Vulnerability Intelligence & Decision Support Engine
Normalize • Enrich • Prioritize • Decide
Documentation • Overview • Features • Architecture • Getting Started • Changelog • Licensing
⭐ If you find VulnParse-Pin useful, please consider starring the repository to show your support! ⭐
⚙️ If you want to contribute, check out the CONTRIBUTING.md guide for details on how to get involved. ⚙️
🎗️ Feedback is very much desired. Please leave a discussion or issue! 🎗️
What's New in v1.2.0
Try It In 60 Seconds
Why VulnParse-Pin Exists
What Makes VulnParse-Pin Different?
Where It Fits
Who Is VulnParse-Pin For?
Key Features
Installation
Feedback and Contributions
Roadmap and Future Enhancements
Documentation
VulnParse-Pin reduces vulnerability noise by up to 94% and produces a ranked, explainable remediation plan based on real-world exploitability.
Stop sorting by severity. Start prioritizing what actually matters.
VulnParse-Pin is a post-scan intelligence and decision support engine that turns thousands of scanner findings into a ranked, explainable remediation plan based on real-world exploitability.
Most vulnerability programs prioritize by CVSS severity alone, which leads to inflated backlogs and triage fatigue.
VulnParse-Pin prioritizes by:
- Known-Exploited Risk (CISA KEV): KEV status and public exploit signals take precedence to focus on what matters most.
- Real-World probability (EPSS): Exploitation probability is factored into scoring to surface high-risk vulnerabilities that may have lower CVSS but are more likely to be exploited.
- Exploit Availability (ExploitDB, GHSA): Presence of known exploits in public databases is a critical signal for prioritization.
- Attack Capability Context (ACI, NMAP): Asset context and inferred attacker capability help break ties and focus on what is most actionable.
- Whole-of-CVEs Context: When multiple CVEs contribute to a finding, VulnParse-Pin aggregates their signals for a more accurate risk assessment.
👉 Find what actually matters. Defend why it matters. Act on it.
VulnParse-Pin now goes beyond prioritization — it delivers context-aware, explainable decision intelligence to help you defend your remediation decisions and communicate risk effectively.
This release transforms VulnParse-Pin into a fully auditable vulnerability intelligence decision support engine (VIDE).
- Infers real-world attack capability from evidence signals in findings (RCE, lateral movement, privilege escalation, etc.).
- Detects potential exploit chains, not just individual vulnerabilities.
- Scores findings across all associated CVEs with bounded decay, not just the highest CVSS contributor. This enables a more realistic risk assessment.
- Includes full score trace for auditability and explainability.
- Detect degraded or low-quality scanner input.
- Confidence scoring and strict ingestion gates.
- Decision ledger events for ingestion outcomes.
- Signed + quarantined SQLite cache governance for reliable online/offline GHSA enrichment with source confidence normalization.
- Online + offline modes with error handling and fallback.
- Package-level fallback when CVE-level GHSA data is unavailable.
- Uses real open-port data to refine prioritization.
- Influences ranking without mutating source findings.
- HMAC-SHA256 signed scan-complete events with replay protection and OAL filtering for secure integration with external systems.
- Replay protection with timestamp and nonce validation.
Most VM tools tell you what to fix.
VulnParse-Pin shows you:
- Why a vulnerability is ranked where it is
- Which signals contributed to that decision
- How multiple CVEs influenced the final risk score
- What data quality issues may affect confidence
Every decision includes:
score_trace→ how risk was calculated- Decision ledger → how prioritization decisions were made
- Ingestion confidence → how trustworthy the input data is
👉 You’re not just prioritizing risk — you’re proving it.
In a sample dataset of 1,250 findings, VulnParse-Pin reduced triage scope to 72 high-priority items while surfacing all KEV-listed vulnerabilities at the top. This resulted in a ~94% reduction in triage volume without losing known-exploited risk signals.
No configuration required — just install and run the demo profile to see VulnParse-Pin in action with a sample OpenVAS report and Nmap context.
- Your top exploitable vulnerabilities
- Prioritization back by real-world risk signals (KEV, EPSS, ExploitDB, NVD, and more)
- Explainable scoring artifacts to support your decisions
- Executive and technical reports for communicating risk and remediation plans
- Automatic NMAP Attack Surface Mapping for refined prioritization based on real open ports
pip install vulnparse-pin
vpp --demoDemo profile defaults:
- Input: packaged OpenVAS sample (
openvas_updated_test.xml, 15 assets / 2,000 findings) - Nmap context: packaged Nmap sample (
base_test_nmap.xml) - GHSA: forced
onlinewith--ghsa-budget 25 - Outputs: JSON, CSV, executive markdown, technical markdown, runmanifest
Results are saved automatically to user's local app data and path shown in the terminal.
