CWE Browse by Abstraction Level

Browse 991 CWE entries organized by abstraction level. Explore Pillars, Classes, Base weaknesses, Variants, and Compound weaknesses.

CWE Abstraction Hierarchy

CWE entries are organized into abstraction levels from most general (Pillars) to most specific (Variants). This hierarchy helps you understand weakness relationships and find the right level of detail.

991
Total CWE Entries
5
Abstraction Levels

Understanding Abstraction Levels

For Vulnerability Mapping

When mapping CVEs or real vulnerabilities, use Base or Variant level weaknesses. These provide specific enough detail to accurately describe the issue.

For Security Training

Start with Pillar and Class level weaknesses to understand broad categories, then drill down to specific examples.

Don't leave your security to chance

Get a free security assessment from our experts. We'll identify vulnerabilities and create a protection plan tailored to your business.

Frequently Asked Questions

Common questions about the CWE Browse by Abstraction Level

What are CWE abstraction levels?+

CWE uses abstraction levels to organize weaknesses from the most general (Pillars) to the most specific (Variants). This hierarchy helps developers understand how weaknesses relate to each other and find relevant information.

What is the difference between Pillar and Base weaknesses?+

Pillar weaknesses are the highest level abstractions representing broad categories of security issues. Base weaknesses are more specific and concrete, describing actual issues found in code that can be directly mapped to vulnerabilities.

Which abstraction level should I use for vulnerability mapping?+

For CVE and vulnerability mapping, Base and Variant level weaknesses are recommended as they provide sufficient detail. Pillar and Class level weaknesses are too abstract for direct vulnerability mapping.

⚠️ Security Notice

This tool is provided for educational and authorized security testing purposes only. Always ensure you have proper authorization before testing any systems or networks you do not own. All processing happens client-side in your browser — no data is sent to our servers.