Introducing Wazuh CTI

Wazuh 4.12.0

The Wazuh Cyber Threat Intelligence (CTI) service is a publicly accessible platform that collects, analyzes, and disseminates actionable information on emerging cyber threats and vulnerabilities.

The service launches with a focus on vulnerability intelligence, delivering timely updates on Common Vulnerabilities and Exposures (CVEs), severity scores, exploitability insights, and mitigation strategies. It aggregates and sanitizes data from trusted sources, including operating system vendors and major vulnerability databases, to ensure high-quality, relevant intelligence. This data enables Wazuh users and organizations to reduce their attack surface and minimize the risk of exploitation and data breaches.

Wazuh 5.0 will expand the CTI service to support additional threat intelligence domains, including Indicators of Compromise (IOCs) such as IP addresses, file hashes, and URLs. In this future release, Wazuh threat detection rules will also be provided directly from the Wazuh CTI platform.

In this blog post, we show how Wazuh CTI enhances your security operations with actionable threat intelligence, uncovering vulnerabilities and improving detection and response.

Vulnerability data sources

The Wazuh CTI platform gathers vulnerability data from a defined set of trusted sources: official feeds from operating system vendors and reputable security databases. The sources include:

  • Operating system vendors – AlmaLinux, Amazon Linux, ArchLinux, Ubuntu (Canonical), Debian, Fedora, Oracle Linux, Red Hat Enterprise Linux (RHEL), Rocky Linux, SUSE Linux Enterprise.
  • Security databases – Microsoft Security Updates (MSU), National Vulnerability Database (NVD), Open Source Vulnerabilities (OSV), Cybersecurity and Infrastructure Security Agency (CISA).

Vulnerability intelligence workflow

Wazuh CTI currently focuses on vulnerability intelligence, using a structured process to ensure the accuracy and consistency of the data it ingests.

  • Collection and normalization: Vulnerability data arrives in a different format from each provider. All incoming data is normalized into a common structure, the CVE JSON 5.0 record format, so that records from different sources can be compared and merged consistently. This normalization enables the consolidation of diverse vulnerability information into a reliable, centralized repository.
  • Validation: We perform in-depth research to validate which systems and package versions are truly affected by each vulnerability, ensuring the accuracy and reliability of the data.
  • Refinement and enrichment: Our team also improves the consistency and completeness of vulnerability records by correcting format inconsistencies and filling in missing information.

After completing all these steps, the processed vulnerability data is merged and uploaded to the repository, then published through the Wazuh CTI API.
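As an added illustration of the collection and normalization step (example code written for this post, not code from Wazuh or the CTI service): the script below reads a CVE JSON 5.0-shaped record, flattens its affected version ranges, and checks whether a given installed package version falls inside one. The record, vendor, product and version numbers are all constructed placeholders. Real records carry many more fields, and distribution packages with epochs or release suffixes need the vendor's own version-comparison rules, which is exactly the validation work the post describes.

```python
"""Added example (not Wazuh's code): flatten the affected ranges of a
CVE JSON 5.0-shaped record and test an installed version against them."""
import re

# Constructed CVE JSON 5.0-style record. Every value is a placeholder;
# the CVE ID, vendor, product and versions are not real vulnerability data.
SAMPLE_RECORD = {
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-0000-0000", "state": "PUBLISHED"},  # placeholder ID
    "containers": {
        "cna": {
            "descriptions": [{"lang": "en", "value": "Placeholder description."}],
            "affected": [
                {
                    "vendor": "examplevendor",
                    "product": "examplepkg",
                    "versions": [
                        # 1.0 up to, but not including, 1.4.2 is affected
                        {"version": "1.0", "status": "affected",
                         "lessThan": "1.4.2", "versionType": "semver"},
                        # the fixed version itself, explicitly unaffected
                        {"version": "1.4.2", "status": "unaffected"},
                    ],
                },
                {
                    "vendor": "examplevendor",
                    "product": "examplepkg",
                    "versions": [
                        # inclusive upper bound on the 2.x branch
                        {"version": "2.0", "status": "affected",
                         "lessThanOrEqual": "2.1.3", "versionType": "semver"},
                    ],
                },
            ],
            "metrics": [{"cvssV3_1": {"baseScore": 7.8, "baseSeverity": "HIGH"}}],
        }
    },
}


def parse_version(v):
    """Turn a dotted numeric version into a comparable tuple.
    Trailing zeros are dropped so 1.4 and 1.4.0 compare equal.
    Only plain numeric versions are handled; epochs and release suffixes
    (e.g. 1:1.4.2-3ubuntu1) require distribution-specific rules."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def normalize_affected(record):
    """Flatten CNA 'affected' entries into (vendor, product, low, high,
    high_inclusive) ranges, keeping only entries with status 'affected'.
    A high bound of '*' means 'every later version' in CVE JSON 5.0."""
    ranges = []
    for entry in record["containers"]["cna"].get("affected", []):
        vendor = entry.get("vendor", "")
        product = entry.get("product", "")
        for v in entry.get("versions", []):
            if v.get("status") != "affected":
                continue
            low = v["version"]
            if "lessThan" in v:
                ranges.append((vendor, product, low, v["lessThan"], False))
            elif "lessThanOrEqual" in v:
                ranges.append((vendor, product, low, v["lessThanOrEqual"], True))
            else:
                ranges.append((vendor, product, low, low, True))  # single version
    return ranges


def is_affected(record, product, version):
    """Return True if `version` of `product` falls in any affected range."""
    pv = parse_version(version)
    for _vendor, prod, low, high, high_incl in normalize_affected(record):
        if prod != product or pv < parse_version(low):
            continue
        if high == "*":
            return True
        hv = parse_version(high)
        if pv < hv or (high_incl and pv == hv):
            return True
    return False


def severity(record):
    """Extract (baseSeverity, baseScore) from the first CVSS v3.1 metric, if any."""
    for m in record["containers"]["cna"].get("metrics", []):
        if "cvssV3_1" in m:
            return m["cvssV3_1"]["baseSeverity"], m["cvssV3_1"]["baseScore"]
    return None, None


if __name__ == "__main__":
    for ver in ("0.9", "1.3.9", "1.4.2", "2.1.3", "2.1.4"):
        print(f"examplepkg {ver}: affected={is_affected(SAMPLE_RECORD, 'examplepkg', ver)}")
    print("severity:", severity(SAMPLE_RECORD))
```

The two range forms (`lessThan` versus `lessThanOrEqual`) are the usual source of off-by-one errors when feeds are merged, which is why the inclusive flag is carried through explicitly rather than collapsed into a single comparison.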

Accessing Wazuh CTI

The Wazuh CTI API powers both the public threat intelligence website and the vulnerability detection feature within the Wazuh XDR & SIEM unified platform. The service is accessible either through the Wazuh CTI website or from the Wazuh dashboard by navigating to the Vulnerability Detection section.

From the website

The Wazuh CTI website is open to the public and requires no Wazuh installation. It features a robust search tool for filtering vulnerabilities by CVE ID, affected application, CVSS score, severity, and publication date, with customizable sorting.

The image below shows the Wazuh CTI web interface. 

You can also explore CVE data by source, view yearly vulnerability trends, and see the most frequently searched vulnerabilities.

From the Wazuh dashboard

Starting with Wazuh 4.12, you can access Wazuh CTI directly from vulnerability alerts in the dashboard. Navigate to Vulnerability Detection > Inventory and click the vulnerability.id of any unresolved issue to open detailed threat intelligence on the Wazuh CTI website. For example, clicking CVE-2025-0411 shows information related to a vulnerable 7-Zip package.

You will be redirected to the Wazuh CTI website, where you can find more information on the detected vulnerability: its description, the affected operating systems and software versions, the severity metrics, and additional references.

The image below shows the detected CVE-2025-0411 vulnerability on the Wazuh CTI website. This vulnerability in 7-Zip allows remote attackers to bypass the Mark-of-the-Web (MotW) security mechanism.

Conclusion

The Wazuh CTI is a global threat intelligence service that collects, analyzes, and shares information about potential cyber threats and vulnerabilities. While it currently focuses on vulnerability intelligence, future updates will introduce broader threat intelligence domains. The CTI will also provide updates for the Wazuh ruleset to further enhance threat detection and response.

If you have any questions about this blog post or Wazuh, we invite you to join our community, where our team can assist you.