Content Packs
Infracast uses signed and encrypted content packs to deliver threat intelligence, compliance rules, and CVE data — even to air-gapped environments.
Overview
Content packs are versioned bundles containing:
- Vulnerability data — CISA KEV, EPSS scores, NVD cache
- Compliance rules — CIS benchmarks, NIST controls, CMMC requirements
- Threat intelligence — Active campaign indicators
- MITRE mappings — ATT&CK and D3FEND technique mappings
Security
All content packs are:
- Signed with Ed25519 for authenticity verification
- Encrypted with AES-256-GCM (key derived from license)
- Versioned with SHA-256 integrity checks
Delivery Methods
Pull (Automatic)
By default, Infracast syncs content from the CDN every 6 hours:
CONTENT_CDN_URL=https://<your-cdn>.cloudfront.net
Push (API)
Managed instances can receive content updates via API:
POST /api/v1/content/sync
Authorization: Bearer <admin-token>
Offline Import
For air-gapped deployments, export content packs and import manually:
# On connected system
vulcan content export --output ./content-bundle/
# Transfer to air-gapped system
scp -r ./content-bundle/ airgap:/opt/infracast/
# On air-gapped system
vulcan content import --file ./content-bundle/vulndb-kev-2026.04.02.pack
CLI Commands
# List installed content packs
vulcan content list
# Check for available updates
vulcan content check
# Download updates from CDN
vulcan content sync
# Show pack details
vulcan content show <pack-id>
# Export for offline transfer
vulcan content export --output ./export/
# Import offline bundle
vulcan content import --file <pack-file>
# Generate signing keys (pack authors only)
vulcan content genkey
# Create a content pack (pack authors only)
vulcan content create --id <id> --name <name> --input <json> --output <file>
API Endpoints
# List installed packs
GET /api/v1/content/packs
# Get pack details
GET /api/v1/content/packs/{packId}
# Check for updates
GET /api/v1/content/updates
# Get manager statistics
GET /api/v1/content/stats
# Trigger sync (admin only)
POST /api/v1/content/sync
# Import bundle (admin only)
POST /api/v1/content/import
Available Packs
| Pack ID | Description | Tier | Update Frequency |
|---|---|---|---|
vulndb-kev | CISA Known Exploited Vulnerabilities | Free | Daily |
vulndb-epss | FIRST EPSS Exploit Prediction Scores | Free | Daily |
compliance-cis | CIS Benchmark Rules | Pro | Weekly |
compliance-nist-800-53 | NIST 800-53 Controls | Pro | Monthly |
compliance-nist-800-171 | NIST 800-171 r2 — 114 rules for CUI protection | Enterprise | Monthly |
compliance-dfars | DFARS 252.204-7012 — 19 rules for CDI safeguarding | Enterprise | Monthly |
compliance-far | FAR 52.204-21/23/25/27 — 30 rules for federal contractors | Enterprise | Monthly |
compliance-cmmc | CMMC Level 1-3 Requirements | Enterprise | Monthly |
compliance-fedramp | FedRAMP Controls | Federal | Monthly |
mitre-attack | MITRE ATT&CK Mappings | Enterprise | Weekly |
mitre-defend | MITRE D3FEND Mappings | Enterprise | Weekly |
Environment Variables
| Variable | Description | Default |
|---|---|---|
CONTENT_CDN_URL | Content CDN base URL | https://<your-cdn>.cloudfront.net |
CONTENT_PUBLIC_KEY | Ed25519 public key for verification | (built-in) |
CONTENT_CACHE_DIR | Local cache directory | /tmp/infracast-content |