About CSIRTS.com
One feed instead of twenty-one tabs — what this service is, why it exists, and how to plug it into your tooling.
What this is
CSIRTS.com (“Security Advisory Fusion”) aggregates official security advisories from national CERTs, EU institutions, vendor PSIRTs and vulnerability databases into a single normalized, deduplicated, English-language feed. Incident responders shouldn’t have to poll twenty-one portals across three continents before their first coffee — and with CSIRTS.com, they don’t.
- Sources: CISA (advisories + KEV catalog), CERT-EU, NCSC-UK, CERT-Bund (BSI), CERT-FR (avis & alertes), NCSC-NL, JPCERT/CC and JVN (Japan), HKCERT (Hong Kong), the Canadian Centre for Cyber Security, NVD, GitHub Security Advisories, Microsoft MSRC, Cisco, Fortinet, Palo Alto Networks, GitLab, Jenkins, Drupal, Ubuntu, Debian and AWS.
- Refresh: every 3 hours, fully automated, with per-source health on the Sources page.
- Exploitation intelligence: every advisory whose CVE appears in the CISA Known Exploited Vulnerabilities catalog is flagged, and the Exploited page lists everything under active attack.
- CVE fusion: every CVE gets a consolidated view — e.g. /cve/CVE-2026-20230 — showing all sources covering it, exploitation status and references.
- Language: German, French and Dutch advisories are machine-translated to English; the original advisory is always linked.
- Severity: taken from the source or derived from CVSS (critical ≥ 9, high ≥ 7, medium ≥ 4, low > 0).
Why defenders use it instead of raw NVD
NVD tells you a CVE exists. CSIRTS.com tells you who is warning about it — which national CERTs, which vendors — and whether it is being exploited right now. When CISA, CERT-EU and Cisco all publish about the same vulnerability within hours, that convergence is the strongest prioritization signal a SOC can get, and it is exactly what this site surfaces on every advisory and CVE page.
From the founder
CSIRTS.com came out of a routine I knew too well from day-to-day threat intelligence work: every morning, a dozen browser tabs — CISA, CERT-EU, the national CERTs, vendor PSIRTs — each with its own format, its own language, its own way of saying “patch this now”. The signal was always there; it was just fragmented, and assembling an operational picture took more time than it should have.
I built CSIRTS.com as the tool I wanted to use myself: one place where official advisories are already normalized, translated and cross-referenced against real-world exploitation — not just collected. It is designed as an operational layer for defenders: less noise, faster prioritization, and clarity about what the authorities are actually telling you to fix first.
Antonio Radu
Founder & Intelligence Analyst, IntelFusionsantonio@csirts.com
The IntelFusions network
CSIRTS.com is part of IntelFusions, a cyber threat intelligence and AI security research platform. Where CSIRTS.com unifies official security advisories, IntelFusions connects the wider threat landscape into one continuously updated knowledge graph: a database of 470+ tracked threat actors — from nation-state APTs to ransomware crews — linked to their techniques, malware families, detection rules mapped to MITRE ATT&CK, and live incident tracking, alongside dedicated AI security research. Together they form one workflow: CSIRTS.com tells you what to patch and what is exploited; IntelFusions tells you who is behind the activity and how to detect them. If you work in threat intelligence, detection engineering or incident response, IntelFusions is the natural next tab.
JSON API
Free, no key, CORS enabled. Responses are cached for 5 minutes.
GET https://www.csirts.com/api/advisories
Parameters (all optional):
q=ivanti full-text search in titles
source=cert-eu source id (see /sources)
severity=critical critical | high | medium | low | unknown
cve=CVE-2026-1234 advisories referencing a CVE
exploited=1 only CISA-KEV-listed (actively exploited)
since=2026-06-01 published on/after date
page=1 50 results per pageExample — critical advisories under active exploitation: /api/advisories?severity=critical&exploited=1
Machine-readable contract: /api/openapi.json (OpenAPI 3.1) — point your client generator or AI agent at it.
MCP server (for AI agents)
CSIRTS.com is also a remote Model Context Protocol server. Connect Claude, ChatGPT or any MCP client to https://www.csirts.com/api/mcp (streamable HTTP, no auth) and your agent gets four tools: search_advisories, get_cve, latest_exploited and daily_briefing. In Claude Code: claude mcp add --transport http csirts https://www.csirts.com/api/mcp.
A machine-readable overview of the whole site — every page type, API endpoint and feed, with usage hints for LLMs — lives at /llms.txt.
RSS & Atom
Subscribe to /rss for curated advisories, or filter: /rss?severity=critical, /rss?exploited=1, /rss?source=cisa, per-product /rss?product=<slug>. Add format=atom for Atom 1.0. The full directory of feeds lives at /feeds.
Frequently asked questions
What is CSIRTS.com?
CSIRTS.com ("Security Advisory Fusion") is a free service that aggregates official security advisories from 24 authoritative sources — CISA, the CISA KEV catalog, CERT-EU, NCSC-UK, CERT-Bund (BSI), CERT-FR, NCSC-NL, JPCERT/CC and JVN (Japan), HKCERT (Hong Kong), the Canadian Centre for Cyber Security, NVD, GitHub Security Advisories, and the Microsoft, Cisco, Fortinet, Palo Alto Networks, GitLab, Jenkins, Drupal, Ubuntu, Debian and AWS security teams — into one normalized, deduplicated, English-language feed with a web UI, JSON API and RSS.
How is CSIRTS.com different from NVD?
NVD is a database of raw CVE records, with no operational guidance and a well-known analysis backlog. CSIRTS.com aggregates what security authorities are actively warning about: national CERT advisories, vendor PSIRT bulletins and the CISA Known Exploited Vulnerabilities catalog, cross-referenced so you can see every source covering the same CVE and whether it is being exploited in the wild.
How often is the data updated?
The ingestion pipeline runs every 3 hours, fully automatically. Every source has health monitoring visible on the Sources page.
What does the "known exploited" flag mean?
An advisory is flagged as known exploited when at least one of its CVEs appears in the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning exploitation has been observed in the wild. US federal agencies are required to remediate KEV-listed vulnerabilities under Binding Operational Directive 22-01.
Is the API free?
Yes. The JSON API and RSS feeds are free, require no API key, and support filtering by keyword, source, severity, CVE ID, exploitation status and date.
Who is behind CSIRTS.com?
CSIRTS.com is built and operated by IntelFusions (intelfusions.com), a cyber threat intelligence and AI security research platform tracking 470+ threat actors, malware families, detection rules and live incidents. CSIRTS.com is the advisory layer of that ecosystem.
Attribution & disclaimer
All advisory content belongs to the respective publishing organizations. CSIRTS.com is an aggregation layer: always verify against the linked original advisory before acting. Machine translations are provided for convenience and may contain errors.