A few weeks ago someone left this comment on my post about AVE:
"It looks to me like you're listing common (agentic) weaknesses (CWEs) or 'Threat Patterns' and not 'vulnerabilities'. Those are intended to be specific to concrete artifacts."
ApfelbaumFlo was correct. I want to explain exactly why, because it matters for how you use AVE.
CVE vs CWE — what the distinction actually means
CVE (Common Vulnerabilities and Exposures) identifies a specific flaw in a specific product at a specific version. CVE-2024-0519 is a V8 engine flaw in Chrome versions below 120.0.6099.129. It has an affected product. It has a version range. There is a patch. You can check whether you are running the vulnerable version.
CWE (Common Weakness Enumeration) identifies a class of weakness that can appear in any codebase. CWE-79 is Cross-Site Scripting. It is not tied to one product. Thousands of CVEs reference it. A scanner that detects XSS detects the CWE class, and each individual instance found in a specific product becomes a CVE.
An AVE record describes a behavioral class — what a dangerous agentic component does, not what product version it appears in. AVE-2026-00002 (Tool Poisoning via Description Manipulation) describes a behavior: a tool description contains instructions targeting the agent rather than describing what the tool does. That behavior appears in infinitely many skill files and MCP servers. There is no version range. There is no patch. The threat is behavioral.
That is CWE-shaped, not CVE-shaped. ApfelbaumFlo was right.
Why this matters practically
The CVE framing created a wrong expectation: if AVE is CVE-shaped, where are the per-product disclosures? Why does AVE-2026-00002 not name a specific MCP server? Why is there no CPE?
The CWE framing creates a correct expectation: AVE records are the classification layer. A scanner detects an instance of AVE-2026-00002 in your skill file the same way a SAST tool detects an instance of CWE-79 in your web app. The record defines the class. The scanner finding is the instance.
This also explains why AVE has 51 records and is unlikely to grow to thousands. CWE has approximately 900 entries covering decades of software weakness research. AVE is building the equivalent for agentic AI — a much newer, narrower domain. 51 to 65 records is the right target, not 5,000.
What MITRE has, and what it is missing
MITRE's CWE catalog has CWE-1446: "Weaknesses That are Specific to AI/ML Technology." It currently contains four entries:
- CWE-1426: Improper Validation of Generative AI Output
- CWE-1427: Improper Neutralization of Input Used for LLM Prompting
- CWE-1434: Insecure Setting of Generative AI/ML Model Inference Parameters
- CWE-1039: Inadequate Detection of Adversarial Input Perturbations
These are model-level weaknesses. They describe what goes wrong inside the LLM — output quality, prompt handling, parameter configuration.
MITRE's own documentation on CWE-1446 explicitly says: "As of CWE 4.20, it is still difficult to distinguish common AI/ML related attacks from the underlying weaknesses. The CWE AI Working Group has had many discussions about this general topic... This category is likely to be updated frequently in future versions. See Research Gaps."
The agentic execution layer — tool descriptions, MCP server manifests, skill files, agent delegation chains, OAuth discovery documents, toolchain registration — has zero coverage in CWE-1446. That is the gap AVE's 51 records address.
What changed in our framing
We updated ave.bawbel.io and the bawbel/ave repo to use what we call "own-terms framing." The new headline:
"The behavioral classification standard for agentic AI components."
No borrowed brand. No CVE analogy. AVE describes what it is: a classification standard, behavioral in nature, for the agentic AI attack surface.
The CWE comparison is still useful as an explanation — "AVE plays a similar role for agentic AI to what CWE plays for traditional software" — but it is an explanation, not an identity.
What this means if you run a scanner
If you are building or maintaining a scanner that detects agentic AI threats, AVE is designed to be the shared vocabulary layer. Adding ave_id to your finding output is a single JSON field. The implementer guide covers three consumption patterns:
- Runtime API:
GET https://api.piranha.bawbel.io/ave/{ave_id}returns the full record at scan time - Bundled offline: download
ave-records-v1.1.0.jsonand bundle it for air-gapped environments - ID-only: emit just the
ave_idfield and let the consuming SIEM resolve it downstream
Full guide: https://github.com/bawbel/ave/blob/main/docs/specs/ave-implementer-guide.md
What is next
We are reaching out to scanner maintainers with crosswalk packages — a pre-built mapping from your rule IDs to AVE IDs — to reduce the integration cost to near zero.
We are also engaging with the MITRE CWE AI Working Group and the OWASP AST10 project as the right institutional path for a behavioral classification standard.
If you are building in this space and want to discuss the crosswalk for your tool, open an issue at https://github.com/bawbel/ave or email bawbel.io@gmail.com.
The registry: https://ave.bawbel.io/registry.html
The GitHub repo: https://github.com/bawbel/ave
The threat intel API: https://api.piranha.bawbel.io
Top comments (0)