VulnParse-Pin analyzed your report and prioritized vulnerabilities based on:
- KEV known-exploited status
- EPSS exploitation probability
- ExploitDB presence and recency
- CVSS metrics
- Most recent NVD context
- Asset context (internal vs. external, public_ip vs private_ip, etc.)
- CVSS-only scoring
- No exploit context
- No clear prioritization
- No asset context
- Black-box scoring with no explainability
- Ranked enriched findings with exploit context and scoring metadata
- Auditable, prioritized outputs for technical and executive review
- JSON, CSV, and Markdown reporting options for downstream workflows and presentations
This is your vulnerability data, but now it's actionable and focused on what matters most. You can review the top-ranked vulnerabilities with confidence, knowing that the prioritization is based on real-world risk signals and enriched context.
You now have a clear starting point for remediation.
See the Getting Started In 5 Minutes or Installation guide for more details and options.
Vulnerability scanners answer:
"What vulnerabilities exist in my environment?"
What they don't answer is:
"What should I fix first, and why?"
The gap is where vulnerability management fails.
Instead of:
- CVSS-only prioritization
- Overload of "critical" findings
- No explainability
You get:
- Exploit-driven prioritization
- [Context-aware risk modeling]
- Full explainability with auditable scoring artifacts
- Flexible reporting for technical and executive audiences
- Consistent outputs across formats for governance confidence
| Traditional Tools | VulnParse-Pin |
|---|---|
| CVSS-based prioritization | Exploit + probability + context-driven prioritization |
| Black-box scoring | Fully explainable score_trace and decision ledger |
| Single-CVE scoring | Whole-of-CVEs aggregation |
| No input validation | Ingestion confidence + degraded input detection |
| Static vulnerability view | Attack capability inference (ACI) |
| Limited pipeline integration | Signed webhook delivery + run manifests |
| Narrow configurability | Flexible, policy-driven scoring and prioritization |
- Run vulnerability scans as usual with your existing tools (Nessus/OpenVAS XML supported, plus Nessus/Qualys CSV constrained-export ingestion).
- Export results in supported formats.
- Use VulnParse-Pin to ingest, enrich, and prioritize findings based on real-world risk signals and configurable policies.
- Review the prioritized outputs for triage and remediation planning.
- Patch, mitigate, or accept risk based on the enriched context and explainable scoring artifacts provided by VulnParse-Pin.
You decide what to prioritize, but VulnParse-Pin helps you make informed decisions and defend them with data.
VulnParse-Pin is for teams that need to triage high volumes of vulnerability findings without losing focus on what is most actionable.
- CI/CD Workflows: DevSecOps teams integrating vulnerability management into CI/CD pipelines for faster feedback and remediation.
- Practitioners: Security analysts, security engineers, SOC teams, red teams, and penetration testers.
- Program and risk owners: Vulnerability program managers, risk assessors, and security leadership.
- Service providers and builders: Consultants, MSSPs, researchers, and developers integrating or extending workflows.
See the Overview documentation for more details on use cases and target audiences.
-
✅ Scanner-Agnostic Normalization: Ingests and standardizes output from any vulnerability scanner or feed (Currently Nessus/OpenVAS).
-
✅ Powerful Attack Capability Inference (ACI): Infers real-world attack capabilities from finding evidence to enhance prioritization beyond CVSS.
-
✅ Powerful Optimizations: Designed for both small and high-volume workloads with dynamic execution strategies, caching, and parallel processing:
- Sublinear scaling with finding count
- Parallelized scoring and prioritization paths
- Optimized NVD enrichment with streaming and filtering
- Tested on datasets up to 700k findings with real-world CVE distributions (~1800 findings/sec in under 5 minutes).
-
✅ Exploit Intelligence Enrichment: Integrates with CISA KEV, ExploitDB, NVD, and more for comprehensive context.
-
✅ Configurable Scoring and Prioritization Engine: Flexible, policy-driven scoring that can be tuned to organizational risk tolerance and priorities. This includes the ability to prioritize known-exploited vulnerabilities and adjust scoring based on asset context.
-
✅ Deterministic Pass Pipelines: Modular processing stages for enrichment, scoring, and prioritization that can be customized or extended.
-
✅ Executive and Technical Reporting: Provides both high-level summaries for executives and detailed insights for technical teams, with explainable scoring and prioritization artifacts.
-
✅ Offline Mode and Local Feeds: Supports offline operation and local feed management for environments with limited connectivity or strict data handling requirements.
