Axonius Threat Intelligence

Axonius Threat Intelligence enriches vulnerability data with additional exploit and threat context, helping you understand which CVEs are more likely to represent real-world risk. Instead of relying only on scanner severity or CVSS, you can see whether a vulnerability is known to be exploited, weaponized, trending, associated with threat actors, ransomware, botnets, or included in KEV sources. This gives your security teams better context for prioritization and helps them focus on vulnerabilities that are more likely to be actively used by attackers.

The data also improves investigation and decision-making by adding exploit timelines, references, affected CPEs, MITRE ATT&CK mappings, targeted industries/countries, and related threat activity directly into Axonius. As a result, your security teams can prioritize faster, reduce noise, and make more informed remediation decisions inside their existing exposure management workflows.

📘

Notes

  1. This capability is available only for Exposures customers.
  2. Data received from Axonius Threat Intelligence is available on the Aggregated Security Findings page and on the Vulnerability Repository.

Field Mapping

Axonius Threat Intelligence retrieves and displays the following fields.

📘

Note

Some fields are Complex Fields or Tables. See Asset Profile Page - Complex Fields for more information on table fields.

Field NameDescription
In KEVWhether the CVE is a Known Exploited Vulnerability
VendorThe vendor or organization that owns the affected product
ProductThe specific product affected by the vulnerability
Short DescriptionA brief summary of the vulnerability
Vulnerability NameThe common name assigned to the vulnerability
CISA Date AddedThe date when CISA added the vulnerability to their KEV catalog
KEV Date AddedThe date when Axonius first detected this vulnerability in the KEV catalog
Days Before CISAThe number of days between the Axonius detection and the addition to CISA, calculated as (CISA Date Added - KEV Date Added) in days (when both dates are present)
CWE IDCommon Weakness Enumeration identifiers associated with this vulnerability
Honeypot DetectedWhether Axonius detected exploitation attempts through the Honeypot network
Exploit ReferencesLinks to public exploit code repositories, converted from SSH clone URLs to HTTPS format
CitationsA complex field (table) that references to exploitation reports with source URL and date added fields
Stores the following object fields: Source, Date Added
Public ExploitWhether a publicly available exploit exists for this vulnerability
Weaponized Exploit FoundWhether a weaponized (ready-to-use) exploit was discovered
Exploit MaturityThe highest maturity level of available exploits (e.g., Proof of Concept, Functional, High)
First Weaponized ExploitThe date when the first weaponized or higher-maturity exploit was published
Exploits CountNumber of exploit instances associated with this CVE
Threat Actors CountNumber of threat actor groups associated with exploiting this CVE
Botnets CountNumber of botnet families associated with exploiting this CVE
Ransomware Families CountNumber of ransomware families associated with exploiting this CVE
Most Recent ExploitationThe most recent date of observed exploitation from Shadowserver or Honeypot sources
First ExploitationThe earliest date of observed exploitation
First Exploit PublishedThe date when the first exploit (on any maturity level) was published
Most Recent Exploit PublishedThe date when the most recent exploit was published
Associated Threat ActorsNames of threat actor groups known to exploit this CVE
Targeted CountriesCountries targeted by threat actors exploiting this vulnerability, aggregated across all associated actors
Targeted IndustriesIndustry sectors targeted by threat actors exploiting this vulnerability, aggregated across all associated actors
BotnetsNames of botnet families exploiting this CVE
Ransomware FamiliesNames of ransomware families exploiting this CVE
NVD PublishedWhether the CVE has been officially published on NVD
CAPEC MappingsA complex field (table) that displays common Attack Pattern Enumeration and Classification mappings that describe attack methods
Stores the following object fields: CAPEC ID, Name, URL, Language
MITRE ATT&CK TechniquesA complex field (table) that displays MITRE ATT&CK framework techniques associated with exploiting this vulnerability
Stores the following object fields: ID, Name, URL, Domain, Tactics, Sub-Techniques
MITRE ATT&CK MitigationsA complex field (table) that displays recommended mitigations for each associated ATT&CK technique
Stores the following object fields: ID, Technique ID, Mitigation URL, Description
MITRE ATT&CK DetectionsA complex field (table) that displays detection methods for each associated ATT&CK technique
Stores the following object fields: ID, Technique ID, Data Source, Data Components, Detects
MITRE D3FEND MappingsMITRE D3FEND defensive countermeasure mappings for each associated ATT&CK technique
CVE IDThe unique Common Vulnerabilities and Exposures identifier (e.g., CVE-2024-1234).
CVE DescriptionDetailed description of the vulnerability and its potential impact
First Found DateThe date when this vulnerability was first discovered
Affected CPEsCommon Platform Enumeration identifiers specifying affected software/hardware configurations
CVE ReferencesURLs to external references about the vulnerability, filtered for relevant exploit information
CVSS VersionThe version of the CVSS scoring system used (e.g., 4.0, 3.1)
CVSS VectorThe complete CVSS vector string representing all scoring metrics
CVE Vector: Attack VectorHow the vulnerability can be exploited (Network, Adjacent, Local, Physical)
CVE Vector: Access ComplexityThe complexity required to exploit the vulnerability
CVE Vector: Privileges RequiredThe level of privileges an attacker needs before exploitation
CVE Vector: User InteractionWhether exploitation requires user action
Commercial Exploit FoundWhether commercial exploit tools or frameworks include this vulnerability
First Threat Actor Report DateThe earliest date when a threat actor was reported exploiting this CVE
Most Recent Threat Actor Report DateThe most recent date when a threat actor was reported exploiting this CVE
First Ransomware Report DateThe earliest date when ransomware was reported exploiting this CVE
Most Recent Ransomware Report DateThe most recent date when ransomware was reported exploiting this CVE
First Botnet Report DateThe earliest date when a botnet was reported exploiting this CVE
Most Recent Botnet Report DateThe most recent date when a botnet was reported exploiting this CVE
Trending on GitHubWhether exploit-related repositories for this CVE are trending on GitHub.
ExploitsDetailed records of individual exploits

Viewing Data

Data retrieved by Axonius Threat Intelligence is marked by a dedicated icon under the Adapter Connections column:

To add data from this source:

  1. From the Aggregated Security Findings page or the Vulnerability Repository, click the Query Wizard.

  2. Select Axonius Threat Intelligence from the Source dropdown.

  3. Select the required fields from the Field dropdown and apply any additional filters according to your needs. You can also add columns from Edit Columns > Edit Table.

    Example data:

Select an asset from the table to explore it on its Profile page, then select Axonius Threat Intelligence under Adapter Connections to view the relevant data.

Clickable field names are tables and appear under the Asset Profile's Tables section. For example, see the CVE References table: