The exploits
database.

A list of CVEs is easy. Knowing which ones are being exploited, who by, whether public code exists, and how to defend yourself, is the work. ThreatCluster does that work for you.

Browse the database How it works

Patch what matters first.

We rank vulnerabilities by what defenders care about: known exploitation, predicted exploitation, ransomware use, and news coverage. The result is a list you can work top-down, instead of a CVSS dump you have to triage yourself.

Filter by severity, by KEV listing, by ransomware activity, or by the products and vendors in your environment. Search for any CVE, vendor, or product to jump straight in.

  • Sort by exploitation, mentions, EPSS, CVSS, or recency
  • Match against your stack, not the whole world's
  • Updated daily from KEV, EPSS, and public exploit sources
The exploits database listing click to expand
image · 1
Overview screenshot
/exploits page. Stats strip, filter row, search bar, ranked CVE cards.

Read the situation in 30 seconds.

Every CVE opens with a plain-English summary of the exploitation activity around it. The disclosure, the patch timing, who's been hit, which campaigns are using it, and whether KEV has caught up. No reading three articles to piece it together.

Vendors, threat actors, and malware families are linked, so you can pivot to anything relevant without losing your place. The summary updates as the situation does.

AI-written exploitation activity summary on a CVE page click to expand
image · 2
Activity summary screenshot
CVE detail page. AI summary paragraph with entity links.

See who it's hitting.

Below the summary you'll find the active campaigns that have picked up the vulnerability, ranked by severity. Each one is a written-up incident with victims, attribution, and source articles, one click away.

This is what tells you whether you're looking at a theoretical bug or something that's already breaking into organisations like yours.

Active campaign cards related to a CVE click to expand
image · 3
Active campaigns screenshot
CVE detail page. Related campaign cards.

Know if the exploit is public.

The moment proof-of-concept code lands in public, the clock starts. ThreatCluster surfaces the available PoCs alongside the CVE, with star counts and dates so you can tell research from weaponised code at a glance.

If nothing public exists yet, this part of the page stays quiet. You only see it when it matters.

PoC × N KEV Ransomware EPSS ≥ 90% EPSS ≥ 50%
Public proof-of-concept exploit cards on a CVE page click to expand
image · 4
Public exploits screenshot
CVE detail page. PoC cards with stars and dates.

Know what to do about it.

Most CTI tells you what attackers did. ThreatCluster also tells you what to do about it, using MITRE D3FEND, the defensive counterpart to ATT&CK. We group the relevant countermeasures into the actions a defender can take: detect, isolate, harden, deceive, evict, or restore.

Click any technique to read how it works, where it applies, and what to watch out for, all without leaving the page.

Detect Harden Isolate Deceive Evict Restore
MITRE D3FEND defensive countermeasures grouped by tactic on a CVE page click to expand
image · 5
D3FEND screenshot
CVE detail page. D3FEND tactic chips and technique cards.

See the full attack at a glance.

The attack flow shows how the vulnerability is used in practice, from the first foothold through to impact. It's a visual walk-through of the exploit chain that an analyst could brief from in a meeting, not a wall of text.

Export the flow as an image for a report, or as a STIX bundle for the tooling your team already uses.

SVG PNG JSON CTID STIX 2.0
AI-generated MITRE ATT&CK attack flow graph on a CVE page click to expand
image · 6
Attack flow screenshot
CVE detail page. Graph with labelled nodes and export buttons.

Everything you need on a CVE,
in one place.

The exploitation activity, the campaigns, the public code, the defences, the attack flow. One page, kept current.

Browse the database See pricing