Precursor Joins the Shadowserver Alliance: Real Exploitation Data for UK Defenders
Precursor Security has joined the Shadowserver Alliance. As of today, our SOC, our pentest team, and the Precursor Intelligence platform all draw on Shadowserver's daily Known Exploited Vulnerabilities reports and global honeypot telemetry. That puts our clients ahead of the public KEV list by a meaningful margin, with direct evidence of what attackers are touching right now, not what they might touch in theory.
Why Shadowserver
The Shadowserver Foundation is the nonprofit Internet security foundation that most defenders have benefited from without realising it. Founded in 2004, incorporated as a US 501(c)(3) in 2007, with offices in Pleasanton, Amsterdam, and York, it runs at the scale that most commercial threat intel vendors only advertise:
- 4 billion IPv4 addresses scanned 122 times per day
- 4 million IP addresses sinkholed daily across 400+ malware families
- 2,750 Class C networks operating honeypot sensors
- 1 million new malware samples ingested and analysed per day
- 70 billion SSL certificates indexed
- 90+ daily threat intelligence feeds distributed for free to 7,000+ network owners and 201 National CSIRTs across 175 countries
Shadowserver charges nothing for the daily reports that underpin most national CERT operations. The Alliance is how the foundation funds that mission. Membership supports that work and gives us structured access to the intelligence feeds that matter most to our client base.
What Membership Gives Us
As a partner, Precursor now ingests two Shadowserver feed categories directly into our operational tooling.
Daily KEV feed. Shadowserver's daily Known Exploited Vulnerabilities data surfaces CVEs being actively exploited across their global sensor network. This is the upstream data source that much of the public KEV ecosystem draws from. Exploitation appears here days, sometimes weeks, before it propagates to the public catalogues most organisations watch.
Global honeypot data. Shadowserver operates honeypot sensors across 2,750 Class C networks. Every exploit attempt, every scanning pattern, every payload drop that lands on those sensors is evidence of live attacker behaviour. That data tells us which CVEs are under active exploitation right now, at the IP and payload level, not which ones might be exploited in theory.
How Clients See It
The intelligence reaches clients through three channels, and none of them require extra work from the buyer.
SOC portal. Shadowserver honeypot and KEV data is cross-referenced during alert triage. When a suspicious indicator matches a live exploitation pattern Shadowserver has observed in the past 72 hours, the alert is prioritised in the client portal with the supporting evidence attached. Analysts no longer need to guess whether a CVE is a real risk. The sensor data answers the question directly.
Pentest portal. Pentest findings now carry an exploitation-signal flag sourced from Shadowserver. When we identify a vulnerability during an engagement that matches a CVE currently under active exploitation, the finding is escalated and the remediation timeline in the report reflects that reality. Clients get a specific, evidenced reason for urgency rather than a generic CVSS score.
Precursor Intelligence. Our threat intelligence and attack surface management platform, precursorintelligence.com, now includes a "seen in the wild" indicator on discovered vulnerabilities, sourced directly from Shadowserver honeypot telemetry. The platform is available to anyone, not only clients of our managed services, so self-service users can map their exposures against live exploitation data without a sales call.
Why This Matters Operationally
Most vulnerability triage runs on a delay. A CVE is disclosed, a patch is released, a public advisory eventually publishes, and somewhere between those milestones the CVE starts showing real exploitation activity. Public KEV catalogues do valuable work, but they run days behind the attack data Shadowserver's sensors record.
For UK defenders working against NCSC CAF expectations and Cyber Security and Resilience Bill reporting timelines, that delay is material. A ransomware operator does not wait for a public KEV update before they weaponise a newly disclosed CVE. If the first time your team hears about active exploitation is from a public advisory, you are already behind the threat.
The combination of Shadowserver telemetry, our SOC context, and our pentest findings closes that gap. Clients get advance signal on exploitation activity and the operational tooling to respond to it in the same interface. That is what "defenders on the front foot" looks like in practice, measured in days rather than weeks.
"Shadowserver's data is the actual record of what attackers are doing, sourced from sensors that watch it happen. Plugging that into our SOC and pentest workflows means clients see which vulnerabilities demand action today based on live evidence, not a guessed risk score. That shortens the window between disclosure and defended state, which is where the real risk lives."
Jordan Carter, CTO, Precursor Security
What's Next
We will follow this announcement with a second piece in the coming weeks showing specific examples of vulnerabilities we surfaced for clients before they appeared in public KEV catalogues, once we have a meaningful sample of real cases.
In the meantime:
- Explore Precursor Intelligence. Live exploitation signal on discovered exposures at precursorintelligence.com. Free to use.
- Existing SOC or pentest clients. The Shadowserver-backed triage is active from today in your portal. No configuration required.
- Prospective clients. Book a scoping call to see how the integrated intelligence changes SOC alert triage and pentest prioritisation.
We are grateful to the Shadowserver Foundation for the work they do for the global security community, and proud to support that mission through the Alliance.
About the Shadowserver Foundation: Shadowserver is a nonprofit Internet security foundation dedicated to making the Internet more secure for everyone. It partners with national governments, network providers, enterprises, and law enforcement agencies worldwide to reveal Internet security vulnerabilities and expose malicious activity for remediation. Learn more at shadowserver.org.