Tools
Tools we'd actually put in a colleague's hands.
Honest reviews of vulnerability intel feeds, scanners, asset inventory, and the daily-driver utilities a security operator reaches for. No affiliate relationships. Free tiers called out where they exist. We do not include a tool here that we wouldn't ask a friend to install on a slow Wednesday.
Tool reviews
-
Utility · May 24, 2026 · GCHQ · Free, Apache 2.0
CyberChef: GCHQ's data-mangling swiss army knife, runs in your browser
A browser-based tool for encoding, decoding, hashing, parsing, decrypting, and otherwise mangling data. 300+ operations, chainable into shareable recipes, runs entirely client-side. Apache 2.0.
-
Intel · May 24, 2026 · FIRST.org · Free, no key required
EPSS: the score that lets you push back on 'patch CVSS 9.8 in 24 hours'
A daily-updated probability that a given CVE will actually be exploited in the next 30 days. The tiebreaker for any CVSS-only patch policy.
-
Scanner · May 24, 2026 · ProjectDiscovery · Free, MIT licensed
Nuclei: the answer to 'is this CVE actually on our perimeter?'
A fast, YAML-templated vulnerability scanner with 12,000+ community-maintained templates covering CVEs, misconfigurations, and exposed services. Closes the gap between 'this CVE is bad' and 'do we have it.'
-
Inventory · May 24, 2026 · runZero · Free for up to 100 recent assets (no expiration)
runZero Community Edition: the asset inventory that finds the printer running Tomcat
Agentless network discovery and asset inventory for up to 100 recent assets, free with no expiration. Fingerprints obscure firmware most commercial scanners miss.
-
Intel · May 24, 2026 · VulnCheck · Free with community registration
VulnCheck: the KEV that's faster than CISA, and the NVD that actually works
A free community catalog of exploited CVEs that spots them about 27 days earlier than CISA KEV, plus a mirror of the NIST NVD that doesn't have the NVD's enrichment backlog.
Editorial vs sponsored
The reviews above are editorial, written by the desk, not paid placements. When PatchDay Alert runs sponsored listings in the future, they will be clearly labeled Sponsored, visually distinct from editorial reviews, and kept out of the editorial feed. The compliance lookup and other interactive tools are built in-house. If a review here turns out to be worse than we said, it gets corrected or pulled.