-
✅ Decision Ledger & RunManifest: Full traceability of how every priority decision was made, with a structured ledger of decision events and a run manifest for auditability and governance.
See the Features documentation for a comprehensive list of features and capabilities.
VulnParse-Pin can be installed using pip:
pip install vulnparse-pinor
install from source:
git clone https://github.com/QT-Ashley/VulnParse-Pin.git
cd VulnParse-Pin
pip install -e .Standalone executables with release artifacts are also available on PyPI and GitHub Releases, which include pre-built wheels for easy installation:
pip install vulnparse_pin-*py3-none-any.whlAfter installation, you can run VulnParse-Pin with your own scanner exports:
vpp -f path/to/your_scan.[nessus|xml] -o <output_file>.json -pp -oC <output_file>.csv -oM <output_file>.md -oMT <output_file>_technical.md --output-runmanifest <output_file>_runmanifest.jsonCSV profile examples for reporting workflows:
# Analyst-facing triage CSV
vpp -f path/to/your_scan.[nessus|xml] --output-csv <output_file>_analyst.csv --csv-profile analyst
# Audit-facing traceability CSV
vpp -f path/to/your_scan.[nessus|xml] --output-csv <output_file>_audit.csv --csv-profile auditVerify a previously generated runmanifest artifact without rerunning the pipeline:
vpp --verify-runmanifest <output_file>_runmanifest.jsonCheck out Releases for the latest release artifacts.
A list of all available command-line options can be found in the Getting Started In 5 Minutes guide.
If you tried VulnParse-Pin, even briefly, please consider leaving feedback or contributing to the project:
- Did it fit your workflow?
- What was confusing or difficult to use?
- What features would you like to see next?
- What other use cases do you have in mind?
Anything you can share is helpful, whether it's a quick comment, a detailed issue, or a pull request with improvements.
Contributor workflow and expectations are documented in CONTRIBUTING.md.
- Additional Scanner Support: Expanding normalization capabilities to support more vulnerability scanners and feeds.
- Advanced Enrichment Sources: Integrating additional threat intelligence sources for richer context.
- Machine Learning Integration: Exploring the use of machine learning models for enhanced scoring, prioritization, and AI-augmented reporting at the derived context layer (truth layer remains immutable).
- Historical Trend Analysis: Adding features to analyze historical vulnerability data and trends over time.
- Community Contributions: Encouraging and incorporating contributions from the open source community to enhance features and expand use cases.
For the latest updates on the roadmap and future enhancements, please refer to the Roadmap documentation.
For more detailed information on how to use, configure, and extend VulnParse-Pin, please refer to the documentation:
- Docs Index
- Overview
- Getting Started In 5 Minutes
- Upgrade and Migration
- Troubleshooting
- Output Interpretation
- Testing Guide
- Architecture
- Extension Playbooks
- ADR Workflow
- Architecture Review Checklist
- Deprecation and Versioning Policy
- Pipeline System
- RunManifest Overview
- RunManifest Technical Deep Dive
- Security Features
- Current Scoring Profile (March 2026)
- Configs
- Benchmarks
- Performance Optimizations
- Licensing
- Value Proposition One Pager
- VulnParse-Pin Wiki Docs
Check out the CHANGELOG for a detailed history of changes and updates.
VulnParse-Pin is licensed under the GNU Affero General Public License v3.0 or later (AGPLv3+).
This ensures that improvements to VulnParse-Pin — including those used in hosted or network-accessible services — remain open and benefit the community.
- ✅ Free to use, modify, and run internally
- ✅ Free for research, education, SOC pipelines, and consulting
- ✅ Free to sell services using VulnParse-Pin
⚠️ If you run a modified version as a hosted service, you must make the source available
Unmodified use does not require source disclosure.
Modified use does require source disclosure if the modified version is used in a hosted or network-accessible service.
VulnParse-Pin is provided "as is" without any warranties or guarantees. The developers and contributors are not liable for any damages or losses resulting from the use of VulnParse-Pin. Users are responsible for ensuring that their use of VulnParse-Pin complies with all applicable laws and regulations.
VulnParse-Pin is a tool designed to assist in vulnerability management and prioritization. It should be used as part of a comprehensive security program and not as a standalone solution. Always validate and verify findings through additional analysis and testing before taking remediation actions.
VulnParse-Pin does not guarantee the accuracy or completeness of the vulnerability data it processes. Users should exercise caution and use their judgment when interpreting results and making decisions based on VulnParse-Pin's outputs.
VulnParse-Pin is not responsible for any misuse or abuse of the tool. It is intended for ethical use by security professionals and organizations to improve their security posture.
For a full list of disclaimers and legal information, please refer to the Licensing documentation.