cve2capec

The cve2capec tool plays a critical role in automated security workflows by allowing teams to query a pre-built CVE2CAPEC database. It maps Common Vulnerabilities and Exposures (CVEs) to Common Weakness Enumeration (CWE), CAPEC attack patterns, MITRE ATT&CK techniques, and D3FEND strategies, enabling fast lookups from a frequently updated threat intelligence database. It can also produce interactive visual diagrams to support reporting and analysis.

Ideal Use Cases & Fit

cve2capec excels in scenarios requiring structured threat intelligence mapping, such as:

  • Vulnerability triage: Linking discovered CVEs to known weaknesses, attack patterns, and defensive countermeasures.
  • Threat modelling: Understanding the full attack chain from a vulnerability through to applicable MITRE ATT&CK techniques.
  • Reporting and visualization: Generating interactive Sankey flow diagrams and MITRE ATT&CK Navigator heatmaps for stakeholder communication.

It is particularly effective when fed with lists of CVEs from prior vulnerability scanning stages. The tool is less suitable for real-time exploitation assessments or environments lacking a clear focus on CVE analysis.

Value in Workflows

Integrating cve2capec into security workflows enhances the efficacy of vulnerability analysis by providing actionable insights directly related to identified CVEs. It positions itself at the early reconnaissance and analysis stages of threat intelligence workflows, enabling analysts to understand vulnerabilities in context and make informed decisions regarding incident response and mitigation strategies. The optional diagram generation capabilities allow teams to produce visual outputs suitable for technical reports and executive summaries without additional tooling.

Input Data

The cve2capec tool expects a newline-separated list of CVE IDs as input. This data is essential for driving the querying process against the CVE2CAPEC database.

Example:

CVE-2023-1234
CVE-2023-5678
CVE-2024-9012
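As an added example, not part of the cve2capec tool itself, the Python below normalises a CVE list like the one above before it is submitted (case, blanks, comments, duplicates, malformed IDs) and then counts distinct CVEs per ATT&CK technique across the JSONL chain records the tool emits when neither diagram option is enabled (see Configuration below). The record layout, one JSON object per line with `cve`, `cwe`, `capec` and `attack` fields, and the sample mappings are assumptions, not the tool's documented schema.

```python
import json
import re

# CVE IDs are CVE-<year>-<sequence>; the sequence has four or more digits.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")


def is_cve_id(value: str) -> bool:
    return CVE_ID.match(value) is not None


def prepare_cve_list(text: str) -> list[str]:
    """Normalise a newline-separated CVE list before feeding it to the tool:
    trim, upper-case, skip blanks and '#' comments, de-duplicate keeping
    first-seen order, and reject malformed IDs before the query starts."""
    seen: set[str] = set()
    cves: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        value = raw.strip().upper()
        if not value or value.startswith("#"):
            continue
        if not is_cve_id(value):
            raise ValueError(f"line {lineno}: not a CVE ID: {raw.strip()!r}")
        if value not in seen:
            seen.add(value)
            cves.append(value)
    return cves


def technique_frequency(jsonl: str) -> dict[str, int]:
    """Count distinct CVEs per ATT&CK technique across JSONL chain records,
    the figure the Navigator heatmap visualises. One JSON object per line
    with 'cve' and 'attack' fields is an assumed layout, not documented."""
    cves_by_technique: dict[str, set[str]] = {}
    for line in jsonl.splitlines():
        if line.strip():
            record = json.loads(line)
            for technique in record.get("attack", []):
                cves_by_technique.setdefault(technique, set()).add(record["cve"])
    return {t: len(c) for t, c in sorted(cves_by_technique.items())}


# Constructed sample input: mixed case, a duplicate, a blank line and a comment.
SAMPLE_INPUT = "cve-2023-1234\nCVE-2023-5678\n\nCVE-2023-1234\n# batch 1\nCVE-2024-9012\n"

# Constructed chain records in the assumed layout; the mappings are illustrative.
SAMPLE_CHAINS = "\n".join([
    '{"cve": "CVE-2023-1234", "cwe": ["CWE-79"], "capec": ["CAPEC-63"], "attack": ["T1059.007"]}',
    '{"cve": "CVE-2023-5678", "cwe": ["CWE-89"], "capec": ["CAPEC-66"], "attack": ["T1190"]}',
    '{"cve": "CVE-2024-9012", "cwe": ["CWE-787"], "capec": ["CAPEC-100"], "attack": ["T1190", "T1203"]}',
])
```

Rejecting a malformed ID up front is cheaper than discovering it as an empty chain after the database query, and the per-technique counts are what the `generate-mitre` heatmap would show for the same input.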

Configuration

  • generate-sankey: Produces an interactive Sankey flow diagram visualizing the full mapping chain (CVE → CWE → CAPEC → ATT&CK → D3FEND). When enabled, the output format switches from JSONL to HTML.
  • generate-mitre: Produces an interactive MITRE ATT&CK Navigator heatmap showing technique coverage and frequency. When enabled, the output format switches from JSONL to HTML.
  • timeout: Sets how long the tool runs before it aborts the process, so that a long-running query does not hold up the rest of the workflow.

When both diagram parameters are enabled, the tool merges the two diagrams into a single HTML dashboard with collapsible sections. When neither diagram parameter is set, the tool outputs structured JSONL chain data suitable for downstream processing.

Updated: 2026-03-04