Vulnerability management in the age of generative AI

cyberwatch
February 27, 2026

At the Cyber-IA expo, Florian Wininger, CTO and co-founder of Cyberwatch, took stock of the current situation and shared his vision of how vulnerability management will evolve in the coming years. In 2025, no fewer than 48,000 CVEs were published, an average of 130 per day. As a result of this explosion, a growing number of CVEs are not being enriched in time, making rapid remediation impossible. AI will become indispensable for identifying, enriching, and prioritizing risks, but also for automating remediation.

Vulnerabilities on the rise: the end of centralization

Historically, vulnerability management relied on a central player: the National Vulnerability Database (NVD), managed by the National Institute of Standards and Technology (NIST). Its role was to list CVEs, assign them a severity score (CVSS), and link them to the products concerned (with CPE, Common Platform Enumeration, identifiers).

However, with the explosion in the number of vulnerabilities, the NVD can no longer keep up, resulting in publication delays, missing criticality scores, and a lack of information on affected products. At its last quarterly meeting, held in January 2026, NIST officials acknowledged that they were fighting a “lost battle” and indicated that they wanted to switch to a model where enrichment would be entrusted to CVE Numbering Authorities (CNAs).

CVE data enrichment: multiple sources

To enable the collection and enrichment of vulnerability-related information, an entire ecosystem has gradually been organized.

CNAs (CVE Numbering Authorities)

There are now nearly 490 organizations authorized to document CVEs, including a dozen at the “root” level, with full authority to issue CVE numbers.

Note: since November 2025, ENISA, the European cybersecurity agency, has been recognized as a root authority. In accordance with Article 12 of the NIS2 Directive, Europe finally has its own database, called EUVD (European Union Vulnerability Database).

ADPs (Authorized Data Publishers)

When a CNA publishes a CVE, it reports the existence of a vulnerability, but does not always provide the metadata essential for prioritization, such as the CVSS score or the CPE (affected product identifier). It is the role of ADPs (Authorized Data Publishers) to complete this information after the fact. Today, the US cybersecurity agency CISA is virtually the only ADP operating on a large scale.

European and national CERTs

European and national CERTs play an essential role in qualifying and triggering alerts on the most critical vulnerabilities. However, no CERT covers the entire technological spectrum. For example:

  • CERT-FR will be particularly relevant for tools that are widely used in France, such as the open-source GLPI solution, but less so for technologies such as SAP or AIX.
  • The Belgian CERT recently issued highly responsive alerts on emerging products such as Moltbot and OpenClaw.

The Vulnrichment open source initiative

To collectively enrich CVE data on a global scale, the open source project Vulnrichment (a contraction of Vulnerability + Enrichment) was also launched on GitHub, with around ten active contributors, including Cyberwatch.

AI for automatic CVE enrichment

To conduct broad-spectrum monitoring and accelerate the identification of new CVEs, Cyberwatch leverages the complementary nature of all these public sources: NVD, CNA, ADP, CERT, open source contributions, etc.

Beyond monitoring vulnerabilities and their level of criticality, one of the major challenges is to associate the right CPEs with each CVE, i.e., to precisely identify the products and versions concerned. Without this information, it is impossible to detect whether a vulnerability affects a given information system.

However, in 2025, a significant proportion of CVEs did not receive this enrichment in a timely manner: some waited several days, others never received it.

This is where artificial intelligence comes into play.

Faced with the multiplicity of information sources on CVEs, Cyberwatch has developed an AI-powered automatic enrichment model that can:

  • Automatically identify the CPEs associated with published CVEs;
  • Reconcile product and vendor names with CPE nomenclatures;
  • Process vulnerabilities on an hourly basis, without waiting for NVD updates.

The result: of the 48,000 vulnerabilities in 2025, 13,000 were automatically enriched, with a relatively low false positive rate. AI does not create the data, but it makes it usable in real time, where waiting for a human update would take days or even weeks.
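The CPE matching step described in this section, as an added example (not Cyberwatch's code): it parses CPE 2.3 strings, reconciles inventory labels with CPE naming, and shows that a CVE without CPE data cannot be matched to any asset. The inventory, CVE ids and version bounds are constructed; the range keys follow NVD's CPE match field names, and the name normalisation and version comparison are deliberate simplifications.

```python
import operator
import re

# Constructed sample data: placeholder CVE ids, made-up assets and version bounds.
INVENTORY = [
    {"name": "fw-paris-01", "vendor": "Fortinet", "product": "FortiOS", "version": "7.4.2"},
    {"name": "fw-lyon-02", "vendor": "Fortinet", "product": "FortiOS", "version": "7.4.9"},
    {"name": "mgr-01", "vendor": "Fortinet", "product": "FortiManager", "version": "7.4.2"},
]
ENRICHED = {"id": "CVE-0000-0001", "cpe_matches": [
    {"criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "7.4.0", "versionEndExcluding": "7.4.5"}]}
UNENRICHED = {"id": "CVE-0000-0002", "cpe_matches": []}  # published, never enriched

BOUNDS = {"versionStartIncluding": operator.ge, "versionStartExcluding": operator.gt,
          "versionEndIncluding": operator.le, "versionEndExcluding": operator.lt}

def parse_cpe(cpe):
    """Split a CPE 2.3 formatted string into (part, vendor, product, version)."""
    fields = re.split(r"(?<!\\):", cpe)  # a ':' escaped as '\:' stays inside its field
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return tuple(fields[2:6])

def cpe_name(label):
    """Map a free-text vendor/product label to CPE style: lowercase, underscores."""
    return re.sub(r"[^a-z0-9]+", "_", label.lower()).strip("_")

def version_key(version):
    """Sort key for dotted versions; non-numeric segments count as 0 (simplification)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def in_range(version, match):
    """Apply whichever optional version bounds are attached to one CPE match entry."""
    v = version_key(version)
    return all(op(v, version_key(match[k])) for k, op in BOUNDS.items() if k in match)

def affected_assets(cve, inventory):
    """Names of affected assets, or None when the CVE carries no CPE data to match on."""
    if not cve.get("cpe_matches"):
        return None  # exposure unknown: this is not the same as "not affected"
    hits = []
    for asset in inventory:
        name = (cpe_name(asset["vendor"]), cpe_name(asset["product"]))
        for match in cve["cpe_matches"]:
            _, vendor, product, version = parse_cpe(match["criteria"])
            if ((vendor, product) == name and version in ("*", asset["version"])
                    and in_range(asset["version"], match)):
                hits.append(asset["name"])
                break
    return hits
```

Returning `None` rather than an empty list for the unenriched CVE keeps "no data" distinct from "no affected assets", so a scanner can report the CVE as pending instead of silently clearing it.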

LLM-assisted CVE identification, prioritization, and remediation

In addition, Cyberwatch has integrated an MCP (Model Context Protocol) server into its vulnerability management solution. This allows users to interact with our platform directly from an LLM client (Claude, Copilot, ChatGPT, etc.) using natural language.

In concrete terms, users can ask questions such as “What are the latest critical vulnerabilities on my Fortinet equipment?” and obtain the following in real time:

  • A list of recent CVEs affecting Fortinet assets;
  • Identification of affected machines in the fleet (e.g., 6 FortiOS assets, 3 FortiAnalyzers, 3 FortiManagers, 1 FortiWeb);
  • The criticality level of each vulnerability;
  • A proposed remediation plan.

The advantage of this approach, compared to a search performed using an LLM that queries the web, is that Cyberwatch consults its database directly in real time and returns vulnerabilities published in the last few hours, without the risk of a delay of several weeks.

It is even possible to go further with autonomous AI agents capable of summarizing new vulnerabilities on a daily basis, identifying priority actions to be taken, and executing them automatically, without human intervention. This approach could well revolutionize CVE detection, prioritization, and remediation workflows in the coming years.

Want to learn more? Contact our teams.
