{"id":9994,"date":"2026-02-27T15:17:14","date_gmt":"2026-02-27T15:17:14","guid":{"rendered":"https:\/\/cyberwatch.fr\/?p=9994"},"modified":"2026-04-13T15:50:42","modified_gmt":"2026-04-13T15:50:42","slug":"vulnerability-management-in-the-age-of-generative-ai","status":"publish","type":"post","link":"https:\/\/cyberwatch.fr\/en\/news\/vulnerability-management-in-the-age-of-generative-ai\/","title":{"rendered":"Vulnerability management in the age of generative AI"},"content":{"rendered":"\n

At the Cyber-IA expo, Florian Wininger, CTO and co-founder of Cyberwatch, took stock of the current situation and shared his vision of how vulnerability management will evolve in the coming years. In 2025, no fewer than 48,000 CVEs were published, an average of 130 per day. Faced with this explosion, a growing number of them are not being enriched in time, making rapid remediation impossible. AI will become indispensable for identifying, enriching, and prioritizing risks, but also for automating remediation.<\/p>\n\n\n\n

Vulnerabilities on the rise: the end of centralization<\/h2>\n\n\n\n

Historically, vulnerability management relied on a central player: the National Vulnerability Database (NVD), managed by the National Institute of Standards and Technology (NIST). Its role was to list CVEs, assign them a severity score (CVSS), and link them to the products concerned (with CPE, Common Platform Enumeration, identifiers).<\/p>\n\n\n\n

However, with the explosion in the number of vulnerabilities, the NVD can no longer keep up, resulting in publication delays, missing criticality scores, and a lack of information on affected products. At its last quarterly meeting<\/a>, held in January 2026, NIST officials acknowledged that they were fighting a \u201clost battle\u201d and indicated that they wanted to switch to a model where enrichment would be entrusted to CVE Numbering Authorities (CNAs).<\/p>\n\n\n\n

CVE data enrichment: multiple sources<\/h2>\n\n\n\n

To enable the collection and enrichment of vulnerability-related information, an entire ecosystem has gradually been organized.<\/p>\n\n\n\n

CNAs (CVE Numbering Authorities)<\/h3>\n\n\n\n

There are now nearly 490 organizations authorized to document CVEs, including a dozen at the \u201croot\u201d level, with full authority to issue CVE numbers.<\/p>\n\n\n\n

Note: since November 2025, ENISA, the European cybersecurity agency, has been recognized as a root authority. In accordance with Article 12 of the NIS2 Directive, Europe finally has its own database, called EUVD<\/a> (European Union Vulnerability Database).<\/p>\n\n\n\n

ADPs (Authorized Data Publishers)<\/h3>\n\n\n\n

When a CNA publishes a CVE, it reports the existence of a vulnerability, but does not always provide the metadata essential for prioritization, such as the CVSS score or the CPE (affected product identifier). It is the role of ADPs (Authorized Data Publishers) to complete this information after the fact. Today, the US cybersecurity agency CISA is virtually the only ADP operating on a large scale.<\/p>\n\n\n\n

European and national CERTs<\/h3>\n\n\n\n

European and national CERTs play an essential role in qualifying and triggering alerts on the most critical vulnerabilities. However, no CERT covers the entire technological spectrum. For example:<\/p>\n\n\n\n