Empirical Security Empirical Security

Menu

Menu

Request Demo

Log In

Search Syntax

Building Search Queries

Search queries are built from search terms, separated by spaces. Search terms are built from a key and a value, joined with a colon.

When used with the Search API the querystring portion must be URL-encoded. For example, cURL users can specify -G --data-urlencode "q=score:>90" as part of their command to correctly encode and append the search query.

The result of a search query are those CVEs that match all terms in the query. In other words, terms are combined using AND.

Supported Terms

KeyValue

score

Search against a CVE’s current score. If you are an Empirical.Models.Global customer, the current global score will be used. If you are an Empirical.Models.EPSS customer, the current EPSS score will be used. In both situations, scores from the latest version of the model will be used.

Syntax for specifying score constraints (all scores are specified on a 0-100 scale and may contain decimals):

  • >N
  • >=N
  • <N
  • <=N
  • [N M] Alias for score:>=N score:<=M

If multiple score terms are given for a constraint, the final term is used. For example, score:>80 score:>60 is equivalent to score:>60.

published_at

Search against a CVE’s publication date.

Syntax for specifying publication date constraints (should be in the format YYYY-MM-DD):

  • >N
  • >=N
  • <N
  • <=N
  • [N M] Alias for published_at:>=N published_at:<=M

If multiple published_at terms are given for a constraint, the final term is used. For example, published_at:>2025-01-01 published_at:>2025-02-01 is equivalent to published_at:>2025-02-01.

exp_activity

Alias for exploitation_activity

exploitation_activity

One of the following values:

  • true Return CVEs for which Empirical has observed exploitation activity at any time.
  • cisa_kev Return CVEs that appear in the CISA Known Exploited Vulnerabilities list.
  • 0-7 Return CVEs for which Empirical has observed exploitation activity 0 to 7 days ago.
  • last_7_days Alias for 0-7.
  • 8-30 Return CVEs for which Empirical has observed exploitation activity 8 to 30 days ago.
  • 31-90 Return CVEs for which Empirical has observed exploitation activity 31 to 90 days ago.
  • 91-365 Return CVEs for which Empirical has observed exploitation activity 91 to 365 days ago.
  • 366+ Return CVEs for which Empirical has observed exploitation activity over 365 days ago.

vendor

The name of the software vendor responsible for the affected software. Spaces in vendor names should be replaced with underscores, for example: trend_micro

product

The name of the affected software product. Spaces in product names should be replaced with underscores, for example: airflow_hive_provider

recently_updated

  • past_day Return CVEs which Empirical has updated in the past 24 hours.
  • past_week Return CVEs which Empirical has updated in the past 7 days.
  • past_month Return CVEs which Empirical has updated in the past 1 month.

malware

  • true Return CVEs for which Empirical has associated malware hashes.