■ Contrast Security — Hackathon 2026
VulnTriage
Quickstart Guide
What is VulnTriage?

VulnTriage is an AI-powered vulnerability and CVE triage lookup tool built for security and development teams. Instead of wading through dense NVD advisories or raw Contrast Security findings, you paste in a vulnerability and get back a structured, plain-English triage report in seconds.

It tells you what the vulnerability actually is, how an attacker would exploit it in practice, how risky it is given your specific stack and environment, and what to do about it — in priority order. It also notes how Contrast Security's IAST, ADR, and SCA tooling would detect or block that class of vulnerability.

It runs entirely in the browser — no backend, no accounts, no data stored. Just your browser, your API key, and Gemini.

Getting started
1. Get a free Google Gemini API key
VulnTriage is powered by Google Gemini. You'll need a free API key; no credit card is required.

Go to aistudio.google.com/apikey, sign in with your Google account, and click Create API key. It's instant and free. The key is a 39-character string that starts with AIza, for example:
AIzaSyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Treat it like a password: anyone holding it can make Gemini calls against your quota. Don't commit it to a repo or paste it into a shared document.
2. Enter your key in the app
Paste your API key into the Google Gemini API Key field at the bottom of the form. The key is used directly in the browser and is never sent to a VulnTriage server or any other third party; each request goes straight from your browser to Google's API. That also means the key lives in the page while you use it, so avoid entering it on a shared or untrusted machine, and revoke and reissue it in AI Studio if you think it has been exposed.
3. Pick an input mode
Choose the tab that matches your input:
CVE Lookup
Enter a CVE ID and hit "Fetch CVE" to auto-populate the description, or paste advisory text manually.
Contrast Finding
Paste a finding directly from the Contrast dashboard — rule name, route, evidence, stack trace.
Freeform
Describe any vulnerability or security concern in plain language — pen test notes, incident reports, anything.
4. Add context for better results
The more context you provide, the more actionable the triage. In CVE mode, fill in your tech stack (e.g. Java Spring Boot 3.1, PostgreSQL) and set the exposure level. In Contrast Finding mode, add the app name, environment, and any notes about data sensitivity or authentication.
5. Click Analyze and read your report
Hit Analyze Vulnerability and your triage report appears in a few seconds.
Understanding the output
What this is
Plain-English explanation of the vulnerability — no jargon, just what it is and why it matters.
Attack scenario
A realistic, concrete description of how an attacker would actually exploit this in practice.
Context assessment
Risk evaluated against your specific stack, exposure, and environment — not generic boilerplate.
Remediation steps
Numbered, actionable fix steps ordered by priority. Start from step 1.
Contrast notes
How Contrast Security's IAST, ADR, or SCA would detect or block this class of vulnerability.
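The browser-to-Gemini flow that steps 1 to 5 describe, and the five report sections listed above, written out as an added JavaScript example. This is not VulnTriage's own code: the Gemini REST endpoint and model name, carrying the key in the x-goog-api-key header rather than the URL, and the "## Heading" layout the prompt asks the model to follow are assumptions about how such a client could be built, not a description of how the app does it. The sample response at the bottom is constructed so the file runs offline.

```javascript
// Added example, not VulnTriage's code. Assumptions: the Gemini REST endpoint
// generativelanguage.googleapis.com/v1beta/models/{model}:generateContent, the
// x-goog-api-key header, the model name below, and the "## Heading" layout.

const GEMINI_MODEL = "gemini-1.5-flash"; // assumed; any model your key can call
const GEMINI_URL =
  `https://generativelanguage.googleapis.com/v1beta/models/${GEMINI_MODEL}:generateContent`;

// The five sections a triage report is expected to contain, in report order.
const SECTIONS = [
  "What this is",
  "Attack scenario",
  "Context assessment",
  "Remediation steps",
  "Contrast notes",
];

// Google API keys are 39 characters and start with "AIza". This catches paste
// errors before a request is sent; a well-formed key can still be revoked.
function looksLikeGeminiKey(key) {
  return /^AIza[0-9A-Za-z_-]{35}$/.test(key);
}

// CVE IDs: "CVE-", a four-digit year, a dash, four or more digits.
// Returns the canonical upper-case ID or null if the input is not one.
function normalizeCveId(raw) {
  const m = /^\s*(CVE-\d{4}-\d{4,})\s*$/i.exec(raw);
  return m ? m[1].toUpperCase() : null;
}

// Build the request the browser sends. The key goes in a header, not the URL,
// so it does not land in browser history, proxy logs or Referer headers.
function buildTriageRequest(apiKey, { mode, input, stack, exposure }) {
  if (!looksLikeGeminiKey(apiKey)) {
    throw new Error("API key does not look like a Google API key");
  }
  const prompt = [
    `You are a vulnerability triage assistant. Input mode: ${mode}.`,
    `Tech stack: ${stack || "unknown"}. Exposure: ${exposure || "unknown"}.`,
    "Reply in plain English using exactly these headings, each on its own line:",
    ...SECTIONS.map((s) => `## ${s}`),
    "Under 'Remediation steps', give a numbered list ordered by priority.",
    "Vulnerability input follows:",
    input,
  ].join("\n");
  return {
    url: GEMINI_URL,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/json", "x-goog-api-key": apiKey },
      body: JSON.stringify({ contents: [{ role: "user", parts: [{ text: prompt }] }] }),
    },
  };
}

// Pull the model text out of a generateContent response and split it into the
// five sections. Missing sections come back as "" instead of throwing.
function parseTriageReport(responseJson) {
  const text =
    responseJson?.candidates?.[0]?.content?.parts?.map((p) => p.text ?? "").join("") ?? "";
  const report = Object.fromEntries(SECTIONS.map((s) => [s, ""]));
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    const name = line.replace(/^#+\s*/, "").trim().toLowerCase();
    const heading = SECTIONS.find((s) => s.toLowerCase() === name);
    if (heading) { current = heading; continue; }
    if (current) report[current] += (report[current] ? "\n" : "") + line;
  }
  for (const s of SECTIONS) report[s] = report[s].trim();
  return { report, text };
}

// Remediation steps as an ordered array, so "start from step 1" is index 0.
function remediationSteps(report) {
  return report["Remediation steps"]
    .split(/\r?\n/)
    .map((l) => l.replace(/^\s*\d+[.)]\s*/, "").trim())
    .filter(Boolean);
}

// Live call (needs a real key and network; not exercised offline).
async function runTriage(apiKey, job) {
  const { url, init } = buildTriageRequest(apiKey, job);
  const res = await fetch(url, init);
  if (!res.ok) throw new Error(`Gemini API returned HTTP ${res.status}`);
  return parseTriageReport(await res.json());
}

// Constructed sample response (not real model output) so the parser can be run offline.
const SAMPLE_RESPONSE = {
  candidates: [{ content: { parts: [{ text: [
    "## What this is",
    "A deserialization flaw in a Java library.",
    "## Attack scenario",
    "An attacker posts a crafted object to an exposed endpoint.",
    "## Context assessment",
    "Internet-facing and unauthenticated: high.",
    "## Remediation steps",
    "1. Upgrade the library.",
    "2. Block the endpoint at the WAF until patched.",
    "## Contrast notes",
    "IAST flags untrusted deserialization at runtime.",
  ].join("\n") }] } }],
};

console.log(JSON.stringify(parseTriageReport(SAMPLE_RESPONSE).report, null, 2));
```

Two design points worth noting: the key check runs before any request is built, so a mispasted key fails locally instead of producing an opaque 400 from Google, and the parser tolerates a model that skips a heading rather than discarding the whole report.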
Tips
More context = better triage. Telling the tool your framework, whether the endpoint requires auth, and how sensitive the data is will produce a dramatically more useful risk assessment than a bare CVE ID.
Try the Fetch CVE button. It works well for any CVE from the last few years: it uses Gemini to write a clear, human-readable summary so you don't have to wade through the raw NVD record. Because that summary is written by a model rather than copied from NVD, confirm affected versions, CVSS score and fix releases against the official NVD or vendor advisory before acting on them, especially for very recent CVEs.
Privacy: VulnTriage stores nothing you enter. The app has no backend; your input goes directly from your browser to Google's Gemini API, and that's it. What Google does with the request is governed by Google's Gemini API terms, so think before pasting internal hostnames, credentials, customer data or other sensitive details from a finding.