1The one-paragraph answer
READ THIS FIRST
A CVE is just a globally unique serial number assigned by MITRE. The vulnerability details get published when the vendor releases their patch and the security advisory. Your scanner (Qualys, Tenable, Defender, etc.) reads those bulletins, writes detection rules, scans your assets, and reports back which assets have which CVEs. Mythal reads that finding from the scanner's API and takes it from there. Mythal does not crawl the internet hunting for CVEs — your scanner already does that job. Mythal orchestrates everything that happens after.
2Where CVEs come from — in 3 sentences
- A researcher finds a flaw. They report it to the vendor (or the vendor's own security team finds it).
- MITRE assigns a CVE number. The vendor builds a patch in private (the embargo, typically 90 days).
- The vendor publishes the bulletin (MS17-010, cisco-sa-iosxe-webui-privesc-j22SaA4z, SSA-573348) with the patch. NVD and CISA enrich the record. Scanner vendors write detection rules within hours. Your scanner runs against your assets and finds the vulnerable ones.
3One CVE walked through, end to end
Let's follow a real CVE — CVE-2023-20198, the Cisco IOS-XE Web UI privilege escalation from October 2023.
1
Day 1 — Private discovery
A Cisco customer (or independent researcher) notices weird behavior in IOS-XE Web UI. They report it to Cisco PSIRT. Cisco confirms it's a privilege-escalation flaw. Cisco reserves CVE number CVE-2023-20198 from MITRE. No one outside Cisco knows yet.
2
Day 2–60 — Embargo
Cisco engineers write the fix (IOS-XE 17.9.4a). The NVD record for CVE-2023-20198 exists but is RESERVED and empty — nothing published yet. No public knowledge of the flaw.
3
Disclosure day · 2023-10-16
Cisco publishes the bulletin cisco-sa-iosxe-webui-privesc-j22SaA4z on their PSIRT site. The patch is available immediately. NVD enriches: CVSS 10.0, CWE-269. CISA adds it to KEV the next day.
4
Day +1 to +2 — Scanner content update
Qualys' content team reads the Cisco bulletin. They write a QID (let's say QID 92121) — a detection rule that says "if you see IOS-XE version < 17.9.4a on a Cisco device, the asset is vulnerable to CVE-2023-20198." Qualys pushes that QID out to all customer subscriptions automatically.
5
Your next scan
Qualys runs (continuously / nightly / on your schedule). For each Cisco IOS-XE asset on version < 17.9.4a, it logs { QID: 92121, CVE: ["CVE-2023-20198"], asset: switch-001, ... } in Qualys VMDR.
6
Mythal picks it up
Mythal's Scanner Liaison agent polls Qualys' API every 5 minutes. It pulls the new findings, extracts the CVE list, creates a Mythal Finding record for each affected asset, and hands them to the Supervisor agent — which kicks off the full 12-agent loop.
That's the entire chain. Mythal's job starts at stage 6.
4Glossary — who's what, where it lives
PSIRT
Vendor's security team
Microsoft MSRC · Cisco PSIRT · Siemens ProductCERT
Advisory
Document the PSIRT publishes
cisco-sa-iosxe-webui-privesc-j22SaA4z
CVE
Global serial number from MITRE
CVE-2023-20198
NVD record
NIST's authoritative database
nvd.nist.gov/vuln/detail/CVE-2023-20198
KEV listing
CISA's actively-exploited catalog
cisa.gov/known-exploited-vulnerabilities-catalog
QID
Qualys' detection rule identifier
QID 92121 → maps to CVE-2023-20198
Finding
Mythal database row · one CVE on one asset
{ asset: switch-001, cve: CVE-2023-20198 }
Plan
Mythal's response to a finding
"Apply IOS-XE 17.9.4a via Catalyst Center, rollback ready"
5Direct answers to your questions
Q: Do our agents query vendor advisories?
For the scanner finding — no. Your scanner already did that part. Mythal just reads the scanner's API.
For enrichment — yes, but as a secondary source. The Threat Intel agent and Patch Hunter agent can query NVD (REST API), CISA KEV (live JSON feed), and vendor PSIRT APIs (Microsoft MSRC API, Cisco PSIRT openVuln). These are subscriptions, not crawls — we hit known endpoints, not random sites.
For enrichment — yes, but as a secondary source. The Threat Intel agent and Patch Hunter agent can query NVD (REST API), CISA KEV (live JSON feed), and vendor PSIRT APIs (Microsoft MSRC API, Cisco PSIRT openVuln). These are subscriptions, not crawls — we hit known endpoints, not random sites.
Q: How do we get CVEs? Where from?
Primary source — your scanner (Qualys, Tenable, Defender, Wiz, Claroty, etc.). It reports findings via its REST API; each finding includes the CVE.
Secondary sources (enrichment): NVD, CISA KEV, vendor PSIRT feeds.
We don't go fetch new CVEs from "the internet" on a timer. We subscribe to authoritative endpoints.
Secondary sources (enrichment): NVD, CISA KEV, vendor PSIRT feeds.
