Comprehensive Threat Exposure Management Platform
In February, we called the gap between CVE disclosure and scanner signatures the “breach zone.” On April 15, 2026, NIST made that gap permanent — and signatureless detection stopped being an advantage. It became a requirement.
This post updates “Attackers Don’t Need Signatures. Neither Should Your Defense.” (Feb 17, 2026). Read the original for full context on the signature-first detection gap.
Two months ago, we argued the backlog would get worse before it got better. We were half right. It got worse — and then it got formalized.
The original post made three claims. Traditional vulnerability management tools are architecturally dependent on signatures — scanner plugins, QIDs, and CVE enrichment data. There is a 24–72 hour window between disclosure and signature availability where defenders are effectively blind. And the NVD enrichment backlog had grown large enough that even after scanners caught up, the underlying CVE data was often incomplete or missing.
We called that blind window the breach zone. We said it was where sophisticated attackers operate. We said signatureless detection — correlating software inventory directly against threat intelligence and exploit advisories — was how defenders close it.
The number we used to size the problem was 100,000+ CVEs in backlog awaiting classification and integration.
That number is now wrong. What replaced it is worse.
At VulnCon 2026 in Scottsdale, NIST announced that the National Vulnerability Database will no longer attempt to enrich every CVE it receives. The old backlog-clearance goal was abandoned. In its place: a risk-based prioritization model that enriches only three categories of CVEs.
Everything else still gets a CVE identifier. But it ships without a NIST CVSS score, without CPE mapping, and without CWE classification. The label NVD now applies is Lowest Priority — Not Scheduled. And the existing backlog of unenriched vulnerabilities published before March 1, 2026 was moved into that same “Not Scheduled” bucket in a single administrative action.
In February, we described the breach zone as a 14-day gap — the time between disclosure and scanner signature. It was a temporary blindness. Uncomfortable, dangerous, but bounded.
That framing no longer holds. For any CVE that doesn’t meet NIST’s new prioritization criteria, there is no catch-up date. No enrichment pipeline running in the background. No eventual CPE mapping that scanners can ingest. The CVE exists as a bare identifier and stays that way.
The breach zone used to be a window that closed. Now, for the majority of CVEs, it’s the default state.
Think of it this way. Before April 15, the NVD was the post office that eventually stamped, sorted, and delivered every letter — slowly, sometimes very slowly, but eventually. After April 15, the post office announced it would only deliver certified mail to federal addresses. Everything else still gets dropped in the bin, but nobody’s sorting it. You can ask for a specific letter to be processed, and maybe someone gets to it.
That’s the system US defenders now operate in. And it directly impacts every vulnerability management tool that depends on NVD enrichment to function.
Traditional scanners match detections to affected software using CPE strings supplied by NVD enrichment. No CPE mapping means no automated match. The CVE exists; the scanner doesn’t know what product it applies to. The vulnerability is effectively invisible to any tool that can’t correlate beyond CPE.
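To make the CPE dependency concrete, the following Python illustration is added here (it is not Uni5 Xposure's code and does not use NVD's API): it correlates a constructed software inventory against two constructed CVE records, one enriched with a CPE match string and one left “Not Scheduled” with only the CNA's own affected block. The CPE-only path finds just the enriched record; correlating on the CNA's vendor, product and version range finds both.

```python
# Constructed software inventory: (vendor, product, version).
INVENTORY = [
    ("acme", "widgetd", "2.3.1"),
    ("acme", "widgetd", "2.5.0"),
    ("example", "fileserv", "1.0.4"),
]

# Constructed records in the shape of CVE JSON 5.x: the CNA's "affected"
# block is always present; NVD CPE match strings exist only for records
# NIST actually enriched. IDs are placeholders, not real CVEs.
CVES = [
    {"id": "CVE-EXAMPLE-0001",
     "affected": [{"vendor": "acme", "product": "widgetd",
                   "versions": [{"version": "0", "lessThan": "2.4.0"}]}],
     "cpe_matches": ["cpe:2.3:a:acme:widgetd:2.3.1:*:*:*:*:*:*:*"]},
    {"id": "CVE-EXAMPLE-0002",  # Lowest Priority - Not Scheduled: no CPE data
     "affected": [{"vendor": "example", "product": "fileserv",
                   "versions": [{"version": "0", "lessThan": "1.1.0"}]}],
     "cpe_matches": []},
]

def parse_version(v):
    return tuple(int(x) for x in v.split("."))

def cpe_matches(cve, inventory):
    """Scanner-style matching: only NVD-supplied CPE strings count."""
    hits = set()
    for cpe in cve["cpe_matches"]:
        p = cpe.split(":")  # cpe:2.3:<part>:<vendor>:<product>:<version>:...
        vendor, product, version = p[3], p[4], p[5]
        for inv in inventory:
            if (vendor, product) == inv[:2] and version in ("*", inv[2]):
                hits.add(inv)
    return hits

def advisory_matches(cve, inventory):
    """Signatureless matching: CNA vendor/product/version ranges only."""
    hits = set()
    for aff in cve["affected"]:
        for inv in inventory:
            if (aff["vendor"], aff["product"]) != inv[:2]:
                continue
            ver = parse_version(inv[2])
            for rng in aff["versions"]:
                if parse_version(rng["version"]) <= ver < parse_version(rng["lessThan"]):
                    hits.add(inv)
    return hits

def exposure_report(cves=CVES, inventory=INVENTORY):
    """Per CVE: what a CPE-dependent scanner sees vs advisory correlation."""
    return {c["id"]: {"cpe": cpe_matches(c, inventory),
                      "advisory": advisory_matches(c, inventory)} for c in cves}
```

Real CNA data is messier than this (non-numeric versions, missing upper bounds, product names that do not match your inventory), which is exactly the normalization work a signatureless engine has to do.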
Going forward, NIST will defer to the CVSS score provided by the submitting CVE Numbering Authority rather than publishing its own. CNA quality varies significantly. Vulnerability management programs that sort queues by NVD CVSS will increasingly be sorting against scores NIST never reviewed — or against no score at all.
The 29,000 backlogged CVEs moved to “Not Scheduled” include two years of accumulated disclosures. Many affect software still running in production environments today. That data isn’t coming back unless someone explicitly requests enrichment on a per-CVE basis.
Before April 15, 2026: Advisory drops. Scanner catches up in ~14 days.
The breach zone was a temporary visibility gap. Organizations relying on signature-first detection were blind during the window but eventually got coverage. Risk was time-bounded.
After April 15, 2026: Advisory drops. Scanner may never catch up.
If the CVE doesn’t hit KEV, federal-use, or EO 14028 critical software, NIST doesn’t enrich it. The signature pipeline that scanners depend on never runs. The visibility gap is open-ended.
The case for signatureless detection in February was performance — close the gap faster than your scanner vendor can. The case for signatureless detection in April is existence — close gaps your scanner vendor may never address.
Uni5 Xposure’s signatureless engine doesn’t wait for NIST enrichment. It operates on four continuous inputs that don’t depend on the NVD pipeline:
The mechanism didn’t change on April 15. What changed is how much of the defender’s coverage now depends on it.
~21 — Approximate size of the NVD program team against a projected 70,000 CVE-2026 submissions. The math does not work, and NIST is no longer pretending it does.
Funding gap and staffing pressure cause a backlog to begin accumulating. Approximately 90% of new submissions start going unenriched.
NIST enriches a record 42,000 CVEs in 2025 — 45% more than any prior year — but submission rate rises faster than throughput.
We frame the breach zone as a 14-day visibility gap and cite the NVD backlog as evidence the gap is getting worse.
Pre-March 2026 backlog moved to “Not Scheduled.” Going forward, enrichment limited to KEV, federal-use, and EO 14028 critical software. All other CVEs published without NIST CVSS, CPE, or CWE data.
The NVD changes are live. The “Not Scheduled” label is already appearing on real CVEs. Four actions worth taking before your next board update:
In February we asked: “How long until your team knows you’re exposed?” In April, the question is sharper. If NIST never enriches the CVE, does your team ever know at all?
See how Uni5 Xposure correlates your software inventory against vendor advisories and exploit intelligence — with or without NVD enrichment — to close gaps the signature-first world can no longer cover.