CVE Prioritization Frameworks
Use SSVC (Stakeholder-Specific Vulnerability Categorization, the CERT/CC decision-tree method) to predefine actions based on vulnerability characteristics. Feed in data from CISA KEV, EPSS, CVSS, and reachability tools. The decision tree outputs the action - no manual scoring needed.
Step 1: Define Your Actions
CISA's SSVC variant uses four decision outputs (the original SEI deployer tree names them Defer, Scheduled, Out-of-cycle, Immediate). Define what each means for your org, including its SLA, before triaging.
Act - Remediate immediately, out of cycle; drop everything.
Attend - Schedule remediation; prioritize it in the current sprint.
Track* - Monitor closely; re-evaluate when Exploitation or Reachability changes and escalate if they do.
Track - Log it and revisit in normal patch cycles.
Step 2: Evaluate Factors Using Your Data
Each SSVC factor is informed by data sources you already have. Map them:
Exploitation None → POC → Active (SSVC definitions: Active = credible reports of in-the-wild exploitation; POC = public proof-of-concept or exploit code; None = neither)
- → CISA KEV → if listed, it's Active (authoritative; overrides a low EPSS)
- → Public PoC, exploit-db entry, or Metasploit module → at least POC
- → EPSS > 0.5 → treat as Active (heuristic: EPSS is a 30-day probability of exploitation activity, not direct evidence)
- → EPSS 0.1-0.5 → treat as POC (heuristic)
- → EPSS < 0.1 → likely None; scores are refreshed daily, so re-check
Reachability Not reachable → Reachable (stands in for SSVC's System Exposure decision point, using runtime evidence)
- → Wiz/Orca runtime reachability analysis
- → Is the vulnerable code actually loaded and exposed in a deployed workload, not merely present in a package?
- → Does an attack path exist (network exposure, required auth or privilege)?
Automatable No → Yes (SSVC: can recon through exploitation be reliably scripted?)
- → CVSS AV:N + AC:L + UI:N → leans Yes; AC:H leans No
- → Known exploit tooling (scanner, Metasploit module, worm) available → Yes
- → Requires user interaction (UI:R) → leans No
Impact Partial → Total (SSVC Technical Impact: Total = attacker gains full control of the component)
- → CVSS Impact subscores (C:H/I:H/A:H → Total; anything less → Partial as a starting point)
- → Your data classification (PII/PHI/PCI)
- → Mission criticality of affected system
Step 3: Decision Tree → Action
Combine factors to get a predetermined action; rows are matched top to bottom and Any is a wildcard. This simplified tree uses three of the four factors and does not consume Impact, so fold that in as an org-specific customization (for example, Total impact raises Track* to Attend). Customize the thresholds and rows for your org, and write the chosen policy down so triage is repeatable.
| Reachable | Exploitation | Automatable | → Action |
|---|---|---|---|
| Yes | Active | Yes | Act |
| Yes | Active | No | Act |
| Yes | POC | Yes | Attend |
| Yes | POC | No | Track* |
| Yes | None | Any | Track* |
| No | Any | Any | Track |
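Steps 1 to 3 as one runnable script. This is an added example, not code from the page, from SSVC, or from CISA: the KEV records, EPSS values, CVSS vectors and CVE IDs are constructed; the EPSS bands and decision rows are the ones above; the `total_impact_escalates` switch is an illustrative org customization that the table does not include; and treating a regulated-data system as Total impact is an assumption.

```python
"""SSVC-style triage: turn KEV, EPSS, CVSS and reachability data into an action.
Added example; KEV records, EPSS values and CVE IDs below are constructed."""

# Constructed stand-in for CISA's KEV JSON feed: same field names as the real
# feed, but the records are invented for this example.
KEV_FEED = {
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "dateAdded": "2099-01-02", "dueDate": "2099-01-23"},
    ],
}
KEV_IDS = {v["cveID"] for v in KEV_FEED["vulnerabilities"]}

# Rows of the decision tree: (reachable, exploitation, automatable, action).
# None is the "Any" wildcard; rows are checked in order, first match wins.
DECISION_TABLE = [
    (True, "Active", None, "Act"),
    (True, "POC", "Yes", "Attend"),
    (True, "POC", "No", "Track*"),
    (True, "None", None, "Track*"),
    (False, None, None, "Track"),
]


def parse_cvss(vector: str) -> dict:
    """Split a CVSS v3.x vector string into {metric: value}."""
    prefix, *parts = vector.split("/")
    if not prefix.startswith("CVSS:3"):
        raise ValueError(f"only CVSS v3.x vectors are handled: {vector!r}")
    metrics = dict(p.split(":", 1) for p in parts)
    missing = {"AV", "AC", "PR", "UI", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError(f"vector lacks base metrics {sorted(missing)}")
    return metrics


def exploitation(cve: str, epss: float, kev_ids: set = KEV_IDS) -> str:
    """None / POC / Active. KEV is authoritative evidence of in-the-wild use and
    overrides EPSS; the EPSS bands are the page's heuristic proxies."""
    if cve in kev_ids or epss > 0.5:
        return "Active"
    if epss >= 0.1:
        return "POC"
    return "None"


def automatable(metrics: dict, exploit_tool: bool = False) -> str:
    """Yes if recon-through-exploitation can plausibly be scripted: a known
    exploit tool, or network vector + low complexity + no user interaction."""
    if exploit_tool:
        return "Yes"
    if metrics["AV"] == "N" and metrics["AC"] == "L" and metrics["UI"] == "N":
        return "Yes"
    return "No"


def impact(metrics: dict, sensitive_data: bool = False) -> str:
    """Partial / Total. Total when C, I and A are all High, or (assumption used
    here) when the system holds regulated data such as PII/PHI/PCI."""
    if sensitive_data or all(metrics[k] == "H" for k in ("C", "I", "A")):
        return "Total"
    return "Partial"


def decide(reachable: bool, expl: str, auto: str) -> str:
    """Look the action up in DECISION_TABLE."""
    for r, e, a, action in DECISION_TABLE:
        if r == reachable and e in (None, expl) and a in (None, auto):
            return action
    raise ValueError(f"no rule for {(reachable, expl, auto)}")


def triage(cve, epss, cvss_vector, reachable, *, exploit_tool=False,
           sensitive_data=False, total_impact_escalates=False, kev_ids=KEV_IDS):
    """Evaluate every factor and return them together with the action.
    total_impact_escalates is an illustrative org customization (not in the
    page's table): a Track* finding with Total impact is raised to Attend."""
    m = parse_cvss(cvss_vector)
    factors = {
        "cve": cve,
        "reachable": reachable,
        "exploitation": exploitation(cve, epss, kev_ids),
        "automatable": automatable(m, exploit_tool),
        "impact": impact(m, sensitive_data),
    }
    action = decide(reachable, factors["exploitation"], factors["automatable"])
    if total_impact_escalates and action == "Track*" and factors["impact"] == "Total":
        action = "Attend"
    factors["action"] = action
    return factors


if __name__ == "__main__":
    # Constructed findings. The first has a low EPSS but is KEV-listed: Act.
    # The second is a 9.8 with EPSS 0.9 but not reachable: Track.
    for s in [
        ("CVE-2099-0001", 0.02, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", True),
        ("CVE-2099-0003", 0.90, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", False),
    ]:
        print(triage(*s))
```

In practice `KEV_IDS` comes from a daily pull of the real feed and `epss` from the FIRST EPSS API; `reachable` is the one input no public feed gives you, which is why the page puts a runtime reachability tool in the loop. Keep `DECISION_TABLE` in version control: it is the written-down policy that makes the output defensible.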
FAQ
EPSS threshold?
EPSS is the probability that a CVE sees exploitation activity in the next 30 days, refreshed daily. Starting bands: > 0.1 (10%) = elevated priority; > 0.5 (50%) = urgent; < 0.01 = can deprioritize even with a high CVSS, provided the CVE is not in KEV and not reachable from an exposed surface.
High CVSS, low EPSS?
Fix on the normal SLA schedule. Monitor EPSS and KEV for changes; either can flip the decision overnight. Don't panic, don't ignore.
How often does KEV update?
No fixed schedule; CISA adds entries as exploitation evidence arrives, sometimes several in one day. Pull the JSON or CSV feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) at least daily and diff cveID against your last pull. A new entry is evidence of in-the-wild exploitation (Exploitation = Active) and carries a dueDate that is binding for US federal agencies under BOD 22-01.