For an audit, a compliance review, or an incident timeline, the question is always the same: what was known, when? Was a CVE on CISA's known-exploited list on the day in question? What did a domain's TLS certificate present at the time? We turn the live CISA known-exploited-vulnerabilities catalog, per-package OSV lookups, security advisories and live TLS cert checks into Ed25519-signed, provenance-stamped, archived records — captured as they happen, so anyone can re-check them months later without trusting your word or ours. Evidence of what was reported at a time — not a scan, not an assessment, not a guarantee of security.
Audits, compliance frameworks and incident reviews all turn on a point-in-time fact: what was known when. Was this CVE on CISA's known-exploited list on the date you patched? What TLS certificate and protocol did this endpoint present during the assessment window? Most of what gets offered to answer that is a screenshot pasted into a spreadsheet, or a note that says "we checked on the 3rd" — pulled together long after the fact. None of it is independent, and anyone reviewing it can question the date, the source, or whether it was edited.
For ISO 27001, SOC 2, the Essential Eight, or an incident timeline, what holds up is an independent, third-party record — what an authoritative source (CISA, NVD/CVE, OSV) reported, or what a TLS endpoint actually presented, captured at the moment it existed, signed and timestamped, and re-checkable by an auditor later. Not a recollection, not a screenshot anyone could have changed. That's what this vertical provides: a signed, archived record of what was reported at a time.
Live security signals, delivered the same way every datapoint we publish is — signed, sourced, and archived.
The exploited_vulnerabilities tool returns the CISA KEV catalog — CVEs confirmed exploited in the wild (not merely disclosed), with the date each was added, the catalog version, and FIRST.org EPSS scores. Source: CISA Known Exploited Vulnerabilities catalog (US-gov, public domain) + FIRST.org EPSS.
The check_vulnerability tool looks a package up across the OSV.dev corpus — the known vulnerabilities, CVE IDs, CVSS vectors and fixed versions affecting it. Source: OSV.dev (Google), CC-BY-4.0.
The security_advisories tool returns recent advisories — id, CVE, summary, severity, ecosystem and affected package — from the GitHub Advisory Database. A record of what was published at a time.
The cert_check tool performs a direct TLS handshake to a domain and records what it presented — validity, issuer, expiry, days-to-expiry, TLS protocol version and SANs. This is our own live observation of the endpoint.
This is a live exploited_vulnerabilities reading, fetched in your browser from POST /v1/batch — the number is the total CVEs CISA currently lists as known-exploited-in-the-wild, with the catalog version it came from (Source: CISA Known Exploited Vulnerabilities catalog). The second figure is a live cert_check on this very domain — days until our own TLS certificate expires, measured by a direct handshake. Both are captured as signed, provenance-stamped readings.
1,619 CVEs are currently on CISA's known-exploited-in-the-wild catalog (version 2026.06.12) — each confirmed exploited, not merely disclosed. And our own TLS certificate on dynamicfeed.ai has 75 days to expiry, valid on TLS 1.3. Both captured as signed, provenance-stamped readings.
This is a signed record of what an authoritative source reported, and what a TLS endpoint presented, at a time — the CISA KEV catalog is what CISA listed as known-exploited; the cert reading is our own live observation of the handshake. It is evidence of what was reported at a time — not a vulnerability scan, not a penetration test, not a security assessment, and not a guarantee that you, or any endpoint, are secure. CISA KEV and CVE/NVD are US-gov public domain; OSV is open (CC-BY-4.0, Google/OSV); the cert reading is our own live TLS observation.
Capture a signed record of whether a CVE was on CISA's known-exploited list, and what an endpoint's cert presented, on the date in question — an auditable account neither you nor a reviewer has to take on trust.
For ISO 27001, SOC 2 or the Essential Eight, attach a signed, timestamped record of what an authoritative source reported — re-verifiable in the auditor's own code, instead of a screenshot in a spreadsheet.
Produce signed, provenance-stamped records of known-exploited status and cert posture across the estates you manage — a third-party record you can hand a client or their auditor.
When a post-incident review asks "was this known-exploited then?", a signed record captured at the time gives the timeline a documented, re-checkable basis — not a reconstruction after the fact.
Record what a vendor's domain presented on TLS, and which advisories affected their stack, at the time of review — a signed record of what was reported, kept for the file.
An Ed25519-signed, archived datapoint anyone can independently verify — proof a reading existed unchanged at a time, useful when what was known, and when, is in dispute.
One keyless MCP or REST call: exploited_vulnerabilities, check_vulnerability (by package), security_advisories, or cert_check with a domain. No key to get started.
The response carries the known-exploited catalog, a package's vulnerabilities, recent advisories, or the live TLS reading for a domain — each with its source and exact measurement time.
Every response is Ed25519-signed and provenance-stamped, and written to the append-only archive — so you can produce it months later for an audit or a review.
An auditor — or either party — can re-check the signature on the public verify page or with the open-source verifier — no need to trust us.
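What the auditor's re-check in the last step could look like, as an added example that is not the service's verifier or code from this page. It assumes a hypothetical JSON record layout (`measured_at`, `entries`, `cve`, `date_added`), a signature computed over the exact response bytes, and a throwaway key with a placeholder CVE id; the real schema, signing input and public key are not shown here.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Reading is a hypothetical record layout; the real schema is not shown on the page.
type Reading struct {
	MeasuredAt time.Time `json:"measured_at"`
	Entries    []struct {
		CVE       string `json:"cve"`
		DateAdded string `json:"date_added"` // YYYY-MM-DD
	} `json:"entries"`
}

// ListedOn verifies sig over the exact payload bytes, then reports whether cve was on the list on day.
func ListedOn(pub ed25519.PublicKey, payload, sig []byte, cve, day string) (bool, error) {
	if !ed25519.Verify(pub, payload, sig) {
		return false, fmt.Errorf("signature invalid: record altered or wrong key")
	}
	var r Reading
	if err := json.Unmarshal(payload, &r); err != nil {
		return false, err
	}
	// A snapshot is no evidence about days after it was captured.
	if day > r.MeasuredAt.UTC().Format("2006-01-02") {
		return false, fmt.Errorf("%s is later than the capture time", day)
	}
	for _, e := range r.Entries {
		if e.CVE == cve {
			return e.DateAdded <= day, nil // ISO dates compare correctly as strings
		}
	}
	return false, nil
}

// Sample returns a constructed record signed with a throwaway all-zero-seed key.
func Sample() (ed25519.PublicKey, []byte, []byte) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	payload := []byte(`{"catalog_version":"2026.06.12","measured_at":"2026-06-12T03:00:00Z","entries":[{"cve":"CVE-0000-0001","date_added":"2026-05-20"}]}`)
	return priv.Public().(ed25519.PublicKey), payload, ed25519.Sign(priv, payload)
}

func main() {
	pub, payload, sig := Sample()
	fmt.Println(ListedOn(pub, payload, sig, "CVE-0000-0001", "2026-06-01"))
}
```

The signature check runs before any field is parsed, so a record edited after capture is rejected rather than answered from, and a date later than the capture time is refused rather than guessed at.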
Take the security-evidence vertical on its own — the live CISA known-exploited catalog, OSV package lookups, security advisories and live TLS cert checks, each signed, provenance-stamped, archived, with the public verify page, scoped to your domains and volume. Starting points below, in Australian dollars; final scope and price are agreed on a call.
Starter: from A$99/mo (indicative)
Live exploited_vulnerabilities and cert_check over your domains, signed and provenance-stamped, with the public verify page — for a single team or desk.
Audit: from A$249/mo (indicative)
All security feeds plus check_vulnerability and security_advisories, the append-only archive for your control evidence, and higher volume — for active audit and compliance work.
GRC / MSSP: from A$499/mo (indicative)
Multi-domain coverage, archive retention scoped to your audit needs, and delivery shaped for GRC, vendor-risk or managed-security workflows.
These are starting points, not a checkout. Every engagement is scoped to your domains, volume, and how you need it delivered — final pricing is agreed before any work begins. Need conditions at a site on a date, signed for a claim? See weather evidence. Need AIS, tides and GPS at sea? See the maritime vertical. Want the GNSS-jamming angle? See GPS integrity. Want your own source wrapped the same way? See done-for-you.
We provide a signed record of what authoritative sources reported — CISA's known-exploited catalog, the CVE/NVD and OSV corpora, security advisories — and what a TLS endpoint presented at a time. It is evidence of what was reported at a time — not a vulnerability scan, not a penetration test, not a security assessment or audit, and not a guarantee that you, or any system, are secure. Signing and anchoring prove that a datapoint existed, unchanged, at a specific time — they do not prove it is true, accurate or complete; we make no accuracy guarantees about the upstream source, and this is not a security certification. The CISA KEV catalog and CVE/NVD are US-gov public domain; OSV is open (CC-BY-4.0, Google/OSV); the cert reading is our own live TLS observation. This is an independent, signed record — evidence of what was reported, not a safety or security certification.
Tell us your domains and how you'd use it, and we'll scope the security-evidence vertical on a short call. No card details, no checkout; we agree the scope and price first.