ZeroDayAttack - AppSec Intelligence Aggregator
A self-initiated security product I built and run - live at zerodayattack.net. The single real-time intelligence source an AppSec engineer checks: CVEs, CISA KEV, EPSS, exploit signals, threat actors, IOCs, vendor/PSIRT advisories and research - unified, normalized, deduplicated and pushed live from ~85 feeds. Plus an authenticated workspace that turns intel into action: asset profiles drive a personalized patch queue, with watchlists/alerts, triage, remediation SLAs and Jira/GitHub/SIEM hand-off.
Scope: Solo build: ~85-feed ingestion pipeline, normalization + trust ordering, realtime ISR site, authenticated remediation workspace, REST/STIX/TAXII federation and CLI.
A self-initiated security product I built and run - live at zerodayattack.net. The single real-time intelligence source an AppSec engineer checks: CVEs, CISA KEV, EPSS, exploit signals, threat actors, IOCs, vendor/PSIRT advisories and security research - unified, normalized, deduplicated, searchable and pushed live from ~85 feeds. Plus an authenticated workspace that turns intel into action: asset profiles drive a personalized patch queue, with watchlists/alerts, triage, remediation SLAs and Jira/GitHub/SIEM hand-off.
The Challenge
AppSec teams drown in fragmented intelligence: NVD in one place, CISA KEV in another, then EPSS, vendor PSIRTs, exploit PoCs, IOC feeds, MITRE ATT&CK and research RSS - each a different schema, cadence and trust level, and none prioritized for your specific stack. Turning that firehose into "what do I patch first, and is it actually being exploited" is manual, slow, and stale by the time it is finished. The opening was one normalized, real-time source of truth that reads as a public briefing and also drives a private remediation workflow - without a wall of false-urgency noise.
The Solution
Built on Next.js 15 (App Router), TypeScript, Tailwind and Supabase (Postgres + Realtime + RLS) on Vercel. ~85 feeds are ingested on tiered Vercel crons (5-min / 30-min / daily / EPSS) into an append-only event log and merged into canonical records through a source trust order (NVD > vulnrichment > ZDI > GHSA > OSV > … > KEV > EPSS), with every outbound fetch behind an SSRF host allowlist. High-traffic public pages are ISR - served from the CDN yet still updating live, because Supabase realtime changes are merged into the TanStack Query cache; a per-request CSP-nonce "strict" mode for the workspace and a constant "content" CSP for cached pages keep both fast and locked down (anon RLS reads only; service-role key server-only). Public surfaces: a threat briefing, CVE feed, emerging-exploitation signals, CISA KEV zero-days, threat actors, IOCs, vendors, news, CWE/CVE detail, compare, search and source-health/status. The authenticated workspace turns intel into action: asset profiles personalize the patch queue, plus watchlists and alert channels, a triage bench, investigations, a query builder, remediation metrics (MTTR / SLA / burn-down) and integrations (Jira / Linear / ServiceNow / GitHub / SIEM). Federation-ready: a versioned REST API (`/api/v1`), OpenAPI docs, STIX 2.1 bundles, a TAXII 2.1 server and a CLI.
Client
Kiril Urbonas
“I built ZeroDayAttack because triaging vulnerabilities meant juggling NVD, KEV, EPSS, vendor advisories and exploit feeds by hand. It unifies ~85 sources into one real-time, normalized briefing, then turns it into a personalized patch queue with SLAs and Jira/GitHub hand-off. The realtime-on-ISR architecture and the SSRF/RLS/CSP hardening are exactly the standard I bring to client work.”
Kiril Urbonas
Creator & Engineer, ZeroDayAttack
zerodayattack.net
Key Results
CVE, KEV, EPSS, advisories, IOCs, actors, research - unified
Supabase realtime → live updates on CDN-cached pages
Asset profiles → personalized patch queue, SLAs, triage
REST /api/v1, OpenAPI, STIX 2.1, TAXII 2.1, CLI
Timeline
Ongoing - live and updated continuously · 2026
Completed 2026
Scope: Solo build: ~85-feed ingestion pipeline, normalization + trust ordering, realtime ISR site, authenticated remediation workspace, REST/STIX/TAXII federation and CLI.
More case studies
Want results like these for your business?
I'll map out a clear plan, timeline, and realistic results for your project - no obligation.
