name: vulnerability-intelligence
description: >-
  Vulnerability-centric workflow using Shodan's CVEDB and search APIs. Look up
  a CVE, find affected CPEs, and quantify exposure across the Internet or a
  defined IP perimeter, then stream new banners matching the CVE as Shodan
  observes them.
provider: shodan
workflow:
  - capability: shodan-cvedb
    operation: getCve
    purpose: Fetch full details (CVSS, EPSS, KEV status, references, impacted CPEs) for a given CVE.
  - capability: shodan-cvedb
    operation: searchCves
    purpose: Filter CVEs by KEV status or EPSS score to prioritize remediation.
  - capability: shodan-cvedb
    operation: searchCpes
    purpose: Translate a product name into CPE 2.3 identifiers used by the Shodan index.
  - capability: shodan-rest
    operation: getHostCount
    purpose: Quantify how many Internet-exposed hosts match the affected CPE / version using `vuln:` and `cpe23:` filters.
  - capability: shodan-rest
    operation: searchHosts
    purpose: Enumerate the actual hosts exposing the vulnerable service.
  - capability: shodan-stream
    operation: streamBannersByVuln
    purpose: Tail the firehose for newly observed banners matching the CVE for continuous monitoring.
  - capability: shodan-internetdb
    operation: getInternetDbHost
    purpose: Spot-check whether specific external IPs are still flagged with the CVE in the free InternetDB dataset.