
Introduction


Forward’s CVE analysis goes beyond simply identifying whether a device’s platform and OS are linked to a known CVE. Many tools stop at that point, but Forward also evaluates device configuration. This means that even if the platform and OS are technically exposed, Forward determines whether the configuration actually makes the device exploitable.

This approach allows you to:

  • Prioritize vulnerabilities that truly pose a risk
  • De-prioritize OS vulnerabilities that are not currently exploitable

In this guide, we’ll merge EPSS data (which scores the likelihood a CVE will be exploited in the next 30 days) with Forward’s Enhanced CVE analysis using a data connector.

 

Configure the Data Connector

Goal: Retrieve EPSS data via the first.org API and make it available inside NQE.

Connector settings:


Name: first_org
Base URL: https://api.first.org
Credentials: No Credentials

Endpoint settings:


Name: EPSS_LATEST
Path: /data/v1/epss?limit=10000
Type: Paginated

Pagination configuration:


Type: Offset pagination
Items field: data
Offset parameter name: offset
Offset parameter value: previous offset + limit

Testing and saving:


Click Test, then Save once successful.

Known issue: In some versions, the test may time out, preventing Save.

As a workaround, push the configuration via an API POST.

API Call Details


Method: POST
URL: https://{serverIp}/api/networks/{networkId}/data-connectors
For SaaS customers, serverIp is fwd.app
For on-prem customers, use your local Forward URL or IP address

Payload:

{
    "baseUrl": "https://api.first.org",
    "collect": true,
    "disableSslValidation": false,
    "endpoints": [
        {
            "name": "EPSS_LATEST",
            "paginationModel": {
                "itemsArrayField": [
                    "data"
                ],
                "offsetIncrementExpression": {
                    "operator": "IDENTITY",
                    "path": [
                        "limit"
                    ]
                },
                "parameterName": "offset",
                "type": "OFFSET"
            },
            "path": "/data/v1/epss?limit=10000",
            "type": "PAGINATED"
        }
    ],
    "extraHeaders": {},
    "name": "first_org"
}
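The connector definition above is declarative, so it can be hard to see what the offset walk actually does or to check page sizes and field types before a collection runs. The following Python script is an added example (not Forward's connector code) that performs the same walk against api.first.org: start at offset 0, read the data array of each page, advance the offset, and stop when a page is empty or the server-reported total is reached. It also converts epss and percentile to numbers, because the API returns them as JSON strings. The sample feed at the bottom is constructed so the walk can be exercised offline; swap in http_fetch_page to read the live feed.

```python
"""Walk the FIRST EPSS feed with the same offset pagination the data connector uses.

Added example, not Forward's connector code. The constructed SAMPLE_RECORDS below are
not real EPSS data; they only exercise the pagination loop without network access.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterator, List

EPSS_URL = "https://api.first.org/data/v1/epss"  # connector base URL + endpoint path
PAGE_LIMIT = 10000                                 # the limit=10000 parameter in the endpoint path

# A page fetcher takes (offset, limit) and returns the parsed JSON envelope.
FetchPage = Callable[[int, int], dict]


def http_fetch_page(offset: int, limit: int) -> dict:
    """Fetch one page from the live API (needs outbound HTTPS to api.first.org)."""
    url = f"{EPSS_URL}?limit={limit}&offset={offset}"
    with urllib.request.urlopen(url, timeout=60) as resp:
        return json.load(resp)


def iter_epss_records(fetch_page: FetchPage, limit: int = PAGE_LIMIT) -> Iterator[dict]:
    """Yield every record in the 'data' array, page by page.

    The offset advances by the number of records actually received, which equals
    'previous offset + limit' for full pages (the connector's offset rule) but does
    not skip records if the server serves fewer than requested. The walk stops on
    an empty page or once the offset reaches the server-reported 'total'.
    """
    offset = 0
    while True:
        page = fetch_page(offset, limit)
        items = page.get("data") or []
        if not items:
            return
        yield from items
        offset += len(items)
        total = page.get("total")
        if isinstance(total, int) and offset >= total:
            return


def build_epss_index(records) -> Dict[str, dict]:
    """Index records by CVE id, converting epss/percentile from the strings the API returns.

    Ids are upper-cased here as a defensive step; the NQE query on this page matches
    the id exactly, so keep that in mind if your finding ids differ in case.
    """
    index: Dict[str, dict] = {}
    for rec in records:
        index[rec["cve"].upper()] = {
            "epss": float(rec["epss"]),
            "percentile": float(rec["percentile"]),
            "date": rec["date"],
        }
    return index


# Constructed sample feed (not real EPSS data): five records, served a few per page.
SAMPLE_RECORDS: List[dict] = [
    {"cve": "CVE-2024-0001", "epss": "0.91234", "percentile": "0.99876", "date": "2025-01-15"},
    {"cve": "CVE-2024-0002", "epss": "0.00045", "percentile": "0.12345", "date": "2025-01-15"},
    {"cve": "CVE-2024-0003", "epss": "0.12000", "percentile": "0.95000", "date": "2025-01-15"},
    {"cve": "CVE-2023-1111", "epss": "0.00300", "percentile": "0.66000", "date": "2025-01-15"},
    {"cve": "CVE-2022-9999", "epss": "0.50000", "percentile": "0.98000", "date": "2025-01-15"},
]


def sample_fetch_page(offset: int, limit: int) -> dict:
    """Serve SAMPLE_RECORDS in the same envelope shape api.first.org returns."""
    return {
        "status": "OK",
        "total": len(SAMPLE_RECORDS),
        "offset": offset,
        "limit": limit,
        "data": SAMPLE_RECORDS[offset:offset + limit],
    }


def walk_sample_feed(limit: int = 2) -> Dict[str, dict]:
    """Walk the constructed feed with a small page size and return the CVE index."""
    return build_epss_index(iter_epss_records(sample_fetch_page, limit=limit))


if __name__ == "__main__":
    # Replace sample_fetch_page with http_fetch_page (and drop limit=) to walk the real feed.
    index = walk_sample_feed()
    print(f"{len(index)} EPSS records indexed")
    print(index["CVE-2024-0001"])
```

Running the walk against the live feed with PAGE_LIMIT tells you how many pages the connector will request and how long a full collection takes, which is useful context when the connector test times out as described above.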


Verify and Collect


Once configured:

  • Perform a connectivity test on your new data source
  • Run a new collection so the EPSS data is available for queries

Merge EPSS with CVE Findings in NQE


The following NQE query looks up the EPSS record for each device CVE finding by exact CVE ID match and appends the EPSS score, percentile, and date to Forward's CVE results; findings with no EPSS record get null EPSS fields. Note that the EPSS API returns epss and percentile as JSON strings rather than numbers, so check how these fields surface in NQE before applying numeric thresholds to them.

/**
 * @intent Attach EPSS scores to device CVE findings
 * @description For each device CVE finding, look up the matching
 * EPSS record (by exact CVE ID) from externalSources.first_org.ePSS_LATEST
 * and return device details with EPSS score, percentile, and date.
 * If no EPSS match exists, EPSS fields are null.
 */

EPSS = network.externalSources.first_org.ePSS_LATEST;

foreach device in network.devices
foreach cveFinding in device.cveFindings
// Pick the EPSS record whose cve field equals this finding's ID;
// the ?. accesses below yield null when there is no match.
let epssRecord = max(foreach rec in EPSS
                     where rec.cve == cveFinding.cveId
                     select rec)
select {
  deviceName: device.name,
  cveFindingCveId: cveFinding.cveId,
  isVulnerable: cveFinding.isVulnerable,
  basis: cveFinding.basis,
  "EPSS Score": epssRecord?.epss,
  "EPSS Percentile": epssRecord?.percentile,
  "EPSS Date": epssRecord?.date
}
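The query returns the merged rows, but the prioritization the introduction describes (exploitable in this configuration and likely to be exploited soon) still has to be applied to them. The Python script below is an added example, not Forward's code or the NQE query itself: it performs the same exact-match join on exported findings and then assigns each row a tier from Forward's isVulnerable verdict and the EPSS score. Column names follow the NQE query; the findings, EPSS records and basis strings are constructed placeholders, and the 0.1 EPSS threshold is an arbitrary choice to tune for your environment.

```python
"""Join EPSS records to device CVE findings and rank them, mirroring the NQE query.

Added example, not Forward's code. FINDINGS, EPSS_RECORDS and the basis strings are
constructed placeholders; the EPSS_THRESHOLD is an assumed cut-off, not a recommendation.
"""
from dataclasses import dataclass
from typing import Dict, List

EPSS_THRESHOLD = 0.1  # assumed cut-off for "likely to be exploited soon"


@dataclass(frozen=True)
class CveFinding:
    device_name: str
    cve_id: str
    is_vulnerable: bool  # Forward's configuration-aware verdict
    basis: str           # reason text; placeholder values below


# Constructed EPSS records keyed by CVE id, with the string-typed values the API returns.
EPSS_RECORDS: Dict[str, dict] = {
    "CVE-2024-0001": {"epss": "0.91234", "percentile": "0.99876", "date": "2025-01-15"},
    "CVE-2024-0002": {"epss": "0.00045", "percentile": "0.12345", "date": "2025-01-15"},
    "CVE-2023-1111": {"epss": "0.00300", "percentile": "0.66000", "date": "2025-01-15"},
}

# Constructed findings. CVE-2099-0001 has no EPSS record, as a not-yet-scored CVE would.
FINDINGS: List[CveFinding] = [
    CveFinding("core-rtr-1", "CVE-2024-0001", True, "affected feature enabled in config"),
    CveFinding("core-rtr-1", "CVE-2024-0002", True, "affected feature enabled in config"),
    CveFinding("edge-fw-2", "CVE-2024-0001", False, "affected feature not configured"),
    CveFinding("edge-fw-2", "CVE-2023-1111", True, "affected feature enabled in config"),
    CveFinding("dist-sw-3", "CVE-2099-0001", True, "affected feature enabled in config"),
]


def merge_epss(findings: List[CveFinding], epss_records: Dict[str, dict]) -> List[dict]:
    """Return one row per finding with the same columns as the NQE query.

    The lookup is an exact match on CVE id, as in the query; a miss leaves the three
    EPSS columns None rather than dropping the finding.
    """
    rows = []
    for f in findings:
        rec = epss_records.get(f.cve_id)
        rows.append({
            "deviceName": f.device_name,
            "cveFindingCveId": f.cve_id,
            "isVulnerable": f.is_vulnerable,
            "basis": f.basis,
            "EPSS Score": float(rec["epss"]) if rec else None,
            "EPSS Percentile": float(rec["percentile"]) if rec else None,
            "EPSS Date": rec["date"] if rec else None,
        })
    return rows


def tier(row: dict, threshold: float = EPSS_THRESHOLD) -> int:
    """1 = exploitable here and likely exploited in the wild,
    2 = exploitable here but low or unknown EPSS,
    3 = CVE present on platform/OS but not exploitable in this configuration."""
    if not row["isVulnerable"]:
        return 3
    score = row["EPSS Score"]
    return 1 if score is not None and score >= threshold else 2


def prioritize(rows: List[dict], threshold: float = EPSS_THRESHOLD) -> List[dict]:
    """Sort by tier, then by descending EPSS score; unknown scores sort last in a tier."""
    def key(row):
        score = row["EPSS Score"]
        return (tier(row, threshold), -(score if score is not None else -1.0))
    return [dict(row, tier=tier(row, threshold)) for row in sorted(rows, key=key)]


if __name__ == "__main__":
    for row in prioritize(merge_epss(FINDINGS, EPSS_RECORDS)):
        print(row["tier"], row["deviceName"], row["cveFindingCveId"], row["EPSS Score"])
```

Unscored CVEs are deliberately kept in tier 2 rather than dropped: a missing EPSS record means "no estimate yet", not "unlikely to be exploited", and a finding Forward marks exploitable should not disappear from the worklist because the feed has not caught up.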


Summary


By merging EPSS data into Forward's CVE analysis, you can:

  • Prioritize vulnerabilities that are both exploitable in the current configuration and likely to be exploited soon
  • De-prioritize vulnerabilities that are theoretically present but not exploitable in the current configuration, or that have a low probability of exploitation

This integration combines real-world exploit probability with actual device configuration exposure for a more targeted vulnerability management strategy.
