Home/Capabilities
Features

Every capability, every data source

100+ sources, 4+ million records, cross-linked into one navigable graph
threatengine.sh is built from open-source threat intelligence: NVD CVEs, MITRE ATT&CK and CAPEC, CISA KEV, EPSS, vendor advisories from every major vendor, ExploitDB, Sigma and YARA rules, Snort/Suricata signatures, NIST 800-53 controls, and more. Every fact traces back to its primary source.

What you can do here

Pick your job below and click straight through. Live tasks work now; Roadmap tasks are coming and shown greyed so you can see where the engine is going.

Look up & pivot (everyone starts here)

6
One search box understands CVE IDs, vuln nicknames, technique IDs, actor and tool names, and raw indicators. You never hit a dead end - anything we don't host locally turns into external pivot links.
Look up any CVELive
Full enrichment on one page: severity, CISA KEV, EPSS exploitation odds, ransomware use, affected packages with fix versions, the actors who exploit it, and every vendor advisory.
Try: Log4Shell
Search by vuln nicknameLive
Type the name everyone uses; we resolve it to the real CVE.
Try: eternalblue
Explore an ATT&CK techniqueLive
What it is, the detection rules that catch it, the actors and tools that use it, and the controls that mitigate it.
Try: T1190
Profile a threat actorLive
Origin, motivation, target sectors, the techniques and tools they use, and the CVEs they've exploited - all cross-linked.
Try: APT29
Investigate a tool or malwareLive
Who uses it, the Sigma/YARA rules that detect it, and any live indicators.
Try: Mimikatz
Pivot on an IP, domain, or hashLive
Paste an indicator; if we hold data we show it, and either way you get one-click lookups to VirusTotal, Shodan, GreyNoise, urlscan, and more.
Try: an IP / domain / hash

SOC & detection analysts

6
Answer 'can I actually see this attack?' fast - and find the exact rule that proves it.
Browse detection rulesLive
Sigma, YARA, and 52k+ network IDS signatures, filterable by the technique they detect.
Try: powershell
See your detection coverageLive
A heatmap of which ATT&CK techniques you can detect vs. where you're blind.
Find the rule for a techniqueLive
From any technique page, jump straight to the Sigma/YARA/IDS rules that catch it.
Try: T1059
Map defenses with D3FENDLive
MITRE's defensive countermeasure catalog: what you can do to detect, isolate, evict, and harden.
Actor detection checklistRoadmap
Pick an actor and get every technique they use with the exact detection rule for each (or the gap).
APT29 detection checklist
"What changed" detection diffRoadmap
New KEV entries and new exploits since a date you pick, so you know what to tune this week.

Vulnerability & threat analysts

6
Triage what matters now: actively-exploited, high-probability, ransomware-linked.
Work the KEV catalogLive
Every CISA Known-Exploited vulnerability, flagged on its CVE page with the action required.
Read the daily threat briefLive
The top critical CVEs of the last 14 days, ranked by what's actually dangerous.
Check exploitation odds (EPSS)Live
FIRST.org's exploitation-probability score on every CVE, so you patch by real risk.
Try: Log4Shell EPSS
Trace a weakness (CWE to CAPEC)Live
Walk the weakness hierarchy and see how adversaries exploit each class.
Try: SQL injection
Find exploitable CVEs for a productLive
Name a product (and version) you're assessing and get its CVEs, exploits first.
Try: apache
Service banner to CVERoadmap
Paste an nmap-style service banner and resolve it to the CVEs that hit that version.
OpenSSH 8.2p1

Penetration testers & red teams

5
From a foothold to the next move - what can you exploit, and where does it lead?
Product/version to exploitable CVEsLive
Identify a target's software and pull the CVEs and public exploits for it.
Try: a product + version
Find public exploits & PoCsLive
ExploitDB and PoC links surfaced on the CVE page, ready to pivot to.
Try: EternalBlue
Emulate an adversaryLive
Atomic Red Team test cases and Caldera profiles tied to each technique.
Try: T1059
Attack-path / chainingRoadmap
From a foothold CVE, see the privilege-escalation and lateral-movement techniques that typically follow - the next move, not just the entry.
foothold to next move
Pre-engagement recon packRoadmap
Give a target stack and get the consolidated CVE + exploit + technique picture in one view.

GRC & compliance analysts

6
Turn a control framework into a threat-informed, audit-ready picture - honestly. We only show mappings that are actually published; we never fabricate.
One-click audit answerLive
For a whole framework: every control, the ATT&CK techniques it defends, and whether you can detect each - with a CSV/JSON export for your auditor.
Try: NIST 800-53 audit
Self-assessmentLive
Tick the controls/families you've implemented and see your resulting technique coverage.
Threat-informed coverage reportLive
A generated coverage view that ties your framework to real adversary behavior.
Browse any framework's controlsLive
NIST 800-53, NIST CSF, CIS v8.1, CSA CCM, CRI Profile, OWASP - searchable.
Crosswalk navigationRoadmap
"I've implemented NIST 800-53 - what does that already satisfy in ISO 27001, SOC 2, or PCI-DSS?" Map your work across frameworks from published crosswalks.
800-53 to ISO / PCI
Inherited threat coverageRoadmap
For frameworks without a direct ATT&CK mapping, derive coverage through the 800-53 crosswalk - clearly labeled as derived.

