Recently, NIST announced an update to how the National Vulnerability Database (NVD) handles CVE enrichment, in response to a massive surge in vulnerability submissions. In the announcement, NIST indicated that the number of submissions increased by 263% between 2020 and 2025, requiring it to adopt a new, risk-based model for CVE prioritization.
This update includes new prioritization criteria, where NVD operations will prioritize enriching vulnerabilities that matter most, such as those in CISA’s Known Exploited Vulnerabilities (KEV) catalog and critical software.
While this changes the traditional flow of CVE severity scores and metadata, we see this as a positive signal for the cybersecurity industry, and as an opportunity for modernizing how vulnerability management teams approach risk.
The shift towards context-driven prioritization
For vulnerability management teams, this update is a pivotal moment. The era of relying heavily on static, standalone severity scores to drive patching cycles is giving way to a more mature, context-driven approach.
Historically, security and vulnerability management teams have been overwhelmed by endless lists of CVEs, often using static CVSS scores as the sole metric for prioritization. But as the NIST update highlights, treating all vulnerabilities equally, or relying on a single database to tell you what's critical, is no longer scalable. Instead of asking, "What is the assigned severity of this vulnerability?", teams are now empowered to ask, "What is the actual risk of this vulnerability in our specific environment?" This shift pushes security programs to evolve from theoretical, checklist-driven vulnerability management to an agile, risk-based approach.
A signal of a broader industry transformation
This evolution at NIST reflects a broader transformation taking place across the cybersecurity landscape. The sheer volume of vulnerabilities today means it's impossible for teams to patch everything, and that volume is only going to grow.
The recent announcement of Anthropic's new Claude Mythos model makes it clear that we are entering an era where AI can autonomously discover zero-days and rapidly develop exploits. In the short term, this means teams should expect a massive influx of AI-discovered CVEs. This compounds the volume problem: a stream of AI-discovered vulnerabilities will break traditional, static vulnerability management workflows built around CVE counts.
The shrinking window between "patch available" and "exploited in the wild" means we have reached a point where teams need to stop managing vulnerability counts based on static assigned severity and start managing true exposure based on actual impact. Teams need to evaluate vulnerabilities in the context of their environment rather than in isolation, alongside misconfigurations, identity permissions, network reachability, and sensitive data. This is how teams can cut through the noise and focus their time on the issues that actually impact the business.
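As an added example (not code from the original post, and not Wiz's or NIST's scoring model), the following Python script shows what context-driven prioritization looks like in practice: each finding carries its published CVSS score plus environmental facts (CISA KEV membership, internet reachability, identity privilege, access to sensitive data, and a co-located misconfiguration), and the ranking is driven by the combination rather than by CVSS alone. The multiplier weights, the attack-path rule, the CVE identifiers, and the asset names are all constructed placeholders for illustration.

```python
"""Context-driven ranking of vulnerability findings (illustrative example).

Weights, the attack-path rule, and all sample findings below are
constructed for this example; they are not a published scoring model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float                  # published CVSS base score
    in_kev: bool                 # listed in CISA's Known Exploited Vulnerabilities
    internet_exposed: bool       # reachable from the internet
    privileged_identity: bool    # workload identity has admin-level permissions
    sensitive_data: bool         # workload can reach sensitive data stores
    misconfigured: bool          # a misconfiguration sits on the same asset


# Assumed weights: known exploitation and reachability dominate, blast-radius
# factors (privilege, data, misconfiguration) amplify, unreachable assets are
# scaled down rather than ignored.
KEV_WEIGHT = 2.0
EXPOSED_WEIGHT = 1.5
UNREACHABLE_WEIGHT = 0.5
PRIVILEGE_WEIGHT = 1.25
DATA_WEIGHT = 1.25
MISCONFIG_WEIGHT = 1.2


def has_attack_path(f: Finding) -> bool:
    """Assumed rule: a finding is on an attack path when an attacker can reach
    the asset from the internet and, from there, gain privilege or data."""
    return f.internet_exposed and (f.privileged_identity or f.sensitive_data)


def context_score(f: Finding) -> float:
    """Start from CVSS and multiply in each environmental factor."""
    score = f.cvss
    score *= KEV_WEIGHT if f.in_kev else 1.0
    score *= EXPOSED_WEIGHT if f.internet_exposed else UNREACHABLE_WEIGHT
    score *= PRIVILEGE_WEIGHT if f.privileged_identity else 1.0
    score *= DATA_WEIGHT if f.sensitive_data else 1.0
    score *= MISCONFIG_WEIGHT if f.misconfigured else 1.0
    return score


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Findings ordered by contextual risk, highest first."""
    return sorted(findings, key=context_score, reverse=True)


def critical_exposures(findings: list[Finding]) -> list[str]:
    """CVEs worth fixing first: on an attack path and either already exploited
    in the wild or high severity (threshold 7.0 is an assumption)."""
    return [f.cve for f in prioritize(findings)
            if has_attack_path(f) and (f.in_kev or f.cvss >= 7.0)]


# Constructed sample findings; CVE IDs and asset names are placeholders.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "batch-worker-internal", 9.8, False, False, False, False, False),
    Finding("CVE-0000-0002", "web-gateway-prod", 7.5, True, True, True, True, False),
    Finding("CVE-0000-0003", "public-api", 8.1, False, True, False, True, True),
    Finding("CVE-0000-0004", "dev-sandbox", 5.3, True, False, False, False, False),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        path = "attack path" if has_attack_path(f) else "no path"
        print(f"{f.cve}  cvss={f.cvss:<4} context={context_score(f):6.2f}  {path}  {f.asset}")
    print("fix first:", critical_exposures(SAMPLE_FINDINGS))
```

Run as-is and the CVSS 9.8 finding on an unreachable internal worker drops to the bottom of the list, while the CVSS 7.5 finding that is in KEV, internet-facing, privileged, and adjacent to sensitive data ranks first. That reordering is the whole point of the shift: the same CVE carries a different risk on every asset it lands on.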
How Wiz supports the shift to risk-based prioritization
As the industry pivots toward this risk-based reality, the need for tools built for context has never been greater.
The Wiz platform was built from day 1 to solve this exact problem using context: moving beyond static CVE counts toward context-based risk prioritization. We believe security should be horizontal, unifying security data across the environment to provide the shared context necessary to make true risk-based decisions.
Wiz Exposure Management enables teams to move away from managing CVE counts to prioritizing true exposures by letting them:
Prioritize with context on the Wiz Security Graph: The Wiz Security Graph correlates vulnerabilities with context such as network exposure, identities, misconfigurations, data sensitivity, and more to identify the true attack paths that pose a critical risk to your business.
Validate exploitability with Wiz ASM & the Red Agent: Wiz ASM and the AI-powered Red Agent continuously discover and validate exploitable risks from the attacker's perspective so you can remove them proactively. By combining outside-in validation with inside environment context, you can prioritize exploitable risk based on its true impact.
Accelerate fixes with the Green Agent: Drive machine-speed remediation with actionable guidance and automated risk ownership. The Green Agent empowers developers to resolve risks at the root, drastically reducing your Mean Time to Remediate (MTTR).
Looking ahead
The NIST NVD update is an opportunity for security and vulnerability management teams to level up. By embracing a risk-based strategy, organizations can reduce friction with developer teams, eliminate the noise of non-critical CVEs, and measurably lower their real-world risk.
The future of security is horizontal, deeply contextual, and driven by actual environmental impact. At Wiz, we’re excited to help you navigate this transition and build a more secure, scalable future. To see Wiz in action, you can set up a live demo.