Mapping CVEs to MITRE ATT&CK with AI

This post recaps the webinar replay, in which NopSec explains how it is using large language models to bridge vulnerability data with adversary tactics.

Cybersecurity teams are drowning in vulnerabilities. Tens of thousands of CVEs are published each year, and while scanners and CVSS severity scores help flag what is present, they rarely explain how attackers will actually use those vulnerabilities in a real-world breach.

That’s where the MITRE ATT&CK framework shines: a living knowledge base of adversary tactics, techniques, and procedures. The challenge is that a CVE record carries no ATT&CK reference of its own; the only standard link runs indirectly through CWE and CAPEC, and that chain is incomplete.

In this webinar, Rob Johnson and Shawn Evans from NopSec break down how their team is using large language models (LLMs) to bridge this gap — giving security teams a contextual view of vulnerabilities and how they fit into the attack chain.

From raw vulnerabilities to attacker context

Rob Johnson opened by explaining why traditional vulnerability management falls short:

“We capture all of that information — infrastructure scans, cloud, container, application testing — and then run it through our AI-based algorithm. But the key is prioritization. Not every CVE poses the same level of risk to your environment.” — Rob Johnson

He walked through how NopSec’s CTEM platform layers in asset telemetry, threat intelligence feeds, and control data (from tools like CrowdStrike, Defender, or SentinelOne) to calculate a contextual risk score. That transparency is critical for building trust:

“We’re very transparent about how we prioritize risk. It’s not a black box — you can actually understand why we scored a vulnerability in a certain way.” — Rob Johnson

Why MITRE ATT&CK matters

Shawn Evans then dug into how ATT&CK fills in the missing piece. A CVE identifies a specific flaw, a CWE names the weakness class behind it, and a CPE names the affected product; none of them say which adversary tactics the flaw serves once it is exploited.

“When an attacker is moving through your network, they move like water — finding the path of least resistance. MITRE ATT&CK helps you see those paths, and we wanted to bring that intelligence into CVE analysis.” — Shawn Evans

For example, CVE-2021-34527 (PrintNightmare) is described simply as a Windows Print Spooler remote code execution vulnerability. On its own, that label says nothing about how the bug is used. Exploiting it lets an authenticated user make a spooler, local or remote, load a driver that runs as SYSTEM, so mapped through ATT&CK the same CVE covers privilege escalation (Exploitation for Privilege Escalation, T1068), lateral movement (Exploitation of Remote Services, T1210), and persistence through the spooler. That chain of activity, not the RCE label, is what changes how defenders should respond.

How AI bridges the gap

The NopSec research team trained LLMs on CVE descriptions, enriched threat intelligence, and MITRE ATT&CK data. Rather than using generative AI to “write,” they employed the models discriminatively, classifying and correlating: each CVE is assigned likely techniques from ATT&CK’s fixed set, so the output lands in a known vocabulary that can be checked rather than in free text that has to be taken on trust.

“It’s remarkable that just by parsing language, the models can arrive at fairly accurate relationships. You don’t just see what the CVE is — you see how an attacker might use it.” — Shawn Evans

This approach allows security leaders to:

  • See not only the vulnerability, but the attack path it may enable
  • Identify systemic mitigation strategies (beyond patching) from ATT&CK guidance
  • Prioritize remediation based on adversary behaviors, not just scanner output
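As an added illustration (this is not NopSec’s model or code), the Python below shows the shape of such a discriminative pipeline: a constructed subset of ATT&CK Enterprise techniques carrying real IDs, names and tactics; a lexical scorer that stands in for the trained classifier (the keyword cues are this example’s assumption); a validation step that rejects technique IDs a model invents; and a roll-up from techniques to tactics in kill-chain order. The first input is a constructed paraphrase of the PrintNightmare advisory, the second a constructed generic web RCE with no real CVE behind it, and the sample model output deliberately contains a non-existent ID.

```python
import re
from dataclasses import dataclass

# ATT&CK Enterprise tactics in kill-chain order (real tactic names).
TACTIC_ORDER = (
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "command-and-control", "exfiltration", "impact",
)


@dataclass(frozen=True)
class Technique:
    tid: str
    name: str
    tactics: tuple[str, ...]
    # Keyword cues are this example's assumption: a lexical stand-in for the
    # trained classifier so the block runs offline.
    cues: tuple[str, ...]


# Constructed subset of ATT&CK. IDs, names and tactics are the real ones.
TECHNIQUES = {t.tid: t for t in (
    Technique("T1068", "Exploitation for Privilege Escalation",
              ("privilege-escalation",), ("system privileges", "elevat", "privilege")),
    Technique("T1210", "Exploitation of Remote Services",
              ("lateral-movement",), ("remote", "rpc", "smb", "network service")),
    Technique("T1547.012", "Boot or Logon Autostart Execution: Print Processors",
              ("persistence", "privilege-escalation"), ("print processor", "spooler", "printer driver")),
    Technique("T1190", "Exploit Public-Facing Application",
              ("initial-access",), ("web", "internet-facing", "http", "public")),
    Technique("T1203", "Exploitation for Client Execution",
              ("execution",), ("document", "browser", "user interaction")),
)}

# Technique IDs look like T1234 or T1234.001.
ID_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


def validate_ids(raw_model_output: str) -> tuple[list[str], list[str]]:
    """Split technique IDs found in free-text model output into known and unknown.

    A generative model will happily emit IDs that do not exist; anything outside
    the ATT&CK vocabulary is rejected rather than stored.
    """
    accepted, rejected = [], []
    for tid in ID_RE.findall(raw_model_output):
        (accepted if tid in TECHNIQUES else rejected).append(tid)
    return accepted, rejected


def score_techniques(description: str, min_hits: int = 2) -> list[tuple[str, int]]:
    """Discriminative step: score every known technique against the CVE text.

    The label set is fixed in advance, so the output can only ever be an ATT&CK
    technique. Returns (technique_id, hits) at or above the threshold, best first.
    """
    text = description.lower()
    scored = []
    for tech in TECHNIQUES.values():
        hits = sum(1 for cue in tech.cues if cue in text)
        if hits >= min_hits:
            scored.append((tech.tid, hits))
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


def tactics_for(technique_ids) -> list[str]:
    """Roll techniques up to the tactics they serve, in kill-chain order."""
    seen = {tac for tid in technique_ids for tac in TECHNIQUES[tid].tactics}
    return [tac for tac in TACTIC_ORDER if tac in seen]


def attack_chain(label: str, description: str, min_hits: int = 2) -> dict:
    """Full mapping for one vulnerability: ranked techniques plus tactic roll-up."""
    ranked = score_techniques(description, min_hits)
    tids = [tid for tid, _ in ranked]
    return {
        "vuln": label,
        "techniques": [(tid, TECHNIQUES[tid].name) for tid in tids],
        "tactics": tactics_for(tids),
    }


# Constructed paraphrase of the PrintNightmare advisory (not the NVD text).
PRINTNIGHTMARE_TEXT = (
    "Windows Print Spooler remote code execution vulnerability. An authenticated "
    "remote user can install a malicious printer driver over RPC and run code "
    "with SYSTEM privileges on the spooler host."
)

# Constructed description of a generic web RCE; no real CVE behind it.
WEB_RCE_TEXT = (
    "An unauthenticated attacker can send a crafted HTTP request to the public "
    "web interface of the appliance and execute arbitrary commands."
)

# Constructed model output with one fabricated ID (T9999 does not exist in ATT&CK).
SAMPLE_MODEL_OUTPUT = "Likely techniques: T1068, T1210, T1547.012 and T9999 (Spooler Abuse)."


if __name__ == "__main__":
    print(validate_ids(SAMPLE_MODEL_OUTPUT))
    print(attack_chain("CVE-2021-34527", PRINTNIGHTMARE_TEXT))
    print(attack_chain("constructed-web-rce", WEB_RCE_TEXT))
```

The two pieces a practitioner should keep even after swapping the lexical scorer for a real model are the fixed label set (the classifier can only answer with an ATT&CK technique) and the ID validation (free-text output is parsed and anything not in the vocabulary is dropped). With the PrintNightmare text the chain comes back as persistence, privilege escalation and lateral movement; with the web RCE text it collapses to initial access, which is the contextual difference the page is after.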

The bigger picture: smarter remediation

The ultimate goal is to give defenders a richer, contextualized view of risk — one that goes beyond patch-and-pray and moves toward attacker-informed defense strategies.

As Rob summed it up:

“This isn’t just about fixing vulnerabilities. It’s about understanding how those vulnerabilities fit into an attacker’s playbook, and what you can do — technically and strategically — to shut down those paths.”

This research is still evolving, but it points toward a future where vulnerability management is not just about volume or speed, but about context, intent, and impact.

Want to see this in action? Schedule a demo with NopSec and learn how CTEM can reshape your vulnerability management strategy.
