Modern Vulnerability Management: Beyond CVSS Scores
Your scanner reports 2,000 vulnerabilities. 500 are marked "Critical" with CVSS scores above 9.0. Which one do you fix first? If your answer is "the highest CVSS score," you might be prioritizing the wrong risks. Here's why CVSS alone is broken—and what to do about it.
The Problem with CVSS-Only Prioritization
The Common Vulnerability Scoring System (CVSS) has been the industry standard for vulnerability prioritization since 2005. It's a useful framework that considers factors like attack complexity, privileges required, and impact—but it has a fatal flaw: it lacks context.
A CVSS 9.8 vulnerability sounds terrifying. But what if:
- The vulnerable code is never executed in your application?
- It's in a development environment with no production data?
- It requires local access and you're a cloud-native SaaS company?
- There's a WAF rule that blocks exploitation attempts?
- No public exploits exist and never will?
Meanwhile, a CVSS 6.5 vulnerability in your authentication service that's internet-facing and handling customer PII might be exponentially more dangerous. CVSS doesn't know this—it can't.
The Data Proves It: CVSS Miss Rate
Research from the Exploit Prediction Scoring System (EPSS) project reveals a sobering truth:
- Only 2-7% of published CVEs are ever exploited in the wild
- Of the CVEs marked "Critical" (CVSS 9.0-10.0), less than 5% see active exploitation
- Some "Medium" severity vulnerabilities (CVSS 4.0-6.9) are exploited more frequently than Critical ones
If you're only looking at CVSS scores, you're likely focusing on vulnerabilities that will never threaten you while potentially ignoring the ones that will.
A Better Framework: Risk-Based Vulnerability Management
Modern vulnerability management requires a multi-dimensional approach that considers:
1. Exploit Probability (EPSS)
The Exploit Prediction Scoring System uses machine learning to predict the likelihood of exploitation based on:
- Existence of public exploits
- References in threat intelligence feeds
- Ease of exploitation
- Historical exploitation patterns
Example: CVE-2024-1234 has a CVSS of 9.8 but an EPSS score of 0.02% (very unlikely to be exploited). CVE-2024-5678 has a CVSS of 7.5 but an EPSS of 94% (actively exploited). Fix CVE-2024-5678 first.
2. Asset Criticality
Not all systems are created equal. Prioritize based on:
- Environment: Production > Staging > Development
- Data Sensitivity: PII/PCI systems > Internal tools > Test environments
- Business Impact: Revenue-generating services > Supporting systems > Internal tools
- User Exposure: Customer-facing > Employee-facing > Isolated systems
3. Network Exposure
A critical vulnerability in an internet-facing API is vastly different from the same vulnerability in an internal service behind three layers of network segmentation.
- Public Internet: Highest risk
- VPN Access: Medium-high risk
- Internal Network: Medium risk
- Isolated/Air-gapped: Lower risk
4. Compensating Controls
Security doesn't exist in isolation. Consider existing protections:
- WAF rules blocking known exploit patterns
- Runtime Application Self-Protection (RASP) preventing exploitation
- Network segmentation limiting lateral movement
- Behavioral detection catching exploitation attempts
These controls don't eliminate the need to patch, but they can buy you time to remediate thoughtfully rather than reactively.
5. Reachability Analysis
Modern Application Security Posture Management (ASPM) tools can perform code-level reachability analysis:
- Is the vulnerable function actually called in your codebase?
- Can untrusted input reach the vulnerable code path?
- Are there code-level controls (input validation, sanitization) in place?
A critical vulnerability in a library you import but never use should rank lower than an actively exploited vulnerability in code that handles user input.
Implementing Risk-Based Prioritization
Here's a practical framework you can implement today:
Step 1: Enrich Vulnerability Data
Augment scanner output with:
- EPSS scores from epss.cyentia.com
- CISA Known Exploited Vulnerabilities (KEV) catalog
- Asset metadata (environment, data classification, network zone)
- Compensating controls from your security stack
Step 2: Create a Risk Matrix
Combine multiple dimensions into a single risk score:
Risk Score = (CVSS × 0.3) + (EPSS × 100 × 0.3) + (Asset Criticality × 0.2) + (Network Exposure × 0.15) + (Reachability × 0.05)
Where:
- Asset Criticality: 1-10 scale
- Network Exposure: 1-10 scale
- Reachability: 0 (not reachable) or 1 (reachable)
Step 3: Define SLAs by Risk Tier
Different risk levels warrant different response times:
- Critical (Score 9-10): Patch within 7 days
- High (Score 7-8.9): Patch within 30 days
- Medium (Score 4-6.9): Patch within 90 days
- Low (Score 0-3.9): Patch during regular maintenance
Step 4: Automate the Process
Manual enrichment and scoring don't scale. Use or build automation that:
- Pulls EPSS scores and KEV data daily
- Tags assets with environment and criticality metadata
- Calculates composite risk scores automatically
- Routes findings to appropriate teams via JIRA/ServiceNow
- Tracks remediation progress against SLAs
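Steps 1 through 4 above, worked through end to end in Python as an added example (this is not code from the article or from Kepler). It parses an EPSS CSV and a CISA KEV JSON snippet, both constructed here in the shape of those published feeds, enriches scanner findings, applies the risk formula from Step 2 with the weights exactly as written, and assigns the SLA tiers from Step 3. The CVSS and EPSS values for CVE-2024-1234 and CVE-2024-5678 are the article's; the asset criticality, network exposure and reachability values are assumed, CVE-PLACEHOLDER-0001 is a placeholder identifier, and treating any KEV-listed CVE as Critical regardless of score is an assumption of this example, not a rule the article states.

```python
"""Risk-based prioritization: enrich scanner findings with EPSS + KEV, score, tier, rank."""
import csv
import io
import json
from dataclasses import dataclass

# Weights and SLA bands exactly as the article's formula and Step 3 table state them.
WEIGHTS = {"cvss": 0.3, "epss": 0.3, "asset": 0.2, "exposure": 0.15, "reach": 0.05}
TIERS = [(9.0, "Critical", 7), (7.0, "High", 30), (4.0, "Medium", 90), (0.0, "Low", None)]
TIER_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed sample feeds, shaped like the published EPSS CSV (leading '#' metadata line,
# then cve,epss,percentile) and the CISA KEV JSON. Values are illustrative only;
# CVE-PLACEHOLDER-0001 is a placeholder identifier, not a real CVE.
EPSS_CSV = """#model_version:vEXAMPLE,score_date:2024-01-01T00:00:00+0000
cve,epss,percentile
CVE-2024-1234,0.00020,0.05000
CVE-2024-5678,0.94000,0.99800
CVE-PLACEHOLDER-0001,0.01000,0.40000
"""
KEV_JSON = json.dumps({"vulnerabilities": [{"cveID": "CVE-PLACEHOLDER-0001"}]})


@dataclass
class Finding:
    cve: str
    cvss: float                # scanner CVSS base score, 0-10
    asset_criticality: int     # 1-10 (environment, data sensitivity, business impact)
    network_exposure: int      # 1-10 (air-gapped ... public internet)
    reachable: bool            # reachability analysis result
    epss: float = 0.0          # filled by enrichment; a probability in 0.0-1.0
    in_kev: bool = False       # filled by enrichment


def load_epss(csv_text: str) -> dict:
    """Parse EPSS CSV (skipping the leading '#' metadata line) into {cve: probability}."""
    lines = [ln for ln in csv_text.splitlines() if ln and not ln.startswith("#")]
    return {row["cve"]: float(row["epss"]) for row in csv.DictReader(io.StringIO("\n".join(lines)))}


def load_kev(json_text: str) -> set:
    """Collect the CVE IDs listed in a KEV catalog document."""
    return {v["cveID"] for v in json.loads(json_text)["vulnerabilities"]}


def enrich(findings, epss_by_cve, kev_ids):
    """Step 1: attach EPSS and KEV data. Rejects percentages passed where a probability is expected."""
    for f in findings:
        f.epss = epss_by_cve.get(f.cve, 0.0)   # not yet in the feed -> 0 until the next daily pull
        if not 0.0 <= f.epss <= 1.0:
            raise ValueError(f"{f.cve}: EPSS must be a probability in [0, 1], got {f.epss}")
        f.in_kev = f.cve in kev_ids
    return findings


def score_terms(f: Finding) -> dict:
    """Step 2: each weighted term of the formula, kept separate so the breakdown can be inspected."""
    return {
        "cvss": f.cvss * WEIGHTS["cvss"],
        "epss": f.epss * 100 * WEIGHTS["epss"],
        "asset": f.asset_criticality * WEIGHTS["asset"],
        "exposure": f.network_exposure * WEIGHTS["exposure"],
        "reach": (1 if f.reachable else 0) * WEIGHTS["reach"],
    }


def risk_score(f: Finding) -> float:
    return round(sum(score_terms(f).values()), 2)


def tier_for(score: float, in_kev: bool = False):
    """Step 3: map a score to (tier, SLA days). Assumption: a KEV listing is always Critical."""
    if in_kev:
        return "Critical", 7
    for floor, name, days in TIERS:
        if score >= floor:
            return name, days
    return "Low", None


def prioritize(findings):
    """Step 4: score every finding and return them in remediation order."""
    rows = []
    for f in findings:
        s = risk_score(f)
        tier, days = tier_for(s, f.in_kev)
        rows.append({"cve": f.cve, "score": s, "tier": tier, "sla_days": days, "terms": score_terms(f)})
    rows.sort(key=lambda r: (TIER_RANK[r["tier"]], -r["score"]))
    return rows


# Constructed scanner output: CVSS values follow the article's example; the rest are assumed.
SCANNER_FINDINGS = [
    Finding("CVE-2024-1234", cvss=9.8, asset_criticality=3, network_exposure=2, reachable=False),
    Finding("CVE-2024-5678", cvss=7.5, asset_criticality=9, network_exposure=10, reachable=True),
    Finding("CVE-PLACEHOLDER-0001", cvss=5.0, asset_criticality=5, network_exposure=4, reachable=True),
]


def run_pipeline():
    return prioritize(enrich(SCANNER_FINDINGS, load_epss(EPSS_CSV), load_kev(KEV_JSON)))


if __name__ == "__main__":
    for r in run_pipeline():
        sla = f"{r['sla_days']}d" if r["sla_days"] else "maintenance"
        print(f"{r['cve']:<22} score={r['score']:>6}  {r['tier']:<8} SLA={sla}")
```

Running it ranks CVE-2024-5678 first, exactly as the EPSS section argues, while the CVSS 9.8 finding lands in the Low tier. Two things the term breakdown makes visible: with the weights as written, the EPSS term alone ranges from 0 to 30 while the other four terms add up to at most 7, so raw scores run well past the 0-10 tier bands (the bands are applied here as "score at or above the band floor"), and the reachability term moves a score by at most 0.05. Check both against your own data before adopting the weights unchanged.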
Real-World Impact
Organizations that implement risk-based vulnerability management see dramatic improvements:
- Reduction in critical backlog, by focusing on truly critical issues
- Faster remediation cycles, because teams fix the right things first
Common Pitfalls to Avoid
Over-Relying on Automation
Risk scores are guides, not gospel. A "Low" risk vulnerability might still matter if it affects a critical business process. Use human judgment for edge cases.
Ignoring Trends
A vulnerability with low EPSS today might spike tomorrow when a public exploit drops. Monitor EPSS scores over time and re-prioritize accordingly.
Perfect Being the Enemy of Good
Don't wait for the perfect risk model. Start with CVSS + EPSS + asset criticality. You can refine and add dimensions later.
Conclusion
CVSS isn't useless—it's just incomplete. Modern vulnerability management requires layering multiple data sources to understand true risk. By combining severity, exploit probability, asset context, and compensating controls, security teams can:
- Focus on vulnerabilities that actually threaten their organization
- Reduce time wasted on theoretical risks
- Demonstrate measurable risk reduction to leadership
- Sleep better knowing they're fixing what matters
Stop chasing CVSS scores. Start managing real risk.
Intelligent Vulnerability Prioritization with Kepler
Kepler automatically enriches vulnerability findings with EPSS scores, asset context, and compensating controls to deliver risk-based prioritization out of the box. See how we can help you focus on what matters.