How long does it take a new CVE to appear on EchelonGraph after the vendor publishes it?

Median ~5 minutes, worst case ~9 minutes. The chain is: CNA publishes via CVE Services API → record lands in MITRE's cvelistV5 GitHub repo (1–3 min, CNA-driven) → EchelonGraph's MITRE poller picks it up (0–5 min — 5-minute ticker) → record upserted into the cves table → matcher attributes it to customer assets → per-tenant NATS alert → WebSocket bridge surfaces it in the Attack Graph. NVD-only feeds typically lag this by 3–48 hours because of NVD's analyst-queue step.

Why is NVD slower than EchelonGraph?

NVD is one layer downstream of where CNAs publish. After a CNA submits a record to the CVE Services API, the record lands in the cvelistV5 GitHub repo within minutes. NVD then ingests that record and routes it through an analyst queue for CPE matching, CVSS validation, CWE review, and reference tagging. Those analyst-enrichment steps add hours-to-days of latency (NVD had a multi-month backlog crisis in 2024). EchelonGraph polls cvelistV5 directly every 5 minutes, then later upserts NVD's analyst enrichment when it lands — first-touch wins for speed, deep-enrichment wins for quality.

What data sources does EchelonGraph aggregate?

Seven distinct upstream sources, all upserting into one cves row keyed by CVE-ID: (1) MITRE cvelistV5 GitHub commits, every 5 minutes — the fast path. (2) NVD REST API every 2 hours — the deep-enrichment path with analyst-validated CPE and CVSS. (3) GitHub Security Advisories — npm, PyPI, Go, Maven, RubyGems ecosystem detail. (4) Google OSV — open-source vulnerability database across multiple ecosystems. (5) CISA KEV (Known Exploited Vulnerabilities) every 6 hours — flags CVEs being exploited in the wild. (6) EPSS (Exploit Prediction Scoring System) from FIRST, daily — exploit-probability score 0-1. (7) Fourteen vendor PSIRT/advisory pollers — MSRC, Red Hat, Cisco, Palo Alto, Apple, AWS, GCP, Azure, VMware, HashiCorp, Atlassian, GitLab, Grafana, GHSA. Conflicts resolve via a `modified` timestamp freshness gate so stale re-fetches are no-ops.

How does EchelonGraph connect CVEs to my specific assets?

EchelonGraph's three-tier scanner stack discovers assets (Tier 1 cloud-native APIs, Tier 2 on-prem network crawl, Tier 3 in-cluster Kubernetes agent) and represents them as nodes in a per-tenant graph. When the CVE ingest pipeline lands a new vulnerability, an internal matcher attributes it to every customer asset that matches by package, image, or CPE tag — then writes a findings row, emits a per-tenant NATS alert, and surfaces it on the Attack Graph via the WebSocket bridge within roughly 60 seconds of CVE landing. Most CVE feeds give you a flat list — EchelonGraph tells you which of your assets is affected, not just that the CVE exists.

What is the EchelonGraph Score?

A confidence-rated severity score we synthesize per CVE by combining NVD CVSS, CISA KEV exploitation flag, EPSS exploit probability, GHSA ecosystem severity, and any vendor-supplied CVSS into a single 0-10 value. Confidence is reported alongside the score (HIGH / MEDIUM / LOW) so security teams know whether to trust it as a triage signal. Most providers show only NVD CVSS — which can mark a CVE 9.8 even when it has zero observed exploitation and no available exploit code. The EG Score blends those signals so triage time goes to CVEs that actually have exploitation pressure on your stack.

NVD's typical lag from CNA publication to NVD record visibility is hours to multiple days. During the 2024 analyst-pool capacity crisis, NVD's tail latency stretched to weeks-to-months for new records — and that tail re-opens during analyst-pool capacity crunches. The latency comes from NVD's required analyst step: CPE matching (converting CNA free-text affected-product strings into structured cpe:2.3 URIs with version-range trees), CVSS validation, CWE classification review, and reference-link tagging. These are real value-adds — analyst-curated CPE is what lets vulnerability scanners deterministically decide 'is this version affected?' — but they're the reason NVD lags the cvelistV5 feed that EchelonGraph polls directly.

