NVD's shift to risk-based prioritization: how Iru Vulnerability Management stays ahead of the limitations
Shwena Kak

6 min read

NIST formally transitioned the National Vulnerability Database to a risk-based enrichment model in April 2026, meaning only CVEs that meet specific criteria, like those in CISA's KEV catalog or affecting federal software, will be prioritized for enrichment. Everything else gets deferred. This leaves a significant gap for security teams that depend on NVD data for vulnerability management. Iru VM was built to operate independently of NVD's limitations, drawing from multiple sources and providing its own human-in-the-loop enrichment. To date, Iru's Security Research team has enriched close to 2,000 CVEs and corrected around 170 inaccurate NVD records, with 66% of all vulnerability detections across customer endpoints driven by Iru-enriched data.

The CVE program has long been a vital part of vulnerability intelligence and protecting critical infrastructure. For the past couple of decades, the National Vulnerability Database (NVD), run by NIST, has served as a foundational reference for vulnerability intelligence, providing severity scores, product metadata, and structured enrichment that security teams and tooling depend on every day.

Threat Intelligence
The Security Implications of OpenClaw and Autonomous AI Agents
Shwena Kak

8 min read

Threat Intelligence
The Vulnerability Data Crisis: Why You Can't Trust Your Security Tools
Shwena Kak

5 min read

Threat Intelligence
