NIST just made the enrichment gap official. We’ve been closing it all along.

Roey Vilnai
Director, Cyber Research, Axonius

NIST's recent announcement that it will no longer enrich all CVEs is the official acknowledgment of a reality Axonius has already been solving.
The National Institute of Standards and Technology (NIST) recently sent shockwaves through the cybersecurity community by announcing a formal shift in policy: it will no longer attempt to enrich every CVE in the National Vulnerability Database (NVD). By moving the massive backlog of thousands of vulnerabilities into a "Not Scheduled" status, NIST has turned what was once a "delay" into a permanent "data gap."
CVE volume is outpacing enrichment, and the gap is accelerating
The timing matters. CVE submissions to the NVD grew 263% between 2020 and 2025. Q1 2026 submissions are up another third over the same period last year. And that's before AI-driven vulnerability discovery scales further. Claude Mythos has already surfaced thousands of zero-days across every major OS and browser in a contained preview. The volume curve is moving in one direction.
For security teams, this creates a compounding problem. More CVEs disclosed, fewer enriched by NIST, faster exploit development, and shorter response windows. Programs that depend on NVD enrichment for severity scoring and asset mapping are now operating with a structural gap in their data.
This isn't a reason to panic. It's a reason to move past single-source dependency for vulnerability context. At Axonius, we never expected NIST to be the sole provider of truth. That’s why our platform is built to ingest, correlate, and enrich data from a diverse ecosystem of sources beyond just the NVD.
How Axonius handles the "un-enriched" CVE problem
NIST enrichment served two main purposes: severity scoring (CVSS) and product identification (CPE tags that map a CVE to affected software). Both helped security teams figure out how bad a vulnerability is and whether it affects them. When enrichment stops for a CVE, both inputs go missing from the NVD record.
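To make the two missing inputs concrete, the following added example (not Axonius code) checks an NVD-style CVE record for a CVSS score and for CPE tags, and notes whether any score present came from NVD or from another source. Field names follow the NVD CVE API 2.0 JSON layout; the sample records, CVE IDs, and the `cna@example.com` source are constructed.

```python
NVD_SOURCE = "nvd@nist.gov"  # source identifier NVD uses for its own scores
METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")

def scores(cve):
    """Yield (source, baseScore) for every CVSS entry, newest CVSS version first."""
    for key in METRIC_KEYS:
        for m in cve.get("metrics", {}).get(key, []):
            yield m.get("source"), m["cvssData"]["baseScore"]

def cpes(cve):
    """Collect CPE match strings marked vulnerable in the record's configurations."""
    return [c["criteria"]
            for conf in cve.get("configurations", [])
            for node in conf.get("nodes", [])
            for c in node.get("cpeMatch", []) if c.get("vulnerable")]

def enrichment_gaps(cve):
    """Report which of the two enrichment inputs (CVSS, CPE) the record lacks."""
    all_scores = list(scores(cve))
    nvd = [s for src, s in all_scores if src == NVD_SOURCE]
    other = [s for src, s in all_scores if src != NVD_SOURCE]
    if nvd:
        severity, origin = nvd[0], "nvd"
    elif other:
        severity, origin = other[0], "other-source"  # e.g. a CNA/vendor score
    else:
        severity, origin = None, "missing"
    return {"id": cve["id"], "status": cve.get("vulnStatus"),
            "severity": severity, "severity_origin": origin,
            "has_cpe": bool(cpes(cve))}

# Constructed records (not real CVEs). The "Not Scheduled" string is copied from
# the article as an assumption; the checks above do not depend on the status value.
SAMPLES = [
    {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
     "metrics": {"cvssMetricV31": [{"source": NVD_SOURCE, "cvssData": {"baseScore": 9.8}}]},
     "configurations": [{"nodes": [{"cpeMatch": [
         {"vulnerable": True, "criteria": "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*"}]}]}]},
    {"id": "CVE-0000-0002", "vulnStatus": "Not Scheduled",
     "metrics": {"cvssMetricV31": [{"source": "cna@example.com", "cvssData": {"baseScore": 7.2}}]}},
    {"id": "CVE-0000-0003", "vulnStatus": "Not Scheduled", "metrics": {}},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(enrichment_gaps(rec))
```

Records that come back with `severity_origin` of `missing` or `has_cpe` of `False` are the ones that need scoring or asset mapping from a source other than the NVD.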
Axonius customers are less exposed to this gap because the platform was never architected around the NVD as a single source of truth.
Asset-to-vulnerability mapping doesn't depend on CPE. CPE matching has always been brittle – version strings don't align, product names are inconsistent, and the tags themselves lag behind disclosure. Axonius maps vulnerabilities to assets through reconciliation: correlating findings from your scanners, CNAPP tools, identity providers, and endpoint platforms with a continuously updated asset model built from 1,400+ sources. The match happens through your actual environment data, not through a standardized product identifier that may or may not exist yet.
Severity context comes from multiple sources, not just NIST. Axonius ingests severity data from proprietary and third-party threat intelligence feeds that provide scoring independent of the NVD timeline, and pulls impact data directly from software vendors who are often the first to define the severity of a flaw. When NIST enrichment is delayed or absent, these sources fill the gap without waiting on a manual government review.
AI-driven enrichment closes what remains. For CVEs where external scoring is incomplete or missing, Axonius uses AI models to analyze vulnerability descriptions, vendor advisories, and technical documentation to predict CVSS severity and map vulnerabilities to the correct assets, even when official NVD tags don't exist. This is how coverage stays continuous as the NVD gap widens.
Contextual prioritization goes beyond what CVSS was ever designed to provide. A CVSS 9.8 on an isolated test server and a CVSS 7.2 on a production database with customer PII are different problems. Axonius layers asset criticality, ownership, control coverage, business impact, and dependency relationships onto every finding – context that determines whether a vulnerability actually matters in your environment.
Exposure coverage extends past CVEs entirely. The NVD only tracks CVEs. Misconfigurations, coverage gaps, identity risks, and policy violations were never in the NVD to begin with. Axonius Exposures unifies findings across 150+ security sources and 40+ asset types, covering exposure categories the NVD was never designed to address.
Doubling down on AI-driven vulnerability enrichment
The NVD shift is one piece of a larger pattern. CVE volume is climbing, AI-driven discovery will accelerate it further, and the infrastructure the industry has relied on for enrichment and prioritization is not scaling at the same rate. Programs built around a single enrichment source are now operating with a structural delay they can't afford.
We anticipated this shift and are investing accordingly. Our multi-source enrichment pipeline, AI-driven scoring, and contextual prioritization capabilities will continue to expand as the gap between disclosure volume and centralized enrichment widens. The goal is for Axonius customers to see their full exposure and act on it, regardless of what any single external source provides or doesn't provide.
