Security teams are drowning in feeds. CVE databases, exploitation feeds, ISAC bulletins, vendor advisories, commercial threat intelligence subscriptions, open-source OSINT aggregators: the data available to a vulnerability management program has never been larger or more fragmented. The result, in most organizations, is a paradox: more threat data than ever before, and no clearer picture of what to patch first.
Feed overload is its own form of blindness. When every source claims urgency and no prioritization framework exists to weight them against each other, analysts tune out the alerts and revert to patching by CVSS score, which is exactly the problem all the intelligence was supposed to solve.
This article maps the threat intelligence space for vulnerability management: what each feed is, what it actually tells you, and how to decide what belongs in your core program versus what is noise for your specific use case.
The Core Free Feeds Every VM Program Should Use
CISA Known Exploited Vulnerabilities (KEV)
The KEV catalog is the single highest-signal feed for vulnerability management. It is maintained by CISA and contains CVEs that are being actively exploited in the wild, confirmed with sufficient evidence to meet CISA's criteria for inclusion. New entries are added multiple times per week, and each entry includes the CVE ID, affected product, required action, and due date (for federal agencies).
KEV tells you: this vulnerability is being used by real attackers right now. It does not tell you how widespread the exploitation is, which threat actors are using it, or what the attack chain looks like. For VM purposes, that does not matter: KEV status is a binary override signal. If you have a KEV-listed CVE in your environment, it goes to the top of your queue unconditionally. Two caveats a practitioner should keep in mind. First, KEV only lists vulnerabilities that have a CVE ID, reliable evidence of active exploitation, and a clear remediation action, so absence from KEV is not evidence that a vulnerability is unexploited. Second, the required action is not always "apply the patch"; for end-of-life products it can be to discontinue use, which is a different ticket for the asset owner.
Update frequency: multiple times per week. Format: JSON (a CSV export is also published). Size: a single small file, a few hundred kilobytes growing toward the low megabytes as entries accumulate. Free.
EPSS (Exploit Prediction Scoring System)
EPSS is a daily machine learning-based score (0–1) estimating the probability that a CVE will be exploited in the wild in the next 30 days; each score is published alongside a percentile that ranks the CVE against all other scored CVEs. It is published by FIRST and trained on exploit databases, threat intelligence feeds, malware samples, and historical exploitation patterns. EPSS is where statistical prediction meets operational prioritization.
What EPSS tells you: the exploitation probability for a given CVE, and how that probability is trending over time. A CVE whose EPSS score jumps from 0.01 to 0.6 over seven days is accelerating toward exploitation, often because a PoC was published or a threat actor started incorporating it into their toolkit.
What EPSS does not tell you: whether your specific assets are exposed, whether exploitation has already happened, or which threat actors are doing the exploiting. It is a population-level forecast, not an observation, which is why it complements rather than replaces KEV.
Update frequency: daily. Format: gzipped CSV. Size: ~8MB. Free.
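The override-then-rank logic described above, as an added example that is not code from the original article, CISA, or FIRST. It parses a constructed KEV snapshot in the shape of the published JSON catalog (real field names, synthetic CVE-2099-* entries) and two constructed EPSS CSV snapshots a week apart, then ranks the open CVEs of a constructed asset inventory: KEV listing is an unconditional tier-1 override, an EPSS jump or a score above a threshold is tier 2, everything else falls back to CVSS-based scheduling. The thresholds (0.1 score, 0.2 jump) and the inventory are assumptions for the demonstration.

```python
import csv
import json

# Constructed KEV snapshot. Field names follow the published catalog schema;
# the CVE IDs and products are synthetic and not real catalog entries.
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2099.01.07",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
         "vulnerabilityName": "ExampleVendor Gateway RCE", "dateAdded": "2099-01-02",
         "shortDescription": "constructed entry", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2099-01-23", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleVendor", "product": "LegacyAgent",
         "vulnerabilityName": "ExampleVendor LegacyAgent auth bypass", "dateAdded": "2099-01-05",
         "shortDescription": "constructed entry", "requiredAction": "Product is end of life; discontinue use.",
         "dueDate": "2099-01-26", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed EPSS snapshots. The real file is gzipped CSV whose first line is a
# '#model_version:...,score_date:...' comment followed by a 'cve,epss,percentile' header.
EPSS_DAY1 = """#model_version:v2023.03.01,score_date:2099-01-01T00:00:00+0000
cve,epss,percentile
CVE-2099-0001,0.95,0.999
CVE-2099-0003,0.01,0.400
CVE-2099-0004,0.02,0.550
CVE-2099-0005,0.30,0.960
"""
EPSS_DAY7 = """#model_version:v2023.03.01,score_date:2099-01-07T00:00:00+0000
cve,epss,percentile
CVE-2099-0001,0.97,0.999
CVE-2099-0003,0.62,0.975
CVE-2099-0004,0.02,0.550
CVE-2099-0005,0.31,0.960
"""

# Constructed asset inventory: open CVE -> hosts. CVE-2099-0002 is in KEV but
# absent here; CVE-2099-0006 has no EPSS row yet (a freshly published CVE).
OPEN_CVES = {
    "CVE-2099-0001": ["gw-01", "gw-02"],
    "CVE-2099-0003": ["app-03"],
    "CVE-2099-0004": ["app-03", "app-04"],
    "CVE-2099-0005": ["db-01"],
    "CVE-2099-0006": ["legacy-09"],
}


def load_kev(text):
    """Index the KEV catalog by CVE ID so membership checks are O(1)."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def load_epss(text):
    """Parse the EPSS CSV, skipping the leading '#' metadata line."""
    rows = [line for line in text.splitlines() if line and not line.startswith("#")]
    return {row["cve"]: float(row["epss"]) for row in csv.DictReader(rows)}


def prioritize(open_cves, kev, epss_now, epss_before, epss_threshold=0.1, jump_threshold=0.2):
    """Tier 1: in KEV (override). Tier 2: EPSS accelerating or above threshold.
    Tier 3: no exploitation signal, fall back to CVSS-based scheduling."""
    ranked = []
    for cve, hosts in open_cves.items():
        now, before = epss_now.get(cve), epss_before.get(cve, 0.0)
        if cve in kev:
            entry = kev[cve]
            tier, reason = 1, f"KEV: due {entry['dueDate']}; action: {entry['requiredAction']}"
        elif now is None:
            tier, reason = 3, "no EPSS score yet; check vendor advisory for a newly published CVE"
        elif now - before >= jump_threshold:
            tier, reason = 2, f"EPSS accelerating {before:.2f} -> {now:.2f}"
        elif now >= epss_threshold:
            tier, reason = 2, f"EPSS {now:.2f} above threshold"
        else:
            tier, reason = 3, f"EPSS {now:.2f}; schedule by CVSS"
        ranked.append({"cve": cve, "tier": tier, "epss": now or 0.0, "hosts": hosts, "reason": reason})
    # Highest tier first, then highest EPSS, then CVE ID for a stable order.
    ranked.sort(key=lambda r: (r["tier"], -r["epss"], r["cve"]))
    return ranked


def build_queue():
    return prioritize(OPEN_CVES, load_kev(KEV_JSON), load_epss(EPSS_DAY7), load_epss(EPSS_DAY1))


if __name__ == "__main__":
    for item in build_queue():
        print(f"P{item['tier']} {item['cve']} epss={item['epss']:.2f} hosts={item['hosts']} {item['reason']}")
```

The queue puts CVE-2099-0001 first because it is in KEV, then CVE-2099-0003, whose score jumped from 0.01 to 0.62 in a week (the acceleration pattern described above), then CVE-2099-0005 on its absolute score. CVE-2099-0006 lands in tier 3 with an explicit "no EPSS score yet" reason rather than a silent zero, which is the case that usually needs a vendor advisory check.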
NVD (National Vulnerability Database)
The NVD is the authoritative source for CVE metadata: CVSS scores, affected product CPEs, CWE classifications, and NVD analyst notes. It is where vulnerability intelligence lives, not threat intelligence. NVD tells you what a vulnerability is and how severe it theoretically is. It says nothing about whether anyone is exploiting it.
NVD coverage is near-complete for disclosed CVEs, but publication can lag CVE assignment by days to weeks, and NVD's own enrichment (CVSS scoring, CPE assignment) can lag further behind the initial record, as the 2024 analysis backlog showed. That is a meaningful gap for zero-days in active exploitation. For recently published high-severity CVEs, supplement NVD with vendor advisories, which often publish faster, and with the CVSS vector the CNA includes in the CVE record itself.
Update frequency: continuous via the NVD 2.0 REST API, with bulk JSON data files available daily. Format: JSON, one file per year. Free.
Google OSV (Open Source Vulnerabilities)
OSV covers vulnerabilities in open-source packages: npm, PyPI, Maven, Go modules, Rust crates, and more. Where NVD coverage of open-source vulnerabilities is inconsistent (many OSS CVEs are published weeks after discovery), OSV has faster and more complete coverage of the package ecosystem. For any organization running substantial open-source software stacks, OSV is a required complement to NVD, not optional.
OSV also provides affected version ranges in a machine-parseable format: each affected package carries ranges expressed as ordered "introduced" and "fixed" (or "last_affected") events, optionally with an explicit list of affected versions. That is significantly more useful for automated scanning than NVD's CPE-based versioning, which is notoriously difficult to match against package manager output.
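Matching a lockfile against OSV-style affected ranges, as an added example that is not code from the original article or from the OSV project. The advisory below is constructed in the shape of the OSV schema (a synthetic EXAMPLE-2099-0001 id, not a real advisory) and the installed package list stands in for a parsed lockfile. The version comparison is a deliberately simplified numeric split-on-dots comparison, an assumption for the demonstration: production code should use a PEP 440 parser for PyPI and a semver parser for npm, because OSV ECOSYSTEM ranges are ordered by the ecosystem's own rules.

```python
# Constructed OSV record (schema-shaped, synthetic id and package names).
OSV_ENTRY = {
    "id": "EXAMPLE-2099-0001",
    "aliases": ["CVE-2099-0001"],
    "summary": "constructed advisory for demonstration",
    "affected": [
        {
            "package": {"ecosystem": "PyPI", "name": "examplepkg"},
            # Two vulnerable intervals: [0, 1.4.2) and [2.0.0, 2.1.5)
            "ranges": [{"type": "ECOSYSTEM", "events": [
                {"introduced": "0"}, {"fixed": "1.4.2"},
                {"introduced": "2.0.0"}, {"fixed": "2.1.5"},
            ]}],
        },
        {
            "package": {"ecosystem": "npm", "name": "example-pkg"},
            # last_affected is inclusive: [3.0.0, 3.2.0]
            "ranges": [{"type": "SEMVER", "events": [
                {"introduced": "3.0.0"}, {"last_affected": "3.2.0"},
            ]}],
            "versions": ["3.0.0", "3.1.0", "3.2.0"],
        },
    ],
}

# Constructed "parsed lockfile": (ecosystem, package name, installed version).
INSTALLED = [
    ("PyPI", "examplepkg", "1.4.1"),
    ("PyPI", "examplepkg", "1.9.0"),
    ("PyPI", "examplepkg", "2.0.0"),
    ("PyPI", "examplepkg", "2.1.5"),
    ("npm", "example-pkg", "3.2.0"),
    ("npm", "example-pkg", "3.2.1"),
    ("npm", "other-pkg", "1.0.0"),
]


def version_key(version):
    """Simplified comparison key (assumption): leading digits of each dotted
    component, with trailing zeros stripped so '2.3' == '2.3.0'."""
    parts = []
    for component in version.split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def intervals(events):
    """Pair each 'introduced' event with the following 'fixed'/'last_affected'.
    An 'introduced' with no closing event is an open-ended interval."""
    out, current = [], None
    for event in events:
        if "introduced" in event:
            if current is not None:
                out.append(current)
            current = {"introduced": event["introduced"]}
        elif current is not None and ("fixed" in event or "last_affected" in event):
            current.update(event)
            out.append(current)
            current = None
    if current is not None:
        out.append(current)
    return out


def is_affected(version, affected_entry):
    if version in affected_entry.get("versions", []):
        return True
    key = version_key(version)
    for rng in affected_entry.get("ranges", []):
        if rng["type"] not in ("ECOSYSTEM", "SEMVER"):
            continue  # GIT ranges need the commit graph, not version ordering
        for iv in intervals(rng["events"]):
            if iv["introduced"] != "0" and key < version_key(iv["introduced"]):
                continue
            if "fixed" in iv and key >= version_key(iv["fixed"]):
                continue
            if "last_affected" in iv and key > version_key(iv["last_affected"]):
                continue
            return True
    return False


def scan(installed, advisories):
    """Return (ecosystem, name, version, advisory id) for every vulnerable install."""
    findings = []
    for ecosystem, name, version in installed:
        for adv in advisories:
            for entry in adv["affected"]:
                pkg = entry["package"]
                if pkg["ecosystem"] == ecosystem and pkg["name"] == name and is_affected(version, entry):
                    findings.append((ecosystem, name, version, adv["id"]))
    return findings


if __name__ == "__main__":
    for finding in scan(INSTALLED, [OSV_ENTRY]):
        print(finding)
```

Note the two boundary cases the interval logic handles: "fixed" is exclusive (2.1.5 is clean), while "last_affected" is inclusive (3.2.0 is still vulnerable). Getting those backwards is the classic way a homegrown scanner reports a patched version as vulnerable or, worse, the reverse. The same `package`/`version` pairs are what the OSV query API accepts, so the lockfile walk above is also the shape of an online batch query.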
The Contextual Feeds That Require Interpretation
MITRE ATT&CK
ATT&CK is a knowledge base of attacker tactics, techniques, and procedures, not a vulnerability feed. It tells you how adversaries behave once they have access, not which CVEs they are using to get it. The connection to VM is indirect: techniques that depend on exploiting specific vulnerability classes (for example T1190, Exploit Public-Facing Application, or T1068, Exploitation for Privilege Escalation) can help you identify which vulnerability categories matter most to your threat model. But mapping your open CVEs to ATT&CK techniques directly is a high-effort exercise that most teams cannot sustain operationally.
For VM programs, ATT&CK is most useful for understanding which software categories are most targeted by your relevant threat actors, not for triaging individual CVEs.
Vendor Security Advisories
Vendor advisories (Microsoft Patch Tuesday, Cisco advisories, VMware security bulletins, Apache security announcements) often precede NVD publication by days to weeks for critical vulnerabilities. Monitoring advisories for your specific software stack, particularly for high-criticality vendors like OS providers, network equipment manufacturers, and infrastructure software, gives you an early warning that NVD will not. This is particularly important for zero-days that are being patched before a CVE is formally assigned.
The trade-off: vendor advisories require manual monitoring per vendor, have inconsistent formats, and require correlation back to your asset inventory. They are high-value but high-effort.
Sector-Specific ISACs
Information Sharing and Analysis Centers (FS-ISAC for financial services, H-ISAC for healthcare, E-ISAC for energy, etc.) provide sector-specific threat intelligence including vulnerability exploitation activity targeting your industry. ISAC bulletins sometimes identify that a vulnerability is being actively exploited in your sector before CISA adds it to KEV. For organizations in targeted sectors, ISAC membership provides meaningful signal uplift, particularly for nation-state activity that CISA may be slower to publicize.
The limitation: ISAC intelligence requires membership and often involves manual consumption of PDF reports that do not integrate easily into automated VM workflows.
Free vs. Commercial Feeds: A Practical Comparison
| Feed | Type | Cost | VM Signal Value | Integration Complexity |
|---|---|---|---|---|
| CISA KEV | Vulnerability intel | Free | Critical | Low, JSON feed |
| FIRST EPSS | Exploitation prediction | Free | Critical | Low, daily CSV |
| NVD | Vulnerability intel | Free | Critical | Low, JSON feeds and REST API |
| Google OSV | Vulnerability intel (OSS) | Free | High (OSS stacks) | Low, API + JSON |
| Vendor advisories | Vulnerability intel | Free | High (specific vendors) | High, manual, varied format |
| MITRE ATT&CK | Threat intel (TTP) | Free | Medium (strategic) | High, requires TTP-to-CVE mapping |
| ISAC bulletins | Sector threat intel | Membership fees | High (sector-specific) | High, manual PDF reports |
| Commercial feeds (Recorded Future, Mandiant, etc.) | Threat intel + vuln intel | $50K–$500K/yr | High (if tuned) | Medium, API, pre-correlated |
Avoiding Feed Overload: A Practical Framework
The most common mistake in building a threat-informed VM program is subscribing to every available feed and then failing to operationalize any of them. More feeds do not produce better prioritization without a model for weighting and correlating them.
A practical starting point for most organizations:
- Start with the free critical feeds. KEV, EPSS, and NVD cover the vast majority of what matters for day-to-day VM prioritization. Get these ingested, correlated, and operational before adding anything else.
- Add OSV if you have open-source dependencies. If your organization runs applications with npm, PyPI, or Maven dependencies, OSV is not optional; NVD coverage of package-level vulnerabilities is insufficient.
- Add vendor advisories for your top 10 software vendors. Identify the 10 software vendors whose products have the broadest deployment in your environment. Set up email alerts or RSS for their security advisories. That is a manageable monitoring commitment with high relevance.
- Evaluate commercial feeds against a specific operational gap. If your team is spending significant time on threat actor attribution or trying to correlate CVEs to specific threat groups targeting your sector, a commercial feed may close that gap. If you cannot articulate the specific decision a commercial feed would improve, the subscription is spend without a return, and the integration work will compete with the core feeds you have not yet operationalized.
- Do not add ISAC feeds until your core program is functional. ISAC intelligence is valuable but high-consumption. Add it once you have the operational capacity to actually act on sector-specific bulletins within their relevant time window.
The goal of a threat-informed vulnerability management program is not to consume every available feed. It is to consume the feeds that most reliably tell you which vulnerabilities in your environment are most likely to be exploited next, and to act on that signal faster than the attackers do. CISA KEV and EPSS accomplish that for the vast majority of organizations at zero cost. Everything else is incremental, and only valuable if you have the operational capacity to act on it.