Overview
What is the Live Exploit Tracker
The Live Exploit Tracker gives security teams real-time visibility into which vulnerabilities are being actively exploited in the wild, who is exploiting them, and how urgently you need to act.
Live Exploit Tracker answers the questions that matter during triage:
- Is this CVE actually being exploited right now? Not just theoretically exploitable — are real attackers targeting it today?
- How worried should I be? Is this mass scanning noise, or are attackers carefully selecting targets?
- Is the threat growing or fading? Should I patch now, or is this yesterday's news?
- Who is attacking? What do we know about the IPs involved — are they known botnets, legitimate scanners, or fresh infrastructure?
- How do I protect my technology stack? Subscribe to the vendors you rely on and automatically block attacker IPs targeting their products — current and future threats included.
The tracker draws on telemetry from the CrowdSec Network — a global community of security practitioners sharing real-time attack signals — to provide exploitation intelligence that goes beyond what traditional vulnerability databases offer.
Key Capabilities
Prioritize
Not all CVEs deserve the same urgency. The Live Exploit Tracker provides three complementary scores and an exploitation phase classification to help you decide where to focus:
- CrowdSec Score (0–10): A composite severity rating that accounts for both attacker sophistication and current momentum. A score of 8 means "this is actively dangerous and demands attention."
- Opportunity Score (0–5): How targeted the attacks are. A high score means attackers are carefully selecting victims — an alert on your systems is a serious signal.
- Momentum Score (0–5): Whether exploitation is growing, steady, or declining. A high score means a new campaign is likely underway.
- Exploitation Phase: Where the CVE sits in its lifecycle — from insufficient data through background noise to mass exploitation.
Each tracked CVE also includes a CrowdSec Analysis — a human-readable intelligence narrative describing the vulnerability, observed exploitation patterns, and specific indicators like targeted endpoints.
→ Learn more about Scores & Ratings
→ Learn more about Exploitation Phases
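As an added example, not code from CrowdSec or its SDK, the following Python shows one way a team might turn these fields into a triage decision. The record field names, the phase strings (`insufficient_data`, `background_noise`, `mass_exploitation`), the thresholds, and the sample CVE records are assumptions constructed for illustration; map them to your own environment and to the real API response shape.

```python
"""Triage policy over Live Exploit Tracker score fields.

Added example, not part of the CrowdSec product or SDK. Field names, phase
strings and thresholds are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, List


class Priority(IntEnum):
    INFORMATIONAL = 0   # affected product is not in our stack
    MONITOR = 1         # watch momentum, no change needed yet
    SCHEDULE_PATCH = 2  # fix in the normal patch window
    PATCH_NOW = 3       # emergency change


@dataclass(frozen=True)
class TrackedCVE:
    cve_id: str
    crowdsec_score: float   # 0-10 composite severity
    opportunity_score: int  # 0-5, how targeted the attacks are
    momentum_score: int     # 0-5, growing vs fading
    phase: str              # exploitation phase label (assumed strings)
    in_stack: bool          # does the affected product run here?

    def __post_init__(self) -> None:
        # Reject records outside the documented ranges rather than
        # silently triaging garbage as "low".
        if not 0 <= self.crowdsec_score <= 10:
            raise ValueError(f"{self.cve_id}: crowdsec_score out of 0-10")
        for name in ("opportunity_score", "momentum_score"):
            if not 0 <= getattr(self, name) <= 5:
                raise ValueError(f"{self.cve_id}: {name} out of 0-5")


def triage(cve: TrackedCVE) -> Priority:
    """Map one tracked CVE to an action. Thresholds are an assumed policy."""
    if not cve.in_stack:
        return Priority.INFORMATIONAL
    # Insufficient data: the tracker cannot say, so keep it on the radar
    # instead of treating the absence of signal as low risk.
    if cve.phase == "insufficient_data":
        return Priority.MONITOR
    # Targeted campaign: carefully selected victims plus real severity.
    if cve.opportunity_score >= 4 and cve.crowdsec_score >= 6:
        return Priority.PATCH_NOW
    if cve.crowdsec_score >= 8:
        return Priority.PATCH_NOW
    # Rising momentum on a mid-severity CVE: a new campaign is likely.
    if cve.momentum_score >= 4 and cve.crowdsec_score >= 5:
        return Priority.SCHEDULE_PATCH
    # Mass exploitation is noisy, but it still finds exposed hosts.
    if cve.phase == "mass_exploitation" or cve.crowdsec_score >= 4:
        return Priority.SCHEDULE_PATCH
    return Priority.MONITOR


def rank(cves: Iterable[TrackedCVE]) -> List[TrackedCVE]:
    """Highest priority first; ties broken by severity, then momentum."""
    return sorted(
        cves,
        key=lambda c: (triage(c), c.crowdsec_score, c.momentum_score),
        reverse=True,
    )


# Constructed sample records (not real tracker output).
SAMPLE = [
    TrackedCVE("CVE-EXAMPLE-A", 9.1, 2, 5, "mass_exploitation", True),
    TrackedCVE("CVE-EXAMPLE-B", 7.0, 5, 2, "background_noise", True),
    TrackedCVE("CVE-EXAMPLE-C", 8.5, 4, 4, "mass_exploitation", False),
    TrackedCVE("CVE-EXAMPLE-D", 3.0, 1, 0, "background_noise", True),
    TrackedCVE("CVE-EXAMPLE-E", 5.5, 1, 4, "background_noise", True),
    TrackedCVE("CVE-EXAMPLE-F", 7.0, 3, 3, "insufficient_data", True),
]

if __name__ == "__main__":
    for c in rank(SAMPLE):
        print(f"{triage(c).name:15} {c.cve_id} score={c.crowdsec_score}")
```

The ordering deliberately puts a targeted mid-score CVE (high Opportunity Score) above a higher-score one that is off your stack, and keeps "insufficient data" in the monitor bucket rather than dropping it: a missing signal is not a negative one.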
Mitigate
Once you've identified a threat, the tracker lets you act on it:
- IP Intelligence: View every IP address observed exploiting a specific CVE or probing a specific product, enriched with CTI data including reputation, geolocation, known classifications, and behavioral history.
- Firewall Integrations: Create blocklists that automatically feed malicious IPs into your firewalls (Palo Alto, FortiGate, Cisco, pfSense, OPNsense, and more). Subscribe an integration to entire vendors, specific CVEs, or reconnaissance rules, and the blocklist stays current as new attacker IPs are observed. Vendor subscriptions automatically cover all current and future threats for that vendor's products.
Beyond CVEs: Reconnaissance Rules
Not all threats map to a single CVE. The tracker also monitors Reconnaissance rules (called "fingerprint rules" in the API) — detection patterns for product-level probing activity. For example, "Microsoft Exchange Probing" catches reconnaissance targeting Exchange servers regardless of which specific vulnerability the attacker intends to exploit.
→ Learn more about Reconnaissance Rules vs CVEs
How to Access
The Live Exploit Tracker is available through two interfaces:
- Web Interface: A dashboard for browsing CVEs, viewing timelines and attacker IPs, managing integrations, and reading CrowdSec Analysis reports. Ideal for SOC analysts and security managers.
- REST API: Programmatic access for automation, SIEM/SOAR integration, and custom tooling. A Python SDK is also available.
Both interfaces require an API key. Contact the CrowdSec team to obtain yours if you haven't already.
Next Steps
| I want to... | Start here |
|---|---|
| Protect my technology stack by vendor | Vendor Subscriptions |
| Understand what the scores mean | Scores & Ratings |
| Browse CVEs and assess threats | Web Interface Guide |
| Automate with the API | API Authentication & Setup |
| Block attacker IPs on my firewall | Integrations & Blocklists |
| Investigate a specific alert | Triage Workflow Guide |
| Set up proactive monitoring | Proactive Monitoring Guide |