Threat Intelligence

A CVE just hit CISA KEV at 06:15 UTC.
Do you know if it affects your stack?

Threat data is published faster than any human can process it. Horus syncs CISA KEV and EPSS daily, correlates against your persisted inventory, and alerts you the same morning. No re-scan needed.

Without Horus
CISA adds ActiveMQ RCE to KEV on Tuesday. Your team finds out when someone shares a tweet on Friday. You spend the weekend re-scanning.
An EPSS score jumps from 0.03 to 0.34 overnight. A pre-KEV signal that this CVE is about to be weaponized. Nobody catches it.
Your CVE correlation relies on scanner output. If the scanner didn't run this week, you're flying blind against new threats.
With Horus
Watchtower syncs KEV at 06:30 UTC daily. Correlates against 847 inventory entries. ActiveMQ match → PagerDuty P1 before you open your laptop.
EPSS spike detection triggers when a score jumps 0.2+ overnight. Catch the pre-KEV signal before the CVE gets weaponized publicly.
Zero re-scan overhead. Watchtower re-correlates your persisted inventory — not your live network. Fast, free, and deterministic.
How it works

Sync. Correlate. Alert. No re-scan.

The intelligence layer is entirely deterministic. No LLM involved. CVE correlation, SSVC inputs and Watchtower alerts are computed from structured data sources.

01 / SYNC

Data sources synced nightly

NVD API 2.0 (338K+ CVEs). CISA KEV catalog. FIRST EPSS scores. ThreatFox and URLhaus IOC feeds. All structured, all deterministic.

02 / CORRELATE

Inventory cross-referenced

Persisted asset inventory (software, versions, ports) cross-referenced against new KEV entries, EPSS updates, and IOC feeds. ~25 CPE alias mappings. Version normalization.

03 / ALERT

Same-day notification

KEV match → SSVC: Act guaranteed. EPSS spike → alert. IOC match → alert. PagerDuty P1, Slack, or email. You find out the same morning, not the same week.

Watchtower · daily run · 06:30 UTC
watchtower · daily run · 2026-06-22 06:30 UTC

cisa_kev sync complete · +4 new entries

epss_daily sync · 338,247 scores updated


→ cross-referencing 847 inventory entries


⚡ kev match: activemq/5.15.14

  CVE-2023-46604 · EPSS 0.97 · RCE

  asset: 10.0.1.15 (internal broker)


→ epss spike: spring-webmvc/5.3.27

  CVE-2023-20861 · 0.03 → 0.34 (+0.31 overnight)

  pre-KEV signal · monitoring


→ SSVC: ACT · activemq finding escalated

→ incident #44 opened · PagerDuty P1 fired


run complete · 2 matches · 0 false positives
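
The sync, correlate, alert steps above, sketched in Python as an added example; this is not Horus code. The inventory schema, function names, second asset address and the CVE-EXAMPLE id are assumptions, and only the thresholds, CVE ids and scores are taken from this page.

```python
from dataclasses import dataclass

SPIKE_DELTA = 0.2   # page: spike = EPSS up 0.2+ day-over-day
LIKELY_EPSS = 0.9   # page: EPSS > 0.9 -> Exploitation: likely

@dataclass(frozen=True)
class Entry:            # one persisted inventory row (hypothetical schema)
    asset: str
    product: str
    cves: tuple         # CVE ids already correlated to product/version

def exploitation(cve, kev, epss):
    """SSVC Exploitation input: KEV -> active, EPSS > 0.9 -> likely."""
    if cve in kev:
        return "active"
    return "likely" if epss.get(cve, 0.0) > LIKELY_EPSS else "none"

def daily_run(inventory, kev_prev, kev_now, epss_prev, epss_now):
    """Diff today's feeds against yesterday's; no host is re-scanned."""
    new_kev = kev_now - kev_prev
    alerts = []
    for entry in inventory:
        for cve in entry.cves:
            prev, now = epss_prev.get(cve), epss_now.get(cve)
            # A CVE scored for the first time has no baseline, so no spike.
            delta = None if prev is None or now is None else round(now - prev, 4)
            if cve in new_kev:
                kind = "kev_match"
            elif delta is not None and delta >= SPIKE_DELTA:
                kind = "epss_spike"
            else:
                continue
            alerts.append({"kind": kind, "asset": entry.asset,
                           "product": entry.product, "cve": cve,
                           "exploitation": exploitation(cve, kev_now, epss_now)})
    return alerts

# Constructed sample data mirroring the run shown above; the second asset
# address and the CVE-EXAMPLE id are placeholders.
INVENTORY = [
    Entry("10.0.1.15", "activemq/5.15.14", ("CVE-2023-46604",)),
    Entry("10.0.1.20", "spring-webmvc/5.3.27", ("CVE-2023-20861",)),
    Entry("10.0.1.30", "example-lib/1.0.0", ("CVE-EXAMPLE-0001",)),
]
KEV_PREV, KEV_NOW = set(), {"CVE-2023-46604"}
EPSS_PREV = {"CVE-2023-46604": 0.97, "CVE-2023-20861": 0.03}
EPSS_NOW = {"CVE-2023-46604": 0.97, "CVE-2023-20861": 0.34, "CVE-EXAMPLE-0001": 0.25}

if __name__ == "__main__":
    for alert in daily_run(INVENTORY, KEV_PREV, KEV_NOW, EPSS_PREV, EPSS_NOW):
        print(alert)
```

Alerting only on entries new to KEV since the previous sync keeps a long-standing KEV finding from paging again every morning.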

Full capability set

Everything in Threat Intelligence.

CVE correlation, KEV, EPSS, dark web feeds and data sovereignty. All deterministic.

NVD + CPE

CVE Correlation Engine

338,000+ CVEs from NVD API 2.0. ~25 CPE product alias mappings. Version normalization: "2.4.41" and "2.4.41-1ubuntu1" treated as equal. No false CVEs. Deterministic only.

  • NVD API 2.0 (CVSS v3.1/v3/v2)
  • ~25 CPE alias mappings
  • Version normalization
  • Daily sync job
CISA

Known Exploited Vulnerabilities

CISA KEV catalog synced daily. KEV match = Exploitation:active in SSVC → Act priority guaranteed. KEV findings bypass the debate. Auto-confirmed.

  • Daily KEV catalog sync
  • KEV match → SSVC: Act
  • KEV badge on all affected findings
  • Same-day Watchtower alert
FIRST

EPSS Scores

Exploit Prediction Scoring System. EPSS > 0.9 → Exploitation:likely in SSVC. Daily score updates. Spike detection (0.2+ overnight) catches pre-KEV signals.

  • 338k EPSS scores updated daily
  • EPSS > 0.9 → SSVC: likely
  • Spike detection: 0.2+ day-over-day
IOC feeds

Dark Web + IOC Intelligence

ThreatFox malware IOC feed and URLhaus malicious URL feed, checked against your domains and IPs daily. Ransomware victim list cross-referenced against your industry.

  • ThreatFox IOC feed
  • URLhaus malicious URL feed
  • Ransomware victim tracking
  • Domain / email dark web search
Privacy

Data Sovereignty: 4 Modes

The deterministic core (CVE correlation, SSVC, Watchtower) never calls an LLM. When agents run, choose: No-cloud · Local model (Ollama/vLLM in your VPC) · Cloud + redacted (hosts/IPs pseudonymized before any prompt) · Cloud. GDPR and HIPAA ready.

  • Bidirectional redaction map
  • Zero leaks verified in test suite
  • Allowlist for reference domains
  • Badge in UI: "No data leaves"

Know about threats the same day they're published.

The demo shows Watchtower running against a live asset inventory.