
NIST NVD
Threat Intelligence- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The NIST NVD Connector integrates with the National Vulnerability Database (NVD) maintained by the U.S. National Institute of Standards and Technology, together with the CWE catalog published by MITRE. It synchronizes three datasets:
- Vulnerabilities (CVE records) — published CVEs including descriptions, CVSS v2/v3 scoring, CISA Known Exploited Vulnerability (KEV) data, weakness (CWE) associations, and the affected products (CPEs) resolved from CPE match criteria.
- Weaknesses (CWE) — the latest CWE weakness catalog, including weakness names, descriptions, exploit likelihood, and parent-weakness relationships.
- Products (CPE) — Common Platform Enumeration dictionary entries, with the CPE name parsed into its Well-Formed Name (WFN) components.
The Vulnerability and Product datasets are retrieved from the NVD REST API and support incremental synchronization. The Weakness dataset is downloaded as a compressed XML archive directly from MITRE.
Data retrieved from NIST NVD
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Vulnerability | Yes | Cve Record |
| Weakness | Yes | Weakness |
| Product | Yes | Product |
Model relationships
For detailed steps on how to view the data retrieved from NIST NVD in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select NIST NVD from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| Service URL | Yes | https://services.nvd.nist.gov | NIST NVD REST service URL |
| API key | Yes | (Brinqa-provided default key) | NVD API key |
| Parallel requests | No | min(2, available processors) | Maximum number of parallel API requests |
| Maximum retries | No | 10 | The maximum number of retry attempts before giving up a request |
Authentication
The connector authenticates to the NVD REST service using an API key that is sent as an apiKey HTTP request header on every request. There is no separate token-exchange or login step — the key is supplied directly with each call. A request to the NVD API to confirm connectivity looks as follows.
Endpoint
| Method | URL |
|---|---|
| GET | https://services.nvd.nist.gov/rest/json/cves/2.0?resultsPerPage=1 |
Request Headers
| Header | Value | Description |
|---|---|---|
apiKey | <your NVD API key> | NVD-issued API key used to authorize and rate-limit the request. |
X-Requested-With | brinqa | Client identifier sent by the connector. |
User-Agent | BrinqaNVDConnector/<version> | Connector user-agent string. |
Request Body
No request body is sent; all parameters are passed as query-string parameters.
Sample Response
{
"resultsPerPage": 1,
"startIndex": 0,
"totalResults": 240000,
"format": "NVD_CVE",
"version": "2.0",
"timestamp": "2026-06-10T00:00:00.000",
"vulnerabilities": [
{
"cve": {
"id": "CVE-1999-0001",
"sourceIdentifier": "cve@mitre.org",
"published": "1999-12-30T05:00:00.000",
"lastModified": "2024-11-20T23:27:50.057",
"vulnStatus": "Modified"
}
}
]
}
Response Fields
| Field | Description |
|---|---|
resultsPerPage | Number of results returned in this page. |
startIndex | Zero-based index of the first result in this page. |
totalResults | Total number of results matching the request. |
vulnerabilities | Array of CVE records (the synced payload). |
Using the credential in subsequent requests
The same apiKey header is attached to every API and archive request the connector makes (CVE, CPE, CPE match, and the CWE archive download). The connector also honors the NVD rate limit of 50 requests per 30 seconds for authenticated callers.
Sync Behavior
The connector supports incremental (delta) syncs. It maintains a sync token between runs and applies it as an incremental timestamp filter, so each run re-processes only the records that changed after the previous sync. The initial run retrieves the complete data set; later runs are incremental. The specific timestamp field applied to each object is documented under that object's Sync Duration Parameter.
How to obtain NIST NVD credentials
Generate a NIST NVD API key
For the NIST NVD connector to use the NIST NVD API, you must provide the API keys from NIST NVD. To obtain an API key, follow these steps:
-
Navigate to NIST NVD's developer portal.
-
Fill in the organization name and email address, and then select the organization type from the dropdown.
-
Agree to the Terms of Use and click Submit. An email is sent to the email address from the previous step.
-
Click the link in the email from
nvd-noreply@nist-gov. -
A new tab containing the new API key opens in your browser. Copy the API key and save it in a safe and secure location.
