惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
Cyberwarzone
Cyberwarzone
The GitHub Blog
The GitHub Blog
云风的 BLOG
云风的 BLOG
P
Proofpoint News Feed
小众软件
小众软件
Recent Announcements
Recent Announcements
博客园 - 三生石上(FineUI控件)
Security Archives - TechRepublic
Security Archives - TechRepublic
W
WeLiveSecurity
Cloudbric
Cloudbric
博客园 - 司徒正美
美团技术团队
N
News and Events Feed by Topic
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
PCI Perspectives
PCI Perspectives
宝玉的分享
宝玉的分享
H
Help Net Security
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Google DeepMind News
Google DeepMind News
Help Net Security
Help Net Security
Last Week in AI
Last Week in AI
S
Schneier on Security
N
News | PayPal Newsroom
B
Blog RSS Feed
L
LINUX DO - 最新话题
T
Troy Hunt's Blog
S
Secure Thoughts
雷峰网
雷峰网
aimingoo的专栏
aimingoo的专栏
L
Lohrmann on Cybersecurity
G
Google Developers Blog
Microsoft Azure Blog
Microsoft Azure Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
T
Tenable Blog
S
Securelist
L
LangChain Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main
I
InfoQ
H
Heimdal Security Blog
Cisco Talos Blog
Cisco Talos Blog
F
Full Disclosure
Y
Y Combinator Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
K
Kaspersky official blog
T
Tailwind CSS Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
阮一峰的网络日志
阮一峰的网络日志
C
Cisco Blogs