We don't go fetch new CVEs from "the internet" on a timer. We subscribe to authoritative endpoints.
Q: If we read from Qualys, how do we convert QID to CVE?
We don't have to convert — Qualys gives us both in the same API response. When Qualys reports a finding, its payload includes the QID and the list of CVEs that QID covers:
{
"QID": 92121,
"CVE": ["CVE-2023-20198"],
"host_dns": "switch-001.csx.local",
"severity": 5,
"first_found": "2023-10-17T03:14:00Z"
}
Scanner Liaison just extracts the CVE and uses that as the canonical identifier. We keep the QID stored as a back-reference for round-trip lookups.
Q: Are we querying NVD every time?
No. We only query NVD when we need to enrich a finding for the first time (get CVSS score, description, references). After the first hit we cache aggressively — once we've pulled the NVD record for CVE-2023-20198, we don't pull it again.
In the demo today, NVD-style enrichment is bundled (we don't actually call NVD on Azure). In production, we wire to the real NVD API 2.0 with local caching.
In the demo today, NVD-style enrichment is bundled (we don't actually call NVD on Azure). In production, we wire to the real NVD API 2.0 with local caching.
Q: Where are we getting CVEs from?
Three sources, ranked by volume:
- Customer's scanner — the firehose. 80%+ of findings.
- CISA KEV live fetch — for the actively-exploited tier. Mythal pulls this on the Sync KEV button.
- Vendor PSIRT feeds — direct subscriptions to Microsoft, Cisco, Siemens.
Q: PSIRT vs Advisory vs CVE vs Finding vs Plan — clarify?
The flow: Cisco PSIRT (the team) publishes an Advisory (the document) → which references CVE-2023-20198 (the global ID) → your scanner finds it on switch-001 → Mythal creates a Finding (one CVE on one asset) → Mythal builds a Plan (the response).
Q: Where do we start?
We start when a Finding arrives. The Scanner Liaison agent is the entry point. Everything else flows from there.
Q: "Will CVE not get published until vendor has fix?"
Mostly yes — for responsibly disclosed vulnerabilities. The CVE number is reserved early. The record stays empty during the embargo (~90 days while the vendor builds the patch). It's published with full details + patch references when the vendor releases the fix.
Exceptions where CVE is public BEFORE a patch:
Exceptions where CVE is public BEFORE a patch:
- Zero-days exploited in the wild — researcher publishes without coordination because attackers are already using it.
- Vendor non-response — researcher gives up after 90 days and discloses.
- Disagreements — vendor disputes severity; researcher discloses anyway.
Q: Do our agents query the internet every time for new CVEs?
No. Two different behaviors:
On a schedule (continuous):
On a schedule (continuous):
- Scanner Liaison polls your scanner APIs every 5–15 minutes.
- Threat Intel polls CISA KEV catalog every few hours.
- Vendor PSIRT RSS feeds where supported.
- NVD lookup for a specific CVE (cached after first hit).
- Vendor advisory page lookup (cached).
6What's real today vs production
| Source | Demo today | Production |
|---|---|---|
| Scanner findings | Synthetic via scenarios + real CISA KEV match | Real Qualys/Tenable/Wiz/Claroty/etc. API polling |
| CISA KEV catalog | Real live fetch — works today (the Sync KEV button) | Real live fetch + scheduled hourly poll |
| NVD lookups | Bundled / synthetic | Real NVD API 2.0 with local cache |
| Vendor PSIRT | Synthetic advisories | Real MSRC API · Cisco openVuln · Siemens CSAF · Red Hat Product Security |
The architecture is identical between demo and production. What changes is the data source flag in each connector's config. The same Scanner Liaison agent class talks to either a simulator or a real Qualys server — the contract doesn't change.
7The line for CSX
VERBATIM ANSWER WHEN CSX ASKS
"Two paths. Primary: your scanner — Mythal polls your Qualys / Tenable / Defender API and picks up findings the moment your scanner reports them. Secondary: vendor PSIRT feeds and CISA KEV — we subscribe directly so we sometimes see vulnerabilities before your scanner's detection rule is even shipped. Both paths converge on the same canonical Finding object in Mythal."
8The one-pager — what to remember
- CVE is just a serial number. MITRE assigns it. It exists before the details are public.
- The vendor PSIRT publishes the advisory when they release the patch. That's when the world learns the details.
- NVD and CISA enrich the record with CVSS scores, references, KEV listing.
- Scanner vendors translate the advisory into detection rules (QIDs, plugins) — usually within hours.
- Your scanner finds the vulnerable asset on its next scan.
- Mythal reads the finding from the scanner's API and runs the agent loop. We don't crawl the internet.
- Mythal can also subscribe directly to NVD / CISA KEV / vendor PSIRTs as secondary sources, for cases where we want to see things before the scanner's detection rule is shipped.
Where CVEs come from · Mythal · for your understanding
Pair with: Scenarios explained · Execution explained
Pair with: Scenarios explained · Execution explained