Note: You can not view the API key again. If you lose or forget the key, you must request a new one. For additional information, see NIST NVD documentation.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Vulnerability
| Source Field Name | SDM Attribute |
|---|---|
CveItem.cisaActionDue | CISA_DUE_DATE |
CveItem.cisaExploitAdd | CISA_ADDED_DATE |
CveItem.cisaRequiredAction | CISA_REQUIRED_ACTION |
CveItem.cisaVulnerabilityName | CISA_VULNERABILITY_NAME |
CveItem.descriptions[lang=en].value | DESCRIPTION |
CveItem.id | UID |
CveItem.id | NAME |
CveItem.lastModified | SOURCE_LAST_MODIFIED |
CveItem.published | PUBLISHED_DATE |
CveItem.references[].url | REFERENCES |
CveItem.sourceIdentifier | SOURCE_IDENTIFIER |
CveItem.vulnStatus | STATUS |
CveItem.weaknesses[].description[].value | WEAKNESSES |
derived from CveItem.cisaExploitAdd | CISA_EXPLOITED |
| derived integer from CVSS base score | SOURCE_SEVERITY |
metrics.cvssMetricV2[].baseSeverity | CVSS_V2_SEVERITY |
metrics.cvssMetricV2[].cvssData.accessComplexity | CVSS_V2_AC |
metrics.cvssMetricV2[].cvssData.accessVector | CVSS_V2_AV |
metrics.cvssMetricV2[].cvssData.authentication | CVSS_V2_AU |
metrics.cvssMetricV2[].cvssData.availabilityImpact | CVSS_V2_AI |
metrics.cvssMetricV2[].cvssData.baseScore | CVSS_V2_BASE_SCORE |
metrics.cvssMetricV2[].cvssData.confidentialityImpact | CVSS_V2_CI |
metrics.cvssMetricV2[].cvssData.integrityImpact | CVSS_V2_II |
metrics.cvssMetricV2[].cvssData.vectorString | CVSS_V2_VECTOR |
metrics.cvssMetricV31/V30[].cvssData.attackComplexity | CVSS_V3_AC |
metrics.cvssMetricV31/V30[].cvssData.attackVector | CVSS_V3_AV |
metrics.cvssMetricV31/V30[].cvssData.availabilityImpact | CVSS_V3_AI |
metrics.cvssMetricV31/V30[].cvssData.baseScore | CVSS_V3_BASE_SCORE |
metrics.cvssMetricV31/V30[].cvssData.baseSeverity | CVSS_V3_SEVERITY |
metrics.cvssMetricV31/V30[].cvssData.confidentialityImpact | CVSS_V3_CI |
metrics.cvssMetricV31/V30[].cvssData.exploitCodeMaturity | CVSS_V3_E |
metrics.cvssMetricV31/V30[].cvssData.integrityImpact | CVSS_V3_II |
metrics.cvssMetricV31/V30[].cvssData.privilegesRequired | CVSS_V3_PR |
metrics.cvssMetricV31/V30[].cvssData.remediationLevel | CVSS_V3_RL |
metrics.cvssMetricV31/V30[].cvssData.reportConfidence | CVSS_V3_RC |
metrics.cvssMetricV31/V30[].cvssData.scope | CVSS_V3_SCOPE |
metrics.cvssMetricV31/V30[].cvssData.userInteraction | CVSS_V3_UI |
metrics.cvssMetricV31/V30[].cvssData.vectorString | CVSS_V3_VECTOR |
| normalized from CVSS base score | SEVERITY |
resolved from CveItem.configurations[].nodes[].cpeMatch[] via CPE match criteria | AFFECTED |
Weakness
| Source Field Name | SDM Attribute |
|---|---|
"CWE-" + Cwe.id | UID |
| constant "Weakness" | CATEGORIES |
Cwe.description | DESCRIPTION |
Cwe.name | NAME |
Cwe.relatedWeaknesses[nature=ChildOf].cweId | PARENT_WEAKNESSES |
normalized from Cwe.likelihoodOfExploit | EXPLOITABILITY |
Product
| Source Field Name | SDM Attribute |
|---|---|
CpeItem.cpeName | CPE_NAME |
CpeItem.cpeName (WFN component) | PART |
CpeItem.cpeName (WFN component) | VENDOR |
CpeItem.cpeName (WFN component) | NAME |
CpeItem.cpeName (WFN component) | VERSION |
CpeItem.cpeName (WFN component) | UPDATE |
CpeItem.cpeName (WFN component) | EDITION |
CpeItem.cpeName (WFN component) | LANG |
CpeItem.cpeName (WFN component) | SOFTWARE_EDITION |
CpeItem.cpeName (WFN component) | TARGET_SOFTWARE |
CpeItem.cpeName (WFN component) | TARGET_HARDWARE |
CpeItem.cpeName (WFN component) | OTHER |
CpeItem.cpeNameId | UID |
CpeItem.cpeNameId | CPE_NAME_ID |
CpeItem.created | SOURCE_CREATED_DATE |
CpeItem.deprecated | DEPRECATED |
CpeItem.deprecatedBy[].cpeNameId | DEPRECATED_BY |
CpeItem.lastModified | SOURCE_LAST_MODIFIED |
CpeItem.refs[].ref | REFERENCES |
CpeItem.titles[lang=en].title | TITLE |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Vulnerability
Operation options
This object does not support any operation options.
Delta sync
Supported.
API
- Type: REST endpoint · Endpoint:
GET /rest/json/cves/2.0
Weakness
Operation options
This object does not support any operation options.
Delta sync
Supported.
API
- Type: REST endpoint · Endpoint:
GET https://cwe.mitre.org/data/xml/cwec_latest.xml.zip
Product
Operation options
This object does not support any operation options.
Delta sync
Supported.
API
- Type: REST endpoint · Endpoint:
GET /rest/json/cpes/2.0
Changelog
The NIST NVD connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.1.13 | Bug Fixes - Corrected the data type used for the source severity value reported on vulnerabilities so it is stored as a whole number, matching the values published by NVD. | • Vulnerability: The stored data type of the source severity attribute changed. Re-sync the connector so existing vulnerability records are repopulated with the corrected value type. |
| 3.1.12 | Improvements - Expanded the connector documentation with detailed setup, configuration, and data model guidance. | N/A |
| 3.1.11 | Improvements Dependency Upgrades Upgraded internal framework and model libraries to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. | N/A |
| 3.1.10 | New Features - Added a configurable maximum retry setting, letting you control how many times the connector retries requests to the NVD service before giving up. | N/A |
| 3.1.9 | Bug Fixes - Fixed how the source severity reported by NVD is interpreted so the numeric value is captured correctly on vulnerability records. | • Vulnerability: The stored data type of the source severity attribute changed. Re-sync the connector so existing vulnerability records are repopulated with the corrected value type. |
| 3.1.8 | Improvements - Added request rate limiting that respects the NVD service guidelines, improving sync reliability and reducing throttling errors on large data pulls. | N/A |
| 3.1.7 | New Features - Weakness (CWE) records now capture parent weakness relationships, enabling navigation of the CWE hierarchy. | N/A |
| 3.1.6 | Improvements Dependency Upgrades Upgraded internal framework and model libraries to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. | N/A |
| 3.1.5 | Improvements Dependency Upgrades Upgraded internal framework and model libraries to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. | N/A |
| 3.1.4 | Improvements - Optimized the connector logo to reduce its file size. | N/A |
| 3.1.3 | Improvements - CISA Known Exploited Vulnerabilities (KEV) data is now mapped to the standard data model attributes, including the exploited flag, date added, due date, required action, and vulnerability name, for consistent reporting across connectors. | • Vulnerability: The CISA KEV attribute identifiers were renamed to align with the standard data model. Re-sync the connector so existing vulnerability records are repopulated under the new attribute names. |
| 3.1.2 | Improvements - The original creation and last modified timestamps published by NVD are now preserved on synchronized records using the standard source date attributes. | • Product: The created and last modified timestamp attributes were re-keyed to the standard source date attributes. Re-sync the connector so existing records are repopulated under the new attribute names. |
| 3.1.1 | Bug Fixes - Corrected a typo in the CISA KEV due date handling and refined product record population. | N/A |
| 3.1.0 | New Features - Migrated the connector to the NVD 2.0 REST API, ensuring continued data access ahead of the legacy API's deprecation. - Added support for an NVD API key, enabling higher request rate limits. - Vulnerability records now include CISA Known Exploited Vulnerabilities (KEV) details and a source identifier. | N/A |
| 3.0.5 | Improvements Dependency Upgrades Upgraded internal framework and model libraries to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. | N/A |
| 3.0.4 | Improvements - Vulnerability and Weakness records now populate standard unique identifier and source identifier mappings for more reliable matching and de-duplication. | N/A |
| 3.0.3 | Improvements - Added handling for the NVD service's 120-day date range limit and clearer error reporting when the service returns an error. | N/A |
| 3.0.2 | New Features - Added a Weakness model that synchronizes CWE (Common Weakness Enumeration) definitions from NVD. - Added support for configuring an NVD API key. | N/A |
| 3.0.1 | Improvements - Streamlined how matching CPE products are resolved for each vulnerability, removing the need to download the full CPE match data on every sync for faster, more efficient runs. | N/A |
| 3.0.0 | Overview The NIST NVD connector integrates with the National Vulnerability Database (NVD) maintained by the U.S. National Institute of Standards and Technology to synchronize publicly disclosed vulnerabilities (CVEs) and the affected products (CPEs) they reference. Category: Threat Intelligence Models | N/A |