Announced at VulnCon 2026 in Scottsdale, Arizona, Phoenix Blue consolidates all vulnerability intelligence sources, employs AI and neural network models for vulnerability classification and prediction, and uses agentic LLM pipelines to detect pre-disclosure vulnerabilities, score open source library risk, and identify malicious packages across npm, PyPI, Maven, and more.
SCOTTSDALE, Arizona / LONDON, UK — April 2026 — Phoenix Security today launched Phoenix Blue, a standalone vulnerability intelligence platform available at phxintel.security. Register today at https://phoenix.security/phoenix-blue-ai-driven-vulnerability-intelligence/. With Phoenix Intelligence, we wanted to give everyone the best intelligence for their agents to fight agentic attackers, free for everyone, forever. Announced at VulnCon 2026 in Scottsdale, Arizona, Phoenix Intelligence Blue gives security teams, researchers, and developers a single point of access to continuously enriched vulnerability data (covering CVEs, products, vendors, open source libraries, and malicious packages) with agentic AI analysis built into every record.
The platform indexes 380,000+ records and 2,080,512 advisory references from 15+ authoritative sources, including NVD, CISA KEV, EPSS, VulnCheck, Shadowserver, GreyNoise, Zero Day Initiative, ransomware intel, and the OpenSSF Malicious Packages repository, plus active research from the Phoenix Security team on malware. Data refreshes continuously with AI-ML classifications, rescoring, full descriptions, vendor patch status, and six proprietary scoring systems developed by Phoenix Security.
Why Phoenix Blue Exists
Security teams today pull vulnerability data from a dozen disconnected sources: NVD for base records, CISA KEV for exploitation confirmation, EPSS for probability scores, GitHub for PoC exploits, vendor advisories for patch details, and OSV for open source mappings. Each source has gaps. None gives you the full picture.
Phoenix Blue eliminates that fragmentation. One platform. One query. One intelligence source for your agents. Every signal that matters for a given CVE, product, vendor, or library is scored, classified, and continuously updated.
Phoenix Blue is also available to power the decision logic for Phoenix Security ASPM clients, supercharging the scoring models with business context, attribution, and rescored reachability analysis.
Agentic Vulnerability Analysis

Phoenix Blue’s agentic advisory intelligence pipeline operates in three autonomous phases: centralizing intelligence from across the web, enriching records with LLM completion and ML neural network CWE reclassification, and extracting structured intelligence from advisory text. The extraction layer pulls dozens of structured fields across eight categories: root cause, affected scope, exploitation status, impact, remediation, detection indicators, timeline, and threat actor attribution.
LLMs make mistakes. Phoenix addresses this with a producer-judge architecture where a dual-LLM validation system catches hallucinations before they reach users. A separate reasoning-capable model scores every AI-generated analysis across multiple quality dimensions — including evidence discipline, technical accuracy, mapping correctness, and remediation practicality. Outputs below the quality threshold are rejected outright. Users can rate any AI-generated content, and that feedback feeds directly into ongoing quality monitoring.
Zero-Day Detection: Finding Fixes Before CVEs Exist

Phoenix Blue’s 0-Day Monitoring Service (preview) watches GitHub repositories for security-relevant commits that patch vulnerabilities before a CVE is assigned. Users register repositories to monitor — the Linux kernel, Apache httpd, OpenSSL, or any high-risk project. The system fetches commit history, extracts diffs, and sends them to an LLM classifier that evaluates whether the change is a security fix, what vulnerability type it addresses, and whether concrete evidence of exploitability exists. Each finding includes an introduction trace linking to the likely introducing commit and version context.
The detection pipeline supports multiple scan modes including live PR monitoring for real-time alerting, historical traversal for backfilling, and full-repo analysis. A verification workflow lets analysts mark findings as true or false positives, closing the feedback loop and improving detection accuracy over time. Budget management controls prevent runaway LLM costs, and users choose their preferred LLM provider.
Intelligence Across CVEs, Products, Vendors, and Libraries
Phoenix Blue provides dedicated intelligence modules for each dimension of vulnerability exposure:
| Dimension | What Phoenix Blue Delivers |
| --- | --- |
| CVE Intelligence | 300K+ records enriched with CVSS v3.1/v4.0, CWE mapping, CPE association, KEV status, EPSS probability, exploit evidence from 10+ sources, ML-predicted root cause and impact classification, AI-generated executive advisories, and six proprietary scores. Every record refreshed on a 6-hour cycle. |
| Product Health | Product Health Score (PS-PHS) grades products A through F based on CVE severity distribution, KEV exposure, exploit availability, EPSS signals, ransomware association, patch coverage, and end-of-life status. Time-to-Exploit pressure modifiers flag products whose vulnerabilities are weaponized within hours of disclosure. |
| Vendor Risk | Vendor Score (PS-PVS) rolls up product-level data into vendor-level risk profiles with exploitation exposure analysis, threat type distribution, and zero-day rate tracking. Vendor-level TTE modifiers penalize vendors with fast exploitation patterns. |
| Library / OSS | Open Source Score (PS-OSS) risk-rates individual packages across Maven, npm, PyPI, NuGet, Cargo, RubyGems, and Go using multiple weighted components spanning exploitation evidence, predictive likelihood, severity, blast radius, researcher attention, license risk, package popularity, and compromise history. |
Malicious Package Detection for Open Source Libraries

Supply chain attacks targeting open source packages have escalated. Phoenix Blue addresses this with a combined static analysis and LLM-powered behavioral detection engine. Multiple pattern detectors scan for indicators including code obfuscation, network exfiltration patterns, credential harvesting, suspicious install hooks, dependency confusion signals, and typosquatting. Packages that trigger static alerts are escalated to LLM-based behavioral analysis for intent classification.
