Support Center

Frequently asked questions, TQL documentation, and resources to help you get the most out of the platform.

Frequently Asked Questions

CSURFACE Threat Sensor is a threat intelligence platform that combines proprietary intelligence (data from private sensors and honeypots) with public sources (NVD, EPSS, CISA KEV, STIX, public exploit and PoC feeds). Provides advanced scoring (SSVC 4-tier decision framework, KEV-prediction early-warning scoring), detection rules (Suricata, Sigma, Snort, YARA), and comprehensive analytics.

SSVC (Stakeholder-Specific Vulnerability Categorization) is CISA's vulnerability categorization framework. It defines 4 decisions: Act (immediate action), Attend (urgent), Track* (monitor closely), Track (standard monitoring). Based on 3 axes: Exploitation (none/poc/active), Automatable (yes/no), Technical Impact (partial/total).

The KEV Predictor is a machine-learning early-warning score that estimates the probability a CVE will be added to the CISA KEV (Known Exploited Vulnerabilities) catalog. It is complementary to EPSS — it does not use EPSS as a feature — and is recomputed daily, anticipating which vulnerabilities are most likely to enter KEV before CISA lists them.

EPSS (Exploit Prediction Scoring System) is developed by FIRST/Cyentia. It calculates the probability (0-1) that a CVE will be exploited in the next 30 days. Updated daily.

CSURFACE Threat Sensor combines proprietary intelligence with open sources. Proprietary intelligence: data from a private network of sensors (honeypots) capturing real-time exploitation attempts. Open sources: NVD (official CPEs, CVSS), EPSS (exploitation probability), CISA KEV (known exploited vulnerabilities), STIX feeds (threat campaigns), public exploit and PoC databases.

Free (all intel, 3 alert rules), Professional $49/mo (10 alerts, Slack/Discord, exports), Advanced $199/mo (unlimited, CPE management, all integrations, SLA).

Define conditions (vendor, CVSS, EPSS thresholds, KEV, severity) and get notified when new CVEs match. Professional: 10 rules, Advanced: unlimited.

Yes. All CVE data, analytics, libraries (CWE, CAPEC, ATT&CK), scoring (SSVC, KEV Predictor) are free. Paid plans add productivity features.

TQL Reference

What is TQL?

TQL (Threat Query Language) is a text-based query language for filtering CVEs with complex criteria. Type queries directly in the search box on the home page.

Syntax

field operator value [and|or field operator value ...]

Fields

Field Type Description
vendorstringVendor / manufacturer name
affected_productstringAffected product name
cve_idstringCVE identifier (e.g. CVE-2024-1234)
cvss_scorenumber (0-10)CVSS score (best available)
cvss_v31_scorenumber (0-10)CVSS v3.1 specific score
cvss_v40_scorenumber (0-10)CVSS v4.0 specific score
epss_scorenumber (0-1)EPSS exploitation probability
severityenumCRITICAL, HIGH, MEDIUM, LOW
in_kevboolPresent in CISA KEV
has_exploitboolHas weaponized exploit
has_pocboolHas public proof-of-concept
is_ransomwareboolUsed by ransomware
cvss_vectorstringCVSS vector string
published_datedate (YYYY-MM-DD)CVE publication date
ssvc_decisionenumact, attend, track*, track
cwe_idstringCWE identifier (e.g. CWE-79)

Operators

Operator Description
==Equals
!=Not equals
>Greater than
<Less than
>=Greater or equal
<=Less or equal
contains / has / ~Contains substring
not_contains / has not / !~Does not contain substring
inValue in list
not_inValue not in list

Connectors

Connector Alternatives Description
andAND, &&Both conditions must be true
orOR, ||At least one condition must be true

Examples

vendor == "Microsoft"
All Microsoft CVEs
severity == "CRITICAL" and has_exploit == true
Critical CVEs with weaponized exploits
cvss_score > 9.0 and epss_score > 0.5
High CVSS + high exploitation probability
in_kev == true and is_ransomware == true
KEV CVEs used by ransomware
cwe_id contains "CWE-79"
Cross-site scripting vulnerabilities
ssvc_decision == "act"
CVEs requiring immediate action
vendor contains "Apache" and published_date > "2024-01-01"
Recent Apache CVEs
severity in ["CRITICAL", "HIGH"] and in_kev == true
Critical/High KEV CVEs
has_exploit = true and is_ransomware = true
Weaponized exploit and ransomware use
has_poc == true and has_exploit == false
PoC exists but not yet weaponized
epss_score > 0.7 and in_kev == false
High EPSS but not yet in KEV (emerging threats)
cvss_vector has "AV:N" and cvss_vector has "AC:L"
Network-accessible, low complexity
ssvc_decision == "act" and is_ransomware == true
Act-now ransomware CVEs
vendor == "Microsoft" and severity == "CRITICAL" and has_exploit == true
Complex multi-condition query
has_exploit == true and has_poc == true and epss_score > 0.6
Weaponized exploit and public PoC with high exploitation likelihood