Target Intelligence

You give us a CVE. We tell you every vulnerable host on the internet right now.

VulnCheck Target Intelligence is a continuously updated index of internet-facing hosts confirmed to be running vulnerable software. Unlike traditional internet scanners that surface potentially vulnerable hosts, Target Intelligence applies fingerprinting and version detection techniques to identify hosts with a high degree of confidence, then maps those findings directly to CVEs.

This makes Target Intelligence useful as a stage 1 triage tool: before an attacker gets there, you can answer the question "which hosts on the internet are actually on the target list for this CVE right now?"

Base URL

https://api.vulncheck.com/v3/index/target-intel

Authentication

All requests require a bearer token in the Authorization header.

Authorization: Bearer <your_api_token>

Query Parameters

Parameters can be combined. All parameters are optional, but at least one should be provided for meaningful results.

Parameter	Type	Description
`cidr`	string	CIDR range for subnet lookups. Use `/32` for a single host (e.g., `203.0.113.42/32`)
`hostname`	string	Hostname derived from DNS lookup at time of scan
`cve`	string	CVE ID to retrieve all confirmed vulnerable hosts (e.g., `CVE-2024-21887`)
`vendor`	string	Software vendor name
`product`	string	Software product name
`version`	string	Software version string
`cpe`	string	Full CPE string
`asn`	string	Autonomous System Number (e.g., `AS15169`)
`country`	string	Country name (e.g., `United States`, `Germany`)
`country_code`	string	ISO 3166-1 alpha-2 country code (e.g., `US`, `DE`)
`protocol`	string	Transport protocol (typically `tcp`)
`port`	integer	TCP port number
`contains_cve`	boolean	When `true`, returns only hosts where a CVE is associated with the fingerprinted service
`classifications`	string	Comma-separated list of classification values to filter by. Valid values: `c2`, `scanner`, `proxy`, `attack-infrastructure`, `honeypot`, `mcp`, `cdn`, `sector`, `canary-attacker`
`limit`	integer	Maximum number of results to return per page

Note on vendor, product, and version: These parameters work in any combination. Querying by vendor alone or version alone is supported but may return broad results. Combining two or more produces more targeted output.

Response Schema

Each result represents a single observed host-port-service tuple. Results are returned as a JSON array.

Top-Level Fields

Field	Type	Always Present	Description
`ip`	string	Yes	IPv4 address of the observed host
`hostname`	string	Yes	Hostname from DNS lookup at scan time (may be empty)
`port`	integer	Yes	TCP port on which the service was observed
`timestamp`	string	Yes	ISO 8601 timestamp of when the observation was made
`date_added`	string	Yes	ISO 8601 timestamp of when the record was added to the index
`protocol`	string	Yes	Transport protocol (typically `tcp`)
`cpe`	array	Yes	CPE strings derived from fingerprinting
`cve`	array\|null	Conditional	CVE IDs associated with this host's fingerprint. `null` when no CVE match
`vendor`	array	Yes	Vendor names derived from fingerprinting
`product`	array	Yes	Product names derived from fingerprinting
`version`	array	Yes	Version strings derived from fingerprinting
`fingerprints`	array	Yes	Per-fingerprint detail objects — see below
`contains_cve`	boolean	Yes	`true` when the fingerprinted service has an associated CVE
`asn`	string	Conditional	Autonomous System Number (e.g., `AS64500`). Omitted when not available
`as_name`	string	Conditional	Autonomous System name. Omitted when not available
`as_domain`	string	Conditional	Autonomous System domain. Omitted when not available
`country`	string	Conditional	Country name. Omitted when not available
`country_code`	string	Conditional	ISO 3166-1 alpha-2 country code. Omitted when not available
`classifications`	array	Conditional	Classification tags applied to this host (e.g., `c2`, `honeypot`, `proxy`). Omitted when none apply
`metadata`	object	Conditional	Additional metadata. Omitted when not available

`fingerprints` Array

Each element describes a single fingerprint match for the host-port.

