Help

Glossary & playbooks

Plain-language definitions for the acronyms and policies that show up across ZeroDayAttack, plus quick-start workflows for common analyst loops.

Glossary

KEV

Known Exploited Vulnerabilities (CISA KEV)

CISA's catalog of CVEs known to be exploited in the wild. Inclusion forces a federal patch deadline (BOD 22-01) and is the strongest signal a vuln deserves immediate action. ZDA flags KEV CVEs with a red 🔥 chip, and `kev=1` is a filter on /feed and CSV exports.

www.cisa.gov/known-exploited-vulnerabilities-catalog

EPSS

Exploit Prediction Scoring System

FIRST.org's ML-derived 0–1 probability that a CVE will be exploited in the next 30 days. Pairs well with severity: a high-severity CVE with EPSS 0.001 is statistically unlikely to be weaponized soon; a medium-severity with EPSS 0.7 is a near-term risk. ZDA shows EPSS as both a percentage and a percentile.

www.first.org/epss

CVSS

Common Vulnerability Scoring System (CVSS v3.1)

0.0–10.0 severity score derived from attack vector, complexity, privileges required, user interaction, and impact metrics. ZDA stores CVSS v3.1 from the highest-trust source available (NVD > GHSA > vendor).

CVE

Common Vulnerabilities and Exposures

MITRE's universal vuln identifier (CVE-YYYY-NNNNN). ZDA normalizes data from NVD, KEV, OSV, GHSA, EPSS, and dozens of vendor PSIRTs onto the CVE.

ATT&CK

MITRE ATT&CK (TTP)

MITRE's matrix of adversary tactics, techniques, and procedures (TTPs). Threat-actor pages on ZDA show all techniques mapped to that group from MITRE ATT&CK Groups STIX data.

attack.mitre.org

SSVC

Stakeholder-Specific Vulnerability Categorization

CISA decision model: combines exploitation status, automatability, technical impact, and mission prevalence into one of five action tiers — Act / Attend / Track* / Track / Defer. ZDA computes a default tier from KEV + exploit + CVSS signals on every CVE detail page.

www.cisa.gov/ssvc

BOD 22-01

Binding Operational Directive 22-01 (KEV due date)

CISA directive requiring federal civilian agencies to remediate KEV-listed vulns by the catalog's `due date`. Even non-federal teams use this date as a sane patch SLO. Surfaced on every CVE that has a KEV entry.

STIX / TAXII

OASIS standards for sharing structured threat intelligence. ZDA serves STIX 2.1 bundles and a TAXII 2.1 collections endpoint at /api/v1/taxii/zda — point your SIEM/SOAR at it for a continuous IOC + advisory feed.

IOC

Indicator of Compromise

Atomic observable (IP, domain, URL, file hash, email) that suggests malicious activity. ZDA aggregates IOCs from URLhaus, MalwareBazaar, Feodo, abuse.ch SSL, OTX, and ThreatFox; records are de-duplicated across sources on the (type, value, source) key.

PURL

Package URL

URL-shaped identifier for a software package, e.g. `pkg:npm/lodash@4.17.20`. ZDA's asset-profile matcher accepts pasted PURLs alongside CPE and `name@version` formats.

CPE

Common Platform Enumeration

URI for a product, vendor, and version (`cpe:2.3:a:apache:log4j:2.14.0:*:*:*:*:*:*:*`). NVD records affected products as CPE; you can paste CPE lines into an asset profile.
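The asset-profile matcher accepts the three identifier formats described above (PURL, CPE 2.3, `name@version`). The following normalizer is an added example, not ZDA's matcher code; the `Component` tuple shape and the `cpe:<vendor>` ecosystem label are assumptions made for illustration.

```python
"""Normalize PURL, CPE 2.3 and name@version lines into one (ecosystem, name, version) tuple."""
import re
from typing import NamedTuple, Optional
from urllib.parse import unquote


class Component(NamedTuple):
    ecosystem: str          # purl type, or "cpe:<vendor>" for CPE input (assumed label)
    name: str
    version: Optional[str]  # None when the version is wildcard/unspecified


def _split_cpe(s: str) -> list:
    # CPE 2.3 formatted strings escape a literal ':' as '\:'; split on unescaped colons only.
    return [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", s)]


def parse_cpe(cpe: str) -> Component:
    fields = _split_cpe(cpe)
    # cpe:2.3 + part + vendor + product + version + 7 trailing attributes = 13 fields
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    _, _, _part, vendor, product, version = fields[:6]
    return Component(f"cpe:{vendor}", product, None if version in ("*", "-") else version)


# pkg:type/namespace/name@version?qualifiers#subpath  (namespace, version, qualifiers, subpath optional)
_PURL = re.compile(r"^pkg:([^/]+)/(?:(.+)/)?([^@?#/]+)(?:@([^?#]+))?(?:\?[^#]*)?(?:#.*)?$")


def parse_purl(purl: str) -> Component:
    m = _PURL.match(purl)
    if not m:
        raise ValueError(f"not a PURL: {purl}")
    ptype, namespace, name, version = m.groups()
    full = f"{unquote(namespace)}/{unquote(name)}" if namespace else unquote(name)
    return Component(ptype, full, unquote(version) if version else None)


def parse_asset_line(line: str) -> Component:
    """Dispatch on prefix: PURL, CPE 2.3, else bare name@version."""
    line = line.strip()
    if line.startswith("pkg:"):
        return parse_purl(line)
    if line.startswith("cpe:2.3:"):
        return parse_cpe(line)
    name, _, version = line.partition("@")
    return Component("unknown", name, version or None)
```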

CWE

Common Weakness Enumeration

Class of vulnerability (e.g. CWE-79 Cross-site Scripting, CWE-89 SQL Injection). NVD maps each CVE to one or more CWEs; visible in the metadata column on /cve/<id>.

GHSA

GitHub Security Advisory

GitHub's curated advisory feed for the open-source ecosystem (npm, pypi, maven, rubygems, nuget, composer, go, rust). One of ZDA's primary trust sources for affected ranges.

OSV

Open Source Vulnerabilities

Google's vendor-neutral OSS vulnerability database. ZDA pulls all ecosystems and merges them into the CVE.

MSRC / PSIRT

Microsoft Security Response Center and the generic term for any vendor's Product Security Incident Response Team — the official source of vendor advisories (CVEs, patch guidance, severity ratings). ZDA ingests MSRC monthly CVRF, Cisco PSIRT, Red Hat CSAF, Apple, GitLab, VMware, Atlassian, and CISA ICS-CERT.

SPDX

Software Package Data Exchange

Linux Foundation standard ID list for software licenses (MIT, Apache-2.0, GPL-3.0-or-later, BUSL-1.1, etc.). When you see SPDX in an SBOM or `LICENSE` file, it's the canonical machine-readable identifier. See the /licenses reference for what each one obligates you to do.

Copyleft

License property that requires that derivative works be released under the same terms. Permissive licenses (MIT, Apache-2.0) have none. Weak copyleft (LGPL, MPL-2.0) is file-scoped. Strong copyleft (GPL) covers the full derivative work. Network copyleft (AGPL) extends the trigger to running modified code as a network service. Detail: /licenses.

Source-available

License where the source is published but commercial / production use requires payment or is restricted. Common examples: BUSL (Terraform 1.6+, Vault), SSPL (MongoDB, Elasticsearch pre-2024, Redis 7.4+), Elastic-2.0. Not OSI-approved; many enterprises prohibit it outright. Detail: /licenses.

Watchlist

A saved expression evaluated each cron tick across vulns/advisories/intel/news. Matches route through your alert channels (webhook / email / Slack). Manage at /app/watchlists.

Asset profile

Tenant-scoped description of what you run — packages, CPEs, hostnames. The matcher computes personalized findings ranked by risk_score (severity × EPSS × KEV × exploit × in-stack). Manage at /app/assets.

Playbooks

Triage a fresh CVE in under 5 minutes

When a new high/critical hits, you have one job — decide whether to drop everything. This is the same loop ZDA's SSVC tier automates on every detail page.

  1. Is it on KEV? If yes → Act tier. Patch on the BOD 22-01 due date.
  2. Is there a public exploit? Check the EXPLOIT chip + linked Exploit-DB / Metasploit row.
  3. EPSS percentile > 0.95? That puts it in the top 5% of all scored CVEs by predicted exploitation likelihood; treat it as a near-term risk.
  4. Does it affect a component in your /app/assets profile? If yes → in-stack multiplier kicks risk_score over 90.
  5. Tag P0/P1/P2 on /app/bench, drop a note with mitigation, hand the ticket to platform.
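The five steps above, encoded as a function over CVE records so the same decision is applied consistently across a batch. This is an added example, not ZDA's SSVC implementation: the record field names (`kev`, `exploit_public`, `epss_percentile`, `in_stack`) and the P0/P1/P2 mapping in step 5 are assumptions; the page does not define how the tags are assigned.

```python
"""Triage loop from the playbook: KEV -> exploit -> EPSS percentile -> in-stack -> tag."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CveRecord:
    cve_id: str
    cvss: float                   # CVSS v3.1 base score
    kev: bool                     # listed in CISA KEV
    kev_due_date: Optional[str]   # BOD 22-01 due date when kev is True
    exploit_public: bool          # EXPLOIT chip: Exploit-DB / Metasploit row present
    epss_percentile: float        # 0-1; > 0.95 is the top 5% of scored CVEs
    in_stack: bool                # matched a component in the /app/assets profile


def triage(rec: CveRecord) -> Tuple[str, List[str]]:
    """Walk the five playbook steps in order and return (priority tag, reasons)."""
    reasons: List[str] = []
    # Step 1: KEV => Act tier; patch on the BOD 22-01 due date, nothing else matters.
    if rec.kev:
        reasons.append(f"KEV listed; patch by {rec.kev_due_date or 'catalog due date'}")
        return "P0", reasons
    # Step 2: public exploit code.
    if rec.exploit_public:
        reasons.append("public exploit available")
    # Step 3: EPSS percentile above 0.95 (top 5% of all scored CVEs).
    if rec.epss_percentile > 0.95:
        reasons.append(f"EPSS percentile {rec.epss_percentile:.2f}")
    # Step 4: affects a component in the asset profile.
    if rec.in_stack:
        reasons.append("matches asset profile (in-stack)")
    # Step 5 (assumed policy): in-stack plus any exploitation signal is P0,
    # a single signal is P1, otherwise P2 for a high/critical CVE.
    exploitation_signal = rec.exploit_public or rec.epss_percentile > 0.95
    if rec.in_stack and exploitation_signal:
        return "P0", reasons
    if exploitation_signal or rec.in_stack:
        return "P1", reasons
    return "P2", reasons or ["no exploitation or in-stack signal"]


def triage_queue(records: List[CveRecord]) -> List[Tuple[str, str]]:
    """Return (priority, cve_id) pairs, most urgent first, then by CVSS descending."""
    tagged = [(triage(r)[0], r) for r in records]
    tagged.sort(key=lambda t: (t[0], -t[1].cvss))
    return [(tag, r.cve_id) for tag, r in tagged]


# Constructed sample records with placeholder CVE ids (not real CVEs).
SAMPLE = [
    CveRecord("CVE-0000-0001", 9.8, True, "2024-01-01", False, 0.10, False),
    CveRecord("CVE-0000-0002", 8.1, False, None, True, 0.50, True),
    CveRecord("CVE-0000-0003", 7.5, False, None, False, 0.97, False),
    CveRecord("CVE-0000-0004", 7.2, False, None, False, 0.30, False),
]
```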

Investigate a threat actor

Pivot from any actor page to their TTPs, linked CVEs, recent mentions, and IOC patterns.

  1. Open /actors/<id>. Targeted sectors + country are at the top.
  2. ATT&CK techniques: each links to attack.mitre.org for hunt logic.
  3. Linked vulnerabilities: cross-references from MITRE ATT&CK Groups + ingested intel.
  4. Mentions in research: Talos, Mandiant, Citizen Lab, ESET pull-ins surfaced inline.
  5. Pin the actor on /app/bench so it shows in the Investigations queue.

Hunt for an IOC across the platform

Paste any IP/domain/hash/URL/email at /iocs and the FTS index returns matches across every IOC source.

  1. Type filter (ipv4 / domain / sha256 / url) narrows the search.
  2. Source filter (urlhaus / threatfox / feodo / otx) limits to one feed.
  3. Click a row to see related CVEs, malware family, and first/last-seen.
  4. CSV export the filtered list for handoff to SIEM enrichment.

Restart the onboarding tour

If you skipped the tour or want a refresher, sign in at /app/login and visit any workspace page — the tour shows automatically until you finish or dismiss it. To replay it after that, use the “Restart tour” control in the tour's footer (or run restartTour() from lib/onboarding/actions); either one clears the completion flag.

Programmatic access

Everything in the UI has a JSON / CSV / STIX equivalent. See /api-docs for the full OpenAPI surface, or use one-shot CSV exports:

  • GET /app/exports/vulns?kev=1 — KEV CVEs only
  • GET /app/exports/iocs?type=domain — domain IOCs
  • GET /app/exports/vendor-advisories?vendor=microsoft — MSRC subset
  • GET /app/exports/asset-findings?profile_id=<id> — your stack's open vulns