Documentation

Vulnerability Managenemt

With thousands of vulnerabilities disclosed every year, security teams can’t patch everything. The challenge is knowing which CVEs matter most to your organization—especially those being actively exploited or targeted by threat actors.

How can Google Threat Intelligence helps?

Google Threat Intelligence (Google TI) helps teams move beyond static severity scores and prioritize vulnerabilities based on real-world threat activity. By combining threat actor intent, malware associations, exploitation telemetry, and exposure data, Google TI enables more effective, risk-informed patching decisions.

Google TI provides unique visibility into how vulnerabilities are being exploited in the wild. It connects CVEs to the threat actors and malware using them, and tracks the speed and scale of their campaigns. With AI-powered analysis and expert-curated intelligence, your team can focus on the vulnerabilities that matter most to your organization.

Exploring Vulnerabilities

In the Vulnerability Intelligence tab, you can search, filter, and analyze all vulnerabilities tracked by Google TI. The key is using the powerful filters to surface the most relevant threats.

How to do it

  1. Go to Vulnerabilty Intelligence tab.
  2. Apply Your Filters: Start by combining criteria to narrow the results. For example, to find recently disclosed and actively exploited threats, set the following:
  • Risk Rating: Critical AND High
  • Creation Date: Last two months
  • Exploitation State: Confirmed
  1. Review the Report: Click on any vulnerability card to access a report with technical details, a list of affected products, available fixes, and crucial intelligence on how the vulnerability is being used in the wild.

You can adjust filters to make your search broader or more specific. See the documentation for a full list of options.

Scan your externally exposed infrastructure for vulnerabilities

Use Attack Surface Management (ASM) capabilities in Google TI to identify vulnerabilities across your organization’s internet-facing assets—before attackers do.

How to do it

  1. Go to the Attack Surface Management tab.

  2. Select your project and create collections to scan your infrastructure.
    Example: External Discovery & Assessment collection with “acme.com” as a seed.

  3. Filter for vulnerabilities by querying: CATEGORY=VULNERABILITY and setting a First seen date

Pro tip: Use the Google TI API to programmatically check for vulnerabilities in your ASM collections or integrate alerts into your security tools.

Find Malware Related to a CVE

Understand how vulnerabilities are being weaponized by identifying associated malware samples in Google TI. This approach reveals malicious files, including those not yet flagged by antivirus engines.

How to do it

  1. Go to Google TI Search.
  2. Run a query like:
entity:file tag:exploit tag:cve-2025* fs:90d+

This query returns files tagged as exploits and related to 2025 CVEs, seen for the first time in the last 90 days.

You can narrow the results further using a specific CVE such as tag:CVE-2024-3400.
For more information on File modifiers click here.

Ask How a Vulnerability Is Being Exploited

With Google TI, you can use natural language to query specific vulnerabilities. Instantly access answers from Google's extensive threat intelligence, revealing who is abusing security flaws and how. This powerful insight enables you to strategically prioritize patches, proactively counter threats, and significantly reduce your attack surface.

How to do it

  1. Go to Google TI Search.
  2. Ask a vulnerability question: 
how is CVE-2020-1472 being exploited?

To know more about how to use Gemini inside Google Threat Intelligence, read the documentation.

Updated about 13 hours ago