Field	Type	Description
`cpe`	string	CPE string for this fingerprint
`vendor`	string	Vendor name
`product`	string	Product name
`version`	string	Product version
Additional fields	string	Variable. May include detected service banner and other enrichment attributes depending on what the fingerprint captured

Example Requests

Look up a single IP using CIDR notation

curl -H "Authorization: Bearer <token>" \
  "https://api.vulncheck.com/v3/index/target-intel?cidr=203.0.113.42/32"

Find all hosts confirmed vulnerable to a specific CVE

curl -H "Authorization: Bearer <token>" \
  "https://api.vulncheck.com/v3/index/target-intel?cve=CVE-2024-21887"

Find all hosts running a specific product

curl -H "Authorization: Bearer <token>" \
  "https://api.vulncheck.com/v3/index/target-intel?vendor=ivanti&product=connect+secure"

Filter CVE results by country

curl -H "Authorization: Bearer <token>" \
  "https://api.vulncheck.com/v3/index/target-intel?cve=CVE-2024-21887&country_code=US"

Example Response

{
  "data": [
    {
      "ip": "203.0.113.42",
      "hostname": "vpn.example.com",
      "port": 443,
      "timestamp": "2025-01-15T08:42:11Z",
      "date_added": "2025-01-15T08:42:11Z",
      "protocol": "tcp",
      "cpe": ["cpe:2.3:a:ivanti:connect_secure:22.3.0:*:*:*:*:*:*:*"],
      "cve": ["CVE-2024-21887", "CVE-2023-46805"],
      "vendor": ["Ivanti"],
      "product": ["Connect Secure"],
      "version": ["22.3.0"],
      "fingerprints": [
        {
          "cpe": "cpe:2.3:a:ivanti:connect_secure:22.3.0:*:*:*:*:*:*:*",
          "vendor": "Ivanti",
          "product": "Connect Secure",
          "version": "22.3.0"
        }
      ],
      "contains_cve": true,
      "asn": "AS64500",
      "as_name": "Example ISP",
      "as_domain": "example.com",
      "country": "United States",
      "country_code": "US",
      "classifications": ["c2:cobalt-strike"]
    }
  ]
}

When no CVE is associated with a fingerprinted service, the cve field is null (not an empty array) and contains_cve is false:

{
  "ip": "198.51.100.7",
  "hostname": "",
  "port": 80,
  "timestamp": "2025-01-15T09:10:00Z",
  "date_added": "2025-01-15T09:10:00Z",
  "protocol": "tcp",
  "cpe": ["cpe:2.3:a:apache:tomcat:10.1.0:*:*:*:*:*:*:*"],
  "cve": null,
  "vendor": ["Apache"],
  "product": ["Tomcat"],
  "version": ["10.1.0"],
  "fingerprints": [
    {
      "cpe": "cpe:2.3:a:apache:tomcat:10.1.0:*:*:*:*:*:*:*",
      "vendor": "Apache",
      "product": "Tomcat",
      "version": "10.1.0"
    }
  ],
  "contains_cve": false,
  "asn": "AS64501",
  "country": "Germany",
  "country_code": "DE"
}

Data Freshness

Target Intelligence maintains a rolling window of scan data. The index is continuously updated as new scan results arrive. Older observations are expired on a rolling basis to keep the dataset current and operationally relevant.

The unique key per record is the combination of IP + port + fingerprint/service information. If a host is re-scanned, its record is updated with the latest observation.

What This API Is and Is Not

Target Intelligence is:

A confirmed exploitation target queue for known-vulnerable internet-facing hosts
A pre-loss triage tool for understanding exposure at the moment a CVE is disclosed
A source of high-confidence, CVE-mapped host data with version-level fingerprinting

Target Intelligence is not:

An Attack Surface Management (ASM) tool it does not take a seed domain and enumerate assets
A complete inventory of all internet-facing assets for a given organization
A replacement for internal asset discovery

To look up hosts associated with an organization, query by ASN, CIDR range, or a list of known IPs.

Accessing Canary Data

V3 API Overview