Beyond CVSS: A Guide to Vulnerability Prioritization

You've just run your weekly vulnerability scan, and your heart sinks. The report shows 3,000 critical and high vulnerabilities requiring immediate attention. Your Tenable dashboard is a sea of red, your ServiceNow queue is overflowing with tickets, and your team is already stretched thin. Where do you even start?

If this scenario sounds familiar, you're experiencing what security professionals call alert fatigue – and you're not alone.

"When you've got 3000 'urgent' findings, where do you even start? We're drowning in scanner output while the stuff that could actually pwn us is probably hiding in plain sight." - Security Professional, Reddit

The truth is, the problem isn't finding vulnerabilities anymore; it's figuring out which ones actually matter versus which ones are just noise. And while the Common Vulnerability Scoring System (CVSS) has been the industry standard for years, relying on it alone is a fundamentally flawed approach to vulnerability management.

The Limitations of CVSS Scores

CVSS provides a standardized framework for rating the severity of a vulnerability on a scale from 0 to 10. In theory, this helps teams prioritize their remediation efforts. In practice, used on its own it creates more problems than it solves.

The "Critical" Overload Problem

According to Tenable research, 56% of all vulnerabilities are scored as High (7.0–8.9) or Critical (9.0–10.0) by CVSS. In 2024 alone, over 41,000 new CVEs were published, with 61% labeled as "high" or "critical".

When everything is critical, nothing is critical.

Static Scores in a Dynamic Landscape

A critical flaw in how CVSS is used is that the base score describes the intrinsic characteristics of a vulnerability and is fixed when the CVE is first scored; it does not change when exploitation begins. CVSS does define metrics for that (the Temporal metric group in v3.x, the Threat metric group in v4.0), but almost every scanner and dashboard reports the base score only. So a CVE scored 6.0 (Medium) stays a 6.0 in your reports regardless of whether attackers start actively exploiting it in the wild.

Missing Context

Perhaps most importantly, CVSS scores lack essential context:

"CVSS scores are basically useless because a 'critical' vuln that's not reachable is way less important than a 'medium' one that's actively being hit by traffic." - Security Engineer, Reddit

A Remote Code Execution (RCE) vulnerability might score 9.8 on CVSS, but if it affects a non-production system behind multiple firewalls, it likely poses less immediate risk than a 7.2 CVSS vulnerability on your public-facing e-commerce platform that processes credit card data.

A Better Approach: The Risk-Based Prioritization Model

What's needed is a more nuanced, risk-based approach that moves beyond raw CVSS scores to consider:

  1. Real-world exploitability: Is the vulnerability actually being exploited in the wild?
  2. Asset criticality: What would a successful exploit impact?
  3. Business context: How would this impact affect your organization specifically?

This approach transforms vulnerability management from a chaotic, reactive process into a strategic, risk-driven function. Let's explore each component.

Real-World Exploitability: CISA KEV and EPSS

Two powerful resources have emerged that can help security teams gauge real-world exploitability:

CISA's Known Exploited Vulnerabilities (KEV) Catalog

The CISA KEV catalog is a curated list of vulnerabilities confirmed to be actively exploited in the wild. Think of it as the "smoking gun" of vulnerability prioritization – these vulnerabilities are being weaponized right now.

Each KEV entry includes:

  • The CVE ID
  • Affected vendor and product
  • Vulnerability name and a short description
  • Date added to the catalog
  • Required action (usually "apply updates per vendor instructions" or discontinue use)
  • Required remediation due date (binding on federal civilian agencies under BOD 22-01)
  • Whether the vulnerability is known to be used in ransomware campaigns

"For organizations without mature vulnerability management, the KEV in particular is a rock solid resource that can help guide your prioritization efforts." - Cybersecurity Analyst, Reddit

While the KEV catalog is invaluable, it is retrospective by design: a vulnerability only appears after exploitation has been confirmed, so it tells you what is already being attacked, not what is about to be.

Exploit Prediction Scoring System (EPSS)

EPSS complements KEV by looking forward. Maintained by FIRST, it assigns each CVE a probability (0 to 1, usually shown as 0 to 100%) of being exploited in the next 30 days, recomputed daily by a model trained on vulnerability characteristics and observed exploitation activity. Each score is published alongside a percentile that ranks the CVE against every other scored CVE.

EPSS helps identify vulnerabilities that might soon land on the KEV list, giving teams a chance to remediate before widespread exploitation begins.

Consider this example: CVE-2023-48795 (the "Terrapin" SSH prefix-truncation attack) has a "medium" CVSS base score of 5.9 but an EPSS percentile above 90, meaning its predicted exploitation probability ranks higher than roughly nine in ten scored CVEs. The CVSS score alone might lead you to deprioritize it; the EPSS ranking says it belongs much higher in the queue than its severity suggests. Because EPSS is recomputed daily, check the current score rather than a value quoted in a report or blog post.
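As an added example (not code from the article, CISA or FIRST), here is how a team might load the two feeds into lookup tables and combine them for one CVE. The feed excerpts are constructed to match the real layouts: the KEV JSON carries a `vulnerabilities` array keyed by `cveID`, and the EPSS CSV opens with a `#model_version:...,score_date:...` comment line followed by `cve,epss,percentile` rows. Every date, probability and percentile in the sample is illustrative, not the feeds' current content.

```python
"""Parse the CISA KEV JSON and FIRST EPSS CSV feeds into lookup tables.

Added example, not part of the original article. The feed excerpts below are
constructed to match each feed's layout; the field values (dates, probabilities,
percentiles) are illustrative and must not be read as the feeds' current content.
"""
import csv
import io
import json

# Live feed locations (not fetched here so the example runs offline):
#   KEV:  https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
#   EPSS: https://epss.cyentia.com/epss_scores-current.csv.gz  (daily; gunzip first)

KEV_SAMPLE = json.dumps({                       # constructed excerpt of the KEV layout
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.01.01",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
         "dateAdded": "2021-12-10", "shortDescription": "JNDI lookup leads to RCE.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2014-0160", "vendorProject": "OpenSSL", "product": "OpenSSL",
         "vulnerabilityName": "OpenSSL Information Disclosure Vulnerability",
         "dateAdded": "2022-05-04", "shortDescription": "Heartbeat buffer over-read.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-05-25", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

EPSS_SAMPLE = """#model_version:v2025.03.14,score_date:2025-06-01T00:00:00+0000
cve,epss,percentile
CVE-2021-44228,0.97,0.99
CVE-2023-48795,0.02,0.90
CVE-2014-0160,0.93,0.99
"""  # constructed rows; real values change daily


def load_kev(raw: str) -> dict:
    """Index the KEV catalog by CVE ID so membership checks are O(1)."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def load_epss(raw: str) -> dict:
    """Index EPSS by CVE ID as (probability, percentile), skipping the '#' comment line."""
    rows = [ln for ln in raw.splitlines() if ln and not ln.startswith("#")]
    return {r["cve"]: (float(r["epss"]), float(r["percentile"]))
            for r in csv.DictReader(io.StringIO("\n".join(rows)))}


def epss_score_date(raw: str) -> str:
    """Read score_date from the EPSS header; a stale copy of a daily feed is misleading."""
    for part in raw.splitlines()[0].lstrip("#").split(","):
        key, _, value = part.partition(":")   # value itself contains ':' (a timestamp)
        if key == "score_date":
            return value
    raise ValueError("no score_date in EPSS header")


def exploitability(cve: str, kev: dict, epss: dict) -> dict:
    """Combine the retrospective (KEV) and predictive (EPSS) views for one CVE."""
    prob, pct = epss.get(cve, (0.0, 0.0))       # unscored CVEs are treated as 0
    entry = kev.get(cve)
    return {
        "cve": cve,
        "in_kev": entry is not None,
        "kev_added": entry["dateAdded"] if entry else None,
        "ransomware": entry is not None and entry.get("knownRansomwareCampaignUse") == "Known",
        "epss": prob,          # absolute 30-day probability: compare this to your threshold
        "percentile": pct,     # rank among all scored CVEs: useful context, not a probability
    }


if __name__ == "__main__":
    kev, epss = load_kev(KEV_SAMPLE), load_epss(EPSS_SAMPLE)
    print("EPSS scored on", epss_score_date(EPSS_SAMPLE))
    for cve in ("CVE-2021-44228", "CVE-2023-48795"):
        print(exploitability(cve, kev, epss))
```

The `percentile` column matters as much as the probability, but for a different reason: most CVEs carry a very low EPSS probability, so a CVE at the 90th percentile can still have a small absolute probability. Treat the percentile as a rank and the `epss` column as the number to test against your threshold, and pull both feeds fresh before each triage run; `epss_score_date` is there to catch a stale copy.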

Asset Criticality and Business Context

The final pieces of the risk puzzle involve understanding what's being affected and how much it matters to your organization.

Key questions to ask:

  • Is the vulnerable system internet-facing?
  • Does it process sensitive data?
  • Is it part of your CI/CD pipeline?
  • What business functions depend on it?
  • Are there compensating controls that mitigate the risk?

"Many vulns sound scary in isolation but just don't matter when you look at the environment and controls in totality." - Security Architect, Reddit

A Practical 4-Step Workflow for Vulnerability Prioritization

Here's how to implement this risk-based approach in practice:

Step 1: Identification & Aggregation

Use scanning tools like Tenable, Qualys, or similar platforms to identify vulnerabilities across your environment.

Pro Tip: Sort by vulnerability ID (plugin ID or CVE) instead of IP address to identify widespread issues that can be remediated at scale using automation tools.

Step 2: Contextual Evaluation (The Triage Step)

This is where the magic happens. For each vulnerability, cross-reference it against multiple data points:

  1. Is it in the CISA KEV catalog? If yes, this is a TOP PRIORITY.
  2. What is its EPSS score? Vulnerabilities with scores above 30% deserve immediate attention.
  3. What is the asset criticality? Prioritize vulnerabilities that allow initial access (especially RCEs) or provide administrative privileges on critical systems.
  4. Are there mitigating controls? Is the affected port blocked by a firewall? Is the vulnerable component in an isolated network segment?

Step 3: Prioritized Remediation

Develop a clear remediation policy with timeframes based on your contextualized risk assessment. The windows below are a starting point; tune them to your team's actual capacity:

  • KEV vulnerabilities on critical assets: 7 days
  • High EPSS score (>50%) on critical assets: 14 days
  • Critical CVSS on non-critical assets: 30 days

Remember, most organizations can only remediate 10-15% of vulnerabilities monthly, so ensuring the right ones get fixed first is essential.

Step 4: Reassessment & Continuous Improvement

Vulnerability management isn't a one-and-done activity. Continuously monitor your environment, validate remediation effectiveness, and refine your prioritization model based on results.
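As an added example, here is Step 1 through Step 3 of the workflow above in code, ordering a small batch of constructed findings. It is not code from the article or from any scanner vendor: the findings, asset tags, KEV membership and EPSS values are constructed, the SLA windows copy the article's table, and the 14-day window for a KEV entry on a non-critical asset (which the table does not define) is an assumption flagged in the code.

```python
"""Risk-based triage of scan findings: Steps 1-3 of the workflow.

Added example, not code from the article or any scanner. Findings, asset tags,
KEV membership and EPSS probabilities are constructed; SLA windows follow the
article's table; tiers for cases the table leaves open are assumptions noted inline.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float                     # CVSS base score as reported by the scanner
    port: Optional[int] = None      # port the vulnerable service listens on, if known


@dataclass(frozen=True)
class Asset:
    host: str
    critical: bool                  # business-critical: payments, identity, production data
    internet_facing: bool
    filtered_ports: frozenset = frozenset()   # ports a firewall blocks from untrusted networks


# Constructed lookups. In practice build them from the KEV JSON and EPSS CSV feeds.
KEV = {"CVE-2021-44228", "CVE-2014-0160"}     # sample membership; check the live catalog
EPSS = {                                      # illustrative, NOT the feed's current values
    "CVE-2021-44228": 0.97,
    "CVE-2014-0160": 0.93,
    "CVE-2022-0847": 0.42,
    "CVE-2023-48795": 0.02,
}

TIERS = ["P1", "P2", "P3", "P4"]
SLA_DAYS = {"P1": 7, "P2": 14, "P3": 30}      # from the article; P4 waits for a maintenance window


def triage(f: Finding, a: Asset, kev=KEV, epss=EPSS) -> dict:
    """Steps 2 and 3 for one finding: tier, SLA and the reasons behind them."""
    p = epss.get(f.cve, 0.0)
    reasons = []
    if f.cve in kev:
        # Confirmed exploitation: 7 days on a critical asset per the article. The 14-day
        # window for a non-critical asset is this example's assumption, not the article's.
        tier = "P1" if a.critical else "P2"
        reasons.append("listed in CISA KEV")
    elif p > 0.50 and a.critical:
        tier = "P2"
        reasons.append(f"EPSS {p:.0%} on a critical asset")
    elif f.cvss >= 9.0:
        tier = "P3"                 # severity alone only earns the 30-day window
        reasons.append(f"CVSS {f.cvss} with no exploitation evidence")
    else:
        tier = "P4"
    if 0.30 <= p <= 0.50:
        reasons.append(f"EPSS {p:.0%} above the 30% review line")
    # Compensating control (Step 2, item 4): a port the firewall already blocks
    # drops the finding one tier rather than closing it.
    mitigated = f.port is not None and f.port in a.filtered_ports
    if mitigated:
        tier = TIERS[min(TIERS.index(tier) + 1, len(TIERS) - 1)]
        reasons.append(f"port {f.port} filtered by firewall")
    return {"host": f.host, "cve": f.cve, "tier": tier, "sla_days": SLA_DAYS.get(tier),
            "mitigated": mitigated, "exposed": a.internet_facing and not mitigated,
            "reasons": reasons}


def widespread(findings) -> Counter:
    """Step 1 pro tip: count hosts per CVE so fleet-wide fixes can be automated."""
    return Counter(f.cve for f in findings)


def prioritize(findings, assets: dict) -> list:
    """Triage every finding and order the queue: tier first, then breadth of exposure."""
    counts = widespread(findings)
    rows = []
    for f in findings:
        row = triage(f, assets[f.host])
        row["affected_hosts"] = counts[f.cve]
        rows.append(row)
    rows.sort(key=lambda r: (TIERS.index(r["tier"]), -r["affected_hosts"]))
    return rows


# Constructed inventory and scan output.
ASSETS = {a.host: a for a in [
    Asset("shop-web-01", critical=True, internet_facing=True),
    Asset("bastion-02", critical=True, internet_facing=True),
    Asset("build-agent-07", critical=False, internet_facing=False,
          filtered_ports=frozenset({8080})),
    Asset("lab-vm-13", critical=False, internet_facing=False),
]}
FINDINGS = [
    Finding("shop-web-01", "CVE-2021-44228", 10.0, 8080),
    Finding("build-agent-07", "CVE-2021-44228", 10.0, 8080),
    Finding("lab-vm-13", "CVE-2021-44228", 10.0, 8080),
    Finding("lab-vm-13", "CVE-2014-0160", 7.5, 443),
    Finding("build-agent-07", "CVE-2022-0847", 7.8),      # local privesc: no listening port
    Finding("bastion-02", "CVE-2023-48795", 5.9, 22),
]

if __name__ == "__main__":
    for r in prioritize(FINDINGS, ASSETS):
        print(f'{r["tier"]} {str(r["sla_days"]):>4}d {r["host"]:<15} {r["cve"]:<15} '
              f'x{r["affected_hosts"]}  {"; ".join(r["reasons"])}')
```

Two design points worth keeping: every decision carries its reasons, which is what makes the queue defensible to an auditor, and the compensating control lowers a tier instead of removing the finding, so a firewall change later does not silently resurrect an untracked critical. The 30% and 50% EPSS thresholds are the article's; measure how many findings each one admits before adopting it.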

Conclusion: From Alert Fatigue to Focused Remediation

Stop chasing CVSS scores. A risk-based approach that combines CVSS, CISA KEV, EPSS, and asset criticality provides a more realistic view of which vulnerabilities truly threaten your organization.

This model isn't just better for security; it's "real-world, practical, and completely defensible to management, auditors, boards, and other non-techie stakeholders." It transforms your vulnerability management from an overwhelming flood of alerts into a strategic function that focuses precious resources where they'll have the greatest impact.

By prioritizing what actually matters – vulnerabilities that are being actively exploited (or soon will be) on your most critical assets – you can finally break free from alert fatigue and build a vulnerability management program that genuinely reduces risk, not just checks compliance boxes.

Frequently Asked Questions

What is risk-based vulnerability prioritization?

Risk-based vulnerability prioritization is a strategic approach that assesses vulnerabilities based on real-world threat intelligence and business context, rather than relying solely on static scores like CVSS. It combines data points such as active exploitation (from sources like the CISA KEV catalog), the probability of future exploitation (using EPSS), and the criticality of the affected asset. This method helps teams focus on fixing the vulnerabilities that pose the most genuine and immediate danger to the organization.

Why is relying only on CVSS scores ineffective for prioritization?

Relying solely on CVSS scores is ineffective because it leads to "critical overload," where a majority of vulnerabilities are rated as high or critical, making it impossible to prioritize. CVSS scores are also static and lack crucial context. A high-scoring vulnerability on an isolated, non-critical system may pose less risk than a medium-scoring one on a public-facing server that is actively being exploited.

How can my team start with risk-based prioritization today?

A practical first step is to cross-reference your vulnerability scan results with the CISA Known Exploited Vulnerabilities (KEV) catalog. Any vulnerability on your systems that appears in the KEV catalog should become your top priority for remediation, as these are confirmed to be actively exploited by attackers. From there, you can begin incorporating EPSS scores and asset criticality data to further refine your process.

What is the difference between CISA KEV and EPSS?

The key difference is that the CISA KEV catalog is retrospective, while EPSS is predictive. The KEV catalog lists vulnerabilities that are already confirmed to be exploited in the wild. EPSS provides a probability score (from 0 to 100%) that a vulnerability will be exploited in the next 30 days. Using them together allows you to address both current and emerging threats.

What makes a vulnerability a top priority for remediation?

A vulnerability becomes a top priority when it combines evidence of real-world exploitation with significant business impact. The highest-risk vulnerabilities are typically those listed in the CISA KEV catalog that affect your critical, internet-facing assets. A high EPSS score on a critical asset would also signal a top priority, as it indicates a high likelihood of future exploitation.

How does asset criticality affect vulnerability priority?

Asset criticality provides essential business context that can dramatically change a vulnerability's priority. A vulnerability's risk increases significantly if it affects a system crucial to your operations, such as a public-facing application, a domain controller, or a database containing sensitive data. A medium-level vulnerability on your e-commerce platform is likely a higher priority than a critical-level one on an isolated development server.
