SecID: Label It. Find It. Use It.

The Problem

Security knowledge exists — discovering and navigating it is the hard part

• CVE records can contain links, but it's ad-hoc — no centralized way to discover all views of a vulnerability across MITRE, NVD, Red Hat, GitHub
• Navigating from CVE → CWE → ATT&CK → NIST controls is painful and fragile
• AI agents can browse websites, but we need resolution to be fast, reliable, and structured
• No one system makes it easy to discover connections between advisories, weaknesses, techniques, controls, and regulations

The problem isn't that the knowledge doesn't exist — it's that there's no easy way to discover it, to navigate across it, and to link and enrich it.

What SecID Is

A phone book for security knowledge

• One consistent format to reference anything:
  secid:advisory/mitre.org/cve#CVE-2024-1234
• A registry that tells you where to find it — URLs, APIs, lookup patterns
• Not a new authority — identifiers come from their sources. SecID indexes them.

We don't replace CVE, CWE, or ATT&CK — we connect them.

Familiar Building Blocks

No new concepts to learn

The innovation is applying proven infrastructure to security knowledge — not inventing new infrastructure.

v1.0 — What's Live Today

Released April 5, 2026

v1.0 — Multiple Views of the Same Thing

One CVE, many perspectives

secid:advisory/mitre.org/cve#CVE-2024-1234      → cve.org (canonical record)
secid:advisory/nist.gov/nvd#CVE-2024-1234       → nvd.nist.gov (CVSS, CPE enrichment)
secid:advisory/redhat.com/cve#CVE-2024-1234     → Red Hat (affected products, patches)
secid:advisory/github.com/advisories/ghsa#...    → GitHub (affected repos, PRs)

Same vulnerability. Different context. All findable. No ambiguity about which view.

Also applies to: regulations in different languages, frameworks across versions, standards across jurisdictions.

v1.0 — "Who Do I Report This To?"

502 CVE Program partners with structured CNA data

secid:disclosure/redhat.com/cna
  → cve.role: ["cna"]
  → cve.cna_id: CNA-2005-0006
  → cve.assignerOrgId: 53f830b8-...
  → cve.last_assigned_cve: CVE-2026-3184
  → disclosure_policy: access.redhat.com/articles/red_hat_cna_vulnerability_disclosure_policy
  → security_txt: redhat.com/.well-known/security.txt
  → contact: secalert@redhat.com

Structured fields on every CNA: formal CNA ID, CVE Program org UUID, last assigned CVE (staleness indicator), disclosure policy URL, security.txt status. All machine-queryable.

Am I safe? → Check safe_harbor. Will I get a CVE? → Check cve.role. Is there a bounty? → Check bug_bounty. What's the timeline? → Check disclosure_policy.

v1.0 — Cloud Security Capabilities

What can you configure? How do you audit it? How do you fix it?

secid:capability/amazon.com/aws/s3#default-encryption
  → options: SSE-S3, SSE-KMS, DSSE-KMS
  → default: AES256 (since January 2023)
  → audit: aws s3api get-bucket-encryption --bucket {bucket}
  → fix: aws s3api put-bucket-encryption ...
  → terraform: aws_s3_bucket_server_side_encryption_configuration

428 capabilities across 54 cloud services — neutral facts about what products provide. Separate from what frameworks say you MUST do (controls) or what the law requires (regulations).

Capabilities are facts. Controls are opinions. SecID catalogs both.

v1.0 — AI-Native from Day One

Three interfaces for three audiences

The MCP server gives AI agents 3 tools: resolve, lookup, describe. Responses include context, disambiguation guidance, and cross-references — agents can reason about security knowledge without external documentation.

One URL. Three tools. Every AI assistant becomes security-aware.

v1.0 — Security Methodologies

The process behind every mapping, score, and assessment

secid:methodology/nist.gov/ir-8477#strm
  → Set Theory Relationship Mapping — highest evidentiary weight
  → "Was this mapping done via STRM or a simple crosswalk?"

secid:methodology/first.org/cvss@4.0
  → CVSS v4.0 vulnerability scoring methodology

secid:methodology/cmu.edu/ssvc@2.0
  → Stakeholder-Specific Vulnerability Categorization

39 methodologies across 18 namespaces — scoring (CVSS, SSVC, EPSS), mapping (IR 8477, CTID), risk (ISO 27005, FAIR, NIST RMF), threat modeling (STRIDE, PASTA), testing (OWASP, PTES, OSSTMM), and more.

When someone says "this control maps to that framework" — the methodology type lets you ask how that mapping was established.

v1.0 — Tools Ecosystem

Four ways to use SecID

SDKs: Python · TypeScript · Go — all call the same API

Self-hosted storage: in-memory, Redis, memcached, SQLite — pluggable backends, same resolver

From "paste a URL" to "run your own resolver" — pick the level that fits your needs.

v1.0 — Cross-Source Search

Don't know which database? Just give the type and the ID.

secid:advisory/CVE-2024-1234
  → MITRE CVE    (weight: 100, url: cve.org/...)
  → NVD          (weight: 80,  url: nvd.nist.gov/...)
  → Red Hat      (weight: 80,  url: access.redhat.com/...)
  → SUSE         (weight: 80,  url: suse.com/...)
  → GitHub GHSA  (weight: 70,  url: github.com/advisories/...)

One query. Every source that knows about this CVE. Sorted by authority.

Works for any type: secid:weakness/CWE-79, secid:ttp/T1059.003, secid:control/AC-1.

v2.0 — What's Coming Next

From URLs to content. From links to knowledge.

v1.0 tells you where to look. v2.0 gives you the answer.

v2.0 — Data Federation

Three rules for hosting data

Rule 0: Respect the license. ISO standards? Registry entry only. CWE (MITRE ToU)? Host with attribution. US government work? Public domain, host freely.

Data repos: CloudSecurityAlliance-DataSets/SecID-weakness/, SecID-control/, SecID-regulation/, etc.

v2.0 — The Full Security Picture

One query, complete context

"Tell me about CVE-2024-1234"

→ CVE description + severity (from cvelistV5, cached)
→ CWE-79 weakness description + mitigations (from SecID-weakness data)
→ ATT&CK T1059 technique + detection methods (from STIX)
→ NIST 800-53 SI-4 control text (from SecID-control data)
→ CCM LOG-01 CSA control text (from SecID-control data)
→ AWS CloudTrail capability + audit CLI (from SecID-capability data)
→ CIS Benchmark 3.1 check (from SecID-control data)
→ Prowler automated check (from SecID-control data)
→ All vendor advisories with patch status

Today: 10 databases, manual navigation, hope you don't miss a connection.
v2.0: One traversal. Complete picture. Actual content at every node.

v2.0 — Capabilities as the Anchor

Facts vs. opinions

FACT (capability):
  secid:capability/amazon.com/aws/s3#default-encryption
  "S3 has encryption. Options: SSE-S3, SSE-KMS, DSSE-KMS."

OPINIONS (controls — may conflict):
  CIS says: "Must be enabled" (any option)
  DISA says: "Must use KMS specifically"
  PCI-DSS says: "Cardholder data must be encrypted"
  Your CISO says: "DSSE-KMS only, no exceptions"

The capability is neutral. The controls are opinions from different authorities. SecID catalogs all of them — the engineer compares and decides.

Capabilities don't change when a new regulation comes along. Opinions swirl around them. SecID makes both visible.

What SecID Enables at CSA

Infrastructure for the next generation of security programs

SecID is infrastructure. These programs are the products built on it.

Try It → Integrate It → Contribute

1. Try it
secid.cloudsecurityalliance.org — paste any CVE, CWE, ATT&CK ID, or type secid: to browse

2. Add to your AI assistant
MCP server: https://secid.cloudsecurityalliance.org/mcp — one URL, no config

3. Integrate it
REST API: GET /api/v1/resolve?secid=... — no auth, CORS enabled
SDKs: Python (pip install secid), TypeScript (npm install secid), Go

4. Contribute
Found something missing? github.com/CloudSecurityAlliance/SecID/issues
Adding a source is one JSON file. AI agents can help.