VulnCheck introduces VulnCheck Canary Intelligence

Jacob Baines, Chief Technology Officer at VulnCheck

Lexington, MA-based VulnCheck, which combines vulnerability and exploit data, has announced the introduction of VulnCheck Canary Intelligence.

“VulnCheck is happy to announce our new offering – Canary Intelligence,” said Jacob Baines, Chief Technology Officer at VulnCheck. “This new solution captures real-world exploitation in real-time. Canary Intelligence data comes from our globally deployed network of vulnerable systems, or ‘canaries.’ It starts with live attacker activity including payloads, IP addresses, geolocation data, and exploited CVEs. It also includes ground-truth visibility into what vulnerabilities are actively targeted in the wild, and verified exploitation telemetry from real attacks on real software.”

What do Canary Intelligence customers get?

VulnCheck Canary Intelligence is a new offering that captures real-world exploitation as it happens. The dataset is built from a global network of intentionally vulnerable systems that we call canaries. Our canaries record live attacker activity including payloads, IP addresses, geolocation data, and exploited CVEs. This provides defenders with ground-truth visibility into what vulnerabilities are actively targeted in the wild. This isn’t theoretical; it’s verified exploitation telemetry from real attacks on real software.

What does Canary Intelligence enhance in the VulnCheck Community?

Links to relevant Canary observations in VulnCheck Known Exploited Vulnerability (KEV)

Evidence of “First Canary Exploitation” in CVE views

A window into the same Canary Intelligence dataset used by enterprise defenders

“VulnCheck believes the most important vulnerabilities are those actively exploited in the wild,” Baines stated. “Acting on that belief, we built Suricata and Snort rules for Initial Access Intelligence to detect exploitation in network traffic. It’s also why we’ve invested so heavily in curating our freely available VulnCheck Known Exploited Vulnerability (KEV) database. However, the public reporting that KEV relies on can sometimes trail behind real-world exploitation. Canaries close that gap by applying our network detection rules across the internet. Attacks observed by Canaries can appear in the VulnCheck KEV within minutes of exploitation, giving defenders critical time to respond to the vulnerabilities that actually matter.”

“VulnCheck canaries are a natural evolution of our product offering,” Baines said. “Building on VulnCheck Initial Access Intelligence, which provides intentionally vulnerable Docker containers for customers to test exploits and detections, we’ve deployed these same systems across the Internet to observe how attackers interact with real software. Unlike a honeypot, which can be fingerprinted and intentionally evaded by threat actors, a canary always appears genuine, because it is.”

VulnCheck Canary Intelligence delivers detailed exploitation telemetry and makes it possible to infer associated Command & Control (C2) infrastructure. With this visibility, defenders can distinguish low-effort scans (e.g., Nuclei) from more advanced or targeted attacks. For example, VulnCheck was the first to report real exploitation of CVE-2025-2611, an unauthenticated remote code execution vulnerability in ICTBroadcast call center software. The data we provide to VulnCheck Canary Intelligence customers looks like this:

Decoded and interpreted, the attacker base64-decodes a payload and pipes it back, yielding a reverse shell back to 159.65.227.190:9095. From a single record, Canary Intelligence customers can therefore:

Attribute activity to a source IP and country, and a targeted geography

Associate the IP with a specific CVE being exploited

Recover the raw payload and any embedded C2 addresses

Determine if the event was generated by a scanning tool like Nuclei or a true exploitation attempt
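The payload triage described above, as an added example that is not from VulnCheck or the original article: it base64-decodes any encoded runs in a captured payload string, including nested layers, and collects the IPv4:port pairs it finds. The function names, the 16-character run threshold and the sample payloads are assumptions; the samples are constructed, contain inert text, and use a documentation address.

```python
import base64
import binascii
import re

# Runs of base64 alphabet long enough to carry a command (16 is an assumed threshold).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# IPv4:port pairs, the form in which the article reports the callback address.
ENDPOINT = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b")


def decoded_layers(payload, max_depth=3):
    """Return the payload plus every text layer recovered by base64-decoding it."""
    layers, frontier = [payload], [payload]
    for _ in range(max_depth):
        nxt = []
        for text in frontier:
            for run in B64_RUN.findall(text):
                try:
                    nxt.append(base64.b64decode(run, validate=True).decode("utf-8"))
                except (binascii.Error, UnicodeDecodeError):
                    continue  # looked like base64 but is not decodable text
        if not nxt:
            break
        layers.extend(nxt)
        frontier = nxt
    return layers


def embedded_endpoints(payload):
    """Collect valid IPv4:port pairs from the raw payload and all decoded layers."""
    found = set()
    for layer in decoded_layers(payload):
        for ip, port in ENDPOINT.findall(layer):
            if all(int(o) <= 255 for o in ip.split(".")) and 0 < int(port) <= 65535:
                found.add((ip, int(port)))
    return sorted(found)


# Constructed samples: inert text stands in for the decoded command, and
# 203.0.113.10 is a documentation address, not an observed indicator.
SAMPLE_INNER = "connect-back 203.0.113.10:9095"
SAMPLE_B64 = base64.b64encode(SAMPLE_INNER.encode()).decode()
SAMPLE_PAYLOAD = "q=1;echo " + SAMPLE_B64 + "|base64 -d"
SAMPLE_NESTED = "q=1;echo " + base64.b64encode(SAMPLE_B64.encode()).decode() + "|base64 -d"

if __name__ == "__main__":
    print(embedded_endpoints(SAMPLE_PAYLOAD))
    print(embedded_endpoints(SAMPLE_NESTED))
```

A run that is glued to other alphanumeric characters will fail strict decoding and be skipped, so treat an empty result as "nothing recovered", not as "no callback present".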

We expose Canary telemetry in five indices by retention window: vulncheck-canaries-3d, vulncheck-canaries-10d, vulncheck-canaries-30d, vulncheck-canaries-90d, and vulncheck-canaries (the full, historical index). Customers can query these indices via API or download offline backups for enrichment, correlation, and threat-hunting workflows.

VulnCheck Canary Intelligence seamlessly integrates across the existing VulnCheck product line, expanding context and precision across datasets.

Canary exploitation data is now surfaced directly in the freely available VulnCheck Known Exploited Vulnerability (KEV). Each CVE entry includes links to relevant Canary observations and a new Boolean field, reported_exploited_by_vulncheck_canaries. Here is an example using the KEV entry for CVE-2025-2611:

VulnCheck Exploit & Vulnerability Intelligence customers will now see Canary data integrated into vulncheck-nvd, vulncheck-nvd2, and exploits indices. Each exploit record includes Canary observation links and the new boolean field “reported_exploited_by_vulncheck_canaries”, allowing users to instantly filter and prioritize CVEs that have been verified through real exploitation. Canary data is also incorporated into VulnCheck IP Intelligence. IPs associated with exploitation observed by Canaries are included alongside the corresponding CVE, attacker country, and first-seen timestamp.

Conclusion

VulnCheck Canary Intelligence gives defenders something they desperately need: verified, real-time visibility into active exploitation across the internet. It transforms exploitation from something discovered after the fact into something defenders can monitor as it happens. By integrating Canary data across VulnCheck products, customers gain:

Immediate awareness of CVEs being exploited in the wild

Earlier detection and prioritization of vulnerabilities that actually matter

Attribution insight linking attacker IPs, infrastructure, and payloads

Contextual enrichment across VulnCheck KEV, Exploit & Vulnerability Intelligence, and IP Intelligence datasets

Defenders can now act on ground-truth exploitation telemetry, not assumptions, not lab data, and not delayed reporting. VulnCheck Canary Intelligence turns live attacks into early warning.