Skip to main content
Use this sample when a user asks whether a known CVE needs action. The example keeps the workflow bounded: resolve the CVE, retrieve focused evidence, pivot relationships, run the assessment, then produce a recommendation with caveats.

Scenario

A security engineer asks:
Should we prioritize CVE-2024-3094 for a Linux fleet that includes developer workstations and build infrastructure?

REST Flow

Set request-scoped IDs once so each API call can be tied back to the same investigation.
export KYBERIS_BASE_URL="https://api.kyberis.ai"
export RUN_ID="run-cve-3094-sample"

1. Resolve the CVE

curl -sS -X POST "$KYBERIS_BASE_URL/v2/entity-resolution" \
  -H "Authorization: ApiKey $KYBERIS_API_KEY_ID:$KYBERIS_API_KEY_SECRET" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_context": {
      "objective": "Resolve CVE-2024-3094 before risk assessment.",
      "requested_outcome": "Canonical CVE entity for downstream evidence and assessment calls.",
      "workflow_stage": "resolve",
      "run_id": "run-cve-3094-sample",
      "step_id": "resolve-cve"
    },
    "query": "CVE-2024-3094",
    "expected_types": ["cve"],
    "resolution": {
      "max_results": 5,
      "include_aliases": true,
      "include_metadata": true
    }
  }' | jq .
Representative response excerpt:
{
  "request_id": "req_sample_cve_resolve",
  "resolution": {
    "status": "resolved",
    "confidence": "high"
  },
  "entity_type": "cve",
  "canonical_id": "cve--CVE-2024-3094",
  "canonical_name": "CVE-2024-3094"
}

2. Retrieve Active Exploitation Evidence

curl -sS -X POST "$KYBERIS_BASE_URL/v2/evidence" \
  -H "Authorization: ApiKey $KYBERIS_API_KEY_ID:$KYBERIS_API_KEY_SECRET" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_context": {
      "objective": "Check whether CVE-2024-3094 has exploitation evidence.",
      "requested_outcome": "Bounded evidence for active exploitation or observed abuse.",
      "workflow_stage": "evidence",
      "run_id": "run-cve-3094-sample",
      "step_id": "evidence-active-exploitation"
    },
    "subject": {
      "entity_type": "cve",
      "canonical_id": "cve--CVE-2024-3094",
      "canonical_name": "CVE-2024-3094"
    },
    "claim_type": "active_exploitation",
    "max_results": 5
  }' | jq .
Representative response excerpt:
{
  "request_id": "req_sample_cve_evidence",
  "claim_type": "active_exploitation",
  "items": [
    {
      "evidence_id": "report--sample-xz-backdoor",
      "evidence_type": "report",
      "confidence": "high",
      "summary": "Reporting describes a supply-chain backdoor in affected XZ Utils versions."
    }
  ]
}

3. Pivot Relationships

curl -sS -X POST "$KYBERIS_BASE_URL/v2/relationships" \
  -H "Authorization: ApiKey $KYBERIS_API_KEY_ID:$KYBERIS_API_KEY_SECRET" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_context": {
      "objective": "Find related entities for CVE-2024-3094.",
      "requested_outcome": "Actors, malware, campaigns, indicators, and techniques relevant to the CVE.",
      "workflow_stage": "relationships",
      "run_id": "run-cve-3094-sample",
      "step_id": "relationships-cve"
    },
    "subject": {
      "entity_type": "cve",
      "canonical_id": "cve--CVE-2024-3094",
      "canonical_name": "CVE-2024-3094"
    },
    "relationship_types": ["campaign", "malware", "sector", "ioc", "technique"],
    "max_results": 10
  }' | jq .
Representative response excerpt:
{
  "request_id": "req_sample_cve_relationships",
  "relationships": [
    {
      "relationship_type": "technique",
      "target_name": "Supply Chain Compromise",
      "confidence": "medium",
      "supporting_evidence": ["report--sample-xz-backdoor"]
    }
  ]
}

4. Run the CVE Assessment

curl -sS -X POST "$KYBERIS_BASE_URL/v2/cve-assessments" \
  -H "Authorization: ApiKey $KYBERIS_API_KEY_ID:$KYBERIS_API_KEY_SECRET" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_context": {
      "objective": "Decide whether CVE-2024-3094 requires immediate action.",
      "requested_outcome": "Deterministic risk guidance with evidence references.",
      "workflow_stage": "assessment",
      "run_id": "run-cve-3094-sample",
      "step_id": "assessment-cve"
    },
    "query": "CVE-2024-3094",
    "context": {
      "known_targets": ["XZ Utils 5.6.0", "XZ Utils 5.6.1"],
      "targeted_industries": ["technology"],
      "intel_confidence": "medium"
    }
  }' | jq .
Representative response excerpt:
{
  "request_id": "req_sample_cve_assessment",
  "recommendation": "validate_exposure",
  "priority": "high",
  "confidence_score": 0.86,
  "evidence_refs": ["report--sample-xz-backdoor"],
  "caveats": ["Confirm whether affected package versions exist in the environment."]
}

Final Answer Example

Recommendation: Validate exposure immediately and patch or roll back affected XZ Utils versions if found. Why now: Kyberis resolved CVE-2024-3094 with high confidence and found high-confidence evidence describing supply-chain backdoor activity. The affected package family can matter to developer workstations and build infrastructure. Confidence: High for the CVE match and public risk signal. Environment-specific confidence depends on whether XZ Utils 5.6.0 or 5.6.1 is present. Supporting evidence: report--sample-xz-backdoor. Request IDs: req_sample_cve_resolve, req_sample_cve_evidence, req_sample_cve_relationships, req_sample_cve_assessment. Next actions: Inventory package versions, isolate or rebuild affected hosts, and document whether the vulnerable versions were ever deployed.

Decision Gates

  • If resolution is ambiguous, retry with expected_types: ["cve"] or ask for the exact CVE.
  • If evidence is sparse, recommend exposure validation instead of emergency remediation.
  • If the assessment cites evidence IDs, hydrate critical evidence with GET /v2/evidence/{evidence_id} before a high-impact final report.