What You Will Achieve
By the end of this playbook you will have:
- A Python prioritization script that scores CVEs using KEV presence, EPSS, and CVSS
- A daily CVE watchlist synced from isMalicious CVE endpoints
- Ticket-ready output (CSV/JSON) for patch management workflows
- Clear escalation rules when KEV + high EPSS overlap active threat campaigns
Prerequisites
| Requirement | Details |
|---|---|
| isMalicious API key | Pro or Enterprise for CVE dashboard access |
| Python 3.9+ | For the prioritization script |
| Asset inventory (optional) | Map CVEs to affected products in your environment |
Explore live CVE context at ismalicious.com/cve and API reference at ismalicious.com/api-docs.
Step 1: Fetch CVE metrics from isMalicious
Use the CVE API to retrieve CVSS, EPSS, KEV (Known Exploited Vulnerabilities), and SSVC context for each CVE ID you track. The script below needs the `requests` package and reads the API key (and optional secret) from environment variables rather than hard-coding them.
```python
#!/usr/bin/env python3
"""Prioritize CVEs using KEV + EPSS + CVSS from isMalicious."""
import base64
import functools
import os

import requests

API_BASE = "https://ismalicious.com/api/cve"
API_KEY = os.environ["ISMALICIOUS_API_KEY"]
API_SECRET = os.environ.get("ISMALICIOUS_API_SECRET", "")
# Credentials travel base64-encoded as key:secret in the X-API-KEY header.
AUTH = base64.b64encode(f"{API_KEY}:{API_SECRET}".encode()).decode()
HEADERS = {
    "X-API-KEY": AUTH,
    "Accept": "application/json",
}


@functools.lru_cache(maxsize=None)
def fetch_cve(cve_id: str) -> dict:
    """Fetch one CVE record. Cached so later steps reuse it without a second request."""
    resp = requests.get(f"{API_BASE}/{cve_id}", headers=HEADERS, timeout=30)
    resp.raise_for_status()
    return resp.json()


def priority_score(data: dict) -> float:
    """Higher = patch sooner. KEV is dominant; EPSS breaks ties, CVSS comes last."""
    # A KEV listing outweighs any EPSS + CVSS combination (their maximum is 100 + 100).
    kev = 1000.0 if (data.get("kev") or {}).get("listed") else 0.0
    # EPSS is a probability in [0, 1]; scale to 0-100.
    epss = float((data.get("epss") or {}).get("score") or 0) * 100
    # CVSS base score is 0-10; scale to 0-100.
    cvss = float((data.get("cvss") or {}).get("score") or 0) * 10
    return kev + epss + cvss


if __name__ == "__main__":
    watchlist = ["CVE-2024-3400", "CVE-2023-4966", "CVE-2024-21762"]
    ranked = sorted(
        ((cve, priority_score(fetch_cve(cve))) for cve in watchlist),
        key=lambda x: x[1],
        reverse=True,
    )
    for cve_id, score in ranked:
        print(f"{cve_id}\tpriority={score:.1f}")
```
Run a free threat report on related domains or IPs if a CVE ties to active exploitation in your sector.
Step 2: Define escalation tiers
| Tier | Condition | Action |
|---|---|---|
| P0 | KEV listed + EPSS ≥ 0.5 | Emergency patch within 72h |
| P1 | KEV listed OR EPSS ≥ 0.3 | Patch within 14 days |
| P2 | CVSS ≥ 7.0 | Standard change window |
| P3 | All other tracked CVEs | Backlog review monthly |

Evaluate the rows top-down and stop at the first match: a KEV-listed CVE with EPSS ≥ 0.5 satisfies both P0 and P1 and must land in P0. Align the thresholds and SLAs with your compliance program and risk appetite.
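The tier table as a first-match rule set, added here as an example (this is not code from the playbook). It assumes the same JSON field names the Step 1 script reads (`kev.listed`, `epss.score`, `cvss.score`); the CVE IDs and scores in the sample records are constructed placeholders. Two edge cases the table leaves implicit are handled explicitly: a KEV-listed CVE whose EPSS has not been published yet still escalates to P1 (missing EPSS counts as 0, it does not block the rule), and only P0/P1 get a computed deadline because P2/P3 have no fixed SLA in the table.

```python
"""Escalation tiers from Step 2 as a first-match rule table (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    kev_listed: bool
    epss: Optional[float]  # None when no EPSS score has been published
    cvss: Optional[float]  # None when no CVSS base score is available


# (tier, condition, action, SLA). Order matters: a KEV-listed CVE with EPSS >= 0.5
# matches both P0 and P1, so evaluation stops at the first true condition.
# P2 and P3 carry no fixed deadline in the table, hence SLA None.
TIERS = [
    ("P0", lambda r: r.kev_listed and (r.epss or 0.0) >= 0.5,
     "Emergency patch within 72h", timedelta(hours=72)),
    ("P1", lambda r: r.kev_listed or (r.epss or 0.0) >= 0.3,
     "Patch within 14 days", timedelta(days=14)),
    ("P2", lambda r: (r.cvss or 0.0) >= 7.0, "Standard change window", None),
    ("P3", lambda r: True, "Backlog review monthly", None),
]


def assign_tier(record: CveRecord) -> tuple:
    """Return (tier, action, sla) for the first matching row of TIERS."""
    for tier, condition, action, sla in TIERS:
        if condition(record):
            return tier, action, sla
    raise RuntimeError("unreachable: P3 matches every record")


def from_api_record(cve_id: str, data: dict) -> CveRecord:
    """Map the JSON shape assumed in Step 1 (kev.listed, epss.score, cvss.score)
    into a CveRecord. Absent or null sections become False/None instead of raising."""
    kev = data.get("kev") or {}
    epss = (data.get("epss") or {}).get("score")
    cvss = (data.get("cvss") or {}).get("score")
    return CveRecord(
        cve_id=cve_id,
        kev_listed=bool(kev.get("listed")),
        epss=float(epss) if epss is not None else None,
        cvss=float(cvss) if cvss is not None else None,
    )


def triage(records, discovered_at: datetime) -> list:
    """Tier each record and compute the SLA deadline where the tier has one.
    Returns a list of (cve_id, tier, action, due_by_iso_or_None)."""
    out = []
    for r in records:
        tier, action, sla = assign_tier(r)
        due = (discovered_at + sla).isoformat() if sla else None
        out.append((r.cve_id, tier, action, due))
    return out


# Constructed sample records with made-up scores; the IDs are placeholders, not real CVEs.
SAMPLE_RECORDS = [
    CveRecord("CVE-0000-1001", True, 0.93, 9.8),   # KEV + high EPSS -> P0
    CveRecord("CVE-0000-1002", True, None, 8.1),   # KEV, EPSS not published yet -> P1
    CveRecord("CVE-0000-1003", False, 0.35, 5.0),  # EPSS alone crosses 0.3 -> P1 despite medium CVSS
    CveRecord("CVE-0000-1004", False, 0.02, 9.8),  # critical CVSS but low EPSS -> P2
    CveRecord("CVE-0000-1005", False, None, 4.3),  # nothing notable -> P3
]
# Fixed timestamp so the deadlines are reproducible; use datetime.now(timezone.utc) in production.
SAMPLE_DISCOVERED_AT = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for cve_id, tier, action, due in triage(SAMPLE_RECORDS, SAMPLE_DISCOVERED_AT):
        print(f"{cve_id}\t{tier}\t{action}\tdue={due}")
```

Feed `from_api_record(cve_id, fetch_cve(cve_id))` from the Step 1 script into `triage` to tier a live watchlist; the rule table is the single place to adjust thresholds when your risk appetite changes.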
Step 3: Export for patch management
Extend the Step 1 script (it reuses `ranked` and `fetch_cve` from there) to emit a CSV that ServiceNow or Jira can import:
```python
import csv

with open("cve-priority-queue.csv", "w", newline="") as f:
    writer = csv.writer(f)
    writer.writerow(["cve_id", "priority_score", "kev", "epss", "cvss", "report_url"])
    for cve_id, score in ranked:
        data = fetch_cve(cve_id)  # same record that produced the score in Step 1
        writer.writerow([
            cve_id,
            f"{score:.1f}",
            (data.get("kev") or {}).get("listed", False),
            (data.get("epss") or {}).get("score"),
            (data.get("cvss") or {}).get("score"),
            f"https://ismalicious.com/cve/{cve_id}",
        ])
```
Step 4: Correlate with threat intel
When a CVE appears in KEV and related C2 or phishing infrastructure hits your SIEM enrichment playbook, escalate to incident response.
For enterprise SOC workflows see isMalicious for SIEM.
Related resources
- CVE dashboard — browse KEV, EPSS, and SSVC in the UI
- API documentation — CVE endpoints and authentication
- SIEM enrichment playbook — correlate exploited CVEs with live IOCs
- Compliance solutions — audit-ready vulnerability reporting
- Free threat report — check related infrastructure on demand
Next steps
Schedule daily cron execution, connect output to your CMDB asset matches, and subscribe to isMalicious CVE alerts for newly KEV-listed IDs affecting your stack.