Target Intelligence

You give us a CVE. We tell you every vulnerable host on the internet right now.

VulnCheck Target Intelligence is a continuously updated index of internet-facing hosts confirmed to be running vulnerable software. Unlike traditional internet scanners that surface potentially vulnerable hosts, Target Intelligence applies fingerprinting and version detection techniques to identify hosts with a high degree of confidence, then maps those findings directly to CVEs.

This makes Target Intelligence useful as a stage 1 triage tool: before an attacker gets there, you can answer the question "which hosts on the internet are actually on the target list for this CVE right now?"

Base URL

https://api.vulncheck.com/v3/index/target-intel

Authentication

All requests require a bearer token in the Authorization header.

Authorization: Bearer <your_api_token>

Query Parameters

Parameters can be combined. All parameters are optional, but at least one should be provided for meaningful results.

Parameter	Type	Description
`cidr`	string	CIDR range for subnet lookups. Use `/32` for a single host (e.g., `203.0.113.42/32`)
`hostname`	string	Hostname derived from DNS lookup at time of scan
`cve`	string	CVE ID to retrieve all confirmed vulnerable hosts (e.g., `CVE-2024-21887`)
`vendor`	string	Software vendor name
`product`	string	Software product name
`version`	string	Software version string
`cpe`	string	Full CPE string
`asn`	string	Autonomous System Number (e.g., `AS15169`)
`country_code`	string	ISO 3166-1 alpha-2 country code (e.g., `US`, `DE`)
`port`	integer	TCP port number
`contains_cve`	boolean	When `true`, returns only hosts where a CVE is associated with the fingerprinted service
`limit`	integer	Maximum number of results to return per page

Note on vendor, product, and version: These parameters work in any combination. Querying by vendor alone or version alone is supported but may return broad results. Combining two or more produces more targeted output.

Response Schema

Each result represents a single observed host-port-service tuple. Results are returned as a JSON array.

Top-Level Fields

Field	Type	Always Present	Description
`ip`	string	Yes	IPv4 address of the observed host
`port`	integer	Yes	TCP port on which the service was observed
`type`	string	Yes	Service classification (e.g., `http`, `ssh`)
`protocol`	string	Yes	Transport protocol (typically `tcp`)
`cpe`	string	Yes	CPE string derived from fingerprinting
`asn`	string	Yes	Autonomous System Number
`country`	string	Yes	Country name
`country_code`	string	Yes	ISO 3166-1 alpha-2 country code
`cve`	array	null	Conditional
`fingerprint_metadata`	object	Yes	Key-value metadata from the fingerprinting process — see below

`fingerprint_metadata` Object

Field	Type	Description
`rule_source`	string	Confidence tier for this finding. Values: `confirmed` or `likely`. `confirmed` indicates version-level precision; `likely` indicates a probable match based on behavioral or indirect signals
Additional fields	string	Variable. May include vendor, product, version, detected service banner, and other enrichment attributes depending on what the fingerprint captured

Example Requests

Look up a single IP using CIDR notation

curl -H "Authorization: Bearer <token>" \
  "https://api.vulncheck.com/v3/index/target-intel?cidr=203.0.113.42/32"

Find all hosts confirmed vulnerable to a specific CVE

curl -H "Authorization: Bearer <token>" \
  "https://api.vulncheck.com/v3/index/target-intel?cve=CVE-2024-21887"

Find all hosts running a specific product

curl -H "Authorization: Bearer <token>" \
  "https://api.vulncheck.com/v3/index/target-intel?vendor=ivanti&product=connect+secure"

Filter CVE results by country

curl -H "Authorization: Bearer <token>" \
  "https://api.vulncheck.com/v3/index/target-intel?cve=CVE-2024-21887&country_code=US"

Example Response

{
  "data": [
    {
      "ip": "203.0.113.42",
      "port": 443,
      "type": "https",
      "protocol": "tcp",
      "cpe": "cpe:2.3:a:ivanti:connect_secure:22.3.0:*:*:*:*:*:*:*",
      "asn": "AS7922",
      "country": "United States",
      "country_code": "US",
      "cve": ["CVE-2024-21887", "CVE-2023-46805"],
      "fingerprint_metadata": {
        "rule_source": "confirmed",
        "vendor": "Ivanti",
        "product": "Connect Secure",
        "version": "22.3.0"
      }
    }
  ]
}

When no CVE is associated with a fingerprinted service, the cve field is null (not an empty array):

{
  "ip": "198.51.100.7",
  "port": 80,
  "type": "http",
  "protocol": "tcp",
  "cpe": "cpe:2.3:a:apache:tomcat:10.1.0:*:*:*:*:*:*:*",
  "asn": "AS16509",
  "country": "Germany",
  "country_code": "DE",
  "cve": null,
  "fingerprint_metadata": {
    "rule_source": "likely",
    "vendor": "Apache",
    "product": "Tomcat",
    "version": "10.1.0"
  }
}

Data Freshness

Target Intelligence maintains a rolling window of scan data. The index is continuously updated as new scan results arrive. Older observations are expired on a rolling basis to keep the dataset current and operationally relevant.

The unique key per record is the combination of IP + port + fingerprint/service information. If a host is re-scanned, its record is updated with the latest observation.

What This API Is and Is Not

Target Intelligence is:

A confirmed exploitation target queue for known-vulnerable internet-facing hosts
A pre-loss triage tool for understanding exposure at the moment a CVE is disclosed
A source of high-confidence, CVE-mapped host data with version-level fingerprinting

Target Intelligence is not:

An Attack Surface Management (ASM) tool it does not take a seed domain and enumerate assets
A complete inventory of all internet-facing assets for a given organization
A replacement for internal asset discovery

To look up hosts associated with an organization, query by ASN, CIDR range, or a list of known IPs.

Accessing Canary Data

V3 API Overview