Threat Dashboard

The Threat Dashboard is a real-time threat intelligence dashboard that aggregates CVE data, active exploitation information, EPSS exploit predictions, and AI-generated analysis into a single view. It is publicly accessible at /threats and does not require authentication, making it a resource you can share with your entire organization for threat awareness.

Tip: The Threat Dashboard is publicly accessible and does not require a Hawkra account. Share the link with your team for threat awareness -- anyone can view it without logging in.

How It Works

The Threat Dashboard pulls data from multiple threat intelligence sources and presents it in a structured layout. Data is refreshed automatically at regular intervals:

  • Threat statistics refresh every 5 minutes.
  • AI Daily Briefing refreshes every 15 minutes (generated once daily).
  • CVE listings refresh every 2 minutes.
  • KEV and visualization data refresh every 5 minutes.

The dashboard is server-side rendered for fast initial page loads and SEO, then hydrates with client-side data fetching for real-time updates.

Dashboard Sections

The Threat Dashboard is divided into several sections, each focused on a different aspect of the current threat landscape.

Threat Statistics Bar

At the top of the dashboard, a statistics bar provides a 24-hour snapshot of threat activity:

| Stat | Description |
| --- | --- |
| New CVEs (24h) | Total number of new CVEs published in the last 24 hours |
| CISA KEV (24h) | Number of vulnerabilities added to the CISA Known Exploited Vulnerabilities catalog |
| Critical (24h) | Number of critical-severity CVEs published |
| High (24h) | Number of high-severity CVEs published |
| Medium (24h) | Number of medium-severity CVEs published |
| Low (24h) | Number of low-severity CVEs published |

These numbers give you an immediate sense of the day's threat volume and severity distribution.

AI Daily Threat Briefing

Below the statistics, an AI-generated daily briefing summarizes the most significant security threats from the past 24 hours. The briefing is generated automatically each day and includes narrative analysis of notable CVEs, exploitation trends, and affected vendors or products.

The briefing is rendered as formatted markdown and may include headings, bullet points, bold highlights, and code references for specific CVE identifiers.

Note: On new installations, the AI briefing may not be available immediately. It is generated once the threat intelligence data pipeline has run its first daily cycle. If you are self-hosting, ensure your AI API keys are configured in Admin Settings for briefing generation.

Exploited in the Past 48 Hours

This section highlights CVEs that have been added to the CISA Known Exploited Vulnerabilities (KEV) catalog in the last 48 hours. These are vulnerabilities with confirmed active exploitation in the wild, representing the highest-urgency threats.

Each KEV entry is displayed as a card showing:

  • CVE ID -- The vulnerability identifier
  • CVSS Score -- The severity score with color-coded badge (critical, high, medium, low)
  • Severity -- The qualitative severity rating
  • EPSS Score -- The Exploit Prediction Scoring System probability as a percentage
  • Affected Tagline -- A brief summary of who or what is affected
  • Description -- The full CVE description
  • Vendor and Product -- The specific vendor and product affected
  • KEV Added Date -- When the vulnerability was added to the KEV catalog

Active Threat Actors

Displayed alongside the KEV section, this panel shows MITRE ATT&CK groups linked to CVEs from the past 48 hours. Each threat actor entry includes:

  • Group Name -- The primary name of the threat group
  • Aliases -- Known alternative names for the group
  • Tactics -- The MITRE ATT&CK tactics associated with the group (e.g., Initial Access, Execution, Persistence), displayed as color-coded tags
  • CVE Count -- The number of recent CVEs linked to the group

Clicking a threat actor opens their MITRE ATT&CK page in a new tab for detailed analysis.

Exploit Prediction Risk Radar

The Risk Radar is a scatter plot visualization that maps KEV CVEs along two dimensions:

  • X-axis -- CVSS severity score (0 to 10)
  • Y-axis -- EPSS exploitation probability (logarithmic scale)

Points are color-coded by severity level, and actively exploited CVEs (on the KEV list) are highlighted with a white border and larger point size. Dashed quadrant lines at CVSS 7.0 and the median EPSS score help you quickly identify high-severity, high-probability threats in the upper-right quadrant.

Hovering over a point reveals the CVE ID, exact CVSS and EPSS scores, severity, and KEV status.

CVE Dashboard

The main CVE dashboard presents a searchable, filterable listing of recently published and modified CVEs.

Search and Filters

  • Search -- Free-text search by CVE ID, vendor, product, description, or affected entities. Search is debounced (300ms delay) for responsive filtering.
  • Severity -- Filter by severity level: All, Critical, High, Medium, or Low.
  • EPSS Min -- Set a minimum EPSS score threshold (0.00 to 1.00) to focus on CVEs with higher exploitation probability.
  • Recency -- Filter by time window: 1 day, 7 days, 14 days, 30 days, or 90 days.

CVE Cards

Each CVE is displayed as an expandable card showing:

  • CVE ID -- The unique identifier
  • Actively Exploited badge -- A red warning badge for CVEs on the CISA KEV list
  • CVSS Score -- Numeric score with severity-colored badge
  • Severity -- Qualitative rating (Critical, High, Medium, Low)
  • EPSS Score -- Exploitation probability as a percentage, with percentile ranking
  • Affected Tagline -- AI-generated summary of affected vendors/products
  • Description -- The full vulnerability description (truncated with "Show more" toggle)

Expanding a card reveals additional details including CWE identifiers, KEV vendor/product information, and the publication date.

Results are paginated with configurable page size. The total result count is displayed above the grid.

Threat Intelligence Visualizations

The bottom section of the dashboard contains advanced visualizations:

MITRE ATT&CK Heatmap

A heatmap showing the distribution of recent CVEs across MITRE ATT&CK tactics and techniques. Cells are color-coded by CVE density, helping you identify which attack techniques are most actively targeted.

Threat Relationship Graph

An interactive graph visualization showing relationships between CVEs, threat actors, techniques, and affected products. Nodes represent different entity types and edges represent the relationships between them. This visualization helps you understand the connections between seemingly unrelated vulnerabilities.

Key Actions

| Action | How |
| --- | --- |
| View the dashboard | Navigate to /threats in your browser (no login required) |
| Check daily briefing | Scroll to the AI Daily Threat Briefing section |
| Find actively exploited CVEs | Review the "Exploited in the Past 48 Hours" section |
| Search for a specific CVE | Type a CVE ID (e.g., CVE-2024-1234) in the search bar |
| Filter by severity | Click a severity button (Critical, High, Medium, Low) |
| Set EPSS threshold | Enter a minimum EPSS score in the "EPSS Min" field |
| Change time window | Select a recency option (1, 7, 14, 30, or 90 days) |
| Expand CVE details | Click "Show more" on a CVE card to see full details and CWE IDs |
| View threat actor details | Click an actor name in the Active Threat Actors panel to open their MITRE ATT&CK page |
| Navigate CVE pages | Use the Previous/Next buttons or page numbers at the bottom of the CVE list |

Tips and Notes

  • Share with your team. The Threat Dashboard requires no authentication. Bookmark it or share the URL so security team members, developers, and management can stay informed about the current threat landscape.
  • Daily briefing cadence. The AI briefing is generated once per day. Check it each morning as part of your threat intelligence routine for a high-level summary of what changed overnight.
  • Focus on KEV entries. The "Exploited in the Past 48 Hours" section shows CVEs with confirmed active exploitation. These should be your highest-priority items for patching and mitigation.
  • Use EPSS for prioritization. EPSS scores predict the probability of a CVE being exploited in the next 30 days. Combine EPSS with CVSS severity to prioritize remediation -- a medium-severity CVE with a high EPSS score may be more urgent than a critical CVE with low exploitation probability.
  • Cross-reference with workspace data. When you find a relevant CVE on the Threat Dashboard, check your workspace assets to determine if any of your systems are affected.
  • Self-hosted data pipeline. On self-hosted deployments, the threat intelligence data is populated automatically by a background worker. If the dashboard shows no data, verify that the threat intelligence worker is running and that outbound connections to NVD, CISA KEV, and EPSS data sources are permitted.
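
The Risk Radar's quadrant split (CVSS 7.0 and the median EPSS score) and the "Use EPSS for prioritization" tip can be reproduced offline to build a patch queue. The Python below is an added example, not Hawkra code; the record field names, the placeholder CVE IDs, the boundary handling, and the tie-breaking order are assumptions.

```python
from statistics import median

CVSS_SPLIT = 7.0  # the dashed CVSS quadrant line described for the Risk Radar
# Quadrant urgency: high EPSS outranks high CVSS alone, per the prioritization tip.
RANK = {"upper-right": 0, "upper-left": 1, "lower-right": 2, "lower-left": 3}

# Constructed sample records with placeholder IDs; field names are assumptions.
SAMPLE = [
    {"id": "CVE-0000-0001", "cvss": 9.8, "epss": 0.02, "kev": False},
    {"id": "CVE-0000-0002", "cvss": 6.5, "epss": 0.71, "kev": False},
    {"id": "CVE-0000-0003", "cvss": 8.1, "epss": 0.03, "kev": True},
    {"id": "CVE-0000-0004", "cvss": 5.3, "epss": 0.01, "kev": False},
    {"id": "CVE-0000-0005", "cvss": 7.5, "epss": 0.30, "kev": False},
    {"id": "CVE-0000-0006", "cvss": 4.0, "epss": 0.10, "kev": False},
]

def quadrant(cve, epss_split):
    """Place one CVE on the radar: x is CVSS, y is EPSS."""
    right = cve["cvss"] >= CVSS_SPLIT  # treating the line itself as "high" is an assumption
    upper = cve["epss"] >= epss_split
    return ("upper" if upper else "lower") + "-" + ("right" if right else "left")

def triage(cves):
    """Return (median EPSS split, records ordered most urgent first)."""
    if not cves:
        return None, []
    # The log-scaled Y axis only changes how points are drawn, not the median value.
    epss_split = median(c["epss"] for c in cves)
    rows = [dict(c, quadrant=quadrant(c, epss_split)) for c in cves]
    # KEV entries (confirmed exploitation) sort ahead of anything merely predicted.
    rows.sort(key=lambda c: (not c["kev"], RANK[c["quadrant"]], -c["epss"], -c["cvss"]))
    return epss_split, rows

if __name__ == "__main__":
    split, rows = triage(SAMPLE)
    print(f"median EPSS split: {split:.3f}")
    for r in rows:
        flag = "KEV" if r["kev"] else "   "
        print(f'{r["id"]}  {flag}  CVSS {r["cvss"]:>4}  EPSS {r["epss"]:.0%}  {r["quadrant"]}')
```

In the sample, the KEV entry leads the queue even though its EPSS score is below the median, and the medium-severity CVE with a 71% EPSS score ranks ahead of the critical CVE with a 2% score.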