Cybersecurity teams are drowning in vulnerabilities. Thousands of CVEs are published each year, and while scanners and severity scores help flag what’s out there, they rarely explain how attackers will actually use those vulnerabilities in a real-world breach.
That’s where the MITRE ATT&CK framework shines. It provides a living knowledge base of adversary tactics, techniques, and procedures. The challenge? A CVE record carries no ATT&CK mapping: nothing in the identifier, the description, or the CVSS score says which techniques an attacker would use the bug for. Until now.
In this webinar, Rob Johnson and Shawn Evans from NopSec break down how their team is using large language models (LLMs) to bridge this gap — giving security teams a contextual view of vulnerabilities and how they fit into the attack chain.
Rob Johnson opened by explaining why traditional vulnerability management falls short:
“We capture all of that information — infrastructure scans, cloud, container, application testing — and then run it through our AI-based algorithm. But the key is prioritization. Not every CVE poses the same level of risk to your environment.” — Rob Johnson
He walked through how NopSec’s CTEM platform layers in asset telemetry, threat intelligence feeds, and control data (from tools like CrowdStrike, Defender, or SentinelOne) to calculate a contextual risk score. Exposing how that score is calculated is critical for building trust:
“We’re very transparent about how we prioritize risk. It’s not a black box — you can actually understand why we scored a vulnerability in a certain way.” — Rob Johnson
Shawn Evans then dug into how ATT&CK fills in the missing piece. CVE, CWE, and CPE identify a vulnerability, its weakness class, and the affected platform, but none of them says which tactics and techniques an attacker would use it for.
“When an attacker is moving through your network, they move like water — finding the path of least resistance. MITRE ATT&CK helps you see those paths, and we wanted to bring that intelligence into CVE analysis.” — Shawn Evans
For example, CVE-2021-34527 (PrintNightmare), the Windows Print Spooler bug, is classified as a remote code execution vulnerability. By itself, that label doesn’t reveal the full risk picture: an authenticated attacker who can reach the spooler gets code execution as SYSTEM on the target. Mapping it through ATT&CK shows it can also enable privilege escalation, persistence, and lateral movement, a chain of activity that changes how defenders should respond.
The NopSec research team trained LLMs on CVE descriptions, enriched threat intelligence, and MITRE ATT&CK data. Instead of using generative AI to “write,” they employed it discriminatively, using the model to classify and correlate existing records so that each CVE is mapped to the ATT&CK techniques it most likely enables.
“It’s remarkable that just by parsing language, the models can arrive at fairly accurate relationships. You don’t just see what the CVE is — you see how an attacker might use it.” — Shawn Evans
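To make the PrintNightmare mapping concrete, here is an added example (not NopSec’s code and not the model described in the webinar) of the shape such a CVE-to-ATT&CK mapper takes. The LLM classifier is replaced by a hand-written feature extractor over the CVE description and CVSS vector, which is the part an LLM would learn; the `map_to_attack` logic and the kill-chain ordering are the same either way. Technique IDs are real Enterprise ATT&CK IDs, but the catalog is an excerpt, the PrintNightmare description is paraphrased rather than copied from NVD, the CVSS vector is assumed, and the second record is a constructed denial-of-service sample with no real CVE ID. The persistence mapping (Print Processors) is an analyst judgement noted in the comments, not something the CVE record states.

```python
"""Map a CVE record to candidate ATT&CK techniques and an ordered tactic chain.

Added example: feature-based stand-in for the discriminative LLM classifier
described in the webinar. All sample records below are constructed.
"""
import re
from dataclasses import dataclass

# Enterprise ATT&CK matrix order (excerpt) used to sort techniques into a chain.
TACTIC_ORDER = ["initial-access", "execution", "persistence",
                "privilege-escalation", "lateral-movement", "impact"]


@dataclass(frozen=True)
class Technique:
    id: str
    name: str
    tactic: str


# Real Enterprise ATT&CK technique IDs; the catalog is an excerpt.
T1190 = Technique("T1190", "Exploit Public-Facing Application", "initial-access")
T1068 = Technique("T1068", "Exploitation for Privilege Escalation", "privilege-escalation")
T1210 = Technique("T1210", "Exploitation of Remote Services", "lateral-movement")
T1547_012 = Technique("T1547.012", "Boot or Logon Autostart Execution: Print Processors", "persistence")
T1499 = Technique("T1499", "Endpoint Denial of Service", "impact")


@dataclass
class CveRecord:
    cve_id: str
    description: str
    cvss_vector: str   # CVSS v3.x vector string


def parse_cvss(vector: str) -> dict:
    """Turn 'CVSS:3.1/AV:N/AC:L/PR:L/...' into {'AV': 'N', 'AC': 'L', 'PR': 'L', ...}."""
    metrics = {}
    for part in vector.split("/")[1:]:        # skip the 'CVSS:3.1' prefix
        key, _, value = part.partition(":")
        metrics[key] = value
    return metrics


# Phrase features. This table is the hand-written stand-in for what the
# LLM classifier learns from the CVE text; swap extract_features for a
# model-backed function and the mapping below is unchanged.
PHRASE_RULES = [
    (re.compile(r"\b(?:run|execute) arbitrary code\b", re.I), "rce"),
    (re.compile(r"\bSYSTEM privileges\b|\belevat\w* privileges\b|\bprivilege escalation\b", re.I), "privesc"),
    (re.compile(r"\bprint spooler\b|\bprinter driver\b", re.I), "spooler"),
    (re.compile(r"\bdenial of service\b", re.I), "dos"),
]


def extract_features(rec: CveRecord) -> set:
    """Combine text phrases with CVSS metrics into a flat feature set."""
    feats = {label for rx, label in PHRASE_RULES if rx.search(rec.description)}
    m = parse_cvss(rec.cvss_vector)
    feats.add("av:" + m.get("AV", "?").lower())   # attack vector: n(etwork), a, l(ocal), p
    feats.add("pr:" + m.get("PR", "?").lower())   # privileges required: n(one), l(ow), h(igh)
    if m.get("C") == "H" and m.get("I") == "H" and m.get("A") == "H":
        feats.add("full-compromise")
    return feats


def map_to_attack(rec: CveRecord, feature_fn=extract_features) -> list:
    """Return ATT&CK techniques the CVE plausibly enables, sorted along the kill chain."""
    feats = feature_fn(rec)
    techs = []
    if "rce" in feats and "av:n" in feats:
        # Network-reachable RCE: unauthenticated means initial access from outside;
        # authenticated means an attacker who already holds an account moves laterally.
        techs.append(T1190 if "pr:n" in feats else T1210)
    if "privesc" in feats or ("full-compromise" in feats and "pr:l" in feats):
        techs.append(T1068)
    if "spooler" in feats and "rce" in feats:
        # Analyst judgement (assumption): code loaded into the spooler survives reboot,
        # which ATT&CK catalogs under Print Processors.
        techs.append(T1547_012)
    if "dos" in feats:
        techs.append(T1499)
    techs.sort(key=lambda t: TACTIC_ORDER.index(t.tactic))
    return techs


def attack_chain(techs: list) -> list:
    """Deduplicated tactic sequence, in matrix order, for the mapped techniques."""
    chain = []
    for t in techs:
        if t.tactic not in chain:
            chain.append(t.tactic)
    return chain


# Constructed sample: PrintNightmare, description paraphrased, vector assumed.
PRINTNIGHTMARE = CveRecord(
    "CVE-2021-34527",
    "A remote code execution vulnerability exists when the Windows Print Spooler "
    "service improperly performs privileged file operations. An authenticated "
    "attacker could exploit this to run arbitrary code with SYSTEM privileges, "
    "including installing programs and creating accounts.",
    "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
)

# Constructed sample with no real CVE ID: an unauthenticated remote DoS.
SAMPLE_DOS = CveRecord(
    "SAMPLE-DOS",
    "A crafted packet allows a remote unauthenticated attacker to cause a denial of service.",
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
)

if __name__ == "__main__":
    for rec in (PRINTNIGHTMARE, SAMPLE_DOS):
        techs = map_to_attack(rec)
        print(rec.cve_id, [f"{t.id} {t.name}" for t in techs], attack_chain(techs))
```

The point of the `feature_fn` parameter is that the scoring and chain ordering do not depend on how the features were obtained: the regex table can be replaced by a model that reads the description and emits the same labels, and the downstream logic, the thing a defender acts on, stays inspectable. Note also that the same CVSS vector drives two different mappings depending on `PR`: an unauthenticated network RCE lands in initial access, an authenticated one in lateral movement.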
This approach allows security leaders to:
The ultimate goal is to give defenders a richer, contextualized view of risk — one that goes beyond patch-and-pray and moves toward attacker-informed defense strategies.
As Rob summed it up:
“This isn’t just about fixing vulnerabilities. It’s about understanding how those vulnerabilities fit into an attacker’s playbook, and what you can do — technically and strategically — to shut down those paths.”
This research is still evolving, but it points toward a future where vulnerability management is not just about volume or speed, but about context, intent, and impact.
Want to see this in action? Schedule a demo with NopSec and learn how CTEM can reshape your vulnerability management strategy.
©2025 NopSec. All rights reserved.