
Run a vulnerability scan on any production environment and you'll get a list. Hundreds of items, ranked by CVSS score. Critical at the top, Informational at the bottom. And here's the problem: that list is almost useless as a remediation guide.

CVSS scores measure severity in isolation. They don't know your environment. They don't know whether a "Critical" vulnerability is on a server exposed to the internet or an air-gapped development system. They don't know whether a public exploit exists. They don't know what threat actors are actively targeting your industry. Your scanner isn't broken; it's just answering the wrong question.

The CVSS Trap

CVSS was designed to provide a standardized way to communicate the characteristics of a vulnerability, not to tell you what to fix first. A CVSS 9.8 Critical on a system that sits behind a firewall, is not exposed to the internet, and is used only by a team with no elevated access is far less urgent than a CVSS 6.5 Medium on a public-facing authentication endpoint that's being actively scanned by threat actors.

Security teams that patch by CVSS descending order will spend months fixing vulnerabilities that would never have been exploited while actively exploited issues quietly wait their turn. This is how breaches happen at organizations that run vulnerability scans every week.

What Risk-Based Prioritization Actually Looks Like

Effective vulnerability management layers three questions on top of raw severity:

1. Is this reachable? A vulnerability on a system with no network path to sensitive data or external access is categorically lower priority than an identical vulnerability on an internet-facing system. Network segmentation isn't just a control; it's a prioritization tool.

2. Is there active exploitation? CISA's Known Exploited Vulnerabilities (KEV) catalog is the most underutilized resource in enterprise vulnerability management. If a vulnerability appears in KEV, it's being exploited by real threat actors in real attacks right now. KEV membership should immediately elevate any vulnerability to the front of your remediation queue, regardless of CVSS score.

3. What's the business impact of compromise? Not all systems are equal. A vulnerability on a system that processes payment data, holds employee PII, or provides administrative access to your cloud environment deserves significantly more urgency than the same vulnerability on an internal wiki server. Map your asset inventory to business value before you start scoring.

EPSS: A Better Signal

The Exploit Prediction Scoring System (EPSS) estimates the probability that a vulnerability will be exploited in the wild within the next 30 days, based on threat intelligence signals. For organizations drowning in scanner output, EPSS provides a measurably better triage signal than CVSS for most remediation decisions.

A vulnerability with a CVSS score of 7.5 and an EPSS score of 0.85 is being actively targeted. A vulnerability with a CVSS score of 9.8 and an EPSS score of 0.02 probably isn't. That's actionable context that CVSS alone doesn't provide.
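The three questions above plus the EPSS signal can be turned into a sort key, and comparing that ordering with plain CVSS-descending order shows how differently the same scanner output gets triaged. The block below is an added illustration, not code from the original article. The `Finding` fields, the four sample findings, and the weighting (KEV membership first, then reachability, then business impact, then EPSS, with CVSS only as a tiebreaker) are assumptions chosen to reflect the article's rules, not a published standard.

```python
"""Risk-based ordering of scanner findings versus CVSS-descending order.

Added example, not the article's own tooling. Finding fields, sample data
and the key ordering are assumptions modelled on the article's three
questions (reachability, active exploitation, business impact) plus EPSS.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    title: str             # scanner's description of the issue (constructed)
    asset: str             # hostname or asset id (constructed)
    cvss: float            # CVSS base score as reported by the scanner
    epss: float            # EPSS: probability of exploitation in the next 30 days
    in_kev: bool           # listed in CISA's Known Exploited Vulnerabilities catalog
    internet_facing: bool  # reachable from outside the network
    business_impact: int   # assumed scale: 1 = internal wiki, 3 = payment data / cloud admin


def risk_key(f: Finding) -> tuple:
    """Sort key for reverse=True ordering.

    Tuples compare element by element, so KEV membership dominates, then
    reachability, then business impact, then EPSS; CVSS only breaks ties.
    The ordering of the fields is an assumption taken from the article.
    """
    return (f.in_kev, f.internet_facing, f.business_impact, f.epss, f.cvss)


def cvss_order(findings: list[Finding]) -> list[str]:
    """What a 'patch Critical first' queue looks like: highest CVSS first."""
    return [f.asset for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def risk_order(findings: list[Finding]) -> list[str]:
    """The same findings ordered by the risk key instead of raw severity."""
    return [f.asset for f in sorted(findings, key=risk_key, reverse=True)]


def explain(f: Finding) -> list[str]:
    """Human-readable reasons a finding ranks where it does; useful when the
    ask to engineering is 'fix these two' rather than 'here is the list'."""
    reasons = []
    if f.in_kev:
        reasons.append("in CISA KEV (exploited in the wild)")
    if f.internet_facing:
        reasons.append("internet-facing")
    if f.business_impact >= 3:
        reasons.append("high business impact")
    if f.epss >= 0.5:
        reasons.append(f"EPSS {f.epss:.2f} (likely to be exploited within 30 days)")
    if not reasons:
        reasons.append(f"CVSS {f.cvss} only; no exploitation or exposure signal")
    return reasons


# Constructed sample findings; asset names and scores are illustrative only.
SAMPLE_FINDINGS = [
    Finding("kernel privilege escalation on build host", "dev-build-01", 9.8, 0.02, False, False, 1),
    Finding("auth bypass on customer login endpoint", "auth-edge-03", 6.5, 0.85, True, True, 3),
    Finding("unsafe deserialization in payment API", "pay-api-02", 8.1, 0.40, False, True, 3),
    Finding("reflected XSS on internal wiki", "wiki-01", 6.1, 0.05, False, False, 1),
]

if __name__ == "__main__":
    print("CVSS order:", cvss_order(SAMPLE_FINDINGS))
    print("Risk order:", risk_order(SAMPLE_FINDINGS))
    for f in sorted(SAMPLE_FINDINGS, key=risk_key, reverse=True):
        print(f"  {f.asset}: {'; '.join(explain(f))}")
```

With the constructed data the CVSS queue starts with the 9.8 on an isolated build host, while the risk queue starts with the KEV-listed 6.5 on the login endpoint and pushes the build host to the bottom. The `explain` output is the sentence you take to the engineering team.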

Building a Remediation SLA That Means Something

Most organizations have SLAs like "patch Critical vulnerabilities within 30 days." This sounds rigorous and is effectively meaningless. A better framework:

  • Immediate (24–72 hours): Actively exploited, internet-facing, high business impact. No exceptions.
  • High priority (7–14 days): CVSS Critical or High + reachable + known exploits available in public frameworks.
  • Standard (30 days): CVSS Critical or High on internal systems with compensating controls.
  • Next patch cycle (60–90 days): Medium and below on non-critical internal systems.
  • Risk acceptance: Low vulnerabilities on end-of-life systems where patching risk exceeds exposure risk, documented and reviewed quarterly.
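The five tiers above can be encoded as ordered rules that take a finding's context and return a tier and a deadline, which is what makes the SLA enforceable rather than aspirational. The block below is an added example, not the article's own tooling. The `Finding` fields, the CVSS thresholds (High at 7.0 and above, Low below 4.0, following the CVSS v3 qualitative scale), the choice of the longest window in each range as the deadline, the rule that a KEV-listed finding that is not internet-facing still lands in High priority (taken from the KEV paragraph above), and the fallback for combinations the bullets do not mention are all assumptions.

```python
"""Assign scanner findings to the remediation tiers described in the article.

Added example, not the article's own tooling. Tier rules follow the five
bullets in the text; field names, CVSS thresholds and the fallback rule for
uncovered combinations are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Finding:
    title: str                  # scanner's description (constructed)
    cvss: float                 # CVSS base score
    actively_exploited: bool    # e.g. listed in CISA KEV
    internet_facing: bool       # reachable from outside the network
    high_business_impact: bool  # payment data, employee PII, cloud admin access
    public_exploit: bool        # working exploit available in a public framework
    compensating_controls: bool # segmentation, WAF, etc. documented for this asset
    end_of_life: bool           # vendor no longer ships patches


# (tier name, maximum days to remediate). None means no patch deadline:
# the risk is accepted, documented and reviewed quarterly.
IMMEDIATE = ("Immediate", 3)
HIGH = ("High priority", 14)
STANDARD = ("Standard", 30)
NEXT_CYCLE = ("Next patch cycle", 90)
RISK_ACCEPT = ("Risk acceptance", None)


def assign_tier(f: Finding) -> tuple[str, Optional[int]]:
    """Apply the tier rules in order of strictness; first match wins."""
    critical_or_high = f.cvss >= 7.0   # assumed threshold (CVSS v3 'High' and above)
    low = f.cvss < 4.0                 # assumed threshold (CVSS v3 'Low')

    # Immediate: actively exploited, internet-facing, high business impact.
    if f.actively_exploited and f.internet_facing and f.high_business_impact:
        return IMMEDIATE
    # Assumption from the KEV paragraph: active exploitation goes to the
    # front of the queue even when the asset is internal.
    if f.actively_exploited:
        return HIGH
    # High priority: Critical/High, reachable, public exploit available.
    if critical_or_high and f.internet_facing and f.public_exploit:
        return HIGH
    # Risk acceptance: Low on an end-of-life system. The judgement that
    # patching risk exceeds exposure risk is assumed to be recorded in
    # end_of_life by whoever inventoried the asset.
    if low and f.end_of_life:
        return RISK_ACCEPT
    # Standard: Critical/High on an internal system with compensating controls.
    if critical_or_high and not f.internet_facing and f.compensating_controls:
        return STANDARD
    # Next patch cycle: Medium and below on a non-critical internal system.
    if not critical_or_high and not f.internet_facing and not f.high_business_impact:
        return NEXT_CYCLE
    # Fallback (assumption): anything the bullets leave unspecified is
    # treated as High priority when it is reachable or Critical/High without
    # compensating controls, otherwise Standard.
    return HIGH if (f.internet_facing or critical_or_high) else STANDARD


def due_date(f: Finding, discovered: date) -> Optional[date]:
    """Deadline for the finding, or None when the risk is formally accepted."""
    _, days = assign_tier(f)
    return None if days is None else discovered + timedelta(days=days)


def triage(findings: list[Finding]) -> dict[str, str]:
    """Map each finding title to its tier name."""
    return {f.title: assign_tier(f)[0] for f in findings}


# Constructed sample findings; titles and scores are illustrative only.
SAMPLE_FINDINGS = [
    Finding("auth bypass on login endpoint", 6.5, True, True, True, True, False, False),
    Finding("deserialization in payment API", 8.1, False, True, True, True, False, False),
    Finding("RCE in internal database server", 9.8, False, False, True, False, True, False),
    Finding("reflected XSS on internal wiki", 6.1, False, False, False, False, False, False),
    Finding("info leak on end-of-life print server", 3.1, False, False, False, False, False, True),
    Finding("RCE on unsegmented internal file server", 9.8, False, False, False, False, False, False),
]

if __name__ == "__main__":
    found = date(2024, 1, 1)  # constructed discovery date
    for f in SAMPLE_FINDINGS:
        tier, _ = assign_tier(f)
        print(f"{tier:18} due {due_date(f, found)}  {f.title}")
```

Note that the 9.8 on the internal database server gets 30 days because compensating controls are documented, while the identical score on the unsegmented file server falls through to the 14-day fallback; the CVSS number alone never decides the tier.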

The Organizational Challenge

The hardest part of vulnerability management isn't technical; it's getting IT and engineering teams to prioritize remediation work alongside feature development. Security teams that frame vulnerability management as "here's a list of things that are wrong" will always lose to product velocity. The teams that succeed frame it as "here are the two vulnerabilities that would let an attacker move laterally to your payment systems. Let's fix those this sprint."

Scanners are tools. Vulnerability management is a program. The distinction matters.
