Blog
Confused by CVE, NVD, CWE and CPE? A plain-English guide to what each vulnerability database and standard does, who runs them, and how they fit together.
2026-06-14
How a CVE goes from disclosure to exploitation: the lifecycle
The lifecycle of a vulnerability from discovery and coordinated disclosure to CVE assignment, public advisory, exploitation in the wild, and addition to the CISA KEV catalog.
2026-06-14
CVSS scores explained for non-experts (0.0 to 10.0)
A plain-English guide to CVSS scores: what 0.0 to 10.0 means, the None-to-Critical bands, base vs temporal vs environmental metrics, and why severity is not risk.
2026-06-14
What is the CISA KEV catalog and why it matters for patching
The CISA KEV catalog lists vulnerabilities with proof of active exploitation. Here is what it is, how entries are added, and why it beats CVSS for patch priority.
2026-06-14
Patch prioritization with KEV, EPSS and CVSS: a practical model
You can't patch everything. Learn how to combine the CISA KEV catalog, EPSS exploit-prediction scores and CVSS severity into a defensible patch-prioritization workflow.
2026-06-14
What is a zero-day vulnerability? (And a zero-day exploit)
A plain-English explanation of zero-day vulnerabilities and exploits: what 'zero day' means, why they are dangerous, the difference from an N-day, and how to reduce risk.
2026-06-14
How to read a CVE identifier (CVE-YYYY-NNNNN explained)
What the CVE-YYYY-NNNNN format means, what the year and number actually tell you, who assigns CVE IDs, and the difference between a CVE, the NVD and a CWE.
2026-06-14