Phoenix Blue also integrates with the OpenSSF Malicious Packages repository, parsing advisories for confirmed malicious packages across all major ecosystems. All detections flow into a central compromised package intelligence database with IOC domains, affected version ranges, and compromise timelines. The platform surfaces this intelligence through supply chain badges, repeat-offender indicators, and compromise timelines on every affected package page.
AI and Neural Network Models with Six Proprietary Scoring Systems
Phoenix Blue runs multiple trained neural network models for automated vulnerability classification, covering root cause identification, impact prediction, CWE mapping from descriptions and keyphrases, and threat intelligence extraction.
Six proprietary scoring systems power the platform’s risk intelligence. PS-HP (High-Profile Score) identifies the most critical CVEs using a composite formula that weighs exploitation evidence, predictive likelihood, severity, enterprise blast radius, and additional risk signals. PS-EW (Enterprise Watchlist) flags enterprise-critical CVEs lacking exploitation evidence today but with high predicted potential. PS-OSS scores open source libraries. PS-PHS and PS-PVS grade products and vendors respectively. PS-ADQE rates advisory source reliability, feeding automated source prioritization across the platform.
Time-to-Exploit Analytics
Phoenix Blue computes Time-to-Exploit (TTE) metrics for every CVE with confirmed exploitation, measuring the gap between CVE publication and first known exploit from multiple sources. The platform classifies exploitation speed into tiers — zero-day, same-day, within-week, and within-month — and tracks aggregate trends including median TTE by year and zero-day rate changes. TTE speed pressure modifiers feed directly into the scoring systems, increasing urgency signals for products and libraries whose vulnerabilities get weaponized fast.
API-First Architecture with MCP Integration
Phoenix Blue was built agent-first, exposing its full intelligence through REST (200+ endpoints), GraphQL, and a Model Context Protocol (MCP) server. The MCP integration allows AI assistants — including Claude and ChatGPT — to query Phoenix Blue’s vulnerability intelligence, scoring, and threat analysis directly within developer workflows. Tier-based access control (Free, Registered, Pro, Enterprise) governs field-level visibility, with response transformation preventing reverse engineering of scoring algorithms.
Executive Commentary
| “We built Phoenix Blue because vulnerability intelligence is broken into too many pieces. You check NVD for the base record, CISA KEV for exploitation status, EPSS for probability, GitHub for proof-of-concept code, vendor sites for patches, and OSV for open source mappings. By the time you’ve assembled the picture, the window to act has already narrowed. Phoenix Blue puts all of that in one place, scored and classified, and adds layers that didn’t exist before — agentic advisory extraction, pre-CVE zero-day detection, and malicious package monitoring. We want security teams spending time on decisions, not on data assembly.” — Francesco Cipollone, CEO & Co-Founder, Phoenix Security |
Six Proprietary Scoring Systems: Real-Time Evidence Meets Predictive Intelligence
Most vulnerability scoring relies on a single dimension. CVSS tells you how bad a flaw could be in theory. EPSS indicates how likely exploitation is within the next 30 days. CISA KEV tells you what is already being exploited. Each is useful. None is sufficient on its own. Phoenix Blue’s six proprietary scoring systems fuse real-time exploitation telemetry with predictive signals into composite risk scores that update continuously as new data arrives.
The design principle is deliberate: confirmed evidence carries the heaviest weight, and prediction amplifies rather than replaces it. Every score recalculates as fresh data flows in from CISA KEV, VulnCheck KEV, Shadowserver honeypot telemetry, GreyNoise internet-wide scan traffic, EPSS daily updates, and GitHub proof-of-concept repositories. When a vulnerability moves from theoretical to actively exploited, Phoenix Blue’s scores reflect that shift within hours, not days.