Automation & integration

5
Everything the UI shows is available as clean, scoped data for your pipeline.
Export scoped dataLive
Per-CVE, per-technique, and per-control JSON - scoped, never a whole-DB dump, with a provenance/verify-before-use note.
Try: export a CVE returns JSON
Pull the daily brief as JSONLive
The top-critical feed for your dashboards and bots.
returns JSON
Generate a CVE infographicLive
A ready-to-share SVG for one CVE.
Try: Log4Shell infographic returns an image
Get an entity graphLive
The actor/tool/technique relationship graph as JSON.
returns JSON
Watchlists & change trackingRoadmap
Track CVEs, actors, or products and get a diff over time.

The data behind it

Every task above is powered by these sources, cross-linked into one graph. Every fact traces to its origin.

CVE & vulnerability data

6
Every CVE published, with full enrichment from NVD, CISA KEV, EPSS, ExploitDB, and vendor advisories. Every reference link is preserved.
NVD CVE records
every CVE from 1999 to today, fully searchable
350K+
CISA KEV catalog
actively-exploited CVEs flagged on every CVE page
1.5K+
EPSS exploitation scores
FIRST.org's exploitation-probability score on every CVE
330K+
CPE product matches
CVE↔product↔version linkage, indexed for fast lookup
3M+
CVE references
every external link from NVD's reference field, deduplicated
1M+
OSV ecosystem vulns
language-package vulnerabilities (npm, PyPI, Maven, RubyGems, Go, etc.)
260K+

Threat actors & campaigns

5
Curated threat-actor profiles cross-linked with techniques, tools, and CVEs they've exploited.
MITRE ATT&CK groups
every G-numbered adversary group from MITRE
150+
Curated actor profiles
deep dives with origin, motivation, target sectors, capabilities
200+
Actor↔technique links
what each actor is known to do (per MITRE)
20K+
Actor↔tool mappings
tooling each actor uses
1.5K+
CVE exploitation
which CVEs each actor has been seen exploiting
1.0K+

Adversary tactics, techniques, procedures

6
Full MITRE ATT&CK + CAPEC attack-pattern data, plus Atomic Red Team test cases.
ATT&CK techniques
every technique + sub-technique from MITRE
850+
Tools & malware
named offensive tools (Mimikatz, Cobalt Strike, etc.)
800+
CAPEC attack patterns
MITRE's higher-level attack pattern catalog
600+
Atomic Red Team
executable test cases per technique
1.5K+
Caldera adversaries
MITRE Caldera emulation profiles
37
CAR analytics
MITRE Cyber Analytics Repository
100+

Detection content

5
Production-ready detection rules across SIEM, network IDS, and host telemetry.
Sigma rules
SIEM-agnostic detection rules covering most ATT&CK techniques
3.0K+
YARA rules
malware-family identification rules from multiple repositories
5.5K+
Snort/Suricata rules
network IDS signatures (Emerging Threats Open, Snort Community)
50K+
Falco runtime rules
container/Linux runtime detection
97
Nuclei templates
vulnerability scanner templates
10K+

Defensive measures & compliance

4
Defensive countermeasures and compliance mappings - what to do about each threat.
D3FEND techniques
MITRE's defensive countermeasure catalog
100+
NIST 800-53 controls
every security control with family + class
1.5K+
Control↔ATT&CK mappings
which compliance controls mitigate which techniques
4.5K+
ATT&CK mitigations
MITRE's M-numbered mitigation catalog
44

Weakness taxonomy

4
CWE weakness classification with full relationships and CAPEC cross-links.
CWE weaknesses
full Common Weakness Enumeration from MITRE
950+
CWE relationships
parent/child weakness hierarchy
1.0K+
CVE↔CWE links
every CVE tagged with its weaknesses
410K+
CAPEC↔CWE links
attack patterns tied to underlying weaknesses
1.0K+

Exploits & IOCs

3
Public exploits, proof-of-concepts, and indicators of compromise from open sources.
ExploitDB
every exploit/PoC from Exploit-DB.com, linked to CVE where applicable
40K+
Indicators of Compromise
URLs, hashes, IPs from URLHaus + ThreatFox + MalwareBazaar + SSLBL
350K+
Nuclei vuln templates
CVE-tagged templates ready for active scanning
10K+

Vendor security advisories

9
Authoritative advisories from every major vendor - not just NVD's reference snapshot.
Red Hat RHSA
Red Hat Security Advisories
20K+
Ubuntu USN
Ubuntu Security Notices
10K+
SUSE CSAF
SUSE security updates
30K+
Microsoft MSRC
Patch Tuesday + Microsoft Security Response Center
20K+
Cisco CSAF
Cisco PSIRT advisories
4.0K+
CISA CSAF
CISA-issued advisories
3.5K+
Apple, Adobe, Mozilla, Siemens
all-vendor coverage in one place
2.0K+
Oracle CPU
Oracle quarterly Critical Patch Updates
3.5K+
All advisories combined
across 40+ vendors
110K+
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin