July 11, 2026
Understanding the Cybersecurity Ecosystem: CVE, CWE, CAPEC, CVSS, NVD, NIST & More
Introduction

By xayol
4 min read
Introduction
If you've recently started learning cybersecurity, you've probably come across terms like CVE, CWE, CAPEC, CVSS, NVD, NIST, MITRE, or CNA.
At first, they can be overwhelming because they're often mentioned together. I had the same confusion — Are they all databases? Are they all vulnerability IDs? Who creates them?
The answer is no. Each serves a different purpose, and together they form the language used by security researchers, penetration testers, SOC analysts, and software vendors.
Let's understand them one by one.
Before We Begin
Imagine you're a security researcher.
While testing a WordPress plugin, you discover that attackers can upload a PHP file without authentication and gain remote code execution.
This single vulnerability will eventually involve almost every term we'll discuss in this article.
Let's follow its journey.
1. MITRE
Full Form
MITRE Corporation
Before understanding CVEs, you should know about MITRE.
MITRE is a non-profit organization that operates several cybersecurity programs funded by the U.S. government and other organizations. It develops and maintains projects that are used worldwide, including:
- CVE
- CWE
- CAPEC
- ATT&CK
- D3FEND
Notice something?
MITRE doesn't just maintain CVEs. Many of the cybersecurity resources you use every day are actually MITRE projects.
Think of MITRE as the organization managing the cybersecurity "dictionary."
2. CVE (Common Vulnerabilities and Exposures)
A CVE is a unique identifier assigned to a publicly disclosed security vulnerability.
It doesn't describe every technical detail.
Its job is simply to ensure that everyone refers to the same vulnerability using the same ID.
Example:
CVE-2026-12345CVE-2026-12345Instead of saying:
"That SQL Injection bug in WordPress Plugin XYZ…"
everyone can simply say:
"CVE-2026–12345"
Now researchers, vendors, scanners, and security teams know they're talking about the exact same vulnerability.
Think of it as
A passport number for a vulnerability.
3. CNA (CVE Numbering Authority)
Who creates CVEs?
Not every CVE comes directly from MITRE.
MITRE authorizes trusted organizations called CVE Numbering Authorities (CNAs).
Examples include:
- Microsoft
- Red Hat
- Cisco
- GitHub
- Oracle
If Microsoft discovers a Windows vulnerability, it can assign a CVE itself because it is a CNA.
This makes the process much faster.
Think of it as
Regional offices that are authorized to issue official IDs.
4. CWE (Common Weakness Enumeration)
A CWE describes the software weakness that caused the vulnerability.
It focuses on what developers did wrong.
Example:
CWE-89
SQL InjectionCWE-89
SQL InjectionThis doesn't point to one application.
Instead, it describes an entire category of programming mistakes.
Thousands of different applications could contain the same weakness.
Think of it as
The root cause.
5. CAPEC (Common Attack Pattern Enumeration and Classification)
Once a weakness exists, attackers need a way to exploit it.
That's where CAPEC comes in.
CAPEC documents how attackers perform attacks.
For SQL Injection, it explains things like:
- The attack process
- Prerequisites
- Required access
- Possible impacts
- Common defenses
Notice the difference:
CWE explains the developer's mistake.
CAPEC explains the attacker's technique.
Think of it as
The attacker's playbook.
6. CVSS (Common Vulnerability Scoring System)
Imagine two vulnerabilities.
One lets anyone on the internet take over a server.
Another only crashes an application if someone already has local access.
Clearly, they don't have the same risk.
CVSS assigns a severity score from 0.0 to 10.0.
Example:
9.8 Critical9.8 CriticalThe score considers factors like:
- Can it be exploited remotely?
- Does it require authentication?
- Does a user need to click something?
- How much damage can it cause?
Think of it as
A danger meter.
7. CPE (Common Platform Enumeration)
A vulnerability doesn't affect every piece of software.
CPE identifies exactly which products and versions are affected.
Example:
WordPress Plugin XYZ 2.1–2.4WordPress Plugin XYZ 2.1–2.4This allows scanners to determine whether a system is vulnerable.
Think of it as
A product identifier.
8. NVD (National Vulnerability Database)
The NVD is maintained by NIST.
It takes a CVE and enriches it with additional information such as:
- CVSS score
- Affected products (CPE)
- Related CWE
- References
- Technical analysis
If CVE is the ID card,
NVD is the complete profile.
Think of it as
A searchable encyclopedia of vulnerabilities.
9. NIST (National Institute of Standards and Technology)
NIST is a U.S. government agency responsible for developing cybersecurity standards and best practices.
Besides maintaining the NVD, it publishes widely used resources such as:
- Cybersecurity Framework (CSF)
- Risk Management Framework (RMF)
- SP 800 series
- Password guidelines
- Cryptographic standards like AES and SHA-3
Many organizations around the world follow NIST guidance to improve their security.
Think of it as
One of the organizations that defines cybersecurity best practices.
10. MITRE ATT&CK
ATT&CK is not about vulnerabilities.
Instead, it documents how attackers behave after gaining access.
Examples include:
- Credential Dumping
- Pass-the-Hash
- PowerShell
- Lateral Movement
- Persistence
Security teams use ATT&CK to understand and detect attacker behavior.
Think of it as
A map of real-world attacker techniques.
How Everything Fits Together
Imagine the complete journey.
Developer writes insecure code
│
▼
Software contains a weakness
(CWE)
│
▼
Attacker uses a known attack technique
(CAPEC)
│
▼
A researcher discovers the vulnerability
│
▼
Vendor fixes the issue
│
▼
A CNA or MITRE assigns a CVE
│
▼
NVD publishes detailed information
│
▼
CVSS measures its severity
│
▼
Security scanners detect affected products
using CPE information
│
▼
Organizations patch their systemsDeveloper writes insecure code
│
▼
Software contains a weakness
(CWE)
│
▼
Attacker uses a known attack technique
(CAPEC)
│
▼
A researcher discovers the vulnerability
│
▼
Vendor fixes the issue
│
▼
A CNA or MITRE assigns a CVE
│
▼
NVD publishes detailed information
│
▼
CVSS measures its severity
│
▼
Security scanners detect affected products
using CPE information
│
▼
Organizations patch their systemsCheat Sheet
Final Thoughts
Understanding these terms is like learning the vocabulary of cybersecurity. At first, they may seem unrelated, but each answers a different question:
- What mistake was made? → CWE
- How can it be exploited? → CAPEC
- Which vulnerability are we talking about? → CVE
- How serious is it? → CVSS
- Which products are affected? → CPE
- Where can I find the full details? → NVD
- Who develops many of these standards? → MITRE and NIST
Once you understand how these pieces fit together, reading vulnerability reports, bug bounty write-ups, penetration testing findings, and security advisories becomes much easier.
This version is closer to what you'd see in a high-quality Medium article: it introduces the concepts gradually, uses one running example throughout, and explains why each component exists rather than just listing definitions. One small factual note: MITRE is a nonprofit organization, not a government agency, although it operates federally funded research and development centers and manages programs such as CVE on behalf of the U.S. government.