Why Do I Need This?
Minimal changes, immediate value, and context your team can act on.
Complete CVE Enrichment. No Coverage Gaps.
The NVD can no longer provide enrichment for every published CVE. As vulnerability volumes continue to grow, enrichment efforts are increasingly focused on a prioritized subset of vulnerabilities, leaving many CVEs without the scoring and metadata security teams depend on.
We restore complete coverage.
Our automated enrichment pipeline provides CVSS 3.1 and CVSS 4.0 vectors, dictionary-validated CPEs, categorized references, and enriched descriptions for all new CVEs, not just the vulnerabilities selected for prioritization.
Deployment is simple. Our API is fully compatible with NVD 2.0 endpoints and response formats, allowing it to serve as a drop-in replacement for existing NVD integrations.
Every score is derived from an auditable attack graph generated for the CVE. We map and evaluate all viable exploitation paths, score each path independently, and use the highest-risk path to produce the final vector. This methodology was presented at VulnCon 2026 and powers the same enrichment used throughout our enterprise threat intelligence platform.
We also analyze and classify every reference associated with a CVE, including advisories, patches, exploits, and technical write-ups, so your tools can automate triage and prioritization without manual review. Enriched descriptions summarize the information that matters most, reducing the time analysts spend reviewing source material.
Maintain complete visibility across the vulnerability landscape without changing your workflows.
"https://services.nvd.nist.gov/rest/json/cves/2.0""https://api.volerion.com/v1/nvd/rest/json/cves/2.0"One endpoint change. Full NVD 2.0 compatibility.
“Volerion gives us what NVD can't: instant, accurate context on every CVE. With remediation steps ready to go. When Hadrian finds the risk, Volerion makes sure nobody wastes time figuring out what it means.”
Hadrian
Security vendor, Amsterdam
Is it compatible with my current NVD integration?
Yes. The API is NVD 2.0-compatible by design, with the same response schema and semantics, so existing tooling keeps working as-is. In most integrations, you only replace https://services.nvd.nist.gov/rest/json/cves/2.0 with https://api.volerion.com/v1/nvd/rest/json/cves/2.0.
Why not just use a free public vulnerability feed?
The primary issue is coverage: free public feeds often do not provide complete enrichment across the full CVE set. Beyond that, accuracy and consistency in public aggregated data are often extremely poor, and that directly costs money everywhere the data is used. It drives wasted research time, extra triage hours, false alerts, missed alerts, and unreliable automation outcomes.
How do you keep up with the CVE volume?
We have a fully automated enrichment pipeline that processes the entire CVE feed, not just a prioritized subset. It is built to scale and uses fine-tuned machine learning models in combination with a data harness to guarantee high accuracy and consistency.
How do you ensure the quality of your data?
We have a dedicated quality ensurance program, and we regularly spot differences between our data and public data. We investigate the difference to determine if it is an error on our side or the third-party source. So far, we have submitted hundreds of corrects to the CISA Vulnrichment team and all CVEs have had their CVSS vector updated. Our data has a proven track record of accuracy and consistency, and we are committed to maintaining the highest standards.
What sources do you use for enrichment?
We use authoritative sources such as vendor advisories, patch releases, and write-ups. Our team consists of security researchers with deep experience in the offensive field, so our models are trained to extract the relevant information for attack modeling and CVSS scoring.
What is the difference with other commercial solutions?
Other sources often aggregate data, and do not enrich the CVEs themselves. We specialized in the data standards and specifications so we can provide information that is not available anywhere else yet. We also presented our CVSS automation methodology at VulnCon26 earlier this year, and we are the only provider that has a fully auditable attack graph behind our scores.
NIST has stopped enriching most CVEs
NIST now prioritizes only a narrow subset, leaving most new CVEs without timely enrichment, severity context, or reliable CPE detail.
Read the NIST announcement →The enriched data that does exist cannot be trusted either
Our accepted correction history shows recurring scoring and scenario errors in public enrichment feeds that can mislead triage and patch priority.
Read the full analysis →