Control trends
How is defensive coverage evolving?
NIST 800-53 controls and the CWEs / ATT&CK techniques they address. Configuration-management rule coverage (CIS Benchmarks, AWS Config conformance, STIGs) will plug into reserved chart slots when that data is ingested.
Last updated: 2026-05-15 11:31 UTC
Control family share of mitigations (AI)
For each quarter, the share of annotated CVEs whose strongest mitigating NIST 800-53 r5 control belongs to each family. Surfaces which families do the heavy lifting and how that mix evolves. Limited to the ~16k CVEs with per-CVE control annotations.
NIST control annotations per week
Per-week count of new cve_mitigating_controls annotations (Grok-bound). Tracks the per-CVE control-coverage pipeline's throughput; sustained dips usually mean Grok rate-limit or billing-wall episodes. The annotator runs once daily inside daily_enrichment.sh.
Reserved — Configuration rule coverage by control family
Coming when CIS Benchmarks / AWS Config conformance / Azure Policy / STIG ingestion lands. See the controls catalogue for the 49 cloud-native rules we have today.
Reserved — Implementation drift
Coming when configuration-drift observations are ingested. Will chart deviation between a customer's running configuration and their declared baseline, by control family.
Active anomalies — Control lens (AI)
Auto-detected each daily run. Shifts in control-family mitigation share over time. Resolves when the metric stops triggering.
No active anomalies in this lens.