Overview
In modern vulnerability management, the biggest challenge is not identifying vulnerabilities—but knowing which ones to fix first. The Nucleus platform helps security teams solve this problem using two powerful features: Nucleus Insights and the Nucleus Threat Rating.
These intelligence-driven enrichments allow you to move from a reactive, severity-based VM program to a proactive, threat-informed one. Whether you’re using SSVC, EPSS, or a homegrown risk model, these fields deliver critical signals needed to drive smart decisions.
What is Nucleus Insights?
Nucleus Insights is our native threat enrichment feed, aggregating data from a curated list of sources such as:
Public and proprietary exploit telemetry
Commercial feeds and open-source intelligence
Why It Matters
Nucleus Insights flags vulnerabilities based on actual observed behavior in the wild:
| Field Name | field_id | Description |
|---|---|---|
| Nucleus Ease of Exploitation | nucleus_ease_of_exploitation | Indicates how easily a vulnerability can be exploited based on factors such as exploit complexity, required privileges, and user interaction. This field helps prioritize vulnerabilities that attackers can leverage with minimal effort or technical skill. |
| Nucleus Exploit Weaponized | nucleus_exploit_weaponized | Identifies whether functional, weaponized exploit code exists for the vulnerability. Weaponized exploits are ready-to-use tools that significantly increase the likelihood of active exploitation in the wild. |
| Nucleus Exploitation Consequence | nucleus_exploitation_consequence | Describes the potential impact or outcome if the vulnerability is successfully exploited, such as data breach, system compromise, denial of service, or privilege escalation. This field helps assess the business risk associated with the vulnerability. |
| Nucleus Exploited by Ransomware | nucleus_exploited_by_ransomware | Flags vulnerabilities that are known to be actively exploited by ransomware groups or campaigns. This indicator is critical for prioritizing patches that could prevent ransomware attacks. |
| Nucleus Fix Available | nucleus_fix_available | Indicates whether a vendor-provided fix, patch, or remediation is currently available for the vulnerability. This field helps teams identify which vulnerabilities can be immediately addressed versus those requiring workarounds. |
| Nucleus Media Mentions (180 days) | nucleus_media_mentions_180day | Tracks the number of times the vulnerability has been mentioned in security media, blogs, news outlets, and public forums within the last 180 days. High media attention often correlates with increased attacker interest. |
| Nucleus Media Mentions (30 days) | nucleus_media_mentions_30day | Tracks the number of times the vulnerability has been mentioned in security media, blogs, news outlets, and public forums within the last 30 days. Recent spikes in mentions may indicate emerging threats or active exploitation campaigns. |
| Nucleus Media Mentions (90 days) | nucleus_media_mentions_90day | Tracks the number of times the vulnerability has been mentioned in security media, blogs, news outlets, and public forums within the last 90 days. This provides a medium-term view of sustained interest in the vulnerability. |
| Nucleus Media Mentions (All Time) | nucleus_media_mentions_alltime | Tracks the total number of times the vulnerability has been mentioned in security media, blogs, news outlets, and public forums since its disclosure. This provides historical context for the vulnerability's overall significance. |
| Nucleus Patch Available | nucleus_patch_available | Indicates whether an official patch has been released by the vendor to remediate the vulnerability. This field helps teams quickly identify vulnerabilities with available patches for immediate deployment. |
| Nucleus Private Exploit Available | nucleus_private_exploit_available | Identifies whether exploit code exists in private or underground markets, even if not publicly available. Private exploits indicate sophisticated threat actors may have the capability to exploit the vulnerability. |
| Nucleus Remote Exploitation | nucleus_remote_exploitation | Indicates whether the vulnerability can be exploited remotely over a network without requiring local access to the target system. Remote exploits pose higher risk as they can be leveraged from anywhere on the internet. |
| Nucleus Threat Rating | | The Threat Rating is Nucleus’ assessment of the risk of this vulnerability based on our insights and other feed information. |
| Nucleus Zero Day | nucleus_zero_day | Flags vulnerabilities that are currently being exploited in the wild before a patch or fix is available (zero-day exploits). These represent the highest priority threats requiring immediate attention and compensating controls. |
| Nucleus Zero Day Previously | nucleus_zero_day_previously | Identifies vulnerabilities that were previously exploited as zero-days before patches became available. This historical context helps understand the vulnerability's past threat level and attacker interest. |
| Nucleus Exploited | nucleus_exploited | Confirmed exploitation in real-world attacks. Vulnerability exploitation has been observed in the wild, but not necessarily restricted to malware or ransomware exploitation. |
| Nucleus Exploited by Malware | nucleus_exploited_by_malware | Used by malware or ransomware. Vulnerability exploitation has been observed in the wild by malware or ransomware (or both). |
| Nucleus Impacts OT | nucleus_impacts_ot | The vulnerability is confirmed to affect Industrial Control Systems, SCADA, or IoT devices. |
| Nucleus Likely to Be Exploited | nucleus_likely_to_be_exploited | Predictive likelihood based on multi-source correlation. Vulnerability is likely to be exploited based on available exploit code, predictive scoring, and affected vendors. |
| Nucleus Public Exploit Available | nucleus_public_exploit_available | PoC or exploit code publicly accessible. There is exploit code publicly available that can be leveraged. |
These insights allow VM teams to instantly cut through the noise and home in on the ~1% of vulnerabilities that truly matter.
Where to Use It
Vuln Intelligence Analysis
Just as you can use Mandiant, Shadowserver, and VulnCheck inside the analyst workbench in the Nucleus console, you can also see the VIP Insights fields there.
Automation
You can also use VIP Insights fields when creating Automation Workflows in the Nucleus console, for prioritization, triage, and remediation workflows. For example: Change Severity if Nucleus Exploited is 'Yes'.

Other locations
Filter views in “Active Vulns”
Reports on real exposure to leadership
What is the Nucleus Threat Rating?
The Nucleus Threat Rating is a composite field calculated by Nucleus that expresses the threat level associated with a vulnerability. Every CVE in existence goes through a composite scoring process as well as an analysis by Nucleus’ proprietary scoring algorithms and team.
The scoring levels leverage:
Exploitation evidence
Ease of attack
Exploit consequence
Zero-day status
Malware association
Availability of mitigations
Threat Ratings are categorized with the following levels:
Nucleus Threat Rating Levels
The Threat Rating in Nucleus is designed to communicate the likelihood and impact of real-world exploitation. It supplements traditional severity scores with a threat-centric perspective—focusing on how vulnerabilities are being weaponized in the wild.
Existential
Definition:
An Existential threat rating indicates a vulnerability that represents an immediate, organization-wide risk. These are rare but high-consequence issues, often with:
Active exploitation by advanced threat actors or malware
No effective mitigations or patches
Broad impact across critical business systems
VM Implication:
Treat as an incident. Coordinate with IR teams. Prioritize across all assets regardless of business unit or owner.
Critical
Definition:
A Critical threat rating is assigned to vulnerabilities with confirmed exploitation in the wild that pose severe impact or are widely weaponized.
Signals include:
Use in ransomware or malware campaigns
Inclusion in the CISA KEV catalog
Exploits integrated into public frameworks (e.g., Metasploit)
VM Implication:
Accelerated patching or compensating controls required. Enforce organizational SLAs.
High
Definition:
A High threat rating indicates a vulnerability with strong evidence of exploitability, such as:
Reliable public PoC exploits
Known exploitation by lower-sophistication actors
Privilege escalation or remote code execution with moderate effort
VM Implication:
Prioritize remediation based on business context and asset exposure.
Medium
Definition:
A Medium threat rating covers vulnerabilities with indicators of interest but limited observed exploitation. These may:
Have theoretical or low-reliability exploits
Be targets for reconnaissance or post-exploitation
Require user interaction or specific conditions
VM Implication:
Monitor for threat evolution. Triage based on asset criticality and business impact.
Low
Definition:
Low threat vulnerabilities are not known to be exploited and pose limited immediate risk. They may:
Be outdated or niche
Have limited impact vectors
Require local or non-standard access conditions
VM Implication:
Defer remediation unless business-specific concerns dictate otherwise.
This rating helps you translate raw threat intelligence into a usable signal in your prioritization and remediation workflows.
How It’s Calculated
The Nucleus Threat Rating is derived from a curated blend of proprietary threat intelligence, public exploitation data, and advanced enrichment pipelines. We continuously analyze signals such as exploitation in the wild, availability of proof-of-concept code, malware associations, and attacker behavior to assign each vulnerability a real-world threat level, from Low to Existential. This dynamic rating system empowers security teams to focus on what’s being actively targeted, not just what’s technically severe. Every CVE gets analyzed regardless of whether or not NVD has analyzed it and applied a CVSS score.
Using Threat Rating + Insights Together
Combining Nucleus Insights fields with the Threat Rating in your VM workflows is a best practice:
Example 1: Identify Active Threats
nucleus_exploited = True OR nucleus_exploited_by_malware = True OR nucleus_threat_rating = Existential
Example 2: Identify Potential Future Threats
nucleus_likely_to_be_exploited = True AND nucleus_threat_rating = Critical,High
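The two filters above, applied outside the console to a list of findings. This is an added example, not Nucleus code: the record shape (a dict keyed by the field_id values from the table) and the acceptance of both True and 'Yes' as a set flag are assumptions, and the sample findings are constructed.

```python
# Added example, not Nucleus code. Records are constructed dicts keyed by the
# field_id values from the table; the export shape is an assumption.

def flag(record, field_id):
    """Treat True, 'True' and 'Yes' as set; a missing field or any other value as unset."""
    value = record.get(field_id)
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"true", "yes"}

def is_active_threat(record):
    # Example 1: exploited OR exploited by malware OR rating = Existential
    return (flag(record, "nucleus_exploited")
            or flag(record, "nucleus_exploited_by_malware")
            or record.get("nucleus_threat_rating") == "Existential")

def is_potential_future_threat(record):
    # Example 2: likely to be exploited AND rating is Critical or High
    return (flag(record, "nucleus_likely_to_be_exploited")
            and record.get("nucleus_threat_rating") in {"Critical", "High"})

def triage(records):
    """Split findings into queues; a finding matching both filters goes to 'active'."""
    queues = {"active": [], "future": [], "other": []}
    for rec in records:
        if is_active_threat(rec):
            queues["active"].append(rec["id"])
        elif is_potential_future_threat(rec):
            queues["future"].append(rec["id"])
        else:
            queues["other"].append(rec["id"])
    return queues

# Constructed sample findings (placeholder ids, not real CVEs).
SAMPLE = [
    {"id": "VULN-A", "nucleus_exploited": "Yes", "nucleus_threat_rating": "Critical"},
    {"id": "VULN-B", "nucleus_likely_to_be_exploited": True, "nucleus_threat_rating": "High"},
    {"id": "VULN-C", "nucleus_threat_rating": "Existential"},
    {"id": "VULN-D", "nucleus_likely_to_be_exploited": "True", "nucleus_threat_rating": "Medium"},
    {"id": "VULN-E", "nucleus_exploited": "No", "nucleus_likely_to_be_exploited": "Yes",
     "nucleus_threat_rating": "Critical"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

VULN-D shows why Example 2 needs both conditions: a predictive flag on a Medium-rated finding stays out of the future-threat queue.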
Advantage: VIP Risk Levels
If you are an Advantage member, you also have access to the VIP console. Within the VIP console, you can use the Insights fields in searches, in monitored vulnerabilities, or when building custom risk levels.
For more information about Insights, and how to leverage it in your VM program, please reach out to your account manager, or email [email protected].