AttackerKB's public tier closes August 18
Rapid7 retires the public AttackerKB site and its open submissions on August 18. Analysis, writeups, and API access move behind curation and a customer login.
Rapid7 confirmed on Wednesday that its public AttackerKB platform will go dark on August 18, 2026. The sunset announcement, signed by Vulnerability Intelligence Director Douglas McKee, moves the platform’s remaining active parts — technical analysis, exploitation-context write-ups, and API access — into three destinations under Rapid7’s direct editorial control: the corporate blog, tagged “Technical Analysis”; the Rapid7 Vulnerability and Exploit Database, which the AttackerKB domain will auto-redirect to; and a restructured, customer-only API tier that existing API users will get individualized transition guidance for.
What isn’t moving is the model. AttackerKB was a public site that took public submissions — a lightweight community around vulnerability triage and real-world attacker-utility notes that ran alongside the Rapid7 blog for years. The submissions channel closes with the site. The API becomes a customer benefit rather than a public interface. The audience narrows.
Analysis: curation, and why now
Analysis, not incident reporting. What follows is a reading of a corporate change to a public resource. It is not a claim that anything at AttackerKB is currently broken, compromised, or under attack.
McKee’s post is direct about the reason. The move to a “more curated model” is framed as a way to “ensure users receive high-fidelity, verified vulnerability intelligence backed by our expert research teams,” and — more concretely — to reduce “the risk of inaccurate submissions (especially hastily AI-generated ones), and attempts to manipulate vulnerability information.” That is a candid statement, and the parenthetical is the interesting part. Rapid7 is not saying the community was bad. It is saying the moderation cost of separating good submissions from AI-generated dross had gotten high enough to change the shape of the platform.
Public vulnerability knowledge has drifted between public and private hosting for as long as it has existed, and the drift is usually in the same direction. Full-Disclosure and Bugtraq were the open lists of an earlier era; both are gone, folded up by their hosts after years of declining signal and growing noise. Open-source maintainers have spent the last two years describing, sometimes in exhausted detail, the specific pressure that AI-generated vulnerability reports place on volunteer triage — reports that look plausible on the surface and fall apart under any real investigation. AttackerKB was never a maintainer inbox, but it was in the same class of resource: a low-friction public channel where the cost of a bad submission was borne by whoever had to read it, and the volume of bad submissions is not what it was in 2022.
The gatekeepers of vulnerability context — vendors, PSIRTs, well-resourced research teams — have always had the option to run curated, private feeds. The interesting thing about the last two years is that the open, community-fed alternatives are the ones losing altitude. The AttackerKB retirement is the same class of decision: a public forum absorbed a signal-to-noise problem faster than moderation could handle it, and the sponsor decided the cost of filtering the noise was higher than the benefit of the community input. That is not a criticism of Rapid7 specifically. It is what usually happens.
What is being traded is not access to Rapid7’s own research — that stays public on the blog. What is being traded is the public submission channel and the public API. Those were the two features that made AttackerKB useful to people outside Rapid7’s customer base: independent researchers who wanted a place to publish a bounded, structured attacker-context writeup, and downstream tools that scraped the API for enrichment. Both audiences now route through a corporate blog and a customer contract instead.
What to do about the API
If your organization pulls from AttackerKB’s public API, McKee’s post promises “customer-specific guidance on available options, timing, and transition details.” If you have a Rapid7 customer relationship, that is the door to knock on. If you don’t, the practical path is to identify what fields you were consuming — Rapid7’s own attacker-utility notes, community-submitted assessments, or both — and pick the replacement accordingly. NVD and the CISA KEV catalog remain public. FIRST’s EPSS remains public. The community interpretation layer that sat on top of those, at least at this address, does not.
Sometimes “curated” is what a decade-old open resource becomes when it stops working. That doesn’t make the loss zero.
Sources
Found this useful? Share it.


