For years, the enterprise security playbook was clear. Researchers find bugs. Vendors patch them. NIST catalogs them. Scanners and the rest of the vulnerability management stack run the loop, match what’s in your environment against the CVE database, patch by severity, and send the report up. A green dashboard meant the job was done. The model worked.
Then pre-CVE attacks broke it. A CVE used to be a warning. Now it’s an obituary.
The pre-CVE window is the gap between the moment attackers find a vulnerability and the moment the world catalogs it. It used to be the defenders’ head start. AI turned that gap into the dominant attack window. Attackers no longer wait for the catalog. The catalog itself has formally given up trying to keep up. Attackers see the gap and live inside it. For the first time, the head start belongs to them.
The Catalog Went Dark
NVD enriches each CVE with severity scores, affected products, and the metadata that makes the entry actionable. Every downstream tool, score, and report inherits that enrichment. Most CISOs have never thought about NVD any more than they think about DNS. It just works. Or it used to.
In April 2026, NIST issued a public statement that, in plain language, ended an era. CVE submissions had surged and NIST couldn’t keep up. The agency formally abandoned its longstanding goal of analyzing every submitted CVE. Going forward, NIST will enrich only what hits CISA’s Known Exploited Vulnerabilities catalog or what the federal government uses directly. Everything else gets a CVE number and nothing more, and the hundreds of thousands of CVEs already backlogged from before March 2026 were moved wholesale to “Not Scheduled”.
Meanwhile, Mandiant’s measured time-to-exploit has crossed zero: on average, a vulnerability is now exploited before its patch is released. CISA added 1,484 vulnerabilities to its Known Exploited Vulnerabilities catalog in 2025 - one in six of all KEV entries in history, added in a single year.
NIST is not alone. The cURL project, used in nearly every piece of software shipped in the last decade, permanently shut down its bug bounty program in February 2026. HackerOne suspended new submissions to its Internet Bug Bounty in March 2026. The Linux Kernel team stopped issuing CVSS scores. Every institution defenders rely on for the truth about vulnerabilities has either capitulated, retreated, or stopped trying.
Then Mythos Showed Up
Why did the submissions surge? Anthropic released Claude Mythos in early 2026, not publicly, only to a small group of partners under Project Glasswing. They were explicit about why: a public release would create an unmanageable amount of new work for the world’s defenders. That work is happening anyway. Mythos is the most visible example, not the only one. Vulnerability discovery has stopped being a slow human craft and become an industrial process.
The Scanner Is a Search Engine for the Past
Tenable, Qualys, Rapid7, CrowdStrike Spotlight. Different products, same architecture: a CVE-matcher with a dashboard. They scan your environment, look up what they find against a database of catalogued vulnerabilities, and flag the matches. When the database is incomplete, late, or unscored, the scanner is blind. When the vulnerability is pre-CVE, not cataloged at all, the scanner is silent.
Every vendor risk score in your environment, every compliance attestation, every “we’re current on patches” line in a board deck, all of it inherits this blindness. Your team is patching every CVE on the list. The list is the problem.
The dashboard shows green because the dashboard reflects what has been catalogued, not what is being exploited.
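The blind spot described above can be made concrete with a toy scanner. The following is an added example written for this page, not code from Maze or from any of the scanning vendors named; the catalogue, the asset inventory and the CVE identifiers (CVE-0000-000x) are constructed placeholders. The matcher itself is the ordinary "look up installed software against a catalogue" loop; the point is what happens around it. A CVSS-first report silently drops matches whose entry was never enriched (no score), and a product with no catalogue entry at all produces no output, which a green dashboard then presents as "clean". The gap-aware report keeps the same matcher but surfaces unscored matches, KEV-listed matches and uncatalogued assets as their own lines.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple, FrozenSet


@dataclass(frozen=True)
class CatalogEntry:
    cve_id: str
    product: str
    affected: FrozenSet[str]   # affected versions (constructed)
    cvss: Optional[float]      # None: the entry got an ID but was never enriched
    in_kev: bool = False       # listed in CISA's Known Exploited Vulnerabilities


# Constructed catalogue. The CVE ids are placeholders, not real identifiers.
CATALOG = [
    CatalogEntry("CVE-0000-0001", "erp-suite", frozenset({"12.1", "12.2"}), 9.8, in_kev=True),
    CatalogEntry("CVE-0000-0002", "erp-suite", frozenset({"12.2"}), None),          # unenriched
    CatalogEntry("CVE-0000-0003", "http-client", frozenset({"8.5"}), 5.3),
    CatalogEntry("CVE-0000-0004", "http-client", frozenset({"8.5", "8.6"}), None),  # unenriched
]

# Constructed asset inventory: (product, installed version).
INVENTORY: List[Tuple[str, str]] = [
    ("erp-suite", "12.2"),
    ("http-client", "8.6"),
    ("hr-portal", "3.0"),      # no catalogue entry exists for this product at all
]


def match(inventory, catalog):
    """The scanner core: catalogue entries that apply to installed software."""
    return [e for (prod, ver) in inventory for e in catalog
            if e.product == prod and ver in e.affected]


def naive_priority(matches, threshold: float = 7.0):
    """A CVSS-first report: keep matches scored at or above the threshold.

    Unscored entries have no score to compare, so they drop out without a trace,
    and a product with no catalogue entry never reaches this function at all."""
    return sorted(e.cve_id for e in matches
                  if e.cvss is not None and e.cvss >= threshold)


def gap_aware_report(inventory, catalog, threshold: float = 7.0):
    """Same matcher, but every gap is reported as a gap rather than as green."""
    matches = match(inventory, catalog)
    catalogued_products = {e.product for e in catalog}
    return {
        "scored_high": naive_priority(matches, threshold),
        "kev": sorted(e.cve_id for e in matches if e.in_kev),
        # matched, but NVD never enriched the entry: the severity is unknown, not low
        "unscored_review": sorted(e.cve_id for e in matches if e.cvss is None),
        # nothing in the catalogue for these assets: "no finding" is not "no flaw"
        "no_catalog_data": sorted({p for p, _ in inventory} - catalogued_products),
    }


if __name__ == "__main__":
    found = match(INVENTORY, CATALOG)
    print("CVSS-first report:", naive_priority(found))
    for key, value in gap_aware_report(INVENTORY, CATALOG).items():
        print(f"{key:>16}: {value}")
```

On the constructed data the CVSS-first report contains a single entry, while the gap-aware report additionally lists two matched-but-unscored CVEs and one asset the catalogue has nothing to say about. Whatever product sits in front of the loop, a report that prints only the scored matches is reporting on the catalogue's completeness, not on the environment's exposure.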
A Three-Month Pre-CVE Window
In July 2025, attackers began probing Oracle E-Business Suite environments at customer organizations across the world. Oracle EBS is not a security appliance and not a developer tool - it is core enterprise software, running finance, HR, procurement, and order management at thousands of large companies. By August 9, the attackers had a working pre-CVE exploit and were inside production EBS environments, exfiltrating data quietly while the world saw nothing.
The CVE did not exist yet. CVE-2025-61882 - an unauthenticated remote code execution flaw - was not published until October 4, 2025. For nearly three months, every vendor risk dashboard pointed at Oracle EBS scanned clean. Every “patched on time” report showed green. Every compliance attestation referencing the latest critical patch update was technically accurate and operationally meaningless. Oracle had even released a patch in July - addressing different vulnerabilities entirely. Executives at affected enterprises learned something was wrong in late September, when CL0P-affiliated attackers began emailing them directly to demand ransom for the data already taken.
When Oracle finally issued the emergency patch, the campaign was already a board-level event. Major enterprises had data leaked publicly. The patch did not undo the exfiltration. The dashboard updating from green to red did not undo the months of access. The enterprises that had every patch deployed on time ended up in the same place as the ones that did not.
What Maze Does About It
Maze was built for the pre-CVE world.
Maze does not rely on NVD, CISA, or HackerOne to tell it what’s dangerous. It finds what the catalog misses: CVEs, 1-day exploits, malware, and the pre-CVEs that don’t have a number yet. Maze finds the flaws sitting in your ERP three months before disclosure. And it gives your team clear remediation steps, so risk gets reduced without waiting on a vendor advisory that may never come.
Maze Dex continuously scans over 1,000 vendors at the same depth, so the next pre-CVE exploitation does not reach you blind.
Every other tool defends the post-CVE world. Maze defends the pre-CVE one.