why not just NVD?

A Better CVE API Than NVD

NVD is the most comprehensive public vulnerability database available. It is also built for human analysts, not automated systems. If you are building a CI/CD pipeline, an AI agent, or any automated system that needs to make decisions about software risk, querying NVD directly creates more work than it saves.

the core difference

NVD describes vulnerabilities. attestd describes operational risk state.

Querying NVD directly gives you CVE IDs, CVSS scores, and prose descriptions. That data is accurate and comprehensive. It is written for human analysts, not automated systems.

To turn an NVD record into an action your system can take, you need to parse CVSS vectors, cross-reference CISA KEV to check active exploitation status, normalize version ranges across inconsistent CPE namespaces, handle multi-range CVEs, filter sentinel records, and reconcile conflicting data across sources. That is significant engineering work, and it has to be maintained as NVD's format and enrichment levels change.

attestd does that work continuously, for every supported product. Your system sends a version string and gets back a structured verdict.

the difference
NVD direct
CVE-2021-44228
CVSS: 10.0
Description: Apache Log4j2 2.0-beta9 through 2.15.0...
[847 words of prose advisory]

Requires parsing CVSS, reading prose, and cross-referencing KEV before an automated system can form a conclusion.

attestd (machine-readable)
{
  "risk_state": "critical",
  "actively_exploited": true,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "2.17.1"
}

No parsing. No cross-referencing. No interpretation.
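
An added example, not attestd's own code: a CI gate that turns the verdict fields shown above into an allow/block decision and fails closed on anything malformed. The `gate` function, its `block_at` threshold and the blocking policy are assumptions for illustration, as is the expectation that every response carries all six fields.

```python
import json

# Values the page lists for risk_state, ordered from least to most severe.
RISK_ORDER = ["none", "low", "elevated", "high", "critical"]
BOOL_FIELDS = ("actively_exploited", "remote_exploitable",
               "authentication_required", "patch_available")


def gate(raw_json, block_at="high"):
    """Return (allow, reason) for one verdict. Hypothetical policy, fail closed."""
    try:
        v = json.loads(raw_json)
    except (TypeError, ValueError):
        return False, "unparseable response"
    if not isinstance(v, dict):
        return False, "unexpected response shape"
    state = v.get("risk_state")
    if state not in RISK_ORDER:
        return False, f"unknown risk_state: {state!r}"
    # A truthy string such as "false" must not pass as a boolean.
    for field in BOOL_FIELDS:
        if not isinstance(v.get(field), bool):
            return False, f"missing or non-boolean field: {field}"
    fix = v.get("fixed_version") if v["patch_available"] else None
    hint = f"; upgrade to {fix}" if fix else ""
    rank = RISK_ORDER.index(state)
    exposed = v["remote_exploitable"] and not v["authentication_required"]
    if v["actively_exploited"]:
        return False, "actively exploited" + hint
    if exposed and rank >= RISK_ORDER.index("elevated"):
        return False, f"unauthenticated remote exposure at {state}" + hint
    if rank >= RISK_ORDER.index(block_at):
        return False, f"risk_state {state} meets threshold {block_at}" + hint
    return True, f"risk_state {state} below threshold {block_at}"


# The response body shown on this page for the Log4j example.
PAGE_SAMPLE = """{
  "risk_state": "critical", "actively_exploited": true,
  "remote_exploitable": true, "authentication_required": false,
  "patch_available": true, "fixed_version": "2.17.1"
}"""

if __name__ == "__main__":
    allow, reason = gate(PAGE_SAMPLE)
    print("ALLOW" if allow else "BLOCK", "-", reason)
```

Because unknown `risk_state` values and non-boolean flags block the build, a change in the response format surfaces as a failed pipeline rather than a silent pass.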

feature comparison

What you get from each

| Feature | NVD | attestd |
| --- | --- | --- |
| Structured for automated systems | No | Yes |
| Single risk_state field (critical / high / elevated / low / none) | No | Yes |
| Active exploitation status pre-synthesized | Raw KEV data | Yes |
| Multi-source conflict resolution | Manual | Automatic |
| Supply chain integrity signals | No | Yes |
| Version range normalization | Manual | Automatic |
| Works without parsing or interpretation | No | Yes |

when to use each

When NVD is the right choice

NVD is the right tool when you need full advisory text, historical CVE data for audit or compliance reporting, or coverage for products not yet in attestd's coverage list.

When attestd is the right choice

get started

Try it in 30 seconds

The demo key works without signup and covers all 39 supported products.

bash
curl "https://api.attestd.io/v1/check?product=nginx&version=1.20.0" \
  -H "Authorization: Bearer attestd_demo_key"