What is MITRE cvelistV5?

cvelistV5 is the canonical CVE-record format and the GitHub repository where every CVE Numbering Authority (CNA) publishes their vulnerability disclosures. When a CNA — Microsoft, Apple, Cisco, Red Hat, GitHub, or any of the ~400 other CNAs — assigns a CVE ID and submits a record via the CVE Services API, the record lands in github.com/CVEProject/cvelistV5 within minutes. It contains the raw CNA disclosure (descriptions, affected products as free text, references, CVSS the CNA supplied, CWE classification). It does NOT contain NVD's analyst-curated CPE or validated CVSS — those are added later when NVD ingests the record. EchelonGraph polls cvelistV5 every 5 minutes for first-touch freshness, then upserts NVD's enrichment when it lands.

Can I get pre-NVD CVE access through EchelonGraph?

Yes. 'Pre-NVD' means a CVE that has been published by a CNA via MITRE cvelistV5 but has not yet been ingested and analyst-enriched by NVD. EchelonGraph's 5-minute MITRE poller picks up these records as soon as they land in cvelistV5, typically hours-to-days before they appear in NVD's REST API. Pre-NVD records carry the CNA's self-supplied CVSS (we tag the score's source as 'cna:\u003cvendor\u003e' on the detail page) and are surfaced with a 'Pre-NVD' badge so security teams understand they're seeing analyst-pending data. When NVD's analyst record lands later, EchelonGraph upserts the validated CVSS and CPE match without losing the original CNA attribution.

Is EchelonGraph an alternative to VulnCheck, Tenable, Rapid7, or Snyk?

EchelonGraph is complementary to those platforms on the CVE-feed axis, not a one-to-one replacement. VulnCheck and Mandiant focus on threat intelligence + exploit data. Tenable (Nessus, Tenable.io, VPR) and Rapid7 (InsightVM) are vulnerability scanners with their own prioritization scores. Snyk DB focuses on developer-tool SCA across language ecosystems. What EchelonGraph adds: 5-minute median CVE delivery from MITRE cvelistV5 (faster than NVD-only feeds the other platforms typically license), multi-source aggregation across 7 distinct upstreams in one row keyed by CVE-ID with a freshness-gated upsert, and per-tenant asset attribution so each new CVE is automatically connected to the specific customer assets affected. Customers commonly run EchelonGraph alongside their existing scanner to close the CVE-disclosure-to-attack-graph latency gap.

CVE Pipeline Architecture

Why EchelonGraph is the fastest CVE informer

Most CVE feeds show you a vulnerability after NVD's analyst finishes — hours to days after publication. EchelonGraph shows it the moment the vendor publishes — minutes — and connects it to your assets, not just to a CVE ID.

The 9-minute worst case

Every hop from the moment a CVE Numbering Authority (CNA) publishes a vulnerability to the moment it appears on your Attack Graph:

Per-hop latency budget from CNA publishing a CVE to it appearing on a customer's Attack Graph.
Hop	Latency
CNA publishes via CVE Services API	t = 0
Record lands in cvelistV5 GitHub repo	+1–3 min (CNA-driven)
EchelonGraph MITRE poller ticks	+0–5 min (5-min ticker)
Postgres BatchUpsertConservative writes the row	<1 sec
Matcher after-ingest hook attributes to assets	<1 sec
Per-tenant NATS alert published	<1 sec
WebSocket bridge → Attack Graph updates	<1 sec
Total — worst case	~9 minutes
Median observed (production)	~5 minutes

Time-to-first-record vs other CVE providers

How long after a vendor publishes a CVE does each provider make it visible to you?

Typical lag from CNA publication to record visibility, by CVE provider. EchelonGraph vs NVD-only, MITRE-only, VulDB, Snyk, and GHSA-only feeds.
Provider	Source path	Typical lag
EchelonGraph	MITRE 5-min + NVD 2h + GHSA + OSV + KEV + EPSS + 14 vendor pollers	5–10 min
NVD-only feeds	NVD /rest/json/cves/2.0 — analyst-gated	3 hrs – multiple days
MITRE-only feeds	Raw cvelistV5 records — no CPE / no validated CVSS	5–15 min
VulDB	Scrapes CNAs + their own analysts	min–hours, no API SLO
Snyk DB	Curated ecosystem advisories — analyst-gated	hours–days
GitHub Advisories only	GHSA — ecosystem-only (npm / PyPI / Go / Maven / RubyGems)	min, but ecosystem-only

Lag values reflect typical behaviour at time of publication. NVD's 2024 analyst backlog pushed its tail latency to weeks-to-months — a tail that re-opens during analyst-pool capacity crunches.

What single-source providers can't do

Speed is only one axis — depth matters too. Here's what EchelonGraph delivers that NVD-only, MITRE-only, and VulDB feeds don't:

Capability matrix comparing EchelonGraph against NVD-only, MITRE-only, and VulDB across 9 dimensions including multi-source ingest, analyst-enriched CPE, KEV, EPSS, vendor PSIRTs, asset attribution, real-time push, and the synthesized EG Score.
Capability	EchelonGraph	NVD-only	MITRE-only	VulDB
Fast first-touch via MITRE cvelistV5 (5-min poll)	✓	—	✓	✓
Analyst-enriched CPE + validated CVSS	✓	✓	—	—
GHSA ecosystem detail (npm/PyPI/Go/Maven/RubyGems)	✓	—	—	—
CISA KEV exploit-in-the-wild flag	✓	—	—	—
EPSS exploit-probability score	✓	—	—	—
Vendor PSIRT pollers (14 vendors)	✓	—	—	partial
Per-tenant asset → CVE attribution	✓	—	—	—
Real-time WebSocket push to dashboard	✓	—	—	—
Synthesized confidence-scored EG Score	✓	—	—	—

Looking for a VulnCheck, Tenable, Rapid7, or Snyk DB alternative?

EchelonGraph is complementary to those platforms on the CVE-feed axis, not a one-to-one replacement. Most teams evaluating us are already paying for one of them and want to close a specific gap. Here's how to think about it:

VulnCheck alternative — CVE feed freshness + asset attribution

VulnCheck's strength is exploit intelligence and KEV-style early-warning feeds. Where EchelonGraph adds is the 5-minute MITRE cvelistV5 poll (CVE records arrive at EchelonGraph before NVD's analyst-queue step delays them), the multi-source upsert (NVD + GHSA + OSV + KEV + EPSS + 14 vendor PSIRTs into one row), and per-tenant asset attribution that links every new CVE to your specific cloud / on-prem / Kubernetes assets — not just a flat list.

Tenable / Rapid7 InsightVM alternative — pre-scan CVE intelligence

Tenable (Nessus, Tenable.io, VPR — Vulnerability Priority Rating) and Rapid7 InsightVM are scanner-first products with their own prioritization scores. They license CVE data from NVD, which means the CVE freshness ceiling matches NVD's. EchelonGraph runs alongside your scanner and closes the gap on the disclosure-to-detection latency: a new CVE reaches the EchelonGraph Attack Graph in ~5 minutes after the CNA publishes it, instead of waiting for the next NVD analyst pass plus the next scanner cycle.

