Open-source threat prioritization for SecOps teams.
SecPrior correlates cyber news, CVEs, incidents, and exposure context to help security teams focus on what matters first.
SecOps teams today face a familiar problem:
- Too much noise: dozens of RSS feeds, vendor advisories, CVE alerts, all mixed together
- No prioritization: a blog post and an actively-exploited KEV look the same in a feed reader
- No context: you know something is critical, but not why, and not for your environment
- Manual triage: analysts spend hours sorting signals instead of acting on them
SecPrior solves this by running every article through a 7-step intelligence pipeline that scores, deduplicates, correlates and contextualizes threats, then surfaces only what matters, with the evidence to act.
Every article is scored 0-100 using weighted signals:
| Signal | Weight | Source |
|---|---|---|
| CVSS severity | 30% | NVD API |
| EPSS exploitation probability | 25% | FIRST API |
| CISA KEV (known exploited) | 25% | CISA catalog |
| Source coverage (multi-feed) | 10% | Feed dedup |
| IOC indicators | 5% | In-text extraction |
| Keywords / attack patterns | 5% | Heuristics |
Articles sharing CVEs, vendors or attack patterns are grouped into consolidated incidents using a Union-Find algorithm, so you see a campaign, not 12 separate articles.
Configure vendors, products, technologies and keywords. Relevant articles receive the "Matches you" badge and surface to the top of your priorities.
- Daily briefing: structured digest with top threats, KEV count, EPSS leaders
- Exec View: CISO-ready posture summary, KPIs, top incidents and vendors
- PDF Report: printable weekly threat summary
- CSV / JSON export: feed into your SIEM, ticket system or reporting tools
Automatic extraction of IPs, domains, hashes and URLs from article content. Deep scan mode fetches full article text for richer extraction. Export to CSV/JSON/TXT.
Automatic tactic detection (Phishing, Ransomware, Lateral Movement, RCE, 0-Day...) from article text. Displayed as chips on every card.
Configurable remediation deadlines per priority level (Critical = 1 day, Investigate = 7 days, Watch = 30 days). SLA badges turn red when overdue. KPI bar shows overdue count at a glance.
| Persona | Use case |
|---|---|
| SOC analysts | Morning triage: what exploded overnight, what needs a ticket |
| CTI analysts | Threat correlation, watchlist monitoring, IOC extraction |
| SecOps leads | KPI overview, SLA tracking, briefing their team |
| CISOs / managers | Exec View: clean posture summary, no raw feeds |
| MSSPs | Multi-client profiles, persona presets, PDF/CSV exports |
| Blue team / homelabs | Self-hosted, no telemetry, full control |
| Layer | Technology |
|---|---|
| Frontend | Vanilla JS, HTML, CSS: zero framework, zero dependencies |
| Backend (optional) | Vercel Serverless Functions (Node.js ≥ 20) |
| Intelligence pipeline | 7-stage client-side: fetch → enrich → dedup → IOC → score → contextualize → prioritize |
| Data enrichment | NVD API, FIRST EPSS API, CISA KEV catalog |
| Alerting | Email (Resend / SendGrid / EmailJS), Slack, Discord, Webhooks, Zapier, Make, n8n |
| Integrations | Jira, Trend Vision One (watchlist sync) |
| Storage | LocalStorage (client-side) + Vercel KV (server-side dedup, optional) |
| Deployment | Vercel (recommended) or any static host + Node.js server |
No configuration required for the demo mode. Add environment variables for live feeds and alerts.
```bash
git clone https://github.com/dgiry/secprior.git
cd secprior
npm install   # dev dependencies only (Jest for tests)
npm run dev   # serves at http://localhost:3001
```
Open http://localhost:3001; it runs in demo mode with sample data.
For live RSS feeds, deploy to Vercel (the feed proxy requires server-side execution to bypass CORS).
Any Node.js ≥ 20 host works. The `api/` directory contains Vercel Serverless Functions that can be adapted to Express or any Node.js framework.
| Variable | Required | Description |
|---|---|---|
| `CRON_SECRET` | For alerting | Secures the scheduled digest endpoint |
| `RESEND_API_KEY` | For email | Resend email provider |
| `SENDGRID_API_KEY` | For email | SendGrid alternative |
| `EMAILJS_*` | For email | EmailJS client-side alternative |
| `SLACK_WEBHOOK_URL` | For Slack | Slack incoming webhook |
| `KV_REST_API_URL` | Recommended | Vercel KV: enables deduplication and run history |
| `KV_REST_API_TOKEN` | Recommended | Vercel KV token |
| `NVD_API_KEY` | Optional | Higher NVD rate limits (500 req/30s vs 5) |
```
RSS Feeds (20+ sources)
    ↓
1. Fetch: parse RSS/Atom, normalize articles
2. Enrich: CVSS from NVD, EPSS from FIRST, KEV from CISA, vendor NER
3. Deduplicate: Union-Find on CVE IDs + Jaccard title similarity
4. IOC Extract: IPs, domains, hashes, URLs from article text
5. Score: composite 0-100 (CVSS 30% + EPSS 25% + KEV 25% + sources 10% + IOC 5% + keywords 5%)
6. Contextualize: watchlist matching, MITRE ATT&CK detection, trending signals
7. Prioritize: explainable priority level (Critical Now / Investigate / Watch / Low)
    ↓
Dashboard: cards, KPIs, incidents, CVEs, vendors, briefings
```
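
The grouping described in pipeline step 3 and in the earlier paragraph on consolidated incidents, as an added example (not SecPrior's own code): articles merge when they cite the same CVE ID or when their titles reach a Jaccard threshold, and Union-Find makes those merges transitive. The field names, the 0.6 threshold and the sample items are assumptions.

```javascript
// Added example, not SecPrior's code. Field names (id, title, cves) and the
// 0.6 title-similarity threshold are assumptions.
class UnionFind {
  constructor(n) { this.parent = Array.from({ length: n }, (_, i) => i); }
  // Returns the set representative, compressing the path on the way back.
  find(x) { return this.parent[x] === x ? x : (this.parent[x] = this.find(this.parent[x])); }
  union(a, b) {
    const ra = this.find(a), rb = this.find(b);
    if (ra !== rb) this.parent[Math.max(ra, rb)] = Math.min(ra, rb);
  }
}

const tokens = (title) =>
  new Set(title.toLowerCase().split(/[^a-z0-9]+/).filter((w) => w.length > 2));

function jaccard(a, b) {
  let shared = 0;
  for (const t of a) if (b.has(t)) shared++;
  return shared ? shared / (a.size + b.size - shared) : 0;
}

function groupIncidents(articles, threshold = 0.6) {
  const uf = new UnionFind(articles.length);
  const firstSeen = new Map(); // CVE ID -> index of the first article citing it
  const sets = articles.map((a) => tokens(a.title));
  articles.forEach((a, i) => {
    for (const cve of a.cves.map((c) => c.toUpperCase())) {
      if (firstSeen.has(cve)) uf.union(i, firstSeen.get(cve));
      else firstSeen.set(cve, i);
    }
    for (let j = 0; j < i; j++)
      if (jaccard(sets[i], sets[j]) >= threshold) uf.union(i, j);
  });
  const groups = new Map(); // root index -> article ids, in feed order
  articles.forEach((a, i) => {
    const root = uf.find(i);
    groups.set(root, [...(groups.get(root) || []), a.id]);
  });
  return [...groups.values()];
}

// Constructed sample items; the CVE IDs are placeholders, not real advisories.
const SAMPLE = [
  { id: "a1", title: "Acme VPN gateway flaw exploited in the wild", cves: ["CVE-0000-0001"] },
  { id: "a2", title: "Vendor ships patches for two gateway bugs", cves: ["cve-0000-0001", "CVE-0000-0002"] },
  { id: "a3", title: "Proof of concept released for gateway auth bypass", cves: ["CVE-0000-0002"] },
  { id: "a4", title: "Acme VPN gateway flaw exploited in wild", cves: [] },
  { id: "a5", title: "Quarterly phishing trends report published", cves: [] },
];
```

Here `a1` and `a3` share no CVE and have dissimilar titles, yet land in one incident because `a2` cites both placeholder IDs; `a4` joins through title similarity alone.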
- No telemetry: SecPrior sends no data anywhere except the APIs you configure
- Self-hosted: your watchlist, profiles and notes never leave your instance
- Client-side first: the intelligence pipeline runs in the browser; the server only proxies public APIs to bypass CORS
- No tracking: no analytics, no cookies beyond LocalStorage for your own settings
- SSRF guard: server-side API routes include an SSRF guard (`api/_lib/ssrf-guard.js`) blocking requests to private IP ranges
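
One way a guard of this kind can classify a request target, as an added example that is not the contents of `api/_lib/ssrf-guard.js`: it checks the canonicalized IP literal, or every address the hostname resolved to, and fails closed. The range list, the function names and the `resolved` parameter are assumptions.

```javascript
// Added example, not the contents of api/_lib/ssrf-guard.js. The range list,
// function names and the "resolved" parameter are assumptions.
const BLOCKED_V4 = [ // [network, prefix length]
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

// Strict dotted quad -> unsigned 32-bit number, or null.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.some((o) => o > 255) ? null : octets.reduce((n, o) => n * 256 + o, 0);
}

function isBlockedV4(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return true; // fail closed on anything unparseable
  return BLOCKED_V4.some(([net, bits]) => {
    const start = ipv4ToInt(net);
    return n >= start && n < start + 2 ** (32 - bits);
  });
}

function isBlockedAddress(addr) {
  const a = addr.toLowerCase();
  if (!a.includes(":")) return isBlockedV4(a);
  // IPv4-mapped IPv6, in dotted or hex form, is judged as the embedded IPv4.
  const m = /^::ffff:(?:(\d+\.\d+\.\d+\.\d+)|([0-9a-f]{1,4}):([0-9a-f]{1,4}))$/.exec(a);
  if (m) {
    const hi = parseInt(m[2], 16), lo = parseInt(m[3], 16);
    return isBlockedV4(m[1] || [hi >> 8, hi & 255, lo >> 8, lo & 255].join("."));
  }
  if (a === "::" || a === "::1") return true; // unspecified, loopback
  const first = parseInt(a.split(":")[0] || "0", 16);
  return (first & 0xfe00) === 0xfc00 || (first & 0xffc0) === 0xfe80; // fc00::/7, fe80::/10
}

// resolved: addresses the caller got from DNS and will actually connect to.
function isAllowedTarget(rawUrl, resolved = []) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  // new URL() canonicalizes the host, so an IPv4 literal arrives as a dotted quad.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  const literal = host.includes(":") || ipv4ToInt(host) !== null;
  const candidates = literal ? [host] : resolved;
  return candidates.length > 0 && candidates.every((a) => !isBlockedAddress(a));
}
```

The caller has to connect to the same addresses it passed in `resolved`; a second DNS lookup at connect time can return a different answer than the one that was checked.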
- Multi-tenant support (per-user profiles, shared watchlists)
- Additional feed sources (MISP, OpenCTI, STIX/TAXII)
- AI-generated briefing summaries (opt-in)
- Mobile-responsive layout improvements
- i18n / localization framework
- Webhook inbound (receive alerts from external systems)
- Docker image for simplified self-hosting
Contributions are welcome. Areas where help is most valuable:
- New feed sources: add RSS feeds to `js/feeds-config.js`
- Enrichment integrations: new API sources (VirusTotal, Shodan, etc.)
- UI improvements: the frontend is vanilla JS, easy to modify
- Tests: `npm test` runs Jest; coverage is currently focused on the pipeline
- Documentation: deploy guides, use-case walkthroughs, video demos
Please open an issue before submitting a large PR.
MIT: free to use, modify and self-host. See LICENSE.
Built for the security community. If SecPrior is useful to your team, a star on GitHub helps others find it.