opendr-io/causality

CAUSALITY is an intrusion prediction model that is successfully predicting CVEs being watchlisted with lead times ranging from days to months. Every incident response we turn into incident avoidance allows us to actually get "left of boom" and live our best lives. Risk avoidance gives time back to busy DevOps teams, in addition to security teams, while producing greater CVE risk reduction velocity than conventional or manual processes.

Contents:

Results contains a history of the provably correct predictions.

web contains a Streamlit app with a search interface for the ratings data. Search by CVE (exact match) or other fields. Ratings are available for CVEs between January 2024 - August 2025. I have not yet rated years before 2024; hit me up if you would like me to.

causality.ipynb: a Jupyter notebook for processing vuln data and adding ratings generated by the CAUSALITY model. This can be run wherever your data lives and does not require running a model or shipping your data anywhere. The published ratings are loaded from text files which are in this repo. No data flows back out of the user organization. The model is not yet open sourced at this time but you don't need it to use the ratings.

2025: CVEs from calendar 2025 that have been rated by the CAUSALITY model. There are two rating levels now, hot and warm. This is being done with a multi-stage pipeline of models and algos and has nothing to do with severity, CVSS, EPSS, or the other conventional metrics.

HOT CVEs have more potential to become a widely exploited vuln with more impact. If you can target these it will reduce risk.

WARM CVEs still have potential but they're less likely to become something we hear about. A possible B-list of priorities for more risk reduction.

Everything else was rated cold by the model, meaning they have some potential, but probably won't be the ones that we hear about. Note I am talking about risk reduction, not risk eradication. Use these ratings in concert with local data. I am rating nearly all current CVEs - over 17k in this latest run - but there may be a few stragglers that were not processed. Let me know if you're looking for a specific CVE. I am not rating WordPress vulns because I get better results keeping them out of the model, so if you're running WordPress, let me know if you want ratings for those. I have not gone back further than 2024, but if you want me to rate the entire population over the past two decades, hit me up.

2024: Ratings runs for calendar 2024 CVEs that came out of the model rated 'hot.' It is possible to predict that most of the watch-listed CVEs will be in a subset of 6-12% of the population.

BASC: A project presentation and accompanying notebook from the OWASP 2025 Boston Application Security Conference.
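
One way to use the hot and warm lists "in concert with local data", as an added example that is not code from this repo or its notebook: it tags local scanner findings with a rating and sorts hot first, while keeping CVEs outside the rated 2024-2025 window as `unrated` instead of calling them cold. The one-ID-per-line file format, the function names, the finding fields, and the use of the CVE ID year as a proxy for the rated calendar year are all assumptions.

```python
import re

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")
RATED_YEARS = {2024, 2025}  # the README: ratings cover January 2024 - August 2025
PRIORITY = {"hot": 0, "warm": 1, "cold": 2, "unrated": 3}

def load_ids(text):
    """Parse a ratings file body. Assumed format: one CVE ID per line, '#' comments."""
    ids = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip().upper()
        if CVE_RE.match(token):  # skip blanks and anything that is not a CVE ID
            ids.add(token)
    return ids

def rate(cve_id, hot, warm):
    """Return 'hot', 'warm', 'cold' or 'unrated' for one CVE ID."""
    cve = cve_id.strip().upper()
    m = CVE_RE.match(cve)
    if not m:
        return "unrated"  # malformed ID: never silently call it cold
    if cve in hot:
        return "hot"
    if cve in warm:
        return "warm"
    # Assumption: the year in the ID approximates the rated calendar year.
    # Absence from both lists only suggests "cold" inside the rated window;
    # stragglers and WordPress CVEs also land here, so treat it as a hint.
    return "cold" if int(m.group(1)) in RATED_YEARS else "unrated"

def prioritize(findings, hot, warm):
    """Tag local findings (dicts with 'cve' and 'host') and sort hot first."""
    tagged = [dict(f, rating=rate(f["cve"], hot, warm)) for f in findings]
    return sorted(tagged, key=lambda f: (PRIORITY[f["rating"]], f["cve"]))

# Constructed sample data: placeholder IDs, not real ratings from the repo.
HOT = load_ids("CVE-2025-00001\ncve-2025-00002  # mixed case\n")
WARM = load_ids("CVE-2024-00003\n\nnot-a-cve\n")
FINDINGS = [
    {"host": "web01", "cve": "CVE-2023-00009"},   # before the rated window
    {"host": "db01", "cve": "CVE-2024-00003"},
    {"host": "web01", "cve": " cve-2025-00002"},  # scanner output, untidy
    {"host": "app02", "cve": "CVE-2025-00004"},   # rated year, not listed
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS, HOT, WARM):
        print(f["rating"], f["cve"].strip(), f["host"])
```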

About

A repo for output of an intrusion prediction project
