VulnSea for agentic workflows
VulnSea is built to be read by machines first. Every vulnerability is a structured markdown document with stable YAML frontmatter, mirrored as JSON and exposed through an incremental, cache-aware HTTP API. That makes it a clean knowledge source to wire directly into an agent loop — for automated triage, vulnerability management, and risk assessment — without scraping HTML or parsing prose.
Try it in ten seconds
No account needed: paste your dependencies (a package.json, requirements.txt, or go.mod) and see which are hit by known CVEs, ranked by our depth score — a single 0–100 urgency number that blends CVSS, EPSS, and proof of exploitation. Check pipeline freshness anytime on the status page.
Why it fits agents
- Stable structure. Frontmatter fields (
id,severity,cvss,epss,kev,exploited,affected/patched) are typed and consistent — safe to branch on without an LLM call. - Two depths. Scan a compact
/api/digestline per CVE for cheap filtering, then pull the full/cve/<id>.mdonly for the ones that survive triage — keeps token cost down. - Delta-first. An
ingestedAthigh-water mark + cursor paging means the agent only ever processes what is new since its last run. - Cheap idle.
If-None-Match→304when nothing changed, so a frequent poll costs almost nothing. - Self-describing. Point any tool-use model or codegen at
/openapi.jsonto mint a typed client or agent tool automatically.
Pattern 1 — Automated triage loop
A scheduled agent that watches for new vulnerabilities, filters to what matters to you, and escalates. Cheap to run on a tight schedule.
Poll the delta
next until it is null. Send the last ETag to short-circuit when idle.AUTH="Authorization: Bearer vsk_your_key"
curl -H "$AUTH" -H "If-None-Match: $ETAG" \
"https://vulnsea.com/api/digest?since=$HWM&order=asc&format=ndjson"
# 304 => nothing new, sleep | 200 => one CVE per lineFilter without an LLM
kev=true OR exploited=true OR severity=critical OR epss over your threshold, intersected with vendors/products in your asset inventory.# server-side narrowing also supported:
curl -H "$AUTH" \
"https://vulnsea.com/api/cve?since=$HWM&severity=critical,high&exploited=true&order=asc"Deep-read survivors
curl -H "$AUTH" https://vulnsea.com/cve/CVE-2021-44228.mdDecide & route
Pattern 2 — Continuous vuln management
Keep a running picture of exposure across your inventory rather than reacting per-CVE.
- Inventory join. Match
vendor/productandaffected/patchedversion ranges against your SBOM/CMDB to flag what you actually run — or hand a component list toPOST /api/sbom(and thetriage_sbomMCP tool) and let VulnSea do the matching. - Prioritize with signal. Rank by
kev→exploited→epss→cvssso remediation effort tracks real-world risk, not just base score. - Saved searches. Persist your standing queries (e.g. critical KEV affecting nginx) and let the agent re-run them each cycle — see your account.
- Close the loop. Re-query
patchedversions to auto-verify remediation and burn down the backlog.
Pattern 3 — On-demand risk assessment
Answer a point question — "are we exposed to X?" — by giving a model the search and read tools and letting it investigate.
# 1. find candidates
curl -H "$AUTH" "https://vulnsea.com/api/search?q=log4shell&kev=true"
# 2. pull full detail for the model to reason over
curl -H "$AUTH" https://vulnsea.com/api/cve/CVE-2021-44228
curl -H "$AUTH" https://vulnsea.com/cve/CVE-2021-44228.mdSearch is typo-tolerant (FTS5). Use /api/search to locate, /api/cve/<id> for structured facts, and the .md for narrative the model can cite.
Wiring it into a model
Minimal, high-leverage tool surface to expose to a tool-use agent:
search_cves(q, severity?, kev?)→/api/searchlist_new_cves(since, order=asc)→/api/cve(cursor paging)get_cve(id)→/api/cve/<id>(structured)read_cve_markdown(id)→/cve/<id>.md(narrative)
All four are described in https://vulnsea.com/openapi.json — generate the tool definitions instead of hand-writing them.
Access model
The latest 100 CVEs (by publish date) are free and need no auth — enough to prototype an agent. Older CVEs and full-corpus enumeration need an account: send an API key or call from a logged-in session. Every response carries an access field (public or full) so the agent always knows which window it is seeing. See the API usage guide for auth, paging, and caching detail.