Recorded Future

The Threat Isn’t the Frontier Model Iran-Nexus TAG-182 Disseminates MarkiRAT Surveillance Tool Where Expertise Meets Algorithm: The Insikt Group® Intelligence Edge Evaluating Mexico’s New Cybersecurity Plan The Purchase Scam Tactic Headed for the World Cup | Recorded Future FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Systems The Klue Security Incident and Its Impact on Recorded Future State Digital Surveillance Risk Landscape The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine Cyber-Enabled Maritime Sanctions Evasion Recorded Future Launches Impact and Metrics Dashboard 2026 FIFA World Cup: What Public Safety Officials Need to Know China's Noncombatant Evacuation Operations: 2005–2025 Russia’s Defense-Based Economy Risks Forcing Putin to Fight Wars May 2026 CVE Landscape Why Holistic Sourcing Wins: The Numbers Behind the Recorded Future Advantage Threats to the 2026 FIFA World Cup Remembering Sir Alex Younger Iran Expands Handala Brand to Physical Threats The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It. At Mythos Speed: A Defender's Playbook for the AI Vulnerability Surge in 2026 April 2026 CVE Landscape Beyond Acceleration and Automation: How AI + Intelligence Changes Cyber Defense A Complete History of Cybersecurity: From Early Viruses to AI-Powered Threats The Different Types of Payment Fraud and How to Prevent Them Digital Citizenship Glossary: Key Terms Every Internet User Should Know Quantum Risk Explained Threat Activity Enablers: The Backbone of Today’s Threat Landscape Recorded Future Named a Leader in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies. And there’s more. Hacking Embodied AI Working in London at the World’s Largest Intelligence Company Risk Scenarios for the US’s Strategic Pivot Building with AI: Here's What No Briefing Will Tell You Lazarus Doesn't Need AGI The Money Mule Solution: What Every Scam Has in Common From Overwhelmed to Autonomous: Rethinking Threat Intelligence in 2026 Critical minerals and cyber operations Today, trust is the superpower that makes innovation possible AI Hype vs. Reality: Is AI Really Rewriting the Vulnerability Equation? Evolution of Chinese-Language Guarantee Telegram Marketplaces Emerging Enterprise Security Risks of AI From Bazooka to Fake Nikes Your Supply Chain Breach Is Someone Else's Payday 4 Essential Integration Workflows for Operationalizing Threat Intelligence Recorded Future Iran War: Future Scenario and Business Implications A New Way to Buy Recorded Future: Solutions and Packages Built for the 2026 Threat Landscape March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day VIP Credential Monitoring Blog Third-Party Risk Is an Intelligence Operation. It's Time We Treated It Like One. Understanding and Anticipating Venezuelan Government Actions The Iran War: What You Need to Know Day in the Life: Product Manager at Recorded Future Panorama del cibercrimen en América Latina y el Caribe Latin America and the Caribbean Cybercrime Landscape Panorama do cibercrime na América Latina e Caribe Industrialization of the Fraud Ecosystem Blog The Shift: An Era of Quantum Geopolitics ClickFix Campaigns Targeting Windows and macOS 2025 Year in Review: Malicious, Infrastructure 2025 Identity Threat Landscape Report: Inside the Infostealer Economy: Credential Threats in 2025 February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January Latin America's Cybersecurity Turning Point: From Reactive Defense to Threat Intelligence Recorded Future Expands Coverage of Scams and Financial Fraud with Money Mule Intelligence from CYBERA January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day Preparing for Russia’s New Generation Warfare in Europe 2025 Cloud Threat Hunting and Defense Landscape GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack Network Intelligence: Your Questions, Global Answers Fragmentation Defined 2025's Threat Landscape. Here's What It Means for 2026 State of Security Report | Recorded Future From 27 Steps to 5: How Recorded Future Reimagined Threat Hunting with Autonomous Threat Operations Rublevka Team: Anatomy of a Russian Crypto Drainer Operation Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team | Recorded Future PurpleBravo’s Targeting of the IT Software Supply Chain Threat and Vulnerability Management in 2026 Best Ransomware Detection Tools December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity Practitioners Reveal What Makes Threat Intelligence Programs Mature GRU-Linked BlueDelta Evolves Credential Harvesting New ransomware tactics to watch out for in 2026 Digital Threat Detection Tools & Best Practices BlueDelta’s Persistent Campaign Against UKR.NET The $0 Transaction That Signaled a Nation-State Cyberattack China’s Zero-Day Pipeline: From Discovery to Deployment Cyber on the Geopolitical, Battlefield: Beyond the, “Big Fourˮ What’s Next for Enterprise Threat Intelligence in 2026 Palestine Action: Operations and Global Network Implications of Russia-India-China Trilateral Cooperation GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October 5 Real-Word Third-Party Risk Examples When the Digital World Turns Physical: The Expanding Role of Threat Intelligence in Executive Protection Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors The Bug That Won't Die: 10 Years of the Same Mistake The Hidden Cascade: Why Law Firm Breaches Destroy More than Data Intellexa’s Global Corporate Web The Maturity Gap: The Next Frontier in Threat Intelligence Inside the CopyCop Playbook: How to Fight Back in the Age of Synthetic Media AI Malware: Hype vs. Reality
NIST NVD Enrichment Policy Change: Prioritizing Vulnerabilities with Attacker Behavior Signals
Geraghty Anne Ellis · 2026-05-14 · via Recorded Future

As of April 15, 2026, NIST enriches only CVEs that appear in the CISA Known Exploited Vulnerabilities catalog, federal government software, or software designated critical under Executive Order 14028. Everything else carries a "Lowest Priority" status: no CVSS score, no affected product mappings, no weakness classification. NIST enriched roughly 42,000 CVEs in 2025, and submissions in early 2026 are running about a third higher year-over-year. Industry estimates suggest the prioritized categories will cover only 15–20% of anticipated CVE volume going forward.

For teams whose vulnerability management workflows depend on CVSS scores from NVD, this could create an operational gap. The CVEs in the unenriched backlog can signify real vulnerabilities affecting real software. They don't necessarily stop mattering because NIST didn't get to them.

Recorded Future does not believe that the solution is to source CVSS scores faster. Instead, Recorded Future endeavors to provide the signals that actually reflect attacker behavior. CVSS was designed to characterize the technical properties of a vulnerability — attack vector, complexity, required privileges, potential impact. CVSS was not designed with patch prioritization as a prime concern. This distinction has always existed; the growing gap in NVD enrichment increases the importance of the right intelligence and insights that can capture attacker behavior in real time.

