VIPER is your AI-powered co-pilot in the complex world of cyber threats, designed to provide actionable Vulnerability Intelligence, Prioritization, and Exploitation Reporting.
In an era of ever-increasing cyber threats, VIPER cuts through the noise. It ingests data from critical sources like NVD, EPSS, and the CISA KEV catalog, then leverages Google Gemini AI for deep contextual analysis and vulnerability prioritization. All this intelligence is centralized, enriched, and presented through multiple interfaces: an interactive Streamlit dashboard, a powerful CLI, and now integrated with Claude Desktop through MCP (Model Context Protocol) for natural language vulnerability analysis.
VIPER now includes a Model Context Protocol (MCP) server that integrates seamlessly with Claude Desktop, providing 12 powerful cybersecurity tools accessible through natural language:
- `perform_live_cve_lookup` - Full CVE analysis
- `get_nvd_cve_details` - NVD data
- `get_epss_data_for_cve` - Exploitation probability
- `check_cve_in_cisa_kev` - CISA KEV status
- `search_public_exploits_for_cve` - GitHub/Exploit-DB search
- `get_gemini_cve_analysis` - AI analysis
- `get_viper_risk_score` - Risk scoring
- `save_cve_data_to_viperdb` - Database storage
- And 4 more...
Usage Examples:
- "Analyze CVE-2024-3400 with full Viper analysis"
- "Find exploits for CVE-2023-44487"
- "Check if CVE-2024-1234 is in CISA KEV"
```bash
git clone https://github.com/ozanunal0/viper.git
cd viper
./setup.sh
cp env.example .env
# Edit .env with your settings:
# - GEMINI_API_KEY for Gemini AI (default provider)
# - Or set LLM_PROVIDER=ollama for local LLM
```
Claude Desktop MCP configuration:
```json
{
  "mcpServers": {
    "ViperMCPServer": {
      "command": "/FULL/PATH/TO/viper/run_mcp_clean.sh"
    }
  }
}
```
Claude Desktop (Recommended):
- Natural language vulnerability analysis
- Real-time CVE lookups
- Risk scoring and prioritization
Dashboard:
```bash
python main.py dashboard
```
CLI:
```bash
python main.py cli --days 7
```
For privacy-focused analysis without external API dependencies:
```bash
# 1. Set LLM provider to Ollama
echo "LLM_PROVIDER=ollama" >> .env
# 2. Start with Docker Compose (includes Ollama)
docker-compose up -d
# 3. Pull a model (run once)
docker exec -it viper_ollama ollama pull llama3:8b
# 4. Access VIPER at http://localhost:8501
```
- `llama3:8b` - Good balance of speed and quality (default)
- `llama3:70b` - Higher quality, requires more resources
- `codellama:7b` - Optimized for code analysis
- `mistral:7b` - Fast and efficient
```bash
# In .env file
LLM_PROVIDER=ollama
OLLAMA_API_BASE_URL=http://localhost:11434 # or http://ollama:11434 in Docker
LOCAL_LLM_MODEL_NAME=llama3:8b
```
- Multi-source data: NVD, EPSS, CISA KEV, Microsoft
- Flexible AI analysis: Choose between Gemini AI or local Ollama models
- Risk scoring: Weighted multi-factor scoring
- Live lookup: Real-time CVE analysis
- Multiple interfaces: Dashboard, CLI, Claude Desktop
- Privacy options: Local LLM support for offline/private analysis
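As an added illustration of the weighted multi-factor idea behind the risk score (example code written for this page, not VIPER's own scoring module or formula), the following Python joins constructed EPSS and CISA KEV records, shaped like those feeds, with a CVSS base score and a public-exploit flag into one priority score and triage tier. The weights, thresholds and feed values are hypothetical.

```python
import json

# Constructed sample records in the shape of the EPSS API and CISA KEV feeds (not live data);
# CVE-2024-1234 is the README's own placeholder id and the values below are made up.
EPSS_RESPONSE = json.loads(
    '{"data": [{"cve": "CVE-2024-1234", "epss": "0.91234", "percentile": "0.99801"}]}'
)
KEV_CATALOG = json.loads(
    '{"vulnerabilities": [{"cveID": "CVE-2024-1234", "knownRansomwareCampaignUse": "Known"}]}'
)

# Hypothetical weights, not VIPER's formula: CVSS 40, EPSS 30, KEV 20, public exploit 10,
# plus a 5-point bump for known ransomware use; the total is capped at 100.
WEIGHTS = {"cvss": 40.0, "epss": 30.0, "kev": 20.0, "exploit": 10.0, "ransomware": 5.0}

def epss_for(cve_id, epss_response=EPSS_RESPONSE):
    """Return the EPSS probability for cve_id, or 0.0 when the feed has no row for it."""
    for row in epss_response["data"]:
        if row["cve"] == cve_id:
            return float(row["epss"])
    return 0.0

def kev_entry(cve_id, kev_catalog=KEV_CATALOG):
    """Return the KEV catalog entry for cve_id, or None when it is not listed."""
    return next((v for v in kev_catalog["vulnerabilities"] if v["cveID"] == cve_id), None)

def risk_score(cvss_base, epss, in_kev, ransomware, public_exploit):
    """Weighted multi-factor score in [0, 100] built from the individual signals."""
    score = WEIGHTS["cvss"] * (cvss_base / 10.0) + WEIGHTS["epss"] * epss
    score += WEIGHTS["kev"] if in_kev else 0.0
    score += WEIGHTS["exploit"] if public_exploit else 0.0
    score += WEIGHTS["ransomware"] if ransomware else 0.0
    return round(min(score, 100.0), 1)

def tier(score):
    """Map a score to a triage tier; the thresholds are illustrative."""
    for floor, name in ((80, "Critical"), (60, "High"), (40, "Medium")):
        if score >= floor:
            return name
    return "Low"

def prioritize(cve_id, cvss_base, public_exploit=False):
    """Join the feeds for one CVE and return the enriched record with score and tier."""
    epss = epss_for(cve_id)
    kev = kev_entry(cve_id)
    ransomware = kev is not None and kev.get("knownRansomwareCampaignUse") == "Known"
    score = risk_score(cvss_base, epss, kev is not None, ransomware, public_exploit)
    return {"cve": cve_id, "epss": epss, "in_kev": kev is not None,
            "ransomware": ransomware, "score": score, "tier": tier(score)}
```

A CVE that appears in neither feed still gets a score from its CVSS base alone, which is what keeps newly published, not-yet-enriched entries from vanishing from the queue.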
- MCP Setup - Complete MCP configuration
- Development - Development setup
- Docker - Container deployment
- Database - Database configuration
Here's where we're headed:
- [✅] Full NVD API Pagination: Ensure complete ingestion of all relevant CVEs from NVD by implementing robust pagination in nvd_client.py to handle large result sets (addressing current partial data fetching).
- [✅] Solidify Retry Mechanisms: Continuously refine and test tenacity based retry logic across all external API clients (nvd_client.py, epss_client.py, cisa_kev_client.py, microsoft_update_client.py, gemini_analyzer.py) for maximum resilience.
- [✅] Dashboard Usability & Features:
  - [✅] Refine real-time CVE lookup: Optimize display and ensure all enrichment (EPSS, KEV, MSData, Gemini re-analysis) is available for live queries.
  - [✅] Enhance filtering and sorting options on all data tables.
  - [✅] Implement detailed CVE view modals or dedicated pages for better readability of all enriched data.
- [🚧] Automated Periodic Execution: Integrate APScheduler or configure system cron jobs to run the main_mvp.py data pipeline automatically at configurable intervals.
- [✅] Local LLM Support (Ollama Integration):
  - ✅ Implemented local LLM support through Ollama for enhanced privacy and offline capabilities.
  - ✅ AI-powered vulnerability analysis without external API dependencies.
  - ✅ Support for popular models like Llama3, Code Llama, and other Ollama-compatible models.
  - ✅ Configurable model selection and deployment options via environment variables.
- [✅] Other CISA Products & Feeds: Explore and integrate other relevant CISA feeds beyond the KEV catalog (e.g., CISA Alerts, Industrial Control Systems Advisories if applicable).
- [✅] Comprehensive Microsoft Patch Tuesday Parsing: Further refine microsoft_update_client.py to ensure accurate and detailed extraction of product families, specific product versions, and direct links to KB articles/MSRC guidance from CVRF/CSAF data.
- [🚧] Semantic Web Search Integration (EXA AI):
  - For high-priority CVEs or emerging threats, automatically search the web for technical analyses, blog posts, news articles, and threat actor reports.
  - Store relevant article metadata (URL, title, snippet, source) linked to CVEs.
- [🚧] AI-Powered Content Analysis (Gemini):
  - Summarization: Use Gemini to summarize fetched articles and reports related to a CVE.
  - Key Information Extraction: Extract TTPs (Tactics, Techniques, and Procedures), affected software/hardware, and potential mitigations from unstructured text.
  - Cross-Validation Support: Assist analysts by comparing information from different sources regarding a specific threat.
- [📋] Enhanced IOC Extraction:
  - Expand IOC (IPs, domains, hashes, URLs, mutexes, registry keys) extraction from all ingested text sources (NVD descriptions, MSRC summaries, KEV details, fetched articles) using Gemini's advanced understanding or specialized libraries like `iocextract`.
  - Create a robust, searchable IOC database.
- [📋] Natural Language to Query Translation (Advanced):
  - Leverage Gemini to translate natural language threat hunting hypotheses (e.g., "Are there any Cobalt Strike beacons communicating with newly registered domains?") into structured query formats like OCSF, KQL (Azure Sentinel), or Splunk SPL.
- [📋] Social Media Monitoring & Clustering (Advanced):
  - Ingest data from platforms like Twitter/X or specific Reddit communities (e.g., r/netsec) for early signals of new vulnerabilities or exploits.
  - Apply LLM-based semantic clustering (Gemini) to group discussions and identify emerging threat trends.
- [📋] Threat Actor & Malware Profiling:
  - Begin associating CVEs and IOCs with known threat actors and malware families (potentially integrating with MISP or other OSINT feeds).
  - Visualize these relationships in the dashboard.
- [📋] Advanced Dashboard Analytics:
  - Implement more sophisticated trend analysis, predictive insights (beyond EPSS), and customizable reporting features.
- [📋] User Accounts & Collaboration (Long-term): Allow multiple users, role-based access, and collaborative analysis features (e.g., shared notes, investigation assignments).
- [📋] Notification System: Implement email or other notifications for high-priority alerts or newly discovered critical CVEs matching predefined criteria.
- [📋] Database Optimization/Migration: For larger deployments, consider migrating from SQLite to a more scalable database like PostgreSQL.
Star ⭐ the repo if VIPER helps with your vulnerability management!