AI's Impact on Vulnerability Standards: Rapid7 Calls for Modernization
Rapid7's policy paper argues that AI-driven vulnerability discovery is outpacing current standards like CVE and CVSS, necessitating urgent reforms.
The rapid advancement of AI in discovering and chaining software vulnerabilities is placing unprecedented strain on established cybersecurity standards, according to a new policy paper from Rapid7. The paper, titled "Modernizing Global Vulnerability Standards," highlights how current frameworks, including CVE identifiers, CVSS scoring, and the National Vulnerability Database (NVD), were largely designed around human-speed discovery and manageable vulnerability volumes. As AI systems can now identify and link vulnerabilities at machine speed, these legacy systems are struggling to keep pace.
During a recent consultation with the White House, Rapid7 presented its findings, emphasizing that AI's ability to accelerate threat discovery and exploitation requires a fundamental re-evaluation of how vulnerabilities are managed. The Five Eyes cybersecurity agencies have also warned that AI is transforming cyber risk by increasing the speed, scale, and sophistication of threats, while simultaneously lowering the barrier to entry for malicious actors. This evolving landscape demands that leaders reassess long-held assumptions about cybersecurity resilience and accountability.
AI's impact is already evident in the dramatic improvements seen in AI agent capabilities for cybersecurity tasks. In April 2026, major AI labs announced production-grade systems capable of discovering, chaining, and even remediating vulnerabilities. Benchmarks from Stanford's HAI AI Index 2026 Cybench showed a significant leap in unguided AI agent success rates on cybersecurity tasks, rising from 15% to 93% within a single year. While faster discovery can benefit security teams by enabling earlier identification and more effective risk validation, it intensifies pressure on every system involved in vulnerability verification, scoring, disclosure, prioritization, and remediation.
The paper points out that traditional vulnerability management standards, built on assumptions of human-led discovery and time for assessment, are showing their age. CVE submissions, for instance, grew by 263% between 2020 and 2025 due to human-speed growth alone. NIST has acknowledged that the NVD can no longer keep up, shifting towards risk-based triage. If AI-driven discovery dramatically increases this volume, the prioritization problem will become even more acute, leaving defenders struggling to identify which vulnerabilities are truly exploitable, reachable in their environments, chainable, and require immediate action.
Rapid7 argues that the most urgent and least addressed issue is the "prioritization gap." Traditional severity scores often fail to account for how attackers can chain multiple lower-severity vulnerabilities into a significant compromise. While the CISA Known Exploited Vulnerabilities (KEV) catalog offers a strong signal, it is retrospective. Similarly, the Exploit Prediction Scoring System (EPSS) relies on historical attacker behavior, which may not reflect the new capabilities of AI-assisted attackers. To address this, Rapid7 proposes reforms such as recognizing verified AI-demonstrated exploitability, incorporating chaining-risk metadata into vulnerability records, and requiring reachability guidance alongside AI-discovered findings.
The paper also outlines a broader policy agenda, calling for updates to the Vulnerabilities Equities Process, increased investment in CVE and NVD infrastructure, standardized capability disclosures from AI labs, enhanced international coordination, and clear leadership from CISA. It advocates for three key access and verification standards for the security community: independent verification before access expansion, broad yet curated access through transparent processes, and rigorous data standards for published capability claims.
Ultimately, the paper concludes that AI-driven vulnerability discovery has crossed a critical threshold. The challenge now lies in adapting policy, standards, and operational systems quickly enough to enable defenders to leverage these powerful new capabilities safely and effectively. The future of cybersecurity resilience hinges on this adaptation, ensuring that the tools designed to protect us can keep pace with the evolving threat landscape.