> ## Documentation Index
> Fetch the complete documentation index at: https://developer.kyberis.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Sample CVE Investigation

> Investigate a CVE with REST calls, evidence checks, relationship pivots, and a deterministic assessment.

Use this sample when a user asks whether a known CVE needs action. The example keeps the workflow bounded: resolve the CVE, retrieve focused evidence, pivot relationships, run the assessment, then produce a recommendation with caveats.

## Scenario

A security engineer asks:

> Should we prioritize CVE-2024-3094 for a Linux fleet that includes developer workstations and build infrastructure?

## REST Flow

Set request-scoped IDs once so each API call can be tied back to the same investigation.

```bash theme={null}
export KYBERIS_BASE_URL="https://api.kyberis.ai"
export RUN_ID="run-cve-3094-sample"
```

### 1. Resolve the CVE

```bash theme={null}
curl -sS -X POST "$KYBERIS_BASE_URL/v2/entity-resolution" \
  -H "Authorization: ApiKey $KYBERIS_API_KEY_ID:$KYBERIS_API_KEY_SECRET" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_context": {
      "objective": "Resolve CVE-2024-3094 before risk assessment.",
      "requested_outcome": "Canonical CVE entity for downstream evidence and assessment calls.",
      "workflow_stage": "resolve",
      "run_id": "run-cve-3094-sample",
      "step_id": "resolve-cve"
    },
    "query": "CVE-2024-3094",
    "expected_types": ["cve"],
    "resolution": {
      "max_results": 5,
      "include_aliases": true,
      "include_metadata": true
    }
  }' | jq .
```

Representative response excerpt:

```json theme={null}
{
  "request_id": "req_sample_cve_resolve",
  "resolution": {
    "status": "resolved",
    "confidence": "high"
  },
  "entity_type": "cve",
  "canonical_id": "cve--CVE-2024-3094",
  "canonical_name": "CVE-2024-3094"
}
```

### 2. Retrieve Active Exploitation Evidence

```bash theme={null}
curl -sS -X POST "$KYBERIS_BASE_URL/v2/evidence" \
  -H "Authorization: ApiKey $KYBERIS_API_KEY_ID:$KYBERIS_API_KEY_SECRET" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_context": {
      "objective": "Check whether CVE-2024-3094 has exploitation evidence.",
      "requested_outcome": "Bounded evidence for active exploitation or observed abuse.",
      "workflow_stage": "evidence",
      "run_id": "run-cve-3094-sample",
      "step_id": "evidence-active-exploitation"
    },
    "subject": {
      "entity_type": "cve",
      "canonical_id": "cve--CVE-2024-3094",
      "canonical_name": "CVE-2024-3094"
    },
    "claim_type": "active_exploitation",
    "max_results": 5
  }' | jq .
```

Representative response excerpt:

```json theme={null}
{
  "request_id": "req_sample_cve_evidence",
  "claim_type": "active_exploitation",
  "items": [
    {
      "evidence_id": "report--sample-xz-backdoor",
      "evidence_type": "report",
      "confidence": "high",
      "summary": "Reporting describes a supply-chain backdoor in affected XZ Utils versions."
    }
  ]
}
```

### 3. Pivot Relationships

```bash theme={null}
curl -sS -X POST "$KYBERIS_BASE_URL/v2/relationships" \
  -H "Authorization: ApiKey $KYBERIS_API_KEY_ID:$KYBERIS_API_KEY_SECRET" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_context": {
      "objective": "Find related entities for CVE-2024-3094.",
      "requested_outcome": "Actors, malware, campaigns, indicators, and techniques relevant to the CVE.",
      "workflow_stage": "relationships",
      "run_id": "run-cve-3094-sample",
      "step_id": "relationships-cve"
    },
    "subject": {
      "entity_type": "cve",
      "canonical_id": "cve--CVE-2024-3094",
      "canonical_name": "CVE-2024-3094"
    },
    "relationship_types": ["campaign", "malware", "sector", "ioc", "technique"],
    "max_results": 10
  }' | jq .
```

Representative response excerpt:

```json theme={null}
{
  "request_id": "req_sample_cve_relationships",
  "relationships": [
    {
      "relationship_type": "technique",
      "target_name": "Supply Chain Compromise",
      "confidence": "medium",
      "supporting_evidence": ["report--sample-xz-backdoor"]
    }
  ]
}
```

### 4. Run the CVE Assessment

```bash theme={null}
curl -sS -X POST "$KYBERIS_BASE_URL/v2/cve-assessments" \
  -H "Authorization: ApiKey $KYBERIS_API_KEY_ID:$KYBERIS_API_KEY_SECRET" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_context": {
      "objective": "Decide whether CVE-2024-3094 requires immediate action.",
      "requested_outcome": "Deterministic risk guidance with evidence references.",
      "workflow_stage": "assessment",
      "run_id": "run-cve-3094-sample",
      "step_id": "assessment-cve"
    },
    "query": "CVE-2024-3094",
    "context": {
      "known_targets": ["XZ Utils 5.6.0", "XZ Utils 5.6.1"],
      "targeted_industries": ["technology"],
      "intel_confidence": "medium"
    }
  }' | jq .
```

Representative response excerpt:

```json theme={null}
{
  "request_id": "req_sample_cve_assessment",
  "recommendation": "validate_exposure",
  "priority": "high",
  "confidence_score": 0.86,
  "evidence_refs": ["report--sample-xz-backdoor"],
  "caveats": ["Confirm whether affected package versions exist in the environment."]
}
```

## Final Answer Example

**Recommendation:** Validate exposure immediately and patch or roll back affected XZ Utils versions if found.

**Why now:** Kyberis resolved CVE-2024-3094 with high confidence and found high-confidence evidence describing supply-chain backdoor activity. The affected package family can matter to developer workstations and build infrastructure.

**Confidence:** High for the CVE match and public risk signal. Environment-specific confidence depends on whether XZ Utils 5.6.0 or 5.6.1 is present.

**Supporting evidence:** `report--sample-xz-backdoor`. Request IDs: `req_sample_cve_resolve`, `req_sample_cve_evidence`, `req_sample_cve_relationships`, `req_sample_cve_assessment`.

**Next actions:** Inventory package versions, isolate or rebuild affected hosts, and document whether the vulnerable versions were ever deployed.

## Decision Gates

* If resolution is `ambiguous`, retry with `expected_types: ["cve"]` or ask for the exact CVE.
* If evidence is sparse, recommend exposure validation instead of emergency remediation.
* If the assessment cites evidence IDs, hydrate critical evidence with `GET /v2/evidence/{evidence_id}` before a high-impact final report.
