Frequently asked questions, TQL documentation, and resources to help you get the most out of the platform.
CSURFACE Threat Sensor is a threat intelligence platform that combines proprietary intelligence (data from private sensors and honeypots) with public sources (NVD, EPSS, CISA KEV, STIX, public exploit and PoC feeds). Provides advanced scoring (SSVC 4-tier decision framework, KEV-prediction early-warning scoring), detection rules (Suricata, Sigma, Snort, YARA), and comprehensive analytics.
SSVC (Stakeholder-Specific Vulnerability Categorization) is CISA's vulnerability categorization framework. It defines 4 decisions: Act (immediate action), Attend (urgent), Track* (monitor closely), Track (standard monitoring). Based on 3 axes: Exploitation (none/poc/active), Automatable (yes/no), Technical Impact (partial/total).
The KEV Predictor is a machine-learning early-warning score that estimates the probability a CVE will be added to the CISA KEV (Known Exploited Vulnerabilities) catalog. It is complementary to EPSS — it does not use EPSS as a feature — and is recomputed daily, anticipating which vulnerabilities are most likely to enter KEV before CISA lists them.
EPSS (Exploit Prediction Scoring System) is developed by FIRST/Cyentia. It calculates the probability (0-1) that a CVE will be exploited in the next 30 days. Updated daily.
CSURFACE Threat Sensor combines proprietary intelligence with open sources. Proprietary intelligence: data from a private network of sensors (honeypots) capturing real-time exploitation attempts. Open sources: NVD (official CPEs, CVSS), EPSS (exploitation probability), CISA KEV (known exploited vulnerabilities), STIX feeds (threat campaigns), public exploit and PoC databases.
Free (all intel, 3 alert rules), Professional $49/mo (10 alerts, Slack/Discord, exports), Advanced $199/mo (unlimited, CPE management, all integrations, SLA).
Define conditions (vendor, CVSS, EPSS thresholds, KEV, severity) and get notified when new CVEs match. Professional: 10 rules, Advanced: unlimited.
Yes. All CVE data, analytics, libraries (CWE, CAPEC, ATT&CK), scoring (SSVC, KEV Predictor) are free. Paid plans add productivity features.
TQL (Threat Query Language) is a text-based query language for filtering CVEs with complex criteria. Type queries directly in the search box on the home page.
| Field | Type | Description |
|---|---|---|
vendor | string | Vendor / manufacturer name |
affected_product | string | Affected product name |
cve_id | string | CVE identifier (e.g. CVE-2024-1234) |
cvss_score | number (0-10) | CVSS score (best available) |
cvss_v31_score | number (0-10) | CVSS v3.1 specific score |
cvss_v40_score | number (0-10) | CVSS v4.0 specific score |
epss_score | number (0-1) | EPSS exploitation probability |
severity | enum | CRITICAL, HIGH, MEDIUM, LOW |
in_kev | bool | Present in CISA KEV |
has_exploit | bool | Has weaponized exploit |
has_poc | bool | Has public proof-of-concept |
is_ransomware | bool | Used by ransomware |
cvss_vector | string | CVSS vector string |
published_date | date (YYYY-MM-DD) | CVE publication date |
ssvc_decision | enum | act, attend, track*, track |
cwe_id | string | CWE identifier (e.g. CWE-79) |
| Operator | Description |
|---|---|
== | Equals |
!= | Not equals |
> | Greater than |
< | Less than |
>= | Greater or equal |
<= | Less or equal |
contains / has / ~ | Contains substring |
not_contains / has not / !~ | Does not contain substring |
in | Value in list |
not_in | Value not in list |
| Connector | Alternatives | Description |
|---|---|---|
and | AND, && | Both conditions must be true |
or | OR, || | At least one condition must be true |