Built for security engineers who triage CVEs at scale
Stop reading CVSS scores.
Start knowing what to patch first.
NVD gives you raw data. CISA KEV gives you a list. Neither tells you whether that 9.8 CVE is actually reachable in your environment — or if the vendor already has a fix deployed. RiskScore does the synthesis so you don't have to.
Real example — CVE-2024-3400
✗ Before — manual triage
1. Pull CVE from scanner alert
2. Look up NVD → CVSS 10.0, no context
3. Check CISA KEV → listed, but why?
4. Search vendor advisory → 3 tabs, 20 min
5. Ask Slack if anyone knows if we're exposed
6. Guess a priority, move on
Time: ~25 min per CVE
✓ After — one API call
→ Risk score: 97/100 (exploited in wild)
→ CISA KEV: Yes, added 2024-04-12
→ Patch: Available — PAN-OS 11.1.2-h3
→ Plain-English summary + remediation link
Time: <1 second
Why not just use free sources?
Free is good for raw data. You still need to connect the dots yourself.
Free
Explore the API before committing
- ✓ 100 req/day · 5 req/min
- ✓ CVE risk scores
- ✓ CISA KEV data
- ✓ Basic search
- ✗ Bulk lookups
- ✗ Full CVE explanations
- ✗ Watchlist / Webhooks
No credit card required
Basic
Solo engineer or small team doing weekly triage
- ✓ 1,000 req/day · 30 req/min
- ✓ Full CVE explanations + remediation
- ✓ CISA KEV + EPSS enrichment
- ✓ Bulk lookup (50 CVEs/batch)
- ✓ Watchlist (up to 200 CVEs)
- ✓ MCP access
- ✗ Webhooks
- ✗ Email support
Cancel anytime · No lock-in
Pro
Security teams with automated pipelines
- ✓ 10,000 req/day · 120 req/min
- ✓ Everything in Basic
- ✓ Bulk lookup (500 CVEs/batch)
- ✓ Unlimited watchlist
- ✓ Webhooks (real-time alerts)
- ✓ Email support (<48h)
Team
Custom volume, SLA, and dedicated support
- ✓ Everything in Pro
- ✓ Custom rate limits
- ✓ Custom batch sizes
- ✓ Priority support (<24h SLA)
- ✓ Annual invoicing available
- ✓ On-call for critical incidents
Is Basic worth $9.99/month?
If you spend more than 20 minutes a week manually cross-referencing NVD, CISA KEV, and vendor advisories — Basic pays for itself in the first triage session. At 1,000 requests/day, it covers a team pulling CVE context programmatically without writing its own data pipeline.
Full Feature Comparison
Frequently Asked Questions
What counts as an API call?
Every HTTP request to the RiskScore API counts as one API call, regardless of the CVE queried. Requests that return a 4xx or 5xx error (server-side failures) do not count against your quota. Requests returning a 429 (rate limit exceeded) are not charged.
What happens when I hit my daily limit?
Requests over your daily limit receive a 429 response with a Retry-After header indicating when your quota resets (midnight UTC). Your application should handle 429s gracefully. Unused daily requests do not roll over to the next day.
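One way a triage job can act on that 429, shown as an added example rather than RiskScore's own client code. The function names and the `MAX_INLINE_WAIT` budget are assumptions, and the fallback to the next midnight UTC is used only when the Retry-After header is missing or unparseable.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed budget: the longest a pipeline job will sleep in place.
# Longer waits (an exhausted daily quota) are deferred to a later run.
MAX_INLINE_WAIT = 120  # seconds


def seconds_until_reset(retry_after, now):
    """Return how many seconds to wait after a 429.

    Retry-After may carry delta-seconds or an HTTP-date (RFC 9110).
    `now` must be a timezone-aware UTC datetime.
    """
    value = (retry_after or "").strip()
    if value.isascii() and value.isdigit():
        return int(value)
    if value:
        try:
            when = parsedate_to_datetime(value)
            if when.tzinfo is None:  # "-0000" zone parses as naive; treat as UTC
                when = when.replace(tzinfo=timezone.utc)
            return max(0, int((when - now).total_seconds()))
        except (TypeError, ValueError):
            pass  # unparseable header: fall through to the documented reset time
    # Fallback: the daily quota resets at midnight UTC.
    midnight = (now + timedelta(days=1)).replace(
        hour=0, minute=0, second=0, microsecond=0)
    return int((midnight - now).total_seconds())


def plan_after_429(retry_after, now):
    """Decide whether to sleep and retry, or defer the remaining lookups."""
    wait = seconds_until_reset(retry_after, now)
    action = "sleep" if wait <= MAX_INLINE_WAIT else "defer"
    return action, wait


if __name__ == "__main__":
    # Constructed sample values, not captured API responses.
    now = datetime(2024, 4, 12, 18, 0, 0, tzinfo=timezone.utc)
    for header in ("30", "Sat, 13 Apr 2024 00:00:00 GMT", None):
        print(repr(header), plan_after_429(header, now))
```

Deferring instead of sleeping keeps a scheduled triage run from blocking for hours once the daily quota is spent; the unprocessed CVE IDs can be queued for the first run after the reset.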
Can I cancel anytime?
Yes. Cancel from your account dashboard — no support ticket, no runaround. Cancellation takes effect at the end of your current billing period. You keep full access until then.
What payment methods do you accept?
All major credit and debit cards via Stripe (Visa, Mastercard, Amex, Discover). Team plan customers can arrange annual invoicing — email [email protected].
How does upgrading or downgrading work?
Upgrades take effect immediately and are prorated. Downgrades take effect at the end of your billing period — you keep full access until then.
Do you offer open source or non-profit discounts?
Yes. Open source projects and registered non-profits can apply for a free Pro plan. Email [email protected] with a link to your repository or non-profit registration.
Ready to cut triage time?
Start free. Upgrade to Basic when you need bulk lookups and full enrichment.
Free plan: 100 requests/day · No credit card · Cancel Basic anytime