Mandiant alternative — CVE-side of vulnerability intelligence

Mandiant (now Google Cloud Threat Intelligence) is strongest on adversary intel, IOCs, and APT tracking. EchelonGraph isn't trying to be a threat-intel platform — we're the CVE-side of vulnerability intelligence: which CVEs were disclosed in the last 5 minutes, which of your assets are affected, what the synthesized severity is across NVD + KEV + EPSS + GHSA. Customers commonly run both.

Snyk DB alternative — beyond developer-ecosystem SCA

Snyk DB is excellent for npm / PyPI / Maven / Go / RubyGems SCA inside a developer workflow. EchelonGraph already ingests GHSA (the same upstream Snyk uses for ecosystem data) and combines it with NVD + MITRE + vendor PSIRTs for infrastructure and appliance CVEs that ecosystem-only feeds miss — Palo Alto PAN-OS, Cisco IOS, VMware vCenter, F5 BIG-IP, HashiCorp Vault, Atlassian Jira / Confluence, and 8 more.

VulDB / NVD-only feeds — when you need pre-NVD CVE access

If you're relying on NVD's REST API or a feed that mirrors it, you inherit NVD's analyst-queue lag. EchelonGraph delivers pre-NVD CVE access via the 5-minute MITRE cvelistV5 poll — the same feed CNAs publish to. Records arrive with a clear "Pre-NVD" badge on the detail page so your team knows they're seeing CNA-self-supplied CVSS until NVD's analyst record lands and we upsert the validated CVSS + CPE match without losing the original CNA attribution.

How the architecture wins

1. Multi-poller, single-row upsert with freshness gate

Every source writes to the same cves row keyed by CVE-ID. A modified timestamp gates conflicts: MITRE wins first-touch (speed); NVD wins enrichment depth when its analyst lands (CPE, validated CVSS). Stale re-fetches become no-ops.

2. Direct CNA proximity

We watch the cvelistV5 GitHub commits — the same feed CNAs push to via the CVE Services API. NVD is one layer downstream of where we sit. That single architectural choice is the freshness lead.

3. Asset attribution built in

Most CVE feeds give you a flat list. EchelonGraph tells you which of your assets is affected. Our three-tier scanner stack (cloud-native APIs, on-prem network crawl, in-cluster eBPF agent) maps your infrastructure into a per-tenant graph; the matcher attributes each new CVE to every matching asset, emits a per-tenant alert, and surfaces it on the Attack Graph in roughly 60 seconds of CVE landing.

4. Synthesized confidence-scored EG Score

NVD shows CVSS only — which can mark a vulnerability 9.8 even when it has zero observed exploitation. EchelonGraph blends NVD CVSS, CISA KEV exploitation flag, EPSS probability, GHSA ecosystem severity, and vendor-supplied scores into one confidence-rated EG Score per CVE. Triage time goes to the vulnerabilities that actually have exploitation pressure on your stack.

Authoritative sources

The pipeline architecture above is based on public documentation from each upstream provider. Verify the claims directly:

CVE Project — cvelistV5 GitHub repository — the canonical source for CNA-submitted records that EchelonGraph polls every 5 minutes.
NIST NVD — REST API v2.0 — the analyst-enriched feed with validated CPE and CVSS, polled every 2 hours.
CISA Known Exploited Vulnerabilities (KEV) catalog — exploit-in-the-wild flag refreshed every 6 hours.
FIRST EPSS — Exploit Prediction Scoring System — daily exploit-probability scores 0–1.
GitHub Security Advisories (GHSA) — ecosystem-tagged advisories for npm, PyPI, Go, Maven, RubyGems.
Google OSV (Open Source Vulnerabilities) — multi-ecosystem coverage with affected-version ranges.
CVE Program — CNA Rules & Documentation — how CVE Numbering Authorities assign and publish records.

See the data behind the claims

Every CVE in our database has its own detail page with the full multi-source provenance — NVD, MITRE CNA assignment, GHSA, KEV flag, EPSS percentile, and vendor advisory links.

Browse the CVE catalogue →Read the scoring methodology Vendor advisory feed