Connect your account, then chat with AI to run tools.
Run Trivy on your machine via Desktop, enrich with NVD + CISA KEV + EPSS, and bucket container CVEs into exploit priority, patch today, and defer — with a reason on every row.
Try this workflow
Scan node:20-slim (balanced)
Scan node:20-slim with policy_preset balanced. Summarize patch_today vs defer and explain one bucket_reason.
Opens MCPBundles Studio with this server selected. After sign-in, chat and run tools from the same thread.
Browse all toolsBuilt for
Security Engineers, DevOps Teams, MSPs, Container Platform Owners
Scan node:20-slim (balanced)
Runs a local Trivy scan on a real Debian-based Node image and shows HIGH-tier fixes in patch_today.
Scan node:20-slim with policy_preset balanced. Summarize patch_today vs defer and explain one bucket_reason.
Python base — permissive patches
Contrasts policy presets on a slim API base — MEDIUM pip CVEs surface only under permissive_patches.
Scan python:3.13-slim with policy_preset permissive_patches. How many patch_today rows appear vs balanced?
Why is CRITICAL in defer?
Shows EPSS + fix-available gating — high CVSS does not auto-page.
Scan python:3.13-slim and explain why notable_deferred_critical CVEs stayed in defer despite CRITICAL scanner severity.
Analyze one CVE
Single-CVE cross-source analysis for the regreSSHion case study.
Analyze CVE-2024-6387 across NVD, KEV, and EPSS and compare CVSS rank vs composite exploit priority.
Do I have to paste Trivy JSON?
No. With MCPBundles Desktop connected, pass `target` on `scan_triage` and Trivy runs on your machine. Paste JSON only when Desktop is offline.
What do exploit_priority, patch_today, and defer mean?
Exploit priority = CISA KEV or EPSS above your threshold. Patch today = vendor fix available and composite tier meets your policy minimum. Defer = everything else, including scary CVSS with low EPSS and no fix.
Why would a CRITICAL CVE land in defer?
Scanner severity is not the same as exploit likelihood. Old libc/tar rows often show CRITICAL CVSS with sub-5% EPSS and no vendor fix — the policy explains each defer with bucket_reason.
Domain knowledge for Vulnerability Intelligence — workflow patterns, data models, and gotchas for your AI agent.
Combines NIST NVD, CISA KEV, and FIRST.org EPSS into composite risk scores and container scan triage.
With MCPBundles Desktop connected and a Container Scan credential bound:
You can still paste Trivy/Grype JSON via scan_output when Desktop is unavailable.
Compare scanner CVSS ranking vs composite exploit-priority ranking for the same scan. Shows overlap and flipped priorities. When the workspace panel i...
Find CVEs affecting a specific product using its exact CPE name from the NVD database. CPE format: cpe:2.3:part:vendor:product:version:*:*:*:*:*:*:* w...
Search the NIST NVD for CVEs by CVSS v3 severity (LOW, MEDIUM, HIGH, CRITICAL) with optional keyword and recency filters. Use keyword_search to narrow...
Search the NIST NVD for CVEs by CWE weakness type with optional severity and recency filters. Common CWE IDs: CWE-79 (XSS), CWE-89 (SQL Injection), CW...
Get the complete change history for a specific CVE from the NIST NVD. Shows when and how the CVE was modified — including analysis updates, CVSS chang...
Get CVEs in the CISA KEV catalog with full NVD CVSS scoring details. These are actively exploited vulnerabilities federal agencies must remediate. Use...
Look up a specific CVE by its ID from the NIST National Vulnerability Database. Returns full details including CVSS scores, description, affected prod...
Get recently published or modified CVEs from the NIST NVD. Defaults to the last 7 days of modified CVEs. Use pub_or_mod to switch between filtering by...
Search the NIST NVD for CVEs by keyword with optional severity and recency filters. Combine keyword + cvss_v3_severity + days_back for targeted querie...
Get a frequency breakdown of weakness types (CWEs) across all CISA KEV entries. Shows which vulnerability classes are most commonly exploited in the w...
Find CISA KEV entries with past-due or upcoming federal remediation deadlines. Overdue entries represent federally mandated patches that haven't been ...
CISA KEV catalog summary for the vulnerability intelligence workspace. When the workspace panel is open, results update the panel automatically — do n...
Look up a specific CVE in the CISA Known Exploited Vulnerabilities catalog. Returns full KEV entry details including the required remediation action, ...
Manage persisted container scan triage history. Actions: list, get (by run_id or latest for target), compare (latest two runs for target), clear. When...
Manage your technology stack profile. The server remembers what you run and flags CVEs that affect your technologies in every response. Actions: add (...
Manage your CVE watchlist. The server tracks EPSS score changes and KEV status for watched CVEs and reports deltas in every lookup and briefing. Actio...
