March 9, 2026

Vulnerability Prioritisation: Beyond CVSS Scores

Why CVSS Alone Fails

CVSS measures the intrinsic severity of a vulnerability—how bad it could be in the worst case. It doesn't measure how likely exploitation is, whether a public exploit exists, what the affected asset does, or whether compensating controls reduce the risk. A CVSS 9.8 vulnerability with no public exploit in an internal-only system is less urgent than a CVSS 7.5 vulnerability with an active exploit kit targeting internet-facing payment systems.

EPSS: Exploit Prediction Scoring System

EPSS predicts the probability that a vulnerability will be exploited in the wild within the next 30 days, based on real-world exploitation data. An EPSS score of 0.97 means 97% probability of exploitation. Combined with CVSS, EPSS helps distinguish between theoretical severity and practical risk. CVEs with high CVSS but low EPSS can often be deprioritised. CVEs with moderate CVSS but high EPSS should be fast-tracked.

SSVC: Stakeholder-Specific Vulnerability Categorisation

SSVC, developed by CISA and Carnegie Mellon, replaces numeric scores with decision trees. It evaluates exploitation status (none, PoC, active), technical impact (partial, total), mission prevalence (minimal, support, essential), and produces a recommended action: Track, Track*, Attend, or Act. SSVC produces more actionable outcomes than numeric scores.

Contextual Prioritisation

The most effective prioritisation adds your specific business context: what does the affected system do? What data does it hold? Is it internet-facing or internal-only? Are compensating controls in place? What's the blast radius if compromised? This contextual analysis is where Penetrify's manual expert testing adds the most value—testers evaluate findings in the context of your specific environment, producing severity ratings that reflect actual business risk rather than theoretical scores.

A Practical Prioritisation Workflow

Step 1: Filter by EPSS > 0.1 (vulnerabilities with meaningful exploitation probability).
Step 2: Rank by asset criticality (internet-facing, sensitive data, revenue-generating).
Step 3: Check for compensating controls that reduce effective risk.
Step 4: Apply the SSVC decision tree for a recommended action.
Step 5: Assign remediation timelines based on the resulting priority.

This workflow reduces your 847 findings to the 30–50 that genuinely demand immediate attention.
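The five-step workflow above, together with the EPSS filter and the SSVC decision tree described in the earlier sections, as an added Python example. This is illustrative code written for this article, not Penetrify tooling or the official SSVC implementation: the criticality scoring, the compensating-control rule, the simplified decision tree and the deadline mapping are all assumptions made here, and the finding identifiers are constructed placeholders rather than real CVEs.

```python
from dataclasses import dataclass, field
from typing import List

EPSS_FLOOR = 0.1  # Step 1: only findings above this exploitation probability proceed

# Step 5 (assumed mapping): remediation deadline in days per action; Track = next scheduled cycle
DEADLINE_DAYS = {"Act": 7, "Attend": 30, "Track*": 90, "Track": None}
ACTION_RANK = {"Act": 0, "Attend": 1, "Track*": 2, "Track": 3}


@dataclass
class Finding:
    id: str                      # placeholder identifier, not a real CVE
    cvss: float
    epss: float
    asset: str
    internet_facing: bool
    sensitive_data: bool
    revenue_generating: bool
    exploitation: str            # "none" | "poc" | "active"
    technical_impact: str        # "partial" | "total"
    mission_prevalence: str      # "minimal" | "support" | "essential"
    compensating_controls: List[str] = field(default_factory=list)


def asset_criticality(f: Finding) -> int:
    """Step 2: 0-3, one point per criticality attribute named in the article."""
    return int(f.internet_facing) + int(f.sensitive_data) + int(f.revenue_generating)


def effective_impact(f: Finding) -> str:
    """Step 3 (assumed rule): a documented compensating control limits a total
    technical impact to partial; it never drops the finding from the queue."""
    if f.compensating_controls and f.technical_impact == "total":
        return "partial"
    return f.technical_impact


def ssvc_action(exploitation: str, impact: str, prevalence: str) -> str:
    """Step 4: simplified SSVC-style tree over the three inputs the article lists.
    Illustrative approximation only, not the CISA decision tree."""
    if exploitation == "active":
        if prevalence == "essential":
            return "Act"
        if prevalence == "support":
            return "Act" if impact == "total" else "Attend"
        return "Attend"
    if exploitation == "poc":
        if prevalence == "essential":
            return "Attend" if impact == "total" else "Track*"
        if prevalence == "support":
            return "Track*" if impact == "total" else "Track"
        return "Track"
    # no known exploitation
    if prevalence == "essential" and impact == "total":
        return "Track*"
    return "Track"


def prioritise(findings: List[Finding]) -> List[dict]:
    """Run Steps 1-5 and return the work queue, most urgent first."""
    queue = []
    for f in findings:
        if f.epss <= EPSS_FLOOR:                                  # Step 1
            continue
        impact = effective_impact(f)                              # Step 3
        action = ssvc_action(f.exploitation, impact, f.mission_prevalence)  # Step 4
        queue.append({
            "id": f.id, "asset": f.asset, "cvss": f.cvss, "epss": f.epss,
            "criticality": asset_criticality(f),                  # Step 2
            "effective_impact": impact, "action": action,
            "deadline_days": DEADLINE_DAYS[action],               # Step 5
        })
    # Most urgent action first, then most critical asset, then highest EPSS
    queue.sort(key=lambda r: (ACTION_RANK[r["action"]], -r["criticality"], -r["epss"]))
    return queue


# Constructed sample findings; mirrors the article's 9.8-internal vs 7.5-payment contrast
FINDINGS = [
    Finding("FINDING-A", 9.8, 0.04, "internal build server", False, False, False,
            "none", "total", "support"),
    Finding("FINDING-B", 7.5, 0.92, "payment gateway", True, True, True,
            "active", "total", "essential"),
    Finding("FINDING-C", 8.1, 0.35, "customer portal", True, True, False,
            "poc", "total", "support",
            compensating_controls=["WAF rule blocks the vulnerable endpoint"]),
    Finding("FINDING-D", 6.5, 0.15, "internal wiki", False, False, False,
            "poc", "partial", "minimal"),
]

if __name__ == "__main__":
    for row in prioritise(FINDINGS):
        print(f'{row["id"]:10} {row["action"]:7} crit={row["criticality"]} '
              f'epss={row["epss"]:.2f} deadline={row["deadline_days"]}')
```

Running it drops FINDING-A (CVSS 9.8, but EPSS 0.04 and no exploit) at Step 1, puts FINDING-B (CVSS 7.5, active exploitation on the payment gateway) at the head of the queue with an Act decision, and shows how the WAF control on FINDING-C moves it from Track* to Track: the same ordering the article argues for, which a plain CVSS sort would invert.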

The Bottom Line

CVSS is a starting point, not a prioritisation framework. Layer EPSS for exploitation probability, SSVC for actionable decisions, and contextual analysis for business relevance. Penetrify's expert testers provide the contextual prioritisation that automated scoring can't—because knowing a vulnerability exists matters less than knowing whether it matters to your business.

Frequently Asked Questions

What is EPSS?
The Exploit Prediction Scoring System predicts the probability of a vulnerability being exploited in the wild within 30 days. It uses real-world exploitation data to distinguish between theoretical severity and practical risk.
Should I stop using CVSS?
No—continue using CVSS as a baseline, but don't use it as your sole prioritisation metric. Layer EPSS for exploitation probability and contextual analysis for business relevance.