
Vulnerability Domain


Category: API Domains | Last Updated: Feb 5, 2026

Overview

During an incident response engagement, a forensic analyst discovers the attackers entered through CVE-2024-3400, a critical-rated command injection vulnerability in a firewall product. She creates a vulnerability profile with the CVE identifier, CVSS score of 10.0, and links it to both the affected system records and the active investigation. The profile joins a growing library that the team references when assessing exposure during future threat assessments. That structured, investigation-linked approach to CVE management is what the Vulnerability domain provides.

The domain handles vulnerability profile management for tracking CVEs and security vulnerabilities within investigations. Profiles include CVE identifiers, CVSS severity scores, affected systems, and reference links to support cybersecurity analysis and incident response. All vulnerability data is stored in PostgreSQL with multi-tenant organisation isolation and full investigation linking.

Key Features

  • CVE Tracking: Create and maintain vulnerability profiles using standard CVE identifiers to catalog known security vulnerabilities relevant to investigations and threat analysis.

  • CVSS Severity Scoring: Record Common Vulnerability Scoring System scores with automatic severity classification (Critical, High, Medium, Low, None) for risk prioritisation.

  • Affected Systems: Document which systems, software, and infrastructure components are affected by each vulnerability to understand exposure scope.

  • Reference Management: Link vulnerability profiles to authoritative references including National Vulnerability Database entries, vendor advisories, and technical documentation.

  • Threat Assessment: Assign threat levels and assessments to vulnerability profiles to communicate risk in the context of the broader investigation or organisational security posture.

  • Investigation Linking: Associate vulnerability profiles with active investigations and related target profiles for comprehensive case management.

CVSS Severity Levels

Score        Severity
9.0 - 10.0   Critical
7.0 - 8.9    High
4.0 - 6.9    Medium
0.1 - 3.9    Low
0.0          None

The bands are the CVSS v3.1 qualitative severity rating scale. A CVSS base score always carries exactly one decimal place, so the bands are contiguous: there is no score that falls between 3.9 and 4.0, or between 0.0 and 0.1.
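The classification the table describes, together with the checks a client should run on a profile before submitting it (CVE identifier syntax per the MITRE convention, CVSS score range and precision, TLP label, reference URLs), as an added example. This is not the platform's own code: the page does not publish the GraphQL schema, so the field names (cve_id, cvss_score, affected_systems, references, secrecy_level), the function names and the sample profile below are this example's assumptions.

```python
"""Validate and classify a vulnerability profile before submission.

Added example, not part of the Vulnerability domain's own code base. Field
names mirror the ones the page lists; the validation rules are assumptions.
"""
import re
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# MITRE CVE ID syntax: "CVE-" + four-digit year + "-" + four or more digits.
# IGNORECASE so "cve-2024-3400" is accepted and normalised to upper case.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$", re.IGNORECASE)

# CVSS v3.1 qualitative severity bands as (inclusive lower bound, label),
# checked from highest to lowest so the first match wins.
CVSS_BANDS = (
    (Decimal("9.0"), "Critical"),
    (Decimal("7.0"), "High"),
    (Decimal("4.0"), "Medium"),
    (Decimal("0.1"), "Low"),
    (Decimal("0.0"), "None"),
)

# TLP 2.0 labels plus TLP:WHITE, the TLP 1.0 name the profile defaults to.
TLP_LABELS = {"TLP:RED", "TLP:AMBER", "TLP:AMBER+STRICT", "TLP:GREEN",
              "TLP:CLEAR", "TLP:WHITE"}


def cvss_severity(score) -> str:
    """Return the CVSS v3.1 severity band for a base score.

    Raises ValueError for anything that is not a finite, one-decimal score in
    0.0-10.0. A stored base score is already a spec-computed value, so an
    input such as 8.95 signals an upstream bug rather than something to round.
    Decimal(str(...)) avoids binary-float noise (0.1 != 0.1000000000000000055).
    """
    try:
        value = Decimal(str(score))
    except InvalidOperation:
        raise ValueError(f"CVSS score is not numeric: {score!r}")
    if not value.is_finite():
        raise ValueError(f"CVSS score is not a finite number: {score!r}")
    if not Decimal("0.0") <= value <= Decimal("10.0"):
        raise ValueError(f"CVSS score out of range 0.0-10.0: {value}")
    if value != value.quantize(Decimal("0.1")):
        raise ValueError(f"CVSS score must have one decimal place: {value}")
    for lower_bound, label in CVSS_BANDS:
        if value >= lower_bound:
            return label
    raise AssertionError("unreachable: the 0.0 band matches every in-range score")


def is_valid_cvss_score(score) -> bool:
    """True if cvss_severity() accepts the score."""
    try:
        cvss_severity(score)
    except ValueError:
        return False
    return True


@dataclass
class VulnerabilityProfile:
    cve_id: str
    cvss_score: object                      # float, str or Decimal
    affected_systems: list = field(default_factory=list)
    references: list = field(default_factory=list)
    secrecy_level: str = "TLP:WHITE"        # page: default TLP:WHITE


def validate_profile(profile: VulnerabilityProfile) -> dict:
    """Normalise a profile; errors reject it, warnings only flag weak data.

    Returns {"profile": <normalised dict>, "errors": [...], "warnings": [...]}.
    """
    errors, warnings, normalised = [], [], {}

    cve_id = profile.cve_id.strip()
    match = CVE_ID_RE.match(cve_id)
    if match is None:
        errors.append(f"malformed CVE identifier: {profile.cve_id!r}")
    elif int(match.group(1)) < 1999:        # the CVE programme began in 1999
        errors.append(f"CVE year predates the CVE programme: {cve_id!r}")
    else:
        normalised["cve_id"] = cve_id.upper()

    try:
        normalised["severity"] = cvss_severity(profile.cvss_score)
        normalised["cvss_score"] = str(
            Decimal(str(profile.cvss_score)).quantize(Decimal("0.1")))
    except ValueError as exc:
        errors.append(str(exc))

    if profile.secrecy_level not in TLP_LABELS:
        errors.append(f"unknown TLP label: {profile.secrecy_level!r}")
    elif profile.secrecy_level == "TLP:WHITE":
        warnings.append("TLP:WHITE is the TLP 1.0 name; TLP 2.0 calls it TLP:CLEAR")
    normalised["secrecy_level"] = profile.secrecy_level

    bad_refs = [r for r in profile.references
                if not r.startswith(("http://", "https://"))]
    if bad_refs:
        errors.append(f"references must be absolute URLs: {bad_refs}")
    if not any("nvd.nist.gov" in r for r in profile.references):
        warnings.append("no NVD reference link; NVD is the primary enrichment source")
    normalised["references"] = list(profile.references)

    if not profile.affected_systems:
        warnings.append("no affected systems recorded; exposure scope is unknown")
    normalised["affected_systems"] = list(profile.affected_systems)

    return {"profile": normalised, "errors": errors, "warnings": warnings}


# Constructed sample mirroring the page's incident-response scenario; the
# host name is made up for the example.
SAMPLE_PROFILE = VulnerabilityProfile(
    cve_id="cve-2024-3400",
    cvss_score=10.0,
    affected_systems=["fw-edge-01 (perimeter firewall)"],
    references=["https://nvd.nist.gov/vuln/detail/CVE-2024-3400"],
)

if __name__ == "__main__":
    print(validate_profile(SAMPLE_PROFILE))
```

Scores are handled as Decimal rather than float on purpose: a float 8.9 compared against a float band edge can land on the wrong side after arithmetic, whereas the one-decimal check and Decimal comparison make the banding exact and reject malformed scores instead of silently rounding them.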

Mermaid Diagram

Use Cases

  • Cybersecurity Operations: Catalog vulnerabilities discovered during security incidents to understand the attack surface and inform remediation priorities for affected systems.

  • Government & Defence: Track known vulnerabilities affecting organisational systems to support risk management, patching decisions, and compliance with cyber resilience mandates such as NIS2 and DORA.

  • Incident Response: Document vulnerabilities exploited in cyber attacks as part of investigative case files with full technical context and references for legal proceedings and regulatory notifications.

  • Threat Intelligence Teams: Maintain awareness of critical vulnerabilities that threat actors may exploit, supporting proactive defence planning and vulnerability disclosure coordination.

Integration

The Vulnerability domain connects with security and intelligence capabilities:

  • Threat Intelligence: Vulnerability data enriches threat analysis.
  • Profile Management: Vulnerability profiles extend the base profile system.
  • Investigation Management: Vulnerabilities link to active investigations.
  • Alert System: Critical vulnerability discoveries can trigger notifications.

Open Standards

  • CVE (MITRE Common Vulnerabilities and Exposures): Vulnerability profiles are keyed on CVE identifiers (e.g. CVE-2024-3400), using the MITRE CVE naming convention as the canonical reference for known security vulnerabilities.
  • CVSS v3.x (FIRST Common Vulnerability Scoring System): Severity scoring uses the 0.0 to 10.0 CVSS base score scale with the standard Critical / High / Medium / Low / None severity bands defined in the CVSS v3.1 qualitative severity rating scale.
  • NVD (NIST National Vulnerability Database): Reference links to NVD entries are stored against each vulnerability profile, making NVD the primary authoritative source for enriched CVE metadata.
  • TLP (FIRST Traffic Light Protocol): Vulnerability profiles carry a secrecy level field that defaults to TLP:WHITE (the TLP 1.0 label; TLP 2.0 renamed it TLP:CLEAR), enabling controlled sharing of sensitive vulnerability data in line with TLP conventions.
  • GraphQL (June 2018 specification): All vulnerability profile queries and mutations are exposed via a typed GraphQL API, allowing clients to request precisely the fields needed for each use case.
  • OAuth 2.0 / OpenID Connect: Access to vulnerability data is gated by the platform's authentication layer, which implements OAuth 2.0 bearer-token authorisation enforced on every GraphQL resolver.
  • JSON (RFC 8259): References, affected products, affected systems, and raw data are persisted and exchanged as JSON, providing an interoperable serialisation format for downstream integrations.

Last Reviewed: 2026-02-05 | Last Updated: 2026-04-14