| Score | Real-Time Signals | Predictive / Contextual Signals |
| --- | --- | --- |
| PS-HP (High-Profile) | Confirmed exploitation signals from honeynets, CISA KEV, VulnCheck KEV, in-the-wild telemetry, ransomware association, and weaponized exploit status — weighted as the dominant component in the score. | EPSS probability, Exploit Acceleration Index, CVSS severity, enterprise deployment blast radius, researcher attention, bug bounty signals, and end-of-life status. TTE Speed Pressure modifiers increase urgency for zero-day and same-day exploitation patterns. |
| PS-EW (Enterprise Watchlist) | Monitors enterprise-critical CVEs with zero exploitation evidence today but with historical repeat-offender patterns. Rechecked continuously for status changes. | Historical Time-to-Exploit cohort analysis predicts exploitation likelihood. Entries classified as highest-risk can graduate to PS-HP when real-time evidence confirms the prediction. |
| PS-OSS (Open Source) | KEV status, ransomware flags, zero-day evidence, GitHub PoC counts, and compromise recidivism with time-decay — weighted as the two largest components in the score. | EPSS likelihood, CVSS severity, blast radius via dependent count and criticality metrics, license risk classification, package download popularity, and ecosystem-wide TTE risk cohort analysis. |
| PS-PHS (Product Health) | KEV ratios, real-time exploitation intelligence, PS-HP tier counts, exploit kit ratios, and ransomware CVE ratio — collectively the largest input to the product risk calculation. | EPSS-high ratio, vulnerability density, bug bounty ratio. A–F letter grades computed from a composite Product Risk Score. Hard overrides enforce minimum risk floors when critical exploitation thresholds are exceeded. TTE Product Pressure increases the score when median exploitation time is near zero. |
| PS-PVS (Vendor Risk) | KEV, ransomware, and verified exploit counts aggregated across all vendor products. Classified CRITICAL / HIGH / MEDIUM / LOW in real time. | TTE Vendor Modifier penalizes vendors with high zero-day rates or fast exploitation patterns. Requires a statistically meaningful sample of TTE data before modifiers activate. |
| PS-ADQE (Source Quality) | Timeliness penalties for stale sources, reference integrity checks, noise risk scoring by source type, and a user upvote feedback loop. | Authority scoring based on source type and disclosure ownership, data quality metrics, and a PoC Confidence sub-model that evaluates GitHub repo relevance, freshness, and substance. Feeds automated source prioritization platform-wide. |
How Real-Time and Prediction Work Together
The scoring architecture is built around a simple operational reality: you cannot wait for confirmed exploitation to start acting, but you also cannot prioritize on prediction alone. Phoenix Blue handles this by giving real-time exploitation evidence the largest single weight in every score, then using predictive signals like EPSS, TTE cohort analysis, and the Exploit Acceleration Index to boost urgency for CVEs trending toward exploitation. When a vulnerability has both a high EPSS probability and confirmed honeypot observations, the scores compound. When EPSS predicts high exploitation probability but no real-time evidence exists, the score rises but stays below the threshold of confirmed threats.
PS-EW exists specifically to catch the gap between those two states. It monitors enterprise-critical CVEs where exploitation evidence is currently zero but historical TTE cohort patterns indicate risk is high. When real-time signals appear for a PS-EW entry — a CISA KEV listing, a Shadowserver observation, a GreyNoise detection — the CVE graduates from watchlist to active PS-HP scoring within the next refresh cycle. That feedback loop between prediction and confirmation runs automatically and continuously.
PS-HP weights are calibrated against real-world ground truth exploitation data, with floor evaluation ensuring the scoring aligns with observed exploitation patterns. This is not a static formula. It is a calibrated, continuously refreshed intelligence layer that reflects the actual state of threats as they evolve.
Availability
Phoenix Blue is available now at phxintel.security with Free, Registered, Pro, and Enterprise tiers. The Free tier provides basic CVE lookup. Registered users access ML classifications and base scoring. Pro unlocks full scoring components, exploit data, and advisory extractions. Enterprise delivers full advisory quality data and API access. Live product demonstrations are being conducted at VulnCon 2026 in Scottsdale, Arizona.
Phoenix Blue by the Numbers
| 300K+ | CVE records indexed and enriched |
| 2,080,512 | Advisory references in the registry |
| 15+ | Authoritative intelligence sources |
| 6 | Proprietary scoring systems (PS-HP, PS-EW, PS-OSS, PS-PHS, PS-PVS, PS-ADQE) |
| 5 | Trained AI neural network models for classification |
| 200+ | API endpoints across REST, GraphQL, and MCP |
| 8 | Major package ecosystems covered (Maven, npm, PyPI, NuGet, Cargo, RubyGems, Go, Linux) |
About Phoenix Security
Phoenix Security is an Actionable Attack Surface Management (ASPM-ASM) platform that correlates vulnerability data from code to cloud into a single, prioritized remediation flow. The platform reduces alert fatigue, eliminates duplicate findings through contextual deduplication, attributes vulnerabilities to the right teams, and accelerates remediation with AI-assisted analysis. Phoenix Security serves financial services, technology, and retail organizations globally from offices in London and the United States.
ASPM Platform: phoenix.security
Vulnerability Intelligence: phxintel.security