CVE → Mitigating-control coverage
How many CVEs carry our LLM-authored NIST 800-53 control recommendations, why the number is what it is, and what triggers more.
The number today
Of the ~355,000 CVEs in the NVD record, roughly 5.5% carry a cve_mitigating_controls annotation — a per-CVE list of the strongest NIST 800-53 r5 controls our analysis identifies, with a coverage rating and lifecycle facets (prevent/detect/respond/recover).
That's not an accident — it's a cost gate. Each annotation consumes two to three Grok calls (security-summary synthesis, threat-actor attribution, and the control-mapping pass). At scale that's real money, and most low-EPSS CVEs don't warrant the spend.
What qualifies a CVE for the spend
On publication day, the pipeline annotates CVEs that meet any of the per-CVE Risk Priority component thresholds:
- Critical or High CVSS (≥ 7.0 baseScore)
- EPSS at publication ≥ 0.05
- CISA KEV listing
About 19,400 CVEs have cleared one of those bars to date. Their pages render with the annotation block live.
The late-bloomer problem
Some CVEs become important after publication: EPSS climbs as exploitation evidence accumulates; CISA adds a CVE to KEV weeks or months after it shipped; CVSS changes during a re-score. By default, the publication-day gate is final, so those CVEs never re-enter the annotation pipeline.
The daily trigger script dbadmin/trigger_mc_backfill.py catches them: it finds CVEs that now satisfy the EPSS-≥-0.05 or KEV-listed criteria but lack a cve_mitigating_controls row, and runs the synthesis-plus-annotation pipeline for each. The script passes --force-synthesis to bypass the global LLM master switch only for the CVEs that earned the spend.
Two cohorts
Two qualifying populations today:
- KEV gap: ~1,400 CVEs are KEV-listed but not yet annotated (CVEs added to KEV after their publication-day window).
- EPSS-late gap: ~32,000 CVEs currently sit at EPSS ≥ 0.05 but lack annotation. This is a larger cohort and churns daily as EPSS updates land.
The KEV cohort is the higher-priority backfill — KEV membership is a confirmed-exploited signal, not a model prediction. The EPSS-late cohort is bigger but noisier.
Reading a missing-annotation page
When you land on a CVE detail page with no Mitigating Controls section, it's not a bug — the CVE didn't clear the gate, or it's in the queue. The fallback "controls that address this CVE's CWE" path (via controls_to_cwe_proposals) appears instead when the CWE→control bridge has candidates. That's lower specificity than the per-CVE pass but covers the long tail.
Refresh cadence
The trigger runs on the same daily cron as the rest of the pipeline, with a per-run cap (default 50 CVEs) to keep spend predictable. Coverage grows by hundreds per month; catch-up backfills can be run manually with --all or --limit N when desired.
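The publication-day gate, the late-bloomer backfill and the per-run cap, as an added Python example that is not the project's trigger script: the record fields, the constructed sample rows and the ordering inside the EPSS-late cohort (highest current EPSS first) are assumptions.

```python
from dataclasses import dataclass

# Thresholds as stated on the page (any one component is enough to qualify).
CVSS_MIN = 7.0
EPSS_MIN = 0.05
DEFAULT_RUN_CAP = 50  # per-run cap the daily trigger applies by default


@dataclass
class CveRecord:
    """Hypothetical shape of a CVE row; the field names are assumptions."""
    cve_id: str
    cvss_base: float
    epss_at_pub: float       # EPSS score on publication day
    epss_now: float          # latest EPSS score
    kev_at_pub: bool         # KEV-listed on publication day
    kev_now: bool            # KEV-listed today
    annotated: bool = False  # True once a cve_mitigating_controls row exists


def publication_gate(rec: CveRecord) -> bool:
    """Publication-day gate: annotate if any Risk Priority component fires."""
    return rec.cvss_base >= CVSS_MIN or rec.epss_at_pub >= EPSS_MIN or rec.kev_at_pub


def backfill_candidates(records, cap=DEFAULT_RUN_CAP):
    """Late-bloomer pass: CVEs that now meet the EPSS or KEV criterion but
    still lack an annotation. The KEV gap is queued first (confirmed
    exploitation beats a model prediction); the EPSS-late gap fills the
    remainder of the cap, highest current EPSS first (an assumed tie-break)."""
    kev_gap = [r for r in records if r.kev_now and not r.annotated]
    epss_gap = [r for r in records
                if r.epss_now >= EPSS_MIN and not r.kev_now and not r.annotated]
    epss_gap.sort(key=lambda r: r.epss_now, reverse=True)
    return [r.cve_id for r in (kev_gap + epss_gap)[:cap]]


# Constructed sample rows (made-up IDs and scores, not real NVD data).
SAMPLE = [
    CveRecord("CVE-0000-0001", 9.8, 0.01, 0.01, False, False, annotated=True),  # cleared on CVSS day one
    CveRecord("CVE-0000-0002", 5.3, 0.02, 0.02, False, False),  # never qualified
    CveRecord("CVE-0000-0003", 6.1, 0.01, 0.40, False, False),  # EPSS climbed after publication
    CveRecord("CVE-0000-0004", 6.5, 0.02, 0.07, False, False),  # EPSS climbed after publication
    CveRecord("CVE-0000-0005", 4.0, 0.01, 0.01, False, True),   # added to KEV months later
]

if __name__ == "__main__":
    print("cleared the gate on publication day:",
          [r.cve_id for r in SAMPLE if publication_gate(r)])
    print("backfill this run (cap=2):", backfill_candidates(SAMPLE, cap=2))
```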
Last updated 2026-06-04. Coverage numbers re-tally on each daily build.