What is a vulnerability prioritisation framework?

A vulnerability prioritisation framework is a documented method for deciding which vulnerabilities to remediate first. A modern framework combines technical severity (CVSS), exploit likelihood (EPSS), asset criticality, exposure (internet-facing vs internal), compensating controls, and active exploitation signals (such as the CISA Known Exploited Vulnerabilities catalog). The output is an ordered queue with remediation SLAs, not a flat list of findings.

How is EPSS different from CVSS?

CVSS measures the intrinsic technical severity of a vulnerability if it were exploited (impact and exploitability characteristics). EPSS estimates the probability that a vulnerability will be exploited in the wild within the next 30 days, based on real exploitation data. CVSS answers "how bad is it if exploited"; EPSS answers "how likely is it to be exploited soon". Used together they separate the small set of vulnerabilities that are both severe and likely from the much larger set that are severe but rarely exploited.

Should I patch every CVSS 9.0+ vulnerability immediately?

Not without context. A CVSS 9.8 in an internal-only system with no network reachability and a compensating control is lower real risk than a CVSS 7.5 in an internet-facing API with a published exploit. Prioritise by combining severity with EPSS, asset criticality, and exposure. The CISA KEV catalog is the strongest signal: anything in KEV needs immediate attention regardless of CVSS score.

What remediation SLAs should I set?

A defensible baseline is: critical (15 days), high (30 days), medium (60 days), low (90 days). Adjust by asset tier: tier 0 systems (cardholder data, customer authentication, regulated data) often warrant 7 days for critical. PCI DSS, ISO 27001, and SOC 2 do not mandate specific numbers but auditors expect documented SLAs that match your stated risk appetite, plus evidence the SLAs are actually met.

How do I prioritise duplicate or related findings?

Group related findings into a single tracked item and prioritise by the most severe instance. For example, an outdated dependency causing twelve duplicate findings across services should be one tracked remediation, not twelve. Within the group, the highest CVSS plus exposure plus exploitation signal sets the SLA. Findings management tools that support deduplication and templates make this much faster than spreadsheets.

Where does threat intelligence fit in?

Threat intelligence sharpens the likelihood signal beyond EPSS. Vendor advisories, exploit availability (Metasploit, public PoCs), and active campaigns targeting your