Where vulnerability risk actually originates

Exploit code surfaces on GitHub. Proof-of-concept development gets discussed in offensive security forums and underground communities. Ransomware operators evaluate which vulnerabilities fit their deployment pipelines. Threat actors incorporate specific CVEs into their toolkits and begin scanning in search of exploitable targets.

At some point during or after that sequence, a CVE gets assigned and, under the previous policy, would eventually be enriched by NVD. By the time a practitioner sees a CVSS score in their scanner, the risk may already have materialized.

The delay between attacker use and the assignment of a CVE and CVSS score is not a new dynamic. For this reason, Recorded Future's vulnerability Risk Scores were never built to depend on NVD enrichment.

The intelligence that determines whether a vulnerability is dangerous originates in the technical communities, underground markets, exploit repositories, and malware ecosystems where attackers work. It does not come from institutional databases processing CVEs up to weeks or months post-assignment. NVD's policy change doesn't create a gap in Recorded Future's coverage because NVD is not the primary signal behind Recorded Future Vulnerability Intelligence.

What the model actually weighs

Recorded Future's risk scoring maps directly to the vulnerability weaponization lifecycle. Many of the signals fire based on where a CVE sits on that path, not on what NIST has or hasn't scored.

Figure 1: The vulnerability weaponization lifecycle, as displayed on Recorded Future’s Vulnerability Intelligence dashboard

Figure 1: The vulnerability weaponization lifecycle, as displayed on Recorded Future’s Vulnerability Intelligence dashboard (Source: Recorded Future).

The signals that carry the most weight are those tied to active exploitation in the wild — malware samples observed by Recorded Future's collection infrastructure, ransomware operations validated by Insikt Group® analysts, and other direct evidence of attacker use. Confirmed exploitation activity carries the most weight in the model, regardless of a CVE's CVSS score. These are the signals that answer the question practitioners actually need answered: is someone using this right now?

Below active exploitation, the model tracks proof-of-concept availability, including the distinction between a verified and unverified PoC. Verified exploit code that demonstrates remote execution is a materially different signal from an unverified proof of concept of unknown reliability. As an example, exploit code on GitHub is not theoretical risk; it usually compresses the time between disclosure and weaponization. Recorded Future Risk Scores treat it accordingly.

In addition to these collection and analytic capabilities, Recorded Future tracks web reporting about a CVE before NVD has published enrichment data. For the majority of new CVEs going forward, this pre-NVD signal may be the earliest structured intelligence available anywhere. A CVE that NIST has marked Lowest Priority can still accumulate signals across many dimensions. As a result, the absence of a CVSS score in NVD doesn't create a blind spot in Recorded Future's assessment.

CVSS still matters. It just isn't the foundation.

CVSS scores flow into the model from multiple sources. Many CVE numbering authorities (CNAs) supply CVSS scores at the point of submission, and CVSS coverage across published CVEs remained above 90% in 2025 even as NVD's independent enrichment narrowed. That doesn't mean CNA-supplied scores are interchangeable with NVD's. Academic analyses of dual-scored CVEs have documented divergence rates above 50% throughout the past decade, reaching 70% in 2023, with disagreements sometimes large enough to move a vulnerability across severity tiers. For CVEs where neither NVD nor a CNA has provided scoring, Recorded Future independently assigns scores through its own analysis. CVSS occupies one position in the model, alongside signals grounded in observable attacker behavior, and those signals operate independently of whether a CVSS score exists at all.

What to do with this

Audit where your prioritization signals come from. If your program is relying entirely or primarily on CVSS scores pulled from NVD, you may have exposure, not just from the existing backlog, but from every new CVE entering the ecosystem under the new policy.

Recorded Future Vulnerability Intelligence, as a part of the Cyber Operations solution, scores every CVE against the full signal set — exploitation activity, malware and ransomware associations, proof-of-concept availability, threat actor targeting, and analyst-validated intelligence. All independent of NVD's enrichment pipeline. See this prioritization and automation in action with this click-through tour.

See how Vulnerability Intelligence integrates with your existing vulnerability management workflow — request a demo.