An AI-powered vulnerability triage agent that autonomously gathers live threat intelligence and produces expert-level remediation decisions — in minutes, not hours.
Built with Claude (Anthropic) and Python. Designed for security professionals, MSPs, and organisations that need actionable triage decisions rather than another list of CVSS scores.
Disclaimer: This agent assists human analysts. It does not replace them. All triage decisions must be validated by a qualified security professional before being acted upon. Findings marked
human_review_required: truemust not be acted on without manual verification.
Security scanners produce hundreds of findings. CVSS scores alone are a poor guide — only 2.3% of CVSS 7+ vulnerabilities are ever actually exploited. Without live threat context, teams waste effort patching low-risk findings while genuinely dangerous ones sit unpatched.
Most organisations either over-patch (wasting engineering time) or under-patch (missing critical exposures). Neither is acceptable.
Enter a CVE and your asset details. The AI agent then autonomously:
- Fetches live CVE details and CVSS score from NIST NVD (with VulnCheck NVD2 mirror for speed)
- Fetches EPSS exploitation probability from FIRST.org (updated daily)
- Checks the CISA Known Exploited Vulnerabilities (KEV) catalog in real time
- Queries the GitHub Advisory Database for package-level detail
- Checks the Open Source Vulnerability (OSV) database
- Checks Exploit-DB for publicly available proof-of-concept exploit code
- Queries VulnCheck for XDB exploit entries, ransomware campaign use, and exploitation reports
- Computes a weighted composite risk score across all gathered intelligence
- Produces a structured triage decision with recommended action, SLA, MITRE ATT&CK mapping, CIS Controls v8, NIST SP 800-53, compensating controls, and full analyst notes
The agent decides which tools to call and in what order. You get a complete triage decision, not a data dump.
Claude autonomously gathers intelligence across 3 iterations, calls compute_score, then produces the full triage report. Results stream in real time via SSE — the console log updates as each tool completes, so you see live progress rather than a blank spinner.
Python calls all 8 intelligence sources sequentially, then passes the complete data to Claude in a single call. Faster for straightforward CVEs (~47s vs ~86s), slightly less verbose output.
Both modes produce identical composite scores and risk tiers. The AI Agent mode typically produces deeper analyst notes.
git clone https://github.com/DodiBadshah/vulnerability-triage-agent.git
cd vulnerability-triage-agent
pip install -r requirements.txtcopy .env.example .envEdit .env and add your keys:
ANTHROPIC_API_KEY=your_anthropic_key_here
VULNCHECK_API_KEY=your_vulncheck_key_here
Get your keys:
- Anthropic API key: https://console.anthropic.com
- VulnCheck API key (free community tier): https://vulncheck.com
python app.py- AI Agent mode: http://localhost:5000/agent
- Standard mode: http://localhost:5000/standard
Enter a CVE ID, fill in your asset details, and click Run AI Agent or Analyse Vulnerability.
| Key | Required | Free Tier | Purpose |
|---|---|---|---|
ANTHROPIC_API_KEY |
Yes | Pay per use | Powers the AI agent reasoning |
VULNCHECK_API_KEY |
Recommended | Yes (community) | Faster NVD mirror, XDB exploits, ransomware intel |
All other intelligence sources (NIST NVD, FIRST EPSS, CISA KEV, GitHub Advisory, OSV, Exploit-DB) are free and require no API key.
composite = (
epss_probability * 0.30 +
kev_listed * 0.25 +
cvss / 10.0 * 0.20 +
has_exploitdb * 0.15 + # binary: 1.0 if any EDB entry, else 0.0
poc_available * 0.10
) * 10.0
if asset_exposure == "internet-facing":
composite += 1.5 # additive boost, not a multiplier
composite = min(composite, 10.0)
Internet-facing assets receive a flat +1.5 additive boost (not a multiplier) to preserve score differentiation at the high end. Without this, a multiplicative approach flattens all high-risk CVEs to 10.0, losing meaningful distinction.
