On April 15, 2026, NIST formally admitted what every honest vulnerability manager has been muttering for two years: the National Vulnerability Database can no longer keep up. From that day forward, NIST will only enrich CVEs that fall into one of three buckets — those listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, those affecting software used inside the federal government, and those covered by the Executive Order 14028 definition of "critical software." Everything else lands in the database as "Lowest Priority — not scheduled for immediate enrichment." NIST is also stepping out of the second-scorer role; if a CVE Numbering Authority already issued a CVSS score, NIST will no longer routinely overwrite or validate it.
Six days later, Anthropic's Mythos preview made it brutally clear why the timing matters. Mozilla testing reported by Help Net Security found that Mythos surfaced 271 vulnerabilities in a single Firefox build. Anthropic itself demonstrated Mythos autonomously writing a working remote code execution exploit for the FreeBSD NFS server, and described non-expert internal testers going to bed with a target and waking up to a complete exploit chain. In a controlled benchmark against historical Firefox vulnerabilities, Mythos produced functional exploits 181 times where earlier models had produced essentially none.
NIST tapping out. Mythos tapping in. Both inside the same week.
Either announcement on its own would be the most important vulnerability management story of the year. Together, they constitute a structural break. The plumbing that fed our scanners, dashboards, SLAs, and exception processes for the last fifteen years is being decommissioned at the exact moment a new generation of AI vulnerability discovery agents arrives to flood that plumbing with orders of magnitude more candidate flaws.
If you are responsible for vulnerability management in a federal agency, a Defense Industrial Base program office, a FedRAMP-authorized cloud service provider, or any organization that touches Controlled Unclassified Information, this is your inflection point.
The federal community has spent two years watching the NVD enrichment backlog grow. NIST itself reports that CVE submissions grew 263% between 2020 and 2025, that the agency enriched nearly 42,000 CVEs in 2025, and that first-quarter 2026 volume was already running roughly a third higher than the same quarter the year before. Tens of thousands of CVEs published after March 1, 2026 are now formally classified "Not Scheduled."
Strip the prose away and three things changed.
The first change is that NVD enrichment is now risk-triaged rather than universal. Enrichment is no longer a public good provided equally across the disclosure landscape; it is a finite resource reserved for what NIST and CISA judge most operationally important. If you operate niche industrial software, ICS firmware, mid-market SaaS, open-source libraries, or anything outside the EO 14028 list, your CVEs may sit in the database without normalized CPE strings, without a NIST-issued CVSS, and without the connective tissue that scanners and SOAR playbooks consume.
The second change is that NIST is no longer the second pair of eyes on severity. For decades, the NVD's adjudicated CVSS served as a quiet public arbitration layer. It was imperfect, sometimes slow, and occasionally contested, but it was there. It checked the vendor's homework. With that check withdrawn, severity now comes more directly from the entity disclosing the flaw, which is frequently the same entity that ships the affected product. Long-time vulnerability researchers have documented for years that vendor-issued scores skew lower than independent ones. That bias is about to become structural.
The third change is the most subtle and the most consequential: the National Vulnerability Database is no longer the universal translation layer that turned a raw CVE into an operationally legible object. For most enterprise vulnerability programs, the consumed artifact was never the CVE itself — it was the NVD-enriched CVE. That dependency was invisible, baked into ticket templates, ServiceNow workflows, scanner imports, and audit evidence. It is now partial.
NIST did not kill NVD. NIST killed the assumption that NVD would catch up.
The temptation is to treat Mythos as the latest AI hype cycle and discount the specifics. Don't. Mythos is not a chatbot writing pseudocode. It is an agent that takes a target, hunts for memory corruption and logic flaws, validates exploitability, and produces working proof-of-concept exploits — on a single overnight cycle, with human supervision optional.
The 271 vulnerabilities Mythos surfaced in Firefox 150 are not all critical, and many will resolve to duplicates, low-impact issues, or false positives. That is not the point. The point is the rate. A discovery process that previously required a senior security researcher with months of context can now be run on demand against arbitrary targets by anyone with the agent and the compute. The cost of finding a vulnerability is collapsing toward zero. The cost of triaging, normalizing, and operationalizing one is not.
This is precisely the asymmetry that Kodem Security and Latio Pulse have been articulating in recent weeks. Discovery is becoming cheaper than interpretation. Vulnerability disclosure is scaling faster than vulnerability meaning.
And Mythos is just the public artifact. OpenAI is already in private testing with its own cybersecurity-tuned model. Google's Big Sleep program has been quietly producing zero-day discoveries at scale for months. Inside well-resourced offensive teams — state-aligned and otherwise — the same techniques are already running on adversarial timelines. The Zero Day Clock, maintained by researchers who track time-to-exploit, now estimates the mean window from disclosure to active exploitation will reach roughly one hour this year and could approach one minute by 2028. It was 2.3 years in 2018.
Patch cadences built around quarterly maintenance windows were already inadequate. They are now negligent.
Walk into a typical agency or DIB contractor today and ask how vulnerabilities are prioritized. The honest answer in the majority of cases: "we patch everything CVSS 7.0 and above within thirty days." That practice is now actively dangerous, for three reasons.
It is dangerous because the CVSS score on a 2026 CVE will increasingly come from a single source — the CNA — without independent review, and with no accountability for downplaying severity. It is dangerous because patching every CVSS 7+ flaw will become combinatorially impossible as discovery accelerates. And it is dangerous because the actual exploit risk in your environment depends on factors CVSS never modeled: whether the affected code path is reachable, whether the vulnerable component is internet-exposed, whether the asset holds CUI, whether the misconfiguration that compounds the flaw is present, and whether your detection telemetry would catch the resulting behavior.
The mature alternative is not exotic. It is the prioritization stack that the most capable federal vulnerability programs and FedRAMP-authorized providers have been quietly building for three years.
KEV is the floor. CISA's Known Exploited Vulnerabilities catalog represents flaws with confirmed in-the-wild exploitation. Under Binding Operational Directive 22-01, federal civilian agencies are already required to remediate KEV-listed CVEs within prescribed timelines. KEV-listed flaws are not negotiable — they get patched, mitigated, or compensating-controlled, full stop. Mature programs go further, blending CISA KEV with private KEV-equivalent feeds from VulnCheck, Flashpoint, and similar providers, because CISA KEV captures perimeter-facing exploitation well and open-source library exploitation poorly. Only about half a percent of disclosed CVEs land in KEV at all, so KEV alone is a floor, not a ceiling.
EPSS is the prioritization spine. The Exploit Prediction Scoring System, governed by FIRST, is a probabilistic model that estimates the likelihood of a given CVE being exploited in the wild over the next thirty days. EPSS scores are published daily, derived from machine-learning models trained on actual exploitation telemetry, and applied across the entire CVE population — including CVEs that NVD will never enrich. Anthropic's own guidance for defenders preparing for AI-accelerated offense is unambiguous: patch CISA KEV first, then everything above a chosen EPSS threshold. EPSS is now embedded in more than 120 commercial security products, including the platforms most federal customers already license.
There are legitimate critiques. Cloudflare's chief cyber solutions officer Ramy Houssaini has argued that both CVSS and EPSS are insufficient in a world where time-to-exploit is collapsing, because EPSS uses a thirty-day forward window and AI-accelerated exploitation can compress that to minutes. The critique is fair as far as it goes. But the answer is not abandoning EPSS — the answer is layering EPSS with the next two stages of the stack.
Local context is the multiplier. A CVE matters in your environment based on whether the affected component is actually deployed, whether the vulnerable code path is reachable from a network or identity surface you expose, whether compensating controls in your boundary, identity, and runtime layers neutralize the exploit primitive, and whether the affected asset holds data that justifies the cost of remediation. This is where asset inventory, software bill of materials, runtime reachability analysis, and exposure management stop being aspirational and start being mandatory.
Toxic combinations are where the breach actually lives. Latio Pulse and others have been hammering on this for a year, and they are right. A medium-severity CVE on an unpatched library, combined with an over-permissioned IAM role, on an internet-reachable workload that ships logs to a SIEM you do not actively triage, is not three medium findings. It is one critical breach waiting to happen. The discipline of mapping these compound conditions, rather than enumerating individual CVEs, is what separates programs that reduce risk from programs that close tickets.
Runtime detection is the safety net. No prioritization model patches faster than an autonomous exploit chain can run. The only defense against AI-accelerated exploitation of disclosed and undisclosed flaws is real-time visibility into application-layer behavior, identity behavior, and lateral movement — backed by a 24/7 capability staffed to act in minutes rather than business days.
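To make the stack above concrete, here is an added example (not Quzara's pipeline, and not code from any of the sources cited) of a tiered prioritization function: CISA KEV sets the floor, an EPSS threshold sets the spine, local asset context escalates the tier, and when NVD has left a CVE "Not Scheduled" the severity falls back to the CNA-issued score. The EPSS threshold, the per-tier SLA hours, the CVE identifiers and the sample findings are all constructed assumptions for illustration.

```python
"""Tiered vulnerability prioritization: CISA KEV as the floor, EPSS as the
spine, local asset context as the multiplier, with CNA metadata as the
fallback when NVD never enriched the CVE. Constructed example."""
from dataclasses import dataclass
from typing import Optional

# Assumed risk-appetite cutoff; the post suggests roughly the top EPSS decile.
EPSS_THRESHOLD = 0.10

# Assumed SLA policy per tier, in hours. Tier 1 uses the upper end of the
# 24-72 hour band the post cites for KEV-listed flaws.
SLA_HOURS = {1: 72, 2: 168, 3: 720}


@dataclass
class CveRecord:
    cve_id: str
    in_kev: bool                 # listed in CISA's Known Exploited Vulnerabilities
    epss: float                  # probability of exploitation in the next 30 days
    cvss_nist: Optional[float]   # None when NVD marked the CVE "Not Scheduled"
    cvss_cna: Optional[float]    # score issued by the disclosing CNA, if any


@dataclass
class AssetContext:
    internet_exposed: bool
    reachable: bool              # vulnerable code path reachable from that surface
    holds_cui: bool


def effective_cvss(rec: CveRecord):
    """Return (score, source), preferring NIST's adjudicated score and
    falling back to the CNA's own score when NVD never enriched the CVE."""
    if rec.cvss_nist is not None:
        return rec.cvss_nist, "nist"
    if rec.cvss_cna is not None:
        return rec.cvss_cna, "cna"
    return None, "unscored"


def prioritize(rec: CveRecord, ctx: AssetContext,
               epss_threshold: float = EPSS_THRESHOLD) -> dict:
    """Assign a remediation tier. KEV and EPSS set the base tier; each local
    context condition escalates one tier, never beyond tier 1."""
    reasons = []
    if rec.in_kev:
        tier = 1
        reasons.append("CISA KEV: confirmed in-the-wild exploitation")
    elif rec.epss >= epss_threshold:
        tier = 2
        reasons.append(f"EPSS {rec.epss:.2f} at or above {epss_threshold:.2f}")
    else:
        tier = 3
        reasons.append(f"EPSS {rec.epss:.2f} below {epss_threshold:.2f}")

    if ctx.internet_exposed and ctx.reachable:
        tier = max(1, tier - 1)
        reasons.append("internet-exposed and code path reachable")
    if ctx.holds_cui:
        tier = max(1, tier - 1)
        reasons.append("asset holds CUI")

    score, source = effective_cvss(rec)
    if source != "nist":
        reasons.append(f"severity source: {source} (no NIST adjudication)")

    return {"cve_id": rec.cve_id, "tier": tier, "sla_hours": SLA_HOURS[tier],
            "cvss": score, "cvss_source": source, "reasons": reasons}


def triage(findings):
    """Rank (CveRecord, AssetContext) pairs: tier first, then EPSS descending."""
    ranked = [prioritize(rec, ctx) for rec, ctx in findings]
    epss_by_id = {rec.cve_id: rec.epss for rec, _ in findings}
    ranked.sort(key=lambda r: (r["tier"], -epss_by_id[r["cve_id"]]))
    return ranked


# Constructed sample findings; the CVE identifiers are placeholders.
SAMPLE_FINDINGS = [
    (CveRecord("CVE-EXAMPLE-0001", True, 0.02, None, 6.5),     # KEV, unenriched by NVD
     AssetContext(internet_exposed=False, reachable=False, holds_cui=False)),
    (CveRecord("CVE-EXAMPLE-0002", False, 0.45, 7.5, 7.5),     # high EPSS, exposed
     AssetContext(internet_exposed=True, reachable=True, holds_cui=False)),
    (CveRecord("CVE-EXAMPLE-0003", False, 0.01, None, 9.8),    # CNA says critical, low EPSS
     AssetContext(internet_exposed=False, reachable=False, holds_cui=False)),
    (CveRecord("CVE-EXAMPLE-0004", False, 0.01, 5.3, 5.3),     # low EPSS but holds CUI
     AssetContext(internet_exposed=False, reachable=False, holds_cui=True)),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS):
        print(f"tier {r['tier']} / {r['sla_hours']}h  {r['cve_id']}  "
              f"cvss={r['cvss']} ({r['cvss_source']})  {'; '.join(r['reasons'])}")
```

Note what the ranking does with the third sample finding: a CNA-scored 9.8 with negligible EPSS and no exposure lands in tier 3, while a KEV-listed CVE with a CNA score of 6.5 and no NIST enrichment at all goes to tier 1. That is the point of replacing a CVSS floor with KEV, EPSS and context; the `reasons` list is what belongs in the ticket so an auditor can see why the tier was assigned and which severity source was used.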
At Quzara, our Cybertorch™ vulnerability management practice is FedRAMP High Authorized and staffed exclusively by U.S. citizen analysts. We have been operating it against federal, DIB, and regulated commercial environments long enough that the April 15 NIST announcement did not change our doctrine — it validated it.
Three concrete examples of how that doctrine plays out.
Our vulnerability enrichment pipeline already consumes NVD, CVE.org, CISA KEV, and EPSS as primary feeds, with a per-asset and per-device vulnerability inventory maintained continuously rather than scraped on a scan cadence. When NIST stops enriching a CVE, our pipeline does not stop — we fall back to CNA-issued metadata, our own normalization, and EPSS-driven prioritization. The customer never sees the seam.
Because Cybertorch™ is FedRAMP High Authorized, customers inherit the underlying controls rather than building them. That matters in this new environment because the compensating controls that catch what your patch cadence does not — continuous monitoring of cloud identity, virtual machines, API access, and configuration drift — are inherited along with the practice. A federal civilian agency or DIB contractor that adopts Cybertorch™ inherits 24/7 incident response, continuous vulnerability enrichment and prioritization, exposure mapping across cloud and on-premises assets, and a remediation reporting layer that closes the loop with their own engineering teams. The architectural cost of building any of that in-house has always been high. After Mythos, that cost is prohibitive.
And because NISTCompliance.AI — our AI-native compliance automation platform — ingests vulnerability and configuration evidence from the same telemetry plane that feeds the vulnerability practice, the path from "Cybertorch™ detected this" to "your SSP and POA&M reflect this within hours" is engineered, not manual. In a world where NIST is no longer the upstream metadata source, an automated downstream compliance fabric matters more, not less.
We are not claiming this practice solves the bugpocalypse. We are claiming it is the architecture the bugpocalypse demands.
The strategic doctrine is one thing. The actions that begin Monday morning are another. Five concrete moves.
Audit every dependency on NVD enrichment. Look at every scanner import, every SIEM lookup, every SOAR playbook, every ticket template, every exception workflow, and every audit artifact that assumes a properly formatted NVD CPE string or a NIST-adjudicated CVSS. Those assumptions are now fragile. Treat CNA-issued advisories, vendor advisories, GitHub Security Advisories, and CISA KEV as first-class inputs rather than precursors to eventual NVD blessing.
Move prioritization from CVSS-floor to KEV-plus-EPSS-plus-context. If your program SLA today is "patch everything CVSS 7+ within thirty days," replace it with tiered SLAs anchored to CISA KEV (twenty-four to seventy-two hours per BOD 22-01), high EPSS scores (defined by your risk appetite, but typically the top decile), and local-context multipliers including internet exposure, identity blast radius, and data sensitivity. The vendor scanner you already own probably exposes EPSS today — turn it on.
Map and remediate toxic combinations, not just individual CVEs. Stand up a quarterly exercise that pairs your asset inventory, identity inventory, network exposure map, and known-vulnerability list. Look for the compounds: a vulnerable component, plus over-permissive identity, plus an exposed network path, plus inadequate logging. Each compound is a breach scenario. Track the count of open toxic combinations as a leading indicator alongside open CVE count.
Invest in runtime detection and 24/7 response, not just preventive patching. Patching alone is now insufficient. Mature programs are pairing static vulnerability management with application-layer runtime detection (Cloud Application Detection and Response, or CADR), continuous identity-threat monitoring, and a 24/7 capability that can execute detection-to-containment in minutes. For federal and DIB customers without the budget to staff a U.S. citizen 24/7 capability in-house, FedRAMP High Authorized managed offerings like Cybertorch™ are no longer a luxury — they are an architectural prerequisite.
Plan for AI-accelerated exploitation as a steady state. Update your incident response plans to assume that the window between disclosure and active exploitation can be hours rather than weeks. Tabletop a scenario in which a previously unknown vulnerability in a widely deployed component is disclosed Friday at 5 p.m. with a working PoC, and an automated exploit chain is observed in your environment by Saturday morning. If your IR plan does not function in that scenario, it does not function.
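The toxic-combination discipline described earlier, and the quarterly mapping exercise in the third move above, can be reduced to a join across four inventories. The following is an added example (constructed here, not Quzara's tooling and not from any source the post cites) that takes an asset inventory, an identity inventory, an exposure map and a known-vulnerability list, evaluates the four compound conditions per asset, and reports the open toxic-combination count as a leading indicator beside the open CVE count. All asset names, roles, components and CVE identifiers are placeholders.

```python
"""Toxic-combination mapping: join asset, identity, exposure and vulnerability
inventories and count the assets where all four compound conditions hold.
Constructed example; every name below is a placeholder."""

# Constructed inventories keyed by asset id.
ASSETS = {
    "web-01":   {"components": ["libexample 1.2"], "logs_triaged": False},
    "web-02":   {"components": ["libexample 1.2"], "logs_triaged": True},
    "db-01":    {"components": ["dbengine 4.0"],   "logs_triaged": False},
    "batch-01": {"components": ["libexample 1.2"], "logs_triaged": False},
}
IDENTITIES = {                       # asset -> roles bound to its workload identity
    "web-01": ["s3-admin", "app-reader"],
    "web-02": ["app-reader"],
    "db-01": ["db-admin"],
    "batch-01": ["s3-admin"],
}
OVER_PERMISSIVE_ROLES = {"s3-admin", "db-admin"}   # assumed output of an IAM review
EXPOSURE = {"web-01": True, "web-02": True, "db-01": False, "batch-01": False}
KNOWN_VULNS = {                      # component -> placeholder CVE ids
    "libexample 1.2": ["CVE-EXAMPLE-0002"],
    "dbengine 4.0": ["CVE-EXAMPLE-0005"],
}

CONDITIONS = ("vulnerable_component", "over_permissive_identity",
              "internet_exposed", "logging_not_triaged")


def asset_conditions(asset_id, assets=ASSETS, identities=IDENTITIES,
                     exposure=EXPOSURE, known_vulns=KNOWN_VULNS):
    """Evaluate the four compound conditions for one asset.
    Returns (conditions dict, list of CVE ids present on the asset)."""
    a = assets[asset_id]
    vulns = [c for comp in a["components"] for c in known_vulns.get(comp, [])]
    roles = set(identities.get(asset_id, []))
    conds = {
        "vulnerable_component": bool(vulns),
        "over_permissive_identity": bool(roles & OVER_PERMISSIVE_ROLES),
        "internet_exposed": exposure.get(asset_id, False),
        "logging_not_triaged": not a["logs_triaged"],
    }
    return conds, vulns


def find_toxic_combinations(assets=ASSETS):
    """Return (toxic, near): assets meeting all four conditions, and assets
    one condition away, which are the cheapest breach scenarios to dismantle."""
    toxic, near = [], []
    for asset_id in assets:
        conds, vulns = asset_conditions(asset_id, assets=assets)
        met = [c for c in CONDITIONS if conds[c]]
        entry = {"asset": asset_id, "conditions": met, "cves": vulns}
        if len(met) == len(CONDITIONS):
            toxic.append(entry)
        elif len(met) == len(CONDITIONS) - 1:
            near.append(entry)
    return toxic, near


def leading_indicator(assets=ASSETS):
    """Open toxic combinations tracked beside the raw open CVE finding count."""
    toxic, near = find_toxic_combinations(assets)
    open_cve_findings = sum(len(asset_conditions(a, assets=assets)[1]) for a in assets)
    return {"open_toxic_combinations": len(toxic),
            "one_condition_away": len(near),
            "open_cve_findings": open_cve_findings}


if __name__ == "__main__":
    toxic, near = find_toxic_combinations()
    for t in toxic:
        print("TOXIC", t["asset"], t["cves"], t["conditions"])
    for n in near:
        print("near ", n["asset"], n["cves"], n["conditions"])
    print(leading_indicator())
```

With these sample inventories the same CVE appears on three assets, but only one of them (internet-exposed, over-permissioned identity, logs nobody triages) is a breach scenario; the other two are one condition away. Breaking any single condition on a near-miss (removing the over-permissive role, or simply putting its logs into active triage) is often cheaper and faster than patching, which is why the compound count, not the CVE count, is the number worth reporting upward.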
The disclosure pipeline that fed enterprise vulnerability management for the last fifteen years was not really designed for an adversary, much less for an adversary armed with autonomous exploit-development agents. It was designed for a relatively orderly research community, an NVD with enough humans to keep up, and patch cadences measured in weeks. Each of those assumptions failed quietly over the last three years. NIST's April 15 announcement and Anthropic's Mythos preview, together, simply made the failure undeniable.
The work ahead is real, but it is not unprecedented. The same federal cyber community that absorbed FedRAMP, OMB M-22-09 zero trust, EO 14028, and the CMMC rollout knows how to absorb a structural shift. The shift this time is from a database-centric vulnerability practice to an evidence-centric one — from waiting on upstream normalization to producing local meaning, from patching what NVD told you to patch to patching what your environment, your telemetry, and your prioritization models tell you to patch.
At Quzara, we built Cybertorch™ for an operating environment that looks exactly like this one. Sovereign infrastructure. U.S. citizen analysts. Inheritable FedRAMP High controls. AI-native compliance evidence pipelines. And a vulnerability management practice that treats EPSS, KEV, asset context, and toxic combinations as the four legs of the stool, not optional extras bolted onto CVSS.
If you are a federal CIO, a DIB CISO, a FedRAMP authorizing official, or a program manager trying to make sense of what comes next, we are open for the conversation. The bugpocalypse is real. The doctrine is knowable. The infrastructure exists.
You just have to choose to inherit it.
Sources and further reading. NIST's April 15, 2026 announcement on NVD operations; the EO 14028 critical software definition; CISA Binding Operational Directive 22-01; Anthropic's Mythos preview and "Preparing your security program for AI-accelerated offense" guidance; CSO Online, "Anthropic bets on EPSS for the coming bug surge" (Brumfield, April 22, 2026); Kodem Security, "The NIST NVD update changes vulnerability management more than most teams realize" (Babu, April 23, 2026); Latio Pulse, "Building an AI-Ready Vulnerability Management Program After NVD Changes and Claude Mythos" (Berthoty, April 21, 2026); Risky Business, "Risky Bulletin: NIST gives up enriching most CVEs" (Cimpanu, April 17, 2026); Resilient Cyber, "The NVD just threw in the towel — now what?" (Hughes, April 22, 2026); Help Net Security, Mozilla/Mythos coverage (Kovacs, April 22, 2026); the FIRST EPSS model documentation; and the Zero Day Clock project.
Quzara LLC is a FedRAMP High Authorized cybersecurity firm headquartered in Vienna, Virginia. Cybertorch™ is Quzara's FedRAMP High Authorized managed detection and response platform with a U.S. citizen-only 24/7 capability. NIST Compliance.AI is Quzara's AI-native compliance automation platform, supporting NIST SP 800-53 Rev 5, FedRAMP, FISMA, and CMMC. To discuss how Cybertorch™ and NIST Compliance.AI can accelerate your vulnerability management and compliance operations, contact Quzara at info@quzara.com or (800) 218-8528.