---
title: "Nucleus Insights & Threat Rating"
slug: "insights"
tags: ["finding processing", "risk scoring", "VIP", "VIP Insights"]
updated: 2025-12-01T20:33:11Z
published: 2025-12-03T13:00:00Z
canonical: "help.nucleussec.com/insights"
stale: true
---

# Nucleus Insights & Threat Rating

## Overview

In modern vulnerability management, the biggest challenge is not identifying vulnerabilities but knowing which ones to fix *first*. The Nucleus platform helps security teams solve this problem using two powerful features: **Nucleus Insights** and the **Nucleus Threat Rating**.

These intelligence-driven enrichments allow you to move from a reactive, severity-based VM program to a proactive, threat-informed one. Whether you’re using SSVC, EPSS, or a homegrown risk model, these fields deliver critical signals needed to drive smart decisions.

---

## What is Nucleus Insights?

**Nucleus Insights** is our native threat enrichment feed, aggregating data from a curated list of sources such as:

- Public and proprietary exploit telemetry
- Commercial feeds and open-source intelligence

### **Why It Matters**

Nucleus Insights flags vulnerabilities based on actual observed behavior in the wild:

| Field Name *field_id* | Description |
| --- | --- |
| Nucleus Ease of Exploitation *nucleus_ease_of_exploitation* | Indicates how easily a vulnerability can be exploited based on factors such as exploit complexity, required privileges, and user interaction. This field helps prioritize vulnerabilities that attackers can leverage with minimal effort or technical skill. |
| Nucleus Exploit Weaponized *nucleus_exploit_weaponized* | Identifies whether functional, weaponized exploit code exists for the vulnerability. Weaponized exploits are ready-to-use tools that significantly increase the likelihood of active exploitation in the wild. |
| Nucleus Exploitation Consequence *nucleus_exploitation_consequence* | Describes the potential impact or outcome if the vulnerability is successfully exploited, such as data breach, system compromise, denial of service, or privilege escalation. This field helps assess the business risk associated with the vulnerability. |
| Nucleus Exploited by Ransomware *nucleus_exploited_by_ransomware* | Flags vulnerabilities that are known to be actively exploited by ransomware groups or campaigns. This indicator is critical for prioritizing patches that could prevent ransomware attacks. |
| Nucleus Fix Available *nucleus_fix_available* | Indicates whether a vendor-provided fix, patch, or remediation is currently available for the vulnerability. This field helps teams identify which vulnerabilities can be immediately addressed versus those requiring workarounds. |
| Nucleus Media Mentions (180 days) *nucleus_media_mentions_180day* | Tracks the number of times the vulnerability has been mentioned in security media, blogs, news outlets, and public forums within the last 180 days. High media attention often correlates with increased attacker interest. |
| Nucleus Media Mentions (30 days) *nucleus_media_mentions_30day* | Tracks the number of times the vulnerability has been mentioned in security media, blogs, news outlets, and public forums within the last 30 days. Recent spikes in mentions may indicate emerging threats or active exploitation campaigns. |
| Nucleus Media Mentions (90 days) *nucleus_media_mentions_90day* | Tracks the number of times the vulnerability has been mentioned in security media, blogs, news outlets, and public forums within the last 90 days. This provides a medium-term view of sustained interest in the vulnerability. |
| Nucleus Media Mentions (All Time) *nucleus_media_mentions_alltime* | Tracks the total number of times the vulnerability has been mentioned in security media, blogs, news outlets, and public forums since its disclosure. This provides historical context for the vulnerability's overall significance. |
| Nucleus Patch Available *nucleus_patch_available* | Indicates whether an official patch has been released by the vendor to remediate the vulnerability. This field helps teams quickly identify vulnerabilities with available patches for immediate deployment. |
| Nucleus Private Exploit Available *nucleus_private_exploit_available* | Identifies whether exploit code exists in private or underground markets, even if not publicly available. Private exploits indicate sophisticated threat actors may have the capability to exploit the vulnerability. |
| Nucleus Remote Exploitation *nucleus_remote_exploitation* | Indicates whether the vulnerability can be exploited remotely over a network without requiring local access to the target system. Remote exploits pose higher risk as they can be leveraged from anywhere on the internet. |
| Nucleus Threat Rating *nucleus_threat_rating* | The Threat Rating is Nucleus’ assessment of the risk of this vulnerability based on our insights and other feed information. |
| Nucleus Zero Day *nucleus_zero_day* | Flags vulnerabilities that are currently being exploited in the wild before a patch or fix is available (zero-day exploits). These represent the highest priority threats requiring immediate attention and compensating controls. |
| Nucleus Zero Day Previously *nucleus_zero_day_previously* | Identifies vulnerabilities that were previously exploited as zero-days before patches became available. This historical context helps understand the vulnerability's past threat level and attacker interest. |
| Nucleus Exploited *nucleus_exploited* | **Confirmed exploitation in real-world attacks.** Vulnerability exploitation has been observed in the wild, but not necessarily restricted to malware or ransomware exploitation. |
| Nucleus Exploited by Malware *nucleus_exploited_by_malware* | **Used by malware or ransomware.** Vulnerability exploitation has been observed in the wild by malware or ransomware (or both). |
| Nucleus Impacts OT *nucleus_impacts_ot* | The vulnerability is confirmed to affect Industrial Control Systems, SCADA, or IoT devices. |
| Nucleus Likely to Be Exploited *nucleus_likely_to_be_exploited* | **Predictive likelihood based on multi-source correlation.** Vulnerability is likely to be exploited based on available exploit code, predictive scoring, and affected vendors. |
| Nucleus Public Exploit Available *nucleus_public_exploit_available* | **PoC or exploit code publicly accessible.** There is exploit code publicly available that can be leveraged. |

These insights allow VM teams to instantly cut through the noise and home in on the ~1% of vulnerabilities that truly matter.

### **Where to Use It**

#### Vuln Intelligence Analysis

Just as you can use Mandiant, Shadowserver, and Vulncheck inside the analyst workbench in the Nucleus console, you can also see the VIP Insights fields there.

![](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/Nucleus Insights(1).png)

#### Automation

You can also use VIP Insights fields when creating [Automation Workflows](/v1/docs/automation-workflows) in the Nucleus console, for use in prioritization, triage, and remediation workflows. For example: Change Severity if `Nucleus exploited is 'Yes'`.

![](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/Automation Insights.png)

#### Other locations

- Filter views in “Active Vulns”
- Reports on real exposure to leadership

---

## What is the Nucleus Threat Rating?

The **Nucleus Threat Rating** is a composite field calculated by Nucleus that expresses the *threat level* associated with a vulnerability. Every CVE in existence goes through a composite scoring process as well as an analysis by Nucleus’ proprietary scoring algorithms and team.

The scoring levels leverage:

- Exploitation evidence
- Ease of attack
- Exploit consequence
- Zero-day status
- Malware association
- Availability of mitigations

**Threat Ratings are categorized with the following levels**

### Nucleus Threat Rating Levels

The **Threat Rating** in Nucleus is designed to communicate the *likelihood and impact of real-world exploitation*. It supplements traditional severity scores with a threat-centric perspective—focusing on how vulnerabilities are being weaponized in the wild.

#### Existential

**Definition:** An `Existential` threat rating indicates a vulnerability that represents an **immediate, organization-wide risk**. These are rare but high-consequence issues, often with:

- Active exploitation by advanced threat actors or malware
- No effective mitigations or patches
- Broad impact across critical business systems

**VM Implication:** Treat as an incident. Coordinate with IR teams. Prioritize across all assets regardless of business unit or owner.

---

#### Critical

**Definition:** A `Critical` threat rating is assigned to vulnerabilities with **confirmed exploitation in the wild** that pose **severe impact** or are widely weaponized.

**Signals include:**

- Use in ransomware or malware campaigns
- Inclusion in the CISA KEV catalog
- Exploits integrated into public frameworks (e.g., Metasploit)

**VM Implication:** Accelerated patching or compensating controls required. Enforce organizational SLAs.

---

#### High

**Definition:** A `High` threat rating indicates a vulnerability with **strong evidence of exploitability**, such as:

- Reliable public PoC exploits
- Known exploitation by lower-sophistication actors
- Privilege escalation or remote code execution with moderate effort

**VM Implication:** Prioritize remediation based on business context and asset exposure.

---

#### Medium

**Definition:** A `Medium` threat rating covers vulnerabilities with **indicators of interest** but limited observed exploitation. These may:

- Have theoretical or low-reliability exploits
- Be targets for reconnaissance or post-exploitation
- Require user interaction or specific conditions

**VM Implication:** Monitor for threat evolution. Triage based on asset criticality and business impact.

---

#### Low

**Definition:** `Low` threat vulnerabilities are not known to be exploited and pose **limited immediate risk**. They may:

- Be outdated or niche
- Have limited impact vectors
- Require local or non-standard access conditions

**VM Implication:** Defer remediation unless business-specific concerns dictate otherwise.

This rating helps you translate raw threat intelligence into a usable signal in your prioritization and remediation workflows.

### **How It’s Calculated**

The Nucleus Threat Rating is derived from a curated blend of proprietary threat intelligence, public exploitation data, and advanced enrichment pipelines. We continuously analyze signals such as exploitation in the wild, availability of proof-of-concept code, malware associations, and attacker behavior to assign each vulnerability a real-world threat level, from Low to Existential. This dynamic rating system empowers security teams to focus on what’s being actively targeted, not just what’s technically severe. Every CVE gets analyzed regardless of whether or not NVD has analyzed it and applied a CVSS score.

## Using Threat Rating + Insights Together

Combining Nucleus Insights fields with the Threat Rating in your VM workflows is a best practice:

**Example 1: Identify Active Threats**

`nucleus_exploited = True OR nucleus_exploited_by_malware = True OR nucleus_threat_rating = Existential`

**Example 2: Identify Potential Future Threats**

`nucleus_likely_to_be_exploited = True AND nucleus_threat_rating = Critical,High`
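
The two filters above, applied to a list of findings, as an added example that is not Nucleus code. Field ids and rating names are taken from this page; the one-dict-per-finding record layout, the sample records, and the choice to list findings with a fix available first within a rating are assumptions.

```python
# Added example: field ids and rating names come from this page; the record
# layout (one dict per finding) and the sample values are constructed.
RATING_ORDER = ["Existential", "Critical", "High", "Medium", "Low"]

def flag(finding, field_id):
    """Normalise a yes/no Insights field; the page shows both 'Yes' and True."""
    value = finding.get(field_id)
    if isinstance(value, str):
        return value.strip().lower() in ("yes", "true")
    return bool(value)

def is_active_threat(f):
    # Example 1: exploited OR exploited by malware OR rated Existential
    return (flag(f, "nucleus_exploited")
            or flag(f, "nucleus_exploited_by_malware")
            or f.get("nucleus_threat_rating") == "Existential")

def is_potential_future_threat(f):
    # Example 2: likely to be exploited AND rated Critical or High
    return (flag(f, "nucleus_likely_to_be_exploited")
            and f.get("nucleus_threat_rating") in ("Critical", "High"))

def rank(f):
    # Unknown or missing ratings sort last instead of raising
    rating = f.get("nucleus_threat_rating")
    position = RATING_ORDER.index(rating) if rating in RATING_ORDER else len(RATING_ORDER)
    # Assumption: within a rating, findings with a fix available come first
    return (position, not flag(f, "nucleus_fix_available"))

def triage(findings):
    """Bucket findings; the active-threat filter wins when both match."""
    buckets = {"active": [], "future": [], "other": []}
    for f in findings:
        name = ("active" if is_active_threat(f)
                else "future" if is_potential_future_threat(f) else "other")
        buckets[name].append(f)
    return {name: sorted(items, key=rank) for name, items in buckets.items()}

# Constructed sample findings (placeholder ids, not real CVEs)
SAMPLE = [
    {"id": "VULN-A", "nucleus_threat_rating": "High", "nucleus_likely_to_be_exploited": "Yes", "nucleus_fix_available": True},
    {"id": "VULN-B", "nucleus_threat_rating": "Critical", "nucleus_exploited": "Yes", "nucleus_fix_available": False},
    {"id": "VULN-C", "nucleus_threat_rating": "Existential"},
    {"id": "VULN-D", "nucleus_threat_rating": "Medium", "nucleus_likely_to_be_exploited": True},
    {"id": "VULN-E", "nucleus_threat_rating": "Critical", "nucleus_exploited_by_malware": True, "nucleus_fix_available": "Yes"},
]

if __name__ == "__main__":
    for name, items in triage(SAMPLE).items():
        print(name, [f["id"] for f in items])
```
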

### Advantage: VIP Risk Levels

If you are an Advantage member, you also have access to the [VIP](/v1/docs/what-is-vip) console. Within the VIP console, you can also use the Insights fields in Searches, in monitored vulnerabilities, or when building custom risk levels.

![](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/image(382).png)

For more information about Insights, and how to leverage it in your VM program, please reach out to your account manager, or email [support@nucleussec.com](mailto:support@nucleussec.com).