Risk tiers and SLA targets:
| Tier | Condition | SLA |
|---|---|---|
| EMERGENCY | KEV listed and score >= 6.0, OR score >= 8.0, OR (EPSS >= 50% and score >= 6.0) | 24 hours |
| HIGH | Score >= 5.5, OR EPSS >= 10% | 7 days |
| MEDIUM | Score >= 3.5 | 30 days |
| LOW | Score >= 1.5 | 90 days |
| DEFER | Score < 1.5 | 180 days |
| Source | What It Provides | Cost |
|---|---|---|
| NIST NVD | CVSS score, description, CWE, published date | Free |
| VulnCheck NVD2 | Faster NVD mirror with enriched data | Free community tier |
| FIRST.org EPSS | Daily exploitation probability score (0-100%) | Free |
| CISA KEV | Confirmed active exploitation by real threat actors | Free |
| GitHub Advisory | Affected packages, vulnerable version ranges, patched versions | Free |
| OSV Database | Open source ecosystem coverage and fixed versions | Free |
| Exploit-DB | Publicly available proof-of-concept exploit code | Free |
| VulnCheck XDB | GitHub PoC URLs, ransomware campaign use, exploitation reports | Free community tier |
vulnerability-triage-agent/
├── app.py Flask web app and AI agent loop
├── templates/
│ ├── agent.html AI Agent mode UI (SSE streaming)
│ ├── index.html Home page
│ └── standard.html Standard mode UI
├── agent/ Original CLI prototype (v1)
│ ├── schema.py Pydantic input/output models
│ ├── scorer.py Weighted risk formula
│ ├── prompt.py Prompt templates
│ ├── triage.py Agent loop
│ └── report.py HTML report renderer
├── data/
│ └── mock_findings.json Example findings for CLI mode
├── main.py CLI entry point (v1)
├── requirements.txt
├── .env.example
├── LICENSE-APACHE
└── LICENSE-COMMERCIAL.md
| Layer | Tool |
|---|---|
| AI Agent | Claude Sonnet 4.6 (Anthropic) via tool use API |
| Web framework | Flask |
| HTTP client | httpx |
| Streaming | Server-Sent Events (SSE) |
| Environment | python-dotenv |
| Frontend | Vanilla JS, CSS custom properties |
| Intelligence sources | 8 live APIs (see above) |
This agent is powered by Claude Sonnet 4.6 (Anthropic), using Anthropic's tool use API with prompt caching enabled. Claude autonomously decides which intelligence tools to call, in what order, and when it has enough information to produce a triage decision — typically completing in 3 iterations.
Prompt caching is applied to the system prompt and tool definitions, reducing token consumption by approximately 47% per run compared to uncached calls.
The architecture intentionally separates the AI reasoning layer from the tool and scoring logic:
- Tool definitions (
TOOLSinapp.py) follow the standard function-calling schema supported by all major LLM providers - Tool dispatcher (
dispatch_tool()) is completely LLM-agnostic - Scoring engine (
compute_score()) has no dependency on any LLM provider - Intelligence fetchers (NVD, EPSS, KEV, etc.) are pure Python functions
To swap the LLM provider in future, only the client initialisation and client.messages.create() call need to change. All 8 intelligence sources, the scoring formula, the tool logic, and the entire frontend remain identical.
Every triage decision is automatically mapped to:
- CIS Controls v8 — specific control identifiers (e.g. CIS-7, CIS-2, CIS-12, CIS-13)
- NIST SP 800-53 Rev 5 — control identifiers (e.g. SI-2, SI-3, RA-5, AC-17, IR-4)
- MITRE ATT&CK — technique IDs with tactic, description, and direct ATT&CK links
This makes the output immediately useful for auditors, compliance teams, and client security reviews.
Personal and non-commercial use: free under Apache 2.0 (see LICENSE-APACHE).
Commercial use (security consultancies, MSPs, businesses, paid services): requires a commercial license. Contact dodibadshah@gmail.com.
See LICENSE-COMMERCIAL.md for full terms.
Custom deployments with branded reports, bespoke compliance mapping, and integration with your existing vulnerability management tools are available as a managed service.
Contact: Dodi Badshah Email: dodibadshah@gmail.com