Security Audit Any Website's Dependencies with CPE Data

February 13, 2026 · 8 min read

Every technology on a website is a potential attack surface. An outdated jQuery version, an unpatched WordPress plugin, a web server with a known CVE — these are the entry points attackers look for.

The problem is visibility. How do you know what technologies a website runs, and which of those have known vulnerabilities? Traditionally, this required manual inspection or expensive enterprise tools. Now you can automate it.

DetectZeStack returns CPE (Common Platform Enumeration) identifiers for detected technologies when available. CPE is the standard naming scheme used by NIST's National Vulnerability Database (NVD) to link software products to their known vulnerabilities (CVEs).

How CPE-Based Security Auditing Works

  1. Detect Technologies: Scan a website to identify all technologies, frameworks, and infrastructure
  2. Extract CPE IDs: Detected technologies include CPE identifiers when available
  3. Query NVD: Look up each CPE in the National Vulnerability Database for known CVEs
  4. Assess Risk: Prioritize findings by CVSS score and generate actionable reports

Step 1: Detect Technologies with CPE Data

When you analyze a website with DetectZeStack, the response includes a cpe field for detected technologies when available:

curl -s "https://detectzestack.com/analyze?url=example.com" \
  -H "X-Api-Key: YOUR_KEY" | jq '.technologies[] | {name, cpe}'

Example response:

[
  { "name": "Nginx", "cpe": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*" },
  { "name": "jQuery", "cpe": "cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*" },
  { "name": "WordPress", "cpe": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*" },
  { "name": "PHP", "cpe": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*" },
  { "name": "MySQL", "cpe": "cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*" }
]

What's a CPE? CPE is a structured naming scheme for IT products. cpe:2.3:a:wordpress:wordpress:* means "application (a), vendor wordpress, product wordpress, any version (*)." The NVD uses CPEs to link products to CVE entries.

Step 2: Query the NVD for Vulnerabilities

The NVD provides a free API for querying CVEs by CPE. Here's a Python script that takes DetectZeStack output and checks each technology for known vulnerabilities:

import sys
import time

import requests

DETECTZESTACK_URL = "https://detectzestack.com/analyze"
NVD_API_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"
API_KEY = "your-detectzestack-key"
# NVD rate limit without an API key: 5 requests per rolling 30-second window,
# so space requests 6 seconds apart (0.6 s between calls would trip the limit).
NVD_DELAY_SECONDS = 6

def extract_cvss(vuln):
    """Extract the CVSS base score from a CVE entry, preferring v3.1, then v3.0, then v2."""
    metrics = vuln["cve"].get("metrics", {})
    for version in ["cvssMetricV31", "cvssMetricV30", "cvssMetricV2"]:
        if version in metrics:
            return metrics[version][0]["cvssData"]["baseScore"]
    return None

def english_description(vuln):
    """Return the English description of a CVE entry, falling back to the first one listed."""
    descriptions = vuln["cve"].get("descriptions", [])
    for d in descriptions:
        if d.get("lang") == "en":
            return d["value"]
    return descriptions[0]["value"] if descriptions else ""

def audit_website(domain):
    # Step 1: Detect technologies
    resp = requests.get(DETECTZESTACK_URL, params={"url": domain},
                        headers={"X-Api-Key": API_KEY}, timeout=30)
    resp.raise_for_status()
    techs = resp.json().get("technologies", [])

    findings = []

    for tech in techs:
        cpe = tech.get("cpe")
        if not cpe:
            continue

        # Step 2: Query NVD for CVEs matching this CPE
        nvd_resp = requests.get(NVD_API_URL, params={
            "cpeName": cpe,
            "resultsPerPage": 10
        }, timeout=60)
        time.sleep(NVD_DELAY_SECONDS)
        if nvd_resp.status_code != 200:
            # NVD answers 403/503 when throttled or down; skip rather than crash the whole audit
            print(f"NVD lookup failed for {cpe}: HTTP {nvd_resp.status_code}", file=sys.stderr)
            continue

        data = nvd_resp.json()
        vulns = data.get("vulnerabilities", [])
        if vulns:
            # Rank this page by CVSS so the "top 5" really are the most severe
            vulns.sort(key=lambda v: extract_cvss(v) or 0, reverse=True)
            findings.append({
                "technology": tech["name"],
                "cpe": cpe,
                # totalResults is the full count; len(vulns) is capped by resultsPerPage
                "cve_count": data.get("totalResults", len(vulns)),
                "cves": [{
                    "id": v["cve"]["id"],
                    "description": english_description(v),
                    "cvss": extract_cvss(v)
                } for v in vulns[:5]]  # Top 5 by CVSS
            })

    return findings

if __name__ == "__main__":
    # Run the audit
    findings = audit_website("target-site.com")

    for f in findings:
        print(f"\n{f['technology']} ({f['cpe']})")
        print(f"  {f['cve_count']} known vulnerabilities")
        for cve in f['cves']:
            score = f"CVSS {cve['cvss']}" if cve['cvss'] is not None else "No score"
            print(f"  - {cve['id']} ({score})")
            print(f"    {cve['description'][:100]}...")

Sample output:

jQuery (cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*)
  4 known vulnerabilities
  - CVE-2020-11023 (CVSS 6.1)
    In jQuery versions greater than or equal to 1.0.3 and before 3.5.0...
  - CVE-2020-11022 (CVSS 6.1)
    In jQuery versions greater than or equal to 1.2 and before 3.5.0...
  - CVE-2019-11358 (CVSS 6.1)
    jQuery before 3.4.0, as used in Drupal, Backdrop CMS...

WordPress (cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*)
  47 known vulnerabilities
  - CVE-2024-31210 (CVSS 7.6)
    WordPress is an open publishing platform for the Web...

Note on versions: DetectZeStack detects technology presence but not always the exact version. CPE queries without version constraints return all known CVEs for that product. For more precise results, cross-reference detected version information when available.
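As an added example (not from the post or from DetectZeStack), the helpers below fill a detected version into the CPE 2.3 string and keep only NVD records whose cpeMatch version ranges actually cover that version; SAMPLE_VULN is a constructed stub in the NVD 2.0 configurations shape, using the range quoted in the CVE-2020-11023 description above.

```python
import re

# Inside a CPE 2.3 formatted-string component, everything except alphanumerics,
# underscore, period and hyphen must be backslash-escaped (including a literal '*').
_CPE_ESCAPE = re.compile(r"[^A-Za-z0-9_.\-]")

def cpe_with_version(cpe, version):
    """Fill the version component (index 5) of a CPE 2.3 string with a detected version."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    parts[5] = _CPE_ESCAPE.sub(lambda m: "\\" + m.group(0), version)
    return ":".join(parts)

def _vkey(version):
    """Numeric components padded to four places ('3.5' -> (3, 5, 0, 0)); a pre-release
    suffix such as '-rc1' is ignored, which is adequate for NVD range checks."""
    nums = [int(x) for x in re.findall(r"\d+", version.split("-")[0])]
    return tuple((nums + [0, 0, 0, 0])[:4])

def _in_range(version, match):
    """Apply the NVD cpeMatch version bounds (start/end, including/excluding)."""
    k = _vkey(version)
    lo_inc, lo_exc = match.get("versionStartIncluding"), match.get("versionStartExcluding")
    hi_inc, hi_exc = match.get("versionEndIncluding"), match.get("versionEndExcluding")
    return not ((lo_inc and k < _vkey(lo_inc)) or (lo_exc and k <= _vkey(lo_exc))
                or (hi_inc and k > _vkey(hi_inc)) or (hi_exc and k >= _vkey(hi_exc)))

def affects_version(vuln, cpe, version):
    """True if a vulnerable cpeMatch entry of the NVD 2.0 record covers cpe's vendor:product at version."""
    vendor_product = cpe.split(":")[3:5]
    for conf in vuln["cve"].get("configurations", []):
        for node in conf.get("nodes", []):
            for m in node.get("cpeMatch", []):
                crit = m["criteria"].split(":")
                if not m.get("vulnerable") or crit[3:5] != vendor_product:
                    continue
                # An explicit version in the criteria must match exactly; '*' and '-' defer to the range fields
                if crit[5] not in ("*", "-") and _vkey(crit[5]) != _vkey(version):
                    continue
                if _in_range(version, m):
                    return True
    return False

JQUERY_CPE = "cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*"
# Constructed stub in the NVD 2.0 configurations shape, using the range from CVE-2020-11023's description (>= 1.0.3, < 3.5.0)
SAMPLE_VULN = {"cve": {"id": "CVE-2020-11023", "configurations": [{"nodes": [{"cpeMatch": [
    {"vulnerable": True, "criteria": JQUERY_CPE, "versionStartIncluding": "1.0.3", "versionEndExcluding": "3.5.0"}]}]}]}}
```

Feed the versioned CPE to the NVD query when DetectZeStack reports a version, and run affects_version over the returned records to drop CVEs that a newer release already fixed.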

Step 3: Automate Continuous Monitoring

Security isn't a one-time scan. Combine batch analysis with webhooks to monitor your attack surface on an ongoing basis:

# Scan all your domains weekly
curl -X POST "https://detectzestack.com/analyze/batch" \
  -H "X-Api-Key: YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"urls": ["app.yourcompany.com", "api.yourcompany.com",
               "blog.yourcompany.com", "docs.yourcompany.com"]}'

# Set up webhook to receive results when domains are analyzed
curl -X POST "https://detectzestack.com/webhooks" \
  -H "X-Api-Key: YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "domain": "app.yourcompany.com",
    "webhook_url": "https://your-siem.com/webhook/techstack",
    "secret": "hmac-secret-for-verification"
  }'

Each time you analyze a domain with webhooks configured, you'll receive a notification with the current tech stack. Combine this with scheduled scans to detect changes over time and check for newly introduced risks.
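An added example of the receiving side (not code from the post or from DetectZeStack): it checks the webhook's HMAC before trusting the delivery, then diffs the reported stack against the last stored one so new or vanished technologies, and any new technology outside a partner's approved list, are flagged. The hex HMAC-SHA256 scheme, the payload layout and the sample stacks are assumptions or constructed.

```python
import hashlib
import hmac
import json

WEBHOOK_SECRET = b"hmac-secret-for-verification"  # the secret registered with /webhooks

def verify_signature(body, signature_hex, secret=WEBHOOK_SECRET):
    """Check a hex HMAC-SHA256 over the raw request body. Hex SHA-256 is an assumption;
    use the header name and encoding DetectZeStack documents for your account."""
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_hex)  # constant-time, no early exit

def tech_names(payload):
    return {t["name"] for t in payload.get("technologies", [])}

def diff_stacks(previous, current, approved=frozenset()):
    """Compare two payloads (assumed to carry the same `technologies` array as /analyze)
    and list what appeared, what vanished, and what appeared without being pre-approved."""
    before, after = tech_names(previous), tech_names(current)
    added = after - before
    return {"added": sorted(added), "removed": sorted(before - after),
            "unapproved": sorted(added - approved)}

def handle_webhook(body, signature_hex, previous, approved=frozenset()):
    """Verify the delivery first, then diff it against the last stored stack for the domain.
    Returns None for an unverified delivery so nothing downstream acts on it."""
    if not verify_signature(body, signature_hex):
        return None
    current = json.loads(body)
    diff = diff_stacks(previous, current, approved)
    diff["domain"] = current.get("domain")
    return diff

def sign(body, secret=WEBHOOK_SECRET):
    """What the sender computes; used here only to build the constructed delivery below."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

# Constructed sample: the stack stored from last week's scan, and this week's delivery
PREVIOUS = {"domain": "partner.example", "technologies": [
    {"name": "Nginx", "cpe": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*"},
    {"name": "WordPress", "cpe": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*"}]}
CURRENT_BODY = json.dumps({"domain": "partner.example", "technologies": [
    {"name": "Nginx", "cpe": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*"},
    {"name": "ExampleCDN", "cpe": None}]}).encode()

if __name__ == "__main__":
    print(handle_webhook(CURRENT_BODY, sign(CURRENT_BODY), PREVIOUS, frozenset({"Nginx", "WordPress"})))
```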

Practical Security Use Cases

Vendor Risk Assessment

Before onboarding a SaaS vendor, audit their website's technology stack. Outdated frameworks or missing security headers are red flags. Use the batch endpoint to audit an entire vendor portfolio in seconds.

Supply Chain Monitoring

Track technology changes across your critical suppliers. If a partner's site suddenly drops HTTPS or switches to an unknown CDN, you want to know immediately. Webhooks make this passive monitoring effortless.

Penetration Test Reconnaissance

Start engagements with a comprehensive technology inventory. DetectZeStack's four detection layers (HTTP fingerprinting, DNS CNAME, TLS certificates, custom headers) surface infrastructure that manual inspection misses. The /compare endpoint can reveal shared infrastructure across multiple targets.

Compliance Reporting

Generate evidence that your web properties are using current, patched technologies. Automate monthly scans and produce reports mapping each technology to its vulnerability status for SOC 2, ISO 27001, or PCI DSS audits.

Building a Full Security Pipeline

Here's how the pieces fit together for a production security workflow:

  1. Inventory: Use /analyze/batch to scan all your domains and third-party vendors
  2. Enrich: Map each detected CPE to NVD CVEs with severity scores
  3. Prioritize: Rank findings by CVSS score and asset criticality
  4. Alert: Set up webhooks to get notified each time critical assets are analyzed
  5. Report: Generate compliance evidence showing current tech inventory and vulnerability status
  6. Remediate: Feed high-severity findings into your ticketing system (Jira, Linear, etc.)

Why not just use a vulnerability scanner? Traditional scanners (Nessus, Qualys) require network access and authenticated scans. DetectZeStack works from the outside — you can audit any public website, including vendor sites you don't control. They're complementary tools.

Cost of External Security Auditing

Manual vendor security assessments typically cost $500-2,000 per vendor. Automated tools like BitSight or SecurityScorecard charge $15,000-50,000/year.

With DetectZeStack at $9/month (1,000 requests), you can audit 1,000 domains per month — enough for continuous monitoring of your entire vendor portfolio. That's the kind of coverage that was previously only available to enterprises.

Start Your Security Audit

100 requests/month free. Detect technologies and get CPE identifiers for NVD mapping.
