How our detection approach holds up as CVE enrichment changes

Author(s)
Daniel Bechenea Security Research Lead

Updated at: May 08, 2026

If you've been following the offensive security tooling space, you may have seen NIST's recent update on NVD operations and the broader discussion around CVE enrichment gaps. Here's what it means in practice - and what it means for your results in Pentest-Tools.com.

What's changing in the ecosystem

Passive, version-based detection is a component of most vulnerability scanners: they identify a software version, match it to a CVE ID, and flag it as a finding. That layer depends on CVEs receiving complete enrichment data (including Official Common Platform Enumeration identifiers) from NIST and CISA. When that enrichment is delayed or missing, passive detections become less reliable.

This is a real constraint - and it affects the entire ecosystem and every vendor in the passive detection layer (us included). That’s why we’ve been building towards a more resilient detection mechanism that keeps testing methodologies as close as possible to the reality security practitioners experience every day.

Where our approach is different

Because offsec testing accuracy is core to what we do, we've built detection across multiple methods rather than relying on a single source of truth.

Our Network Scanner combines passive version-based detection with active validation - checks that probe the actual behavior of a service rather than just its reported version.

Active detections don't depend on CVE enrichment to fire correctly. They test the real condition. For critical CVEs, Sniper Auto-Exploiter goes further: it attempts actual exploitation on authorized targets and extracts proof of exploitability, independent of whether the underlying CVE has complete metadata.

Our Website Scanner takes a different path entirely: it detects web vulnerabilities - SQLi, XSS, SSRF, XXE, and more from the OWASP Top 10 - through active testing rather than CVE matching. Enrichment gaps don’t affect this layer at all.

What this means for your work

Your scan results remain reliable and evidence-backed.

Findings from active checks come with proof - not just a version match - which makes them more defensible in reports and easier to prioritize.

If you're currently on a plan that includes the Network Scanner's active detection, Sniper, or the Website Scanner, this resilience is already working for you.

If you’re on the Free edition, it’s worth taking a look at the active scanning and authenticated scanning capabilities you can unlock with one of our paid plans. Since these methods are the least affected by CVE enrichment gaps, upgrading is how you get the coverage described above.

We'll continue being transparent about what each detection method can and can't validate - that's not changing.

Get vulnerability research & write-ups

In your inbox. (No fluff. Actionable stuff only.)

DotNetNuke: XSS to RCE (CVE-2026-40321)

Year in review: from routine to results in 2025

Security teams had to cover more assets, respond to more CVEs, and explain more findings to more people than ever. And not just explain them - defend them. In front of clients. In front of auditors. In front of leadership that wants to know what actually changed since the last in-depth test.