Early actors
Probing before the exploit was public
Some IPs probe a CVE's exact exploit path days or weeks before an NVD entry or any public exploit tooling exists. Whoever they are, they did not learn about the bug from the places everyone else does. This table is every actor currently earning that flag, recomputed hourly from live honeypot traffic.
Loading…
How a row earns its place
Most "pre-disclosure" claims die under scrutiny: the signature was generic, the scanner sweeps everything, or the measurement started mid-campaign. Every signature we track runs a gauntlet of four checks designed to kill it, and almost everything does.
Loading the pipeline…
The four checks
The probe matches a discriminating signature
The request has to hit the CVE's specific exploit path, not a generic endpoint. Signatures that match half the internet (/, /.env, common admin panels) are excluded from attribution entirely, and only medium-or-better confidence signatures count.
It lands before the earliest public signal
The reference date is the earlier of the CVE's NVD publication and the first public exploit template for it (the Nuclei template's first git commit). Measuring against NVD alone flatters the data; tooling often exists weeks earlier, so we anchor on whichever came first.
Our sensors were already watching
If the earliest matching probe sits within three days of the start of our coverage for that signature, the CVE is not assessable: we may have joined an already-running campaign, and an artifact of when we started looking is not a lead.
The actor is focused, not a mass scanner
An IP that swept fifty or more distinct paths across our sensors is a broad scanner; one of its hits landing on this CVE's path is expected, not interesting. Only IPs with narrow path breadth earn a row. The breadth is shown so you can judge it yourself.
The lead time in the table is the gap between the actor's first matching probe and the reference date from check 02. Probing proves neither a working exploit nor insider knowledge; it proves early, narrow interest. Treat each row as a lead to investigate, starting with the IP's full report.
Free, no account needed. The same data is JSON at /api/pre-disclosure/actors; only CVEs published after our sensor coverage began can be assessed.