Deterministic · Versioned · Public methodology

Know which CVEs actually get exploited.

One verdict per CVE, built from seven public threat-intel sources. No proprietary scoring, no enterprise gatekeeping, no ML hallucinations.

  • 319,455 CVEs analyzed
  • 7 intelligence sources
  • 6 exploitability verdicts

  • Hosted in Frankfurt, EU
  • GDPR compliant
  • TLS 1.3 + WAF protected

Six verdict tiers

From ACTIVELY_EXPLOITED to UNKNOWN.

Every CVE collapses into a single label and a 0–100 score. No tabs, no toggles, no “contact sales for the real one.”

ACTIVELY_EXPLOITED

Score 95–98

Confirmed exploitation in the wild. Drop everything.

Example: CVE-2021-44228 — Log4Shell

WEAPONIZED

Score 70–95

Production-grade exploit available. Patch this week.

Example: CVE-2017-0144 — EternalBlue

POC_AVAILABLE

Score 25–69

Public PoC exists. Patch in next sprint.

Example: CVE-2023-23397 — Outlook NTLM leak

THEORETICAL

Score 10–24

No known exploitation. Patch in regular cycle.

Example: most low-severity library CVEs

NOT_APPLICABLE

Score 0

Rejected, reserved, or duplicate CVE. No action needed.

Example: any **REJECT** entry in NVD

UNKNOWN

Reserved fallback

Insufficient signals to score. Returning conservative estimate.

Example: brand-new CVEs awaiting enrichment

How the verdict is built

Seven public sources. One score. Versioned formula.

No magic, no opaque ML, no proprietary feed lock-in. The exact formula lives in our public scoring engine.

  • NIST NVD
  • CISA KEV
  • FIRST.org EPSS
  • ExploitDB
  • Metasploit Framework
  • ProjectDiscovery Nuclei
  • Curated GitHub PoCs

Verdict response

GET /v1/cve/CVE-2021-44228

{
  "cve_id": "CVE-2021-44228",
  "verdict": "ACTIVELY_EXPLOITED",
  "score": 98,
  "score_version": 1,
  "sources": [
    "cisa_kev",
    "epss",
    "metasploit",
    "exploitdb",
    "github_pocs"
  ]
}

Same shape on every tier.

Why RealExploit

Built for security teams that need answers, not opinions.

Deterministic verdicts

Same inputs always produce the same verdict. No ML hallucinations, no scoring drift between runs.

Audit-ready

Every verdict cites its source records. Versioned scoring formula in public docs — nothing behind a sales call.

Drop-in API

REST + webhooks. Single-CVE lookups, bulk batch, CSV upload, verdict-change notifications. JSON only.

Pricing

Honest tiers. No usage cliff.

Web console for everyone. API on Pro and up.

Free

Try it without a card

$0

  • Web console
  • 5 CVE lookups / week
  • Telegram gate to activate

Pro

For one engineer

$99/mo

  • Full REST API
  • 1,000 lookups / day
  • 3 webhooks
Most teams

Team

3 shared seats

$499/mo

  • 150,000 lookups / day org-shared
  • Bulk batch up to 500 CVEs
  • Unlimited webhooks

Enterprise

10 seats, per-seat quota

$1,499/mo

  • 200,000 lookups / day per seat
  • Bulk batch up to 1,000 CVEs
  • Async CSV up to 100,000

Stop guessing. Start patching what actually matters.

The Free tier covers most teams’ first month of triage. No credit card.