Alert Rules for Watchlist
Watchlist alerts notify you when new intelligence is published for a CVE you are tracking. Unlike environment alerts (which fire on new asset matches), watchlist alerts fire on changes to the exploitation landscape of a specific CVE.
When Watchlist Alerts Fire
A watchlist alert is triggered when any of the following changes occur for a watched CVE:
- EPSS spike: The EPSS score increases significantly (crosses a percentile threshold).
- New exploit code: A proof-of-concept or functional exploit is published for the CVE.
- KEV catalog addition: The CVE is added to the Known Exploited Vulnerabilities catalog.
- Exploit maturity change: The exploit maturity tier changes (e.g., from NONE to POC, or POC to FUNCTIONAL).
- New patch or advisory: The vendor releases a patch or publishes a new security advisory for the CVE.
- BCS score change: The BCS score changes significantly due to any of the above factors.
Configuring Watchlist Alert Destinations
Navigate to Integrations > Alert Rules and create a rule with the watchlist trigger:
- Click Add Rule.
- Name: Give the rule a descriptive name (e.g., "Watchlist updates to Slack").
- Trigger Event: Select watchlist.update.
- Destination Type: Choose from:
- Email: Sends an alert email to specified addresses.
- Microsoft Teams: Posts to a Teams channel via webhook.
- Slack: Posts to a Slack channel via webhook.
- Webhook: Sends an HTTP POST to any endpoint you configure.
- Destination Details: Fill in the destination-specific configuration (email address, webhook URL, etc.).
- Click Save Rule.
You can create multiple rules for the same trigger. For example, send watchlist updates to both email and Slack.
Alert Content
Watchlist alert notifications include:
- CVE ID and BSID
- What changed: A clear description of the intelligence update (e.g., "CVE-2025-32433 added to KEV catalog", "EPSS percentile increased from 45th to 92nd").
- Current scores: Updated BCS, CVSS, EPSS values.
- KEV status and exploit maturity
- Direct link to the CVE detail page in BreachSpider.
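As an added example (not BreachSpider's own code, and not its documented webhook schema), the following Python shows what a Webhook destination could do with a watchlist.update POST body: parse the alert, rank each change by the trigger types listed under When Watchlist Alerts Fire, and return a triage priority that tells the receiving team whether the update warrants operational escalation. The JSON field names and change type names are assumptions, and the sample body is constructed from the page's own example update.

```python
import json

# Maturity tiers named on the page (NONE -> POC -> FUNCTIONAL); the rank detects escalation.
MATURITY_RANK = {"NONE": 0, "POC": 1, "FUNCTIONAL": 2}

# Priority per change type (1 = act now, 3 = informational). The "type" values are an
# ASSUMED payload vocabulary, not BreachSpider's schema; map them to the real field names.
def classify_change(change):
    kind = change.get("type")
    if kind == "kev_added":
        return 1, "added to KEV catalog"
    if kind == "exploit_maturity":
        old = MATURITY_RANK.get(change.get("from", "NONE"), 0)
        new = MATURITY_RANK.get(change.get("to", "NONE"), 0)
        if new > old:
            return (1 if new == 2 else 2), f"exploit maturity {change.get('from')} -> {change.get('to')}"
        return 3, "exploit maturity changed (no escalation)"
    if kind == "exploit_published":
        return 2, "new exploit code published"
    if kind == "epss_percentile":
        to = int(change.get("to", 0))
        return (2 if to >= 90 else 3), f"EPSS percentile {change.get('from')} -> {to}"
    if kind in ("patch_released", "advisory_published", "bcs_change"):
        return 3, kind.replace("_", " ")
    return 3, f"unrecognised change type {kind!r}"  # never drop an alert silently

def triage_alert(payload):
    """Return {'cve_id', 'priority', 'reasons'} for one watchlist.update payload."""
    if payload.get("event") != "watchlist.update":
        raise ValueError(f"not a watchlist.update event: {payload.get('event')!r}")
    priority, reasons = 3, []
    for change in payload.get("changes") or [{"type": "unknown"}]:
        p, why = classify_change(change)
        priority = min(priority, p)  # the most urgent change wins
        reasons.append(why)
    return {"cve_id": payload.get("cve_id"), "priority": f"P{priority}", "reasons": reasons}

def handle_webhook_body(raw: bytes):
    """What the webhook endpoint does with the raw POST body: parse JSON, then triage."""
    return triage_alert(json.loads(raw))

# Constructed sample body mirroring the example update in the Alert Content section.
SAMPLE_BODY = json.dumps({
    "event": "watchlist.update",
    "cve_id": "CVE-2025-32433",
    "changes": [{"type": "kev_added"}, {"type": "epss_percentile", "from": 45, "to": 92}],
}).encode()

if __name__ == "__main__":
    print(handle_webhook_body(SAMPLE_BODY))
```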
Testing Watchlist Alerts
Before waiting for a real alert to fire, test your configuration:
- Navigate to Watchlist in the left sidebar.
- Find any watched CVE.
- Click the bell icon (test alert button) on that item.
- A test notification is sent to all destinations configured for the watchlist.update event.
- Verify the notification arrived in your email, Teams channel, Slack channel, or webhook endpoint.
Via API:
curl -X POST \
-H "Authorization: Bearer bs_live_..." \
"https://breachspider.com/api/v1/watchlist/42/test-alert"
If the test notification does not arrive, check your integration configuration under Integrations > Connections. For Teams and Slack, verify the webhook URL is correct and the channel allows incoming webhooks.
Best Practices
Keep your watchlist focused. A small, intentional watchlist (10-50 CVEs) produces clear, actionable alerts. A watchlist with hundreds of CVEs generates noise that reduces the signal value.
Review watchlist alerts promptly. A watchlist alert means something changed about a CVE you were already interested in. That change could be the trigger to escalate to operational action -- add assets to an environment, implement compensating controls, or alert your team.
Combine with environment alerts. Watchlist alerts cover CVEs you are tracking by choice. Environment alerts cover CVEs that match your assets automatically. Together, they provide comprehensive coverage: personal research intelligence and operational vulnerability management.
Remove stale entries. If a watched CVE is no longer relevant to your research or planning, remove it from the watchlist. This reduces alert noise and keeps the list actionable.