All posts

Why We Built Free Patch and CVE Trackers

Senserva free vulnerability and patch trackers for Microsoft 365 and the whole stack: exploited CVEs, Microsoft patches, exploited this week, end-of-life, CVE management, and by vendor

With the big Microsoft patch day this June, I set out to add simple support for it on our site. Then I saw how many people were searching for KB numbers, CVE details, and the one question hiding behind both of them: is this actually being exploited, and do I have to move now? So I built something bigger than a single page. It is a set of free trackers that pull the authoritative sources together and rank by real risk.

The rules I set for myself

Before writing a line of it, I set a few ground rules. No login. No payment. Updated multiple times a day. And everything exportable to CSV and JSON, with RSS and JSON feeds so you can wire it into your own tooling. I found every free, authoritative source I could and pulled them together, giving each of them the credit they deserve.

The point was to be useful on its own, not a gate in front of a sign-up form. You should be able to land on it, get your answer, and leave, or subscribe to a feed and never come back to the page at all.

What is in the tracker set

Each tracker answers a different version of "what do I patch, and when."

Full non-Microsoft CISA KEV coverage, one page per CVE

Every actively exploited third-party CVE has its own permanent reference page. That page carries the EPSS score, the CISA due date and required action, whether it is tied to ransomware, the vendor advisory that fixes it, and the other exploited CVEs from the same vendor. So instead of pasting a raw NVD URL into a ticket, you can drop a clean link that already has the triage context attached. It is the entity-page model applied to the KEV catalog: one indexable, linkable page for every exploited vulnerability.

A Senserva AI read and a copy-paste AI prompt on every tracker

Two things make the trackers more than a static list. First, each page carries a short plain-language risk read: what changed, what is worth your attention, written from that day's live data, not invented. Second, each page has a ready-to-paste AI prompt built from the same live data, so you can drop the current exploited-CVE set into Claude, ChatGPT, or Copilot and triage it in your own words. No account, nothing to install. See Claude and the Senserva MCP if you want to go further and query your own environment.

Where the data comes from

The trackers pull from CISA KEV, NVD, FIRST.org EPSS, and Microsoft MSRC, cross-referenced with VulnCheck KEV and the ENISA EUVD. Every source is credited on the feeds and API page. The trackers do not replace those sources; they stitch them together and rank the result so you are not tab-hopping between five catalogs at eight in the morning.

Where this comes from

This work is not a bolt-on. I built HfNetChk, which became the foundation for Microsoft's Baseline Security Analyzer, and then Shavlik Technologies, which helped invent automated patch management as an industry before it was acquired. Ranking vulnerabilities by what is actually being exploited, and tying each one back to the update that fixes it, is the problem I have spent a career on. These trackers are that instinct made public and free. More on the Shavlik patch heritage.

Try it, and tell me what is missing

Everything above is live right now, free, with no sign-in. I would rather it be genuinely useful than a landing page, so if there is a source you want added, a column you wish it had, or a feed shape that would fit your tooling better, I want to hear it.

Open the full set of trackers, grab the JSON and RSS feeds, or run Senserva against a free demo tenant.

All posts