Lacework ingests new CVEs daily from OS vendors and the NIST National Vulnerability Database (NVD).

We update our CVE database daily. However, for major new vulernabiliies (such as Log4j), we can update it multiple times a day.

Additional sub-question: Do we notate zero-day vulnerabilities any differently?

By definition, zero-days don’t have a CVE before they are disclosed. We will alert based on behavior, but not in the vulnerability section.

We do note whether vulns have a published exploit and use that as part of the risk scoring.