Discover the most exploitable CVEs by EPSS score. Filter by minimum/maximum exploit probability to find vulnerabilities most likely to be exploited in...
Get a KEV exposure breakdown for a specific vendor — how many actively exploited vulnerabilities affect each of their products, and which products hav...
Get CISA KEV entries that are linked to known ransomware campaigns. These are the highest-priority vulnerabilities — actively exploited AND used by ra...
Get the most recently added vulnerabilities to the CISA KEV catalog. Results are sorted newest-first. Use days_back to control the lookback window. Cr...
Generate a threat landscape report showing how many CVEs fall into each EPSS risk band (CRITICAL/HIGH/MEDIUM/LOW). Provides total counts at each thres...
Triage container vulnerabilities. With a Container Scan credential and Desktop connected, pass target (image or filesystem) to run Trivy locally, then...
Get the EPSS exploit prediction score for a CVE at a specific historical date. Useful for understanding how exploit risk has evolved, or for retrospec...
Find CVEs by EPSS percentile ranking. The percentile shows where a CVE ranks relative to all other scored CVEs. A percentile of 0.99 means the CVE has...
Get the 30-day EPSS score trend for a specific CVE. Shows how the exploit prediction probability has changed over the past month. Useful for identifyi...
Look up EPSS exploit prediction scores for one or more CVEs. Returns the probability (0-1) that each CVE will be exploited in the wild within 30 days,...
Search the CISA KEV catalog by vendor, product, vulnerability name, or keyword. Case-insensitive full-text search across all fields. Use ransomware_on...
Search the EPSS database by CVE ID pattern. Find all scored CVEs matching a text pattern — useful for year-based analysis (e.g., 'CVE-2025'), vendor-r...
Security briefing — KEV catalog changes, watchlist deltas, stack exposure, and scan regression since your last briefing. When the workspace panel is o...
Get a summary of the CISA Known Exploited Vulnerabilities catalog: total count, catalog version, date released, how many were added in the last 7/30/9...
Check a list of CVEs from a vulnerability scan against the CISA KEV catalog. Returns which CVEs are confirmed actively exploited (in KEV), which are n...
Triage a list of CVEs from a vulnerability scan by exploit probability. Pass in CVE IDs from a scan report and get back a prioritized remediation plan...
Full cross-source vulnerability analysis: NVD CVE details + EPSS exploit probability + CISA KEV status + composite risk score. Fetches all three sourc...
Open the Vulnerability Intelligence workspace. Use when the user asks to view the triage panel before running scan_triage, security_briefing, or KEV l...
No. With MCPBundles Desktop connected, pass `target` on `scan_triage` and Trivy runs on your machine. Paste JSON only when Desktop is offline.
Exploit priority = CISA KEV or EPSS above your threshold. Patch today = vendor fix available and composite tier meets your policy minimum. Defer = everything else, including scary CVSS with low EPSS and no fix.
Scanner severity is not the same as exploit likelihood. Old libc/tar rows often show CRITICAL CVSS with sub-5% EPSS and no vendor fix — the policy explains each defer with bucket_reason.
Balanced requires HIGH+ tier before patch_today when a fix exists. Permissive_patches lowers the bar to MEDIUM+, which surfaces pip/npm fixes on slim Python bases that balanced would defer.
Add the MCPBundles server URL to your MCP client configuration (Claude Desktop, Cursor, VS Code, etc.). The URL format is: https://mcp.mcpbundles.com/bundle/vulnerability-intelligence. Authentication is handled automatically.
Vulnerability Intelligence provides 34 tools that can be called by AI agents, along with a SKILL.md that gives your AI agent domain knowledge about when and how to use them.
Vulnerability Intelligence uses No auth required or API Key. Container Scan requires credentials. Connect via MCPBundles and authentication is handled automatically.
Connect Vulnerability Intelligence to any MCP client in minutes
https://mcp.mcpbundles.com/bundle/vulnerability-intelligenceThe link prefills the Add custom connector dialog — you still review the values and click Add, then Connect to complete OAuth.
Vulnerability Intelligence and paste the MCP URL into Remote MCP server URL.Custom connectors at claude.ai require a paid Claude plan (Pro, Max, Team, or Enterprise).
Also listed on
Same data, different audiences.
More security integrations you might like
The CISA Known Exploited Vulnerabilities (KEV) Catalog is the authoritative U.S. government list of ...
OFAC-API.com provides KYC, AML, and sanctions compliance screening against 25+ global data sources i...
Run Trivy or Grype on your machine via MCPBundles Desktop. Used by Vulnerability Intelligence scan_t...
Microsoft Entra ID is an identity and access management service that provides secure authentication ...
The Exploit Prediction Scoring System (EPSS) by FIRST.org estimates the probability that a CVE will ...
OPUSWatch provides API-based solutions for managing operational risk and ensuring regulatory complia...