VulnRadar — Early Threat Awareness for Security Engineers and Their Teams
VulnRadar is live at vulnradar.isertkaya.de
Every day, hundreds of new vulnerabilities are published across security advisories, CERT bulletins, vendor portals, exploit databases, and research blogs. For a security engineer, keeping up with this constant stream of information while simultaneously managing remediation, asset inventories, and stakeholder reporting is an enormous challenge. Most teams either rely on expensive commercial platforms, cobble together a collection of RSS feeds and scripts, or — more commonly — simply miss things until they become urgent. VulnRadar was built to close that gap.
The Problem: Too Much Signal, Not Enough Context
The fundamental challenge in vulnerability management is not a lack of information — it is an overwhelming abundance of it. On any given day, a security engineer might need to monitor NVD for new CVEs, check the CISA Known Exploited Vulnerabilities catalogue, read vendor advisories from a dozen different portals, scan security research blogs, track active exploit availability, and cross-reference all of this against their organisation’s specific asset inventory. Each of these sources uses different formats, different severity scales, and different levels of urgency.
The result is a daily triage problem that consumes enormous analyst time and still produces gaps. A critical vulnerability in a vendor you rely on might be published on a niche research blog six hours before it appears in NVD. An exploit posted to GitHub might precede the official CVE by days. By the time a traditional scan-based workflow surfaces the issue, the window for proactive response may already be closed.
VulnRadar approaches this problem differently. Rather than waiting for a scan to detect a vulnerable asset, it watches the entire threat landscape continuously and matches incoming intelligence against your environment in real time — so the question shifts from “what did our scanner find?” to “what is happening out there, and are we affected?”
What Is VulnRadar?
VulnRadar is a self-hosted vulnerability intelligence platform designed for security engineers and their teams. At its core it is an intelligence aggregation, correlation, and prioritisation engine — one that ingests raw security signals from over 100 sources, makes sense of them, and surfaces what matters to your specific organisation with enough lead time to act proactively.
It covers the full analyst workflow: from the first appearance of a threat signal through enrichment, triage, asset matching, case creation, remediation tracking, SLA enforcement, stakeholder reporting, and audit documentation. Everything in a single platform, on your own infrastructure, with no data leaving your environment.
Intelligence Collection: Breadth and Depth
VulnRadar collects from a deliberately broad set of source categories:
Official vulnerability records — NVD CVE feeds, CISA KEV, CISA Vulnrichment, GitHub Security Advisories, Red Hat Security Data, and OSV provide the authoritative baseline. These sources are collected and continuously re-enriched so that changes to CVSS scores, KEV additions, and new CPE data are reflected quickly.
Security news and research — blogs, threat reports, conference publications, and independent research feeds. This is the layer that most VM tools completely ignore, and it is precisely where early warning signals live. A detailed writeup about an exploited zero-day, a researcher’s proof-of-concept, or a threat actor report linking a CVE to active campaigns — these appear in news and research sources well before they reach official databases.
CERT and vendor advisories — directly from vendor portals, national CERT feeds, and advisory RSS streams. For organisations with complex supply chains, this layer ensures that vendor-specific patch notifications and emergency advisories are captured alongside the standard CVE feeds.
Exploit signals — public proof-of-concept indicators, active exploitation language detection, zero-day references, Metasploit module mentions, and PoC-in-GitHub markers. VulnRadar’s exploit enrichment layer continuously checks whether working exploit code exists for tracked vulnerabilities, which fundamentally changes the risk calculus for a finding.
SBOM imports — software bill of materials files from build pipelines or component registries can be imported directly, giving VulnRadar a precise component-level view of what your applications depend on and surfacing relevant CVEs at the dependency level.
Correlation and Enrichment: Making Raw Data Actionable
Raw collection is only the first step. A single vulnerability can generate dozens of separate reports across different sources within a short time window — an NVD record, three vendor advisories, two research blog posts, a CERT bulletin, and a CISA KEV addition. Without correlation, each of these arrives as a separate item demanding analyst attention.
VulnRadar automatically groups related reports into unified intelligence clusters. CVEs and aliases (GHSA, OSV, vendor IDs) are extracted and normalised, vendors and products are identified, and semantically related items are merged. The analyst sees one consolidated entry per vulnerability, with all source evidence attached, rather than a flood of duplicate alerts.
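The identifier-based part of this grouping can be sketched as follows. This is an added example, not VulnRadar's code: it merges reports that share a CVE or GHSA identifier, transitively, and leaves the semantic merging mentioned above out of scope. The report dictionaries and all identifiers in the sample are constructed.

```python
import re
from collections import defaultdict

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
GHSA_RE = re.compile(r"\bGHSA(?:-[23456789cfghjmpqrvwx]{4}){3}\b", re.IGNORECASE)


def extract_ids(text):
    """Return normalised identifiers: CVE upper-case, GHSA suffix lower-case."""
    ids = {m.upper() for m in CVE_RE.findall(text)}
    ids |= {"GHSA" + m[4:].lower() for m in GHSA_RE.findall(text)}
    return ids


def cluster_reports(reports):
    """Group reports that share any identifier, transitively (union-find)."""
    parent = list(range(len(reports)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen = {}  # identifier -> index of the first report mentioning it
    for idx, report in enumerate(reports):
        for ident in extract_ids(report["text"]):
            if ident in first_seen:
                parent[find(idx)] = find(first_seen[ident])
            else:
                first_seen[ident] = idx

    clusters = defaultdict(lambda: {"ids": set(), "sources": []})
    for idx, report in enumerate(reports):
        cluster = clusters[find(idx)]
        cluster["ids"] |= extract_ids(report["text"])
        cluster["sources"].append(report["source"])
    return sorted(clusters.values(), key=lambda c: c["sources"])


# Constructed sample reports; products and identifiers are made up.
SAMPLE_REPORTS = [
    {"source": "nvd", "text": "CVE-2099-0001: buffer overflow in ExampleVPN"},
    {"source": "vendor-advisory",
     "text": "ExampleVPN advisory for cve-2099-0001 (GHSA-cccc-ffff-gggg)"},
    {"source": "research-blog",
     "text": "Analysis of ghsa-CCCC-ffff-gggg exploitation attempts"},
    {"source": "cert-bulletin", "text": "CVE-2099-0002 in OtherProduct"},
    {"source": "news", "text": "Vendor announces quarterly patch day"},
]

if __name__ == "__main__":
    for cluster in cluster_reports(SAMPLE_REPORTS):
        print(sorted(cluster["ids"]), cluster["sources"])
```

The research blog post never mentions the CVE, yet it lands in the same cluster as the NVD record because the vendor advisory carries both identifiers.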
Each cluster is then enriched from multiple authoritative sources simultaneously:
- NVD for CVSS base score, vector string, CPE applicability data, and CWE classification
- FIRST EPSS for exploitation probability score — a statistical estimate of how likely a CVE is to be exploited in the wild within the next 30 days
- CISA KEV for confirmation of active exploitation in the wild
- OSV for additional alias resolution and affected version ranges
- Exploit availability — whether a public PoC, Metasploit module, or nuclei template exists
This multi-signal enrichment gives a picture far richer than a raw CVSS score alone. A CVE with a moderate CVSS score but a high EPSS probability, active exploitation status in KEV, and a publicly available PoC is objectively more dangerous than a critical-rated CVE with no known exploitation and no public exploit — and VulnRadar’s scoring reflects this.
Risk Scoring: Beyond CVSS
CVSS was designed to describe the technical characteristics of a vulnerability, not to tell a specific organisation how urgently they need to act. It ignores whether a working exploit exists, whether the vulnerability is actively being exploited in the wild, whether the affected product is critical to your operations, and whether you are actually running the affected version.
VulnRadar calculates a composite risk score from multiple signals:
- Source trust and weight — how credible and authoritative the reporting sources are
- CVE presence and NVD CVSS severity
- CISA KEV membership — confirmed active exploitation
- EPSS exploitation probability
- Active exploitation language in collected intelligence
- Zero-day or public PoC indicators
- Vulnerability category — network-edge, supply-chain, cloud, OT/ICS vulnerabilities carry additional weight
- Watchlist match — is an affected product or vendor in your environment?
- Asset criticality context — is this a critical asset or an internet-facing system?
- Known or possible version match based on CPE data and configured asset versions
The result is a priority classification: Act Now, Review, Monitor, or Info. This classification is visible immediately across all views and drives SLA timelines, notification thresholds, and digest prioritisation. The scoring model is fully configurable via a risk profile file, so organisations can tune weights to reflect their specific risk tolerance and asset landscape.
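A composite score of this kind can be illustrated with a weighted sum, shown here as an added example that is not VulnRadar's scoring code. The weights, band thresholds and profile layout are assumptions chosen for illustration, and source trust is left out to keep the sketch short.

```python
from dataclasses import dataclass

# Hypothetical risk profile: every weight and band threshold below is an
# assumption made for this example, not a value published by VulnRadar.
PROFILE = {
    "weights": {
        "cvss": 25,                  # scaled by base score / 10
        "epss": 20,                  # scaled by probability (0..1)
        "kev": 20,                   # listed in CISA KEV
        "public_poc": 10,            # zero-day or public PoC indicator
        "exploitation_language": 5,  # exploitation wording in collected reports
        "edge_category": 5,          # network-edge, supply-chain, cloud, OT/ICS
        "watchlist_match": 5,
        "critical_asset": 5,         # critical or internet-facing asset
        "version_match": 5,          # CPE range matches a configured version
    },
    # (minimum score, label), checked from the highest band down
    "bands": [(60, "Act Now"), (40, "Review"), (20, "Monitor"), (0, "Info")],
}

# Severity-only profile for contrast: what ranking by CVSS alone would do.
CVSS_ONLY = {"weights": {**{k: 0 for k in PROFILE["weights"]}, "cvss": 100},
             "bands": PROFILE["bands"]}

FLAGS = ("kev", "public_poc", "exploitation_language", "edge_category",
         "watchlist_match", "critical_asset", "version_match")


@dataclass
class Signals:
    cvss: float = 0.0
    epss: float = 0.0
    kev: bool = False
    public_poc: bool = False
    exploitation_language: bool = False
    edge_category: bool = False
    watchlist_match: bool = False
    critical_asset: bool = False
    version_match: bool = False


def clamp(value, low, high):
    return max(low, min(high, value))


def score(sig, profile=PROFILE):
    """Weighted sum of the signals; 0..100 when the weights add up to 100."""
    w = profile["weights"]
    total = w["cvss"] * clamp(sig.cvss, 0.0, 10.0) / 10.0
    total += w["epss"] * clamp(sig.epss, 0.0, 1.0)
    total += sum(w[name] for name in FLAGS if getattr(sig, name))
    return round(total, 1)


def classify(sig, profile=PROFILE):
    """Map the score to the first band whose minimum it reaches."""
    value = score(sig, profile)
    for minimum, label in profile["bands"]:
        if value >= minimum:
            return label
    return profile["bands"][-1][1]


# Constructed inputs mirroring the comparison made in the enrichment section.
MODERATE_BUT_EXPLOITED = Signals(cvss=6.0, epss=0.9, kev=True,
                                 public_poc=True, watchlist_match=True)
CRITICAL_BUT_QUIET = Signals(cvss=9.8, epss=0.02, watchlist_match=True)

if __name__ == "__main__":
    for name, sig in [("moderate, exploited", MODERATE_BUT_EXPLOITED),
                      ("critical, quiet", CRITICAL_BUT_QUIET)]:
        print(name, score(sig), classify(sig), "| CVSS only:", score(sig, CVSS_ONLY))
```

Under the multi-signal profile the exploited moderate-severity finding outranks the quiet critical one; under `CVSS_ONLY` the order reverses, which is the gap the section describes.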
The Organisational Context Layer: Turning Global Intelligence into Local Risk
The most powerful capability in VulnRadar is the ability to apply organisational context to every incoming intelligence item automatically. This is what transforms a global vulnerability feed into an organisation-specific risk picture.
Asset inventories can be populated from multiple sources: direct connectors to Tenable.io, Qualys VMDR, Nessus, and DefectDojo; CSV imports; SBOM files; and manual entry. Assets carry metadata including owner, criticality level, network exposure, operating system, installed software, business unit, and lifecycle status. When a new intelligence cluster arrives that matches a product or vendor in your asset inventory, VulnRadar marks it as Likely Affected and notifies the relevant asset owners.
Watchlists provide a lightweight but powerful way to track technologies and vendors before they are explicitly catalogued as assets. Defining a watchlist entry for a specific product family, vendor, or technology keyword ensures that any intelligence touching that subject is immediately flagged — even before it appears as a formal asset record.
Vendor catalogs maintain a structured view of which vendors and product families are present in the environment. Combined with product alias normalisation, this means that vendor name variations across different sources (“Microsoft Corp.”, “Microsoft Corporation”, “MSFT”) are resolved to a single entity, preventing missed matches.
Business units allow risk to be scoped and attributed correctly. A vulnerability affecting the payment processing infrastructure carries different urgency than the same vulnerability on a development workstation, and VulnRadar’s asset model reflects this distinction.
Keeping the Security Engineer Informed: The News-First Philosophy
Most vulnerability management tools are built around the assumption that the primary input is a scan result. VulnRadar challenges this assumption. Security engineers need to be effective not just at processing scan findings but at understanding the evolving threat landscape — knowing which threat actor groups are active, which vulnerability classes are being exploited in current campaigns, which vendors are issuing emergency patches, and what the security research community is currently focused on.
To support this, VulnRadar treats cybersecurity news and research as first-class intelligence sources, not an afterthought. The news feed is a curated, filterable stream of security content from researchers, threat intelligence providers, CERTs, and vendor security teams. Items can be starred, filtered by source, and searched. Analysts can configure which sources appear in their personal notification digest.
The MITRE ATT&CK integration links vulnerability clusters to relevant tactics, techniques, and procedures, giving context about how a vulnerability might be leveraged in a realistic attack chain. Threat actor profiles associated with active exploitation are surfaced alongside the vulnerability data, helping analysts understand not just what is vulnerable but who is likely to exploit it and how.
The What Changed delta view is designed specifically for the morning triage workflow. Rather than re-reviewing the entire vulnerability landscape each day, analysts see only what changed since the previous session: CVEs newly added to KEV, scores that increased overnight, patches that just became available, new exploitation evidence, and newly discovered CVEs in tracked products. This delta-first approach dramatically reduces the cognitive load of staying current.
Daily Security Brief: Automated Situational Awareness
The Daily Security Brief is VulnRadar’s answer to the daily triage meeting. Each morning, configured users receive an email digest that mirrors the structure of the in-app digest view: new findings first (ordered by priority within the last 24-hour window), followed by high-risk intelligence changes, and finally curated news from the analyst’s preferred sources.
The digest is not a dump of everything in the system. It applies the analyst’s personal thresholds: minimum risk score, KEV-only mode, preferred sources, and digest frequency (daily or weekly). An analyst who only wants to be notified about KEV-confirmed vulnerabilities with a score above a certain threshold receives a focused, actionable brief rather than a noisy one.
For teams using Slack, Microsoft Teams, Discord, or PagerDuty, the same intelligence is deliverable as channel notifications and on-call alerts — ensuring that critical findings reach the right people regardless of whether they check their email first.
Case Management and the Full Remediation Lifecycle
Identifying a vulnerability is only the beginning. VulnRadar supports the full remediation lifecycle through a structured case management system that sits directly alongside the intelligence feed.
A security engineer can create a CERT case from any intelligence cluster with a single action. The case carries the full context of the originating cluster — CVEs, affected assets, source evidence, risk score, exploitation status — and adds workflow fields: assigned owner, remediation status, patch availability, SLA deadline, priority, and notes. Cases can be linked to assets directly, so remediation progress is visible both at the case level and within the asset’s own vulnerability history.
SLA enforcement is automatic. Based on the risk classification of a finding, deadlines are calculated and tracked. Overdue cases surface in the digest, in dedicated views, and in notifications to case owners. Risk-accepted suppressions — where a finding is acknowledged but not remediated for documented reasons — are logged with full audit history including who accepted the risk, why, and when the acceptance expires.
For larger organisations, remediation campaigns allow a single case to track the same vulnerability across multiple assets simultaneously, with a progress bar showing how many affected systems have been remediated.
Reporting and Stakeholder Communication
Security teams regularly need to communicate findings to different audiences: technical colleagues, management, external partners, and auditors. VulnRadar reduces the friction of this communication through built-in report generation.
From any case or intelligence cluster, analysts can generate three types of draft reports: a detailed technical advisory for the engineering team, an executive summary suitable for management briefings, and an external CERT advisory in a format appropriate for disclosure or partner notification. These drafts use the intelligence already captured in the system — CVE details, affected products, exploitation status, recommended actions — so analysts have a structured starting point rather than a blank document.
For compliance and audit purposes, the platform tracks metrics across frameworks including ISO 27001, NIS2, DORA, and PCI-DSS, providing evidence of systematic vulnerability management processes and SLA adherence over time.
Multi-User, Multi-Organisation: Built for Teams
VulnRadar is not a single-analyst tool. It supports multi-user environments with full role-based access control: administrators, analysts, and read-only viewers each have appropriate permissions. Users can be scoped to specific organisations or business units, so a contractor with access to one client’s data cannot see another’s.
Notification preferences are configurable per user — each analyst can set their own risk score threshold, choose which event types trigger alerts, and select whether they receive email, channel notifications, or both. The result is a platform that serves both the senior engineer who wants to see everything and the junior analyst who needs a curated, filtered view of what requires their attention today.
Organisation profiles support multiple compliance framework configurations, CSIRT and CISO contact information, and business unit hierarchies with associated asset ownership — giving the platform the structure needed to operate as a shared team resource rather than a personal tool.
How VulnRadar Compares to Existing Tools
Understanding where VulnRadar fits means being honest about what it is and what it is not — and how it differs from the categories of tools that already exist.
Tenable.io, Qualys VMDR, and Rapid7 InsightVM are enterprise-grade scan-based platforms. They are excellent at discovering what is installed across a network, assessing configurations, and tracking remediation at scale. They are expensive, require agents or network access for scanning, and their intelligence layer is largely an add-on to the core scanning workflow. For organisations that need continuous network scanning across thousands of assets, these tools are the right choice — but at a price point that excludes many teams. VulnRadar does not replace a network scanner. It complements one by providing the intelligence context that scan results alone cannot supply: what is being actively exploited today, what threat actors are targeting this CVE, and what the broader security community is saying about this vulnerability right now.
DefectDojo is a vulnerability management and aggregation platform focused on consolidating findings from multiple scanning tools into a single tracked workflow. It is developer- and AppSec-oriented, excellent at managing finding lifecycles from CI/CD pipelines. It does not aggregate external threat intelligence, does not monitor security news, and does not provide the kind of real-time threat landscape awareness that VulnRadar is built around.
MISP (Malware Information Sharing Platform) is a threat intelligence sharing platform used primarily in CERT and SOC environments for indicator exchange and collaborative intelligence. It operates at the IOC and threat-actor level rather than the vulnerability management level, and requires significant configuration and operational overhead. VulnRadar focuses specifically on the vulnerability intelligence use case with a workflow built around analyst daily practice rather than indicator sharing.
Snyk, Dependabot, and OWASP Dependency-Check are developer-facing tools designed to identify vulnerable dependencies in code repositories and CI/CD pipelines. They operate at the code level, integrate into development workflows, and are excellent at catching vulnerable libraries in application dependencies. They do not provide the broader threat intelligence context, do not support asset-level remediation tracking across an enterprise, and are not designed for the security operations team as their primary user.
Wazuh is a SIEM, XDR, and intrusion detection platform. It monitors running systems for security events, configurations, and policy violations. Its vulnerability detection module checks installed packages against CVE databases — useful but reactive, and fundamentally different from the proactive intelligence aggregation approach of VulnRadar.
OpenVAS / Greenbone is an open-source network vulnerability scanner. Like commercial scanners, it discovers and assesses network-accessible assets but does not aggregate external intelligence, does not monitor news and advisory sources, and does not provide the analyst workflow features that VulnRadar is built around.
OpenCVE is the closest conceptual relative to VulnRadar. It aggregates from MITRE, NVD, Red Hat, CISA, and Vulnrichment, supports watchlists and project-scoped tracking, and sends alerts when CVEs relevant to configured products are published or updated. For teams that need clean CVE monitoring with solid official-source coverage, OpenCVE is a mature and well-maintained choice. The key difference is scope: OpenCVE operates almost entirely within the official CVE ecosystem. It tracks what is formally published and enriched. VulnRadar deliberately extends beyond that layer — ingesting security news, research blogs, exploit signals, and advisory content that surfaces days before a CVE record is complete or even assigned. The analyst workflow in VulnRadar is also deeper: case management, SLA enforcement, asset health tracking, remediation campaigns, and stakeholder report generation go well beyond alert delivery.
CVEFeed.io occupies a similar position — CVE monitoring with watchlist-based project scoping, CVSS, EPSS, KEV and CWE context, and delivery via Slack, Teams, Jira, and webhooks. It is a clean, focused notification service. Where VulnRadar differs is in the intelligence layer beneath the alerts: the aggregation of news and research alongside official records, the correlation of multiple sources into unified clusters, the per-asset risk scoring model, and the full remediation workflow. CVEFeed.io answers “notify me when something relevant is published.” VulnRadar answers “what is happening in the threat landscape right now, how does it relate to my environment, and what should my team do about it.”
Qualys VMDR and comparable enterprise vulnerability management suites — Tenable.io, Rapid7 InsightVM — are powerful platforms built around network scanning and asset discovery at scale. Their threat intelligence layer is an enhancement on top of a core scanning workflow. They are the right answer for large enterprises that need continuous authenticated scanning across thousands of endpoints, compliance reporting at scale, and deep integration with ticketing and ITSM systems. They are also expensive, require agent deployment or network access, and carry significant operational overhead. VulnRadar does not compete with a network scanner. It fills the intelligence and analyst workflow gap that scan-based tools leave: knowing about a vulnerability and its exploitation context before a scan runs, correlating news and research signals with asset context, and managing the triage-to-remediation workflow without an enterprise budget.
VulnCheck provides deeply enriched vulnerability and exploit intelligence — CPE applicability data, EPSS, KEV, exploit references, Metasploit and PoC availability, ATT&CK and CAPEC mappings — primarily as a data API for security teams that want to build enrichment pipelines or feed downstream tooling. It is intelligence infrastructure rather than an analyst platform. VulnRadar consumes similar enrichment signals (EPSS, KEV, exploit availability, ATT&CK context) and surfaces them in an analyst-facing workflow rather than a raw API. The appropriate comparison is not “which has richer CVE data” but “does your team need a data feed to integrate into existing tooling, or a complete analyst platform that provides that context directly?” VulnCheck excels as enrichment infrastructure; VulnRadar is the platform that operationalises that intelligence.
GitHub Advisory Database and OSV.dev are purpose-built for the software supply chain use case: identifying CVEs in open-source dependencies, tracking affected version ranges, and integrating into developer workflows and CI/CD pipelines. Within that scope they are authoritative. VulnRadar imports from both as enrichment sources and supports SBOM-based asset matching — but these databases are inputs to the platform, not competitors to it. The use cases diverge: dependency scanning for development teams versus enterprise-wide vulnerability intelligence and operational risk management for security teams.
Why Self-Hosted?
The self-hosted model is a deliberate design choice, not a limitation. Vulnerability intelligence frequently contains sensitive information about which technologies an organisation uses, which systems are unpatched, and which risks have been formally accepted. Sending this data to a third-party SaaS platform is a risk that many organisations — particularly those in regulated industries or with strict data residency requirements — are unwilling or unable to accept.
Running on your own infrastructure means full control over data, retention, access, and integration. VulnRadar runs as a Docker container with local persistence, requires no external queue or cloud dependency, and can operate entirely air-gapped if needed. The configuration is version-controllable, the data is exportable, and the platform can be adapted to fit existing internal tooling without vendor dependencies.
For independent security consultants, internal platform teams, and smaller security operations functions that cannot justify enterprise licensing costs, self-hosting also means the difference between having a professional intelligence platform and not having one.
Who It Is For
VulnRadar is built for security engineers, vulnerability management analysts, and CERT teams who need to stay ahead of the threat landscape rather than simply react to it. It is for teams that want to understand what is happening globally and apply that understanding to their specific environment — not just process scan outputs.
If your current process involves manually checking multiple advisory sites each morning, maintaining spreadsheets of affected assets, writing summary emails by hand, or relying on a scanner to tell you about vulnerabilities days after the researcher community already knew — VulnRadar is designed specifically to replace that workflow with something faster, more structured, and more actionable.
The goal is not to add another tool to the stack. It is to give security engineers back the time and attention that manual intelligence gathering currently consumes, and direct that capacity toward the work that actually reduces risk: understanding, prioritising, and fixing vulnerabilities before they become incidents.