Methodology and Quality
How job-description intelligence, practitioner surveys, and public signal layers become claim-aware, commercially useful research.
Every finding in the report is backed by a traceable chain of sources — from raw data collection through classification, convergence scoring, and readiness labeling before any claim becomes public.
Signal Inputs
Job Market · Labor Signals
Practitioner Survey · Practitioner Signals
Academic Velocity · Research Frontier
Builder Ecosystem · Open Source
Media Coverage · Narrative Signals
Threat Disclosure · Vulnerability Feeds
ATLAS / Adversary · Adversary Framework
Citation Library · Verified Evidence
8 independent signal layers · Convergence scoring · Claim-ready output
Methodology
The report treats job descriptions as market artifacts
Job descriptions are market artifacts
They show what companies publicly ask for, not definitive proof of internal maturity.
Scores are role-language signals
A higher score means stronger signal in the job-description language, not a company grade.
Claims require readiness labels
Every finding maps to public-ready, public-with-caveat, internal-only, or do-not-claim status.
Privacy and redaction come first
Raw job text, raw surveys, profile-derived personal data, and internal ABM outputs stay private.
Signal layer methodology
Vulnerability Intelligence
Threat Signals
CVE / NVD / GHSA / OSV / CISA KEV
We aggregate CVE data from three primary sources: NIST National Vulnerability Database (NVD) API 2.0, GitHub Security Advisory Database (GHSA), and OSV.dev. Records are classified as AI-relevant using a two-stage pipeline: first, a product/package name matcher against a dictionary of 35+ known AI/ML packages; second, a keyword-weighted scorer across 21 semantic buckets derived from the MITRE ATLAS taxonomy. Only records with classification confidence ≥ 0.5 are included in published metrics.
CISA Known Exploited Vulnerabilities (KEV) are cross-referenced to identify the exploited-in-the-wild subset. Monthly counts are computed from the published_at date. Severity uses CVSSv3 base score where available, falling back to CVSSv2.
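The sketch below walks three constructed records through the steps described above: package match, keyword score, the 0.5 cut-off, KEV cross-reference, CVSS fallback, and monthly counts. It is an added example, not the report's own pipeline code. The package dictionary, keyword weights, the rule that a package match counts as full confidence, and the record field names other than published_at are assumptions, and the CVE IDs are placeholders.

```python
from collections import Counter

# Assumed stand-ins: the page does not publish its dictionary, buckets or weights.
AI_PACKAGES = {"pytorch", "tensorflow", "langchain"}
BUCKET_WEIGHTS = {"prompt injection": 0.6, "model": 0.2,
                  "training data": 0.3, "inference": 0.2}
THRESHOLD = 0.5  # from the page: only confidence >= 0.5 is published

def classify(record):
    """Stage 1: package-name match. Stage 2: keyword-weighted score, capped at 1.0."""
    if AI_PACKAGES & {p.lower() for p in record.get("packages", [])}:
        return 1.0  # assumption: a dictionary hit counts as full confidence
    text = record.get("description", "").lower()
    return min(1.0, sum(w for kw, w in BUCKET_WEIGHTS.items() if kw in text))

def severity(record):
    """CVSSv3 base score where available, otherwise CVSSv2 (None if neither)."""
    v3 = record.get("cvss_v3")
    return v3 if v3 is not None else record.get("cvss_v2")

def summarize(records, kev_ids):
    """Apply the threshold, then derive the published metrics."""
    kept = [r for r in records if classify(r) >= THRESHOLD]
    return {
        "included": [r["id"] for r in kept],
        # KEV cross-reference: the exploited-in-the-wild subset
        "exploited": [r["id"] for r in kept if r["id"] in kev_ids],
        # Monthly counts keyed on published_at (assumed ISO 8601, so YYYY-MM prefix)
        "monthly": dict(Counter(r["published_at"][:7] for r in kept)),
        "severity": {r["id"]: severity(r) for r in kept},
    }

# Constructed sample records; IDs are placeholders, not real CVEs.
RECORDS = [
    {"id": "CVE-0000-0001", "packages": ["LangChain"], "cvss_v3": 9.8,
     "description": "Path traversal in a document loader",
     "published_at": "2024-03-14T00:00:00Z"},
    {"id": "CVE-0000-0002", "packages": ["acme-chat"], "cvss_v3": None, "cvss_v2": 6.5,
     "description": "Prompt injection lets a crafted file override model instructions",
     "published_at": "2024-03-20T00:00:00Z"},
    {"id": "CVE-0000-0003", "packages": ["acme-cms"], "cvss_v3": 7.5,
     "description": "SQL injection in the data model layer",
     "published_at": "2024-04-02T00:00:00Z"},
]
KEV_IDS = {"CVE-0000-0001"}  # constructed stand-in for the CISA KEV catalog

if __name__ == "__main__":
    print(summarize(RECORDS, KEV_IDS))
```

The third record shows why the threshold matters: a generic word like "model" scores on its own but stays below 0.5, so the record is left out of the published counts.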
Tools Intelligence
Builder Ecosystem
GitHub · Vendor docs · Practitioner surveys
Tool metadata is sourced from vendor documentation, GitHub repository data, and practitioner survey responses. Each tool entry includes: category classification against our 14-category AI security taxonomy, pricing model, deployment model, and license type. Star counts and contributor metrics are fetched directly from the GitHub API at enrichment time and are point-in-time snapshots.
Practitioner ratings (when available) represent aggregated responses from our survey cohort weighted by org size and role. Tools with fewer than 3 survey reviews are marked “insufficient data” and excluded from comparative rankings.
Pipeline status
Current execution health
Release status: conditional_go
SQL pipeline: ok
Blockers: 0
Research Program
Built for research. Used for decisions.
Explore the channels, read the findings, or bring the research into your AI security program through AIPSA, workshops, and assessment work.