case-insensitive full-text search across all fields. Use ransomware_on...

Search

Search the EPSS database by CVE ID pattern. Find all scored CVEs matching a text pattern — useful for year-based analysis (e.g., 'CVE-2025'), vendor-r...

Security Briefing

Security briefing — KEV catalog changes, watchlist deltas, stack exposure, and scan regression since your last briefing. When the workspace panel is o...

Stats

Get a summary of the CISA Known Exploited Vulnerabilities catalog: total count, catalog version, date released, how many were added in the last 7/30/9...

Triage

Check a list of CVEs from a vulnerability scan against the CISA KEV catalog. Returns which CVEs are confirmed actively exploited (in KEV), which are n...

Triage

Triage a list of CVEs from a vulnerability scan by exploit probability. Pass in CVE IDs from a scan report and get back a prioritized remediation plan...

Vulnerability Analyze

Full cross-source vulnerability analysis: NVD CVE details + EPSS exploit probability + CISA KEV status + composite risk score. Fetches all three sourc...

Vulnerability Intelligence Open App

Open the Vulnerability Intelligence workspace. Use when the user asks to view the triage panel before running scan_triage, security_briefing, or KEV l...

Required Providers (4)

CISA KEV

Security & Auth
The CISA Known Exploited Vulnerabilities (KEV) Catalog is the authoritative U.S. government list of vulnerabilities...
Tools
13 tools

NIST NVD

Security & Auth
The NIST National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability...
Tools
11 tools

EPSS

Security & Auth
The Exploit Prediction Scoring System (EPSS) by FIRST.org estimates the probability that a CVE will be exploited in the...
Tools
12 tools

Container Scan

Security & Auth
Run Trivy or Grype on your machine via MCPBundles Desktop. Used by Vulnerability Intelligence scan_triage to scan...
Tools
2 tools

Frequently Asked Questions

Do I have to paste Trivy JSON?

No. With MCPBundles Desktop connected, pass `target` on `scan_triage` and Trivy runs on your machine. Paste JSON only when Desktop is offline.

What do exploit_priority, patch_today, and defer mean?

Exploit priority = CISA KEV or EPSS above your threshold. Patch today = vendor fix available and composite tier meets your policy minimum. Defer = everything else, including scary CVSS with low EPSS and no fix.

Why would a CRITICAL CVE land in defer?

Scanner severity is not the same as exploit likelihood. Old libc/tar rows often show CRITICAL CVSS with sub-5% EPSS and no vendor fix — the policy explains each defer with bucket_reason.

What is permissive_patches vs balanced?

Balanced requires HIGH+ tier before patch_today when a fix exists. Permissive_patches lowers the bar to MEDIUM+, which surfaces pip/npm fixes on slim Python bases that balanced would defer.

How do I connect Vulnerability Intelligence to my AI agent?

Add the MCPBundles server URL to your MCP client configuration (Claude Desktop, Cursor, VS Code, etc.). The URL format is: https://mcp.mcpbundles.com/bundle/vulnerability-intelligence. Authentication is handled automatically.

How many tools does Vulnerability Intelligence provide?

Vulnerability Intelligence provides 34 tools that can be called by AI agents, along with a SKILL.md that gives your AI agent domain knowledge about when and how to use them.

What authentication does Vulnerability Intelligence require?

Vulnerability Intelligence uses No auth required or API Key. Container Scan requires credentials. Connect via MCPBundles and authentication is handled automatically.

Setup Instructions

Connect Vulnerability Intelligence to any MCP client in minutes

MCP URL
https://mcp.mcpbundles.com/bundle/vulnerability-intelligence

One-click install:

The link prefills the Add custom connector dialog — you still review the values and click Add, then Connect to complete OAuth.

Or add manually

  1. Open claude.ai → Settings → Connectors.
  2. Click the + button and choose Add custom connector.
  3. Set Name to Vulnerability Intelligence and paste the MCP URL into Remote MCP server URL.
  4. Click Add. Vulnerability Intelligence will appear under Not connected — select it and click Connect to complete OAuth.
Name: Vulnerability Intelligence
Remote MCP server URL: https://mcp.mcpbundles.com/bundle/vulnerability-intelligence
Authentication: OAuth

Custom connectors at claude.ai require a paid Claude plan (Pro, Max, Team, or Enterprise).

Other ways to use Vulnerability Intelligence

Same data, different audiences.

App

Polished interactive UI — explore the data visually with no setup.

Open the app

Ready to use Vulnerability Intelligence?

Sign in to connect your credentials and start running tools from the chat.

Vulnerability Intelligence MCP Server & Skill