Summary
For each CRITICAL or HIGH finding with reachability_status == REACHABLE, determines whether a known working exploit exists in the wild.
Lookup order (stops at first match)
- KEV table — CVE in CISA's catalog ->
WEAPONIZED (strongest signal)
- Exploit-DB table — verified entry ->
WEAPONIZED; unverified -> POC_EXISTS
- GitHub Search API — Metasploit module found ->
WEAPONIZED; public repos with >5 stars -> POC_EXISTS
- ExploitResearchAgent — Tavily web search + URL fetch. Called only when 1-3 return nothing.
Result
Sets Finding.exploit_availability (WEAPONIZED / POC_EXISTS / NO_KNOWN_EXPLOIT / UNKNOWN) and Finding.exploit_details. Sets SBOMSnapshot.status = "EXPLOIT_DONE".
Critical constraint
Only HIGH + CRITICAL findings with REACHABLE status are processed. A not-reachable finding's exploit status is irrelevant to prioritisation.
Verify
- Log4Shell (CVE-2021-44228) ->
WEAPONIZED via KEV/Exploit-DB lookup, no LLM call made
- Finding with no known exploit ->
NO_KNOWN_EXPLOIT
- NOT_REACHABLE findings are skipped entirely
Summary
For each CRITICAL or HIGH finding with
reachability_status == REACHABLE, determines whether a known working exploit exists in the wild.Lookup order (stops at first match)
WEAPONIZED(strongest signal)WEAPONIZED; unverified ->POC_EXISTSWEAPONIZED; public repos with >5 stars ->POC_EXISTSResult
Sets
Finding.exploit_availability(WEAPONIZED / POC_EXISTS / NO_KNOWN_EXPLOIT / UNKNOWN) andFinding.exploit_details. SetsSBOMSnapshot.status = "EXPLOIT_DONE".Critical constraint
Only HIGH + CRITICAL findings with
REACHABLEstatus are processed. A not-reachable finding's exploit status is irrelevant to prioritisation.Verify
WEAPONIZEDvia KEV/Exploit-DB lookup, no LLM call madeNO_KNOWN_EXPLOIT