VulnCheck Launches Canary Intelligence to Provide Verified Evidence of Active Exploitation

LEXINGTON, Mass.--(BUSINESS WIRE)--VulnCheck, the exploit intelligence company, today announced the launch of Canary Intelligence, a new product that provides first-party, validated exploitation data from vulnerable systems deployed around the world, enabling defenders to prioritize faster, patch smarter and stay ahead of breaches.

VulnCheck continuously observes exploitation within these intentionally vulnerable systems, providing customers with early indicators of real-world exploitation activity. Unlike traditional reporting based on honeypots or second-hand data, each event captured by Canary Intelligence contains verified data on the attacking host, the targeted CVE and the payload used.

“Canary Intelligence replaces speculation with certainty,” said Jacob Baines, CTO, VulnCheck. “Security teams can now confirm which vulnerabilities are being exploited in the wild, by whom, and with what payloads. This verified telemetry enables organizations to prioritize remediation and detection based on real-world attacker behavior, not observed attempts or theoretical severity scores.”

VulnCheck Canary Intelligence enables security teams to:

• Correlate real attacker activity with threat actor behavior, ransomware families and in-the-wild exploits to enrich response workflows and tooling.
• Confirm when exploits are used by known threat actors by extracting encoded commands, payload variations, and enrich connections to infrastructure.
• Accelerate deployment of coverage for zero-day or n-day exploits by testing rule resilience against variants of attacker payloads.

VulnCheck recently published a report showcasing Canary Intelligence in action, documenting how the product detected active exploitation of XWiki CVE-2025-24893. The findings detail a two-stage attack chain that delivers a coinminer via a template-injection vulnerability. The tool not only confirmed the exploitation chain and infrastructure, but also provided concrete indicators defenders can use to identify related activity quickly and effectively.

Today, VulnCheck Canaries have observed exploit activity for 231 VulnCheck KEVs, 20 of which had no prior publicly reported exploitation evidence. VulnCheck Canary Intelligence also includes in-the-wild detections of more than 500 CVEs, just over 230 of which are on CISA KEV.

All events captured by Canary Intelligence are ingested, enriched, and integrated into VulnCheck’s broader suite of intelligence products, including VulnCheck KEV, Exploit and Vulnerability, and IP Intelligence datasets, providing unified and comprehensive visibility across the platform. Verified exploitation data from the new product is also available through API, UI and machine-readable data streams, ensuring seamless intelligence ingestion into existing tools, workflows and products.

VulnCheck Canary Intelligence is now generally available. For more information on the new product and other capabilities, visit https://www.vulncheck.com/product/canary-intelligence.

About VulnCheck
VulnCheck is the exploit intelligence company helping enterprise, global government organizations and cybersecurity vendors respond to new vulnerabilities and emerging threats faster with more context. Trusted by the world's largest organizations, VulnCheck protects hundreds of millions of systems and people worldwide, enabling them to outpace adversaries with threat intelligence solutions purpose-built for machine-level consumption and response actioning at scale. VulnCheck’s threat intelligence offerings equip teams with comprehensive, real-time exploit and vulnerability intelligence, first-party attack visibility and essential detections that are autonomously correlated and machine-readable, enabling emerging threat response in software vs human analysis. Follow the company on LinkedIn or X.

To learn more about VulnCheck, visit https://vulncheck.com/.