Cyber Posture

CVE → Mitigating-control coverage

How many CVEs carry our LLM-authored NIST 800-53 control recommendations, why the number is what it is, and what triggers more.

The number today

Of the ~355,000 CVEs in the NVD record, roughly 5.5% carry a cve_mitigating_controls annotation — a per-CVE list of the strongest NIST 800-53 r5 controls our analysis identifies, with a coverage rating and lifecycle facets (prevent/detect/respond/recover).

That's not an accident — it's a cost gate. Each annotation consumes two to three Grok calls (security-summary synthesis, threat-actor attribution, and the control-mapping pass). At scale that's real money, and most low-EPSS CVEs don't warrant the spend.

What qualifies a CVE for the spend

On publication day, the pipeline annotates CVEs that exceed any of the per-CVE Risk Priority components:

About 19,400 CVEs have cleared one of those bars to date; their detail pages render with the annotation block live.

The late-bloomer problem

Some CVEs become important after publication: EPSS climbs as exploitation evidence accumulates; CISA adds a CVE to KEV weeks or months after it shipped; CVSS changes during a re-score. By default, the publication-day gate is final, so those CVEs never re-enter the annotation pipeline.

The daily trigger script dbadmin/trigger_mc_backfill.py catches them: it finds CVEs that now satisfy the EPSS ≥ 0.05 or KEV-listed criteria but lack a cve_mitigating_controls row, and runs the synthesis-plus-annotation pipeline for each. The script passes --force-synthesis to bypass the global LLM master switch only for the CVEs that earned the spend.

Two cohorts

Two qualifying populations today:

KEV cohort: CVEs listed in CISA KEV that still lack a cve_mitigating_controls row.
EPSS-late cohort: CVEs whose EPSS has climbed to 0.05 or above since publication day and that still lack a row.

The KEV cohort is the higher-priority backfill — KEV membership is a confirmed-exploited signal, not a model prediction. The EPSS-late cohort is bigger but noisier.

Reading a missing-annotation page

When you land on a CVE detail page with no Mitigating Controls section, it's not a bug — the CVE didn't clear the gate, or it's in the queue. The fallback "controls that address this CVE's CWE" path (via controls_to_cwe_proposals) appears instead when the CWE→control bridge has candidates. That's lower specificity than the per-CVE pass but covers the long tail.

Refresh cadence

The trigger runs on the same daily cron as the rest of the pipeline, with a per-run cap (default 50 CVEs) to keep spend predictable. Coverage grows by hundreds per month; catch-up backfills can be run manually with --all or --limit N when desired.
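As an added illustration, not the project's own trigger_mc_backfill.py, the selection logic described in the late-bloomer, cohort and cadence sections above: a CVE qualifies for backfill when it lacks a cve_mitigating_controls row and is either KEV-listed or has EPSS ≥ 0.05; the KEV cohort is ordered first, and a per-run cap (default 50, with None standing in for --all) bounds the batch. The CveRecord type, the cohort labels and the sample records are assumptions constructed here.

```python
from dataclasses import dataclass
from typing import Optional

EPSS_THRESHOLD = 0.05   # the page's EPSS-late criterion
DEFAULT_LIMIT = 50      # the page's default per-run cap

@dataclass(frozen=True)
class CveRecord:            # hypothetical shape of one NVD-derived row
    cve_id: str
    epss: Optional[float]   # current EPSS probability, None if unscored
    in_kev: bool            # currently listed in CISA KEV
    has_controls: bool      # a cve_mitigating_controls row already exists

def cohort(rec: CveRecord) -> Optional[str]:
    """Return the backfill cohort a CVE belongs to, or None if it does not qualify."""
    if rec.has_controls:
        return None                  # already annotated, nothing to backfill
    if rec.in_kev:
        return "kev"                 # confirmed-exploited signal wins over the model score
    if rec.epss is not None and rec.epss >= EPSS_THRESHOLD:
        return "epss-late"
    return None

def select_backfill(records, limit=DEFAULT_LIMIT):
    """Pick CVEs for this run: KEV cohort first, then EPSS-late by descending EPSS, capped."""
    candidates = [(cohort(r), r) for r in records]
    candidates = [(c, r) for c, r in candidates if c is not None]
    # KEV before EPSS-late; within a cohort, higher EPSS first (None treated as 0).
    candidates.sort(key=lambda cr: (0 if cr[0] == "kev" else 1, -(cr[1].epss or 0.0)))
    chosen = candidates if limit is None else candidates[:limit]
    return [r.cve_id for _, r in chosen]

# Constructed sample records (placeholder IDs and scores, not real NVD data).
SAMPLE = [
    CveRecord("CVE-0000-0001", epss=0.91, in_kev=False, has_controls=True),   # already annotated
    CveRecord("CVE-0000-0002", epss=0.02, in_kev=True,  has_controls=False),  # KEV-listed, low EPSS
    CveRecord("CVE-0000-0003", epss=0.07, in_kev=False, has_controls=False),  # EPSS climbed past gate
    CveRecord("CVE-0000-0004", epss=0.01, in_kev=False, has_controls=False),  # still below the gate
    CveRecord("CVE-0000-0005", epss=None, in_kev=False, has_controls=False),  # unscored
    CveRecord("CVE-0000-0006", epss=0.40, in_kev=False, has_controls=False),  # EPSS climbed past gate
]

if __name__ == "__main__":
    print(select_backfill(SAMPLE, limit=2))   # ['CVE-0000-0002', 'CVE-0000-0006']
```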

Last updated 2026-06-04. Coverage numbers re-tally on each daily build.