Security Intelligence Briefing: NVD Updates & AI-Driven Threats
Topic: NIST NVD Operations, CVE Management, and AI Discovery
The cybersecurity landscape is currently undergoing a structural shift, defined by two converging forces: a massive influx of reported vulnerabilities managed by the NVD, and the rapid acceleration of AI-driven discovery.
In April 2026, the National Institute of Standards and Technology (NIST) announced a significant overhaul of the National Vulnerability Database (NVD). These changes coincide with an unprecedented surge in CVEs—many of which are being discovered at “machine speed” by AI systems—forcing the industry to adopt new triage strategies and risk-scoring models.
1. Major Operational Overhaul at NIST NVD
Since 2020, the NVD has witnessed a staggering 263% increase in CVE submissions. This surge has created a substantial backlog that began accumulating in early 2024, necessitating a fundamental change in how NIST processes vulnerability data.
New Prioritization Model
To manage this volume, NIST is moving away from the practice of enriching every submission. The new operational model prioritizes resources for high-impact and critical vulnerabilities only.
- Unscheduled Categorization: CVEs that do not meet high-risk criteria will be categorized as “unscheduled.” This classification aims to streamline the database and clear the accumulated backlog.
- Direct Request Process: Security teams retain the ability to escalate. A critical flaw that has been marked “unscheduled” can be prioritized by submitting a request by email to nvd@nist.gov.
2. The AI-Driven “Bug Surge” & Anthropic’s Strategy
The sheer volume of new vulnerabilities is largely attributed to the rise of AI-driven vulnerability discovery. Traditional human-led triage methods are struggling to keep pace with the speed of these automated discoveries.
Anthropic’s Mythos
Industry leader Anthropic has deployed its AI system, Mythos, to discover software flaws at “machine speed.” This capability far outstrips traditional discovery methods, significantly contributing to the CVE volume that is currently overwhelming the NVD.
The Role of EPSS (Exploit Prediction Scoring System)
To cope with the influx, Anthropic strongly advocates for the Exploit Prediction Scoring System (EPSS) as a primary triage tool.
- What it is: A machine-learning model developed by Empirical Security that predicts the probability of a vulnerability being exploited in the wild within the next 30 days.
- How it helps: EPSS lets security teams filter thousands of CVEs by their likelihood of exploitation rather than by severity score (CVSS) alone, so that remediation effort goes where it matters most.
- Industry Adoption: EPSS has seen rapid adoption, now integrated by over 120 security vendors, including CrowdStrike, Cisco, Palo Alto Networks, and Tenable.
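The triage approach described in this section, and the escalation path from section 1, as an added example that is not part of the briefing and not code from Anthropic, NIST or the EPSS project. It ranks a constructed set of CVE records by EPSS probability first and CVSS severity second, then lists the ones left “unscheduled” that would justify a direct request. The tier thresholds, the status labels and the placeholder CVE ids are all assumptions.

```python
"""EPSS-aware CVE triage: rank by exploitation likelihood, not severity alone."""
from dataclasses import dataclass

# Assumed thresholds, not taken from the briefing; tune them to your risk appetite.
EPSS_URGENT = 0.50    # >= 50% predicted chance of exploitation within 30 days
EPSS_ELEVATED = 0.10  # >= 10%
CVSS_HIGH = 7.0       # CVSS v3 "High" begins at 7.0

TIER_ORDER = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    cvss: float       # CVSS base score, 0.0 to 10.0
    epss: float       # EPSS probability, 0.0 to 1.0
    nvd_status: str   # "enriched" or "unscheduled" (hypothetical status labels)

    def __post_init__(self):
        # Reject malformed feed data early rather than ranking on garbage.
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError(f"{self.cve_id}: CVSS out of range: {self.cvss}")
        if not 0.0 <= self.epss <= 1.0:
            raise ValueError(f"{self.cve_id}: EPSS out of range: {self.epss}")


def triage_tier(rec: CveRecord) -> str:
    """Assign a tier in which exploitation likelihood (EPSS) outranks raw severity."""
    if rec.epss >= EPSS_URGENT:
        return "P1"   # likely to be exploited soon, whatever the CVSS says
    if rec.epss >= EPSS_ELEVATED and rec.cvss >= CVSS_HIGH:
        return "P2"   # plausible exploitation and serious impact
    if rec.epss >= EPSS_ELEVATED or rec.cvss >= CVSS_HIGH:
        return "P3"   # one signal only: severe-but-quiet, or likely-but-low-impact
    return "P4"


def rank(records):
    """Order records by tier, then EPSS, then CVSS (most urgent first)."""
    return sorted(records,
                  key=lambda r: (TIER_ORDER[triage_tier(r)], -r.epss, -r.cvss))


def cvss_only_order(records):
    """Baseline ordering by severity alone, kept for comparison."""
    return sorted(records, key=lambda r: -r.cvss)


def escalation_candidates(records):
    """CVEs left 'unscheduled' by NVD but sitting in P1/P2: worth a direct request."""
    return [r.cve_id for r in rank(records)
            if r.nvd_status == "unscheduled" and triage_tier(r) in ("P1", "P2")]


# Constructed sample data with placeholder CVE ids; these are not real vulnerabilities.
SAMPLE = [
    CveRecord("CVE-0000-0001", cvss=9.8, epss=0.02, nvd_status="enriched"),
    CveRecord("CVE-0000-0002", cvss=5.3, epss=0.87, nvd_status="unscheduled"),
    CveRecord("CVE-0000-0003", cvss=8.1, epss=0.25, nvd_status="unscheduled"),
    CveRecord("CVE-0000-0004", cvss=4.0, epss=0.01, nvd_status="unscheduled"),
]

if __name__ == "__main__":
    print("CVSS-only order:", [r.cve_id for r in cvss_only_order(SAMPLE)])
    for r in rank(SAMPLE):
        print(triage_tier(r), r.cve_id,
              f"cvss={r.cvss} epss={r.epss:.2f} nvd={r.nvd_status}")
    print("Escalate:", escalation_candidates(SAMPLE))
```

Run against the sample, the CVSS-only view puts the 9.8 with a 2% exploitation probability at the top, while the EPSS-aware ranking moves the medium-severity flaw with an 87% probability ahead of it; the two “unscheduled” entries in P1 and P2 are the ones to raise with NVD. In production the EPSS and CVSS values would come from your vulnerability feed rather than an inline list.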
3. Future Outlook & Limitations
While EPSS is currently a vital triage tool for managing the “bug surge,” experts warn of a potential “prediction gap.” As offensive AI capabilities continue to accelerate, a static 30-day prediction window may become too slow to effectively manage risks.
The industry is expected to evolve toward real-time risk scoring and broader, more dynamic exposure management strategies to keep pace with machine-speed threats.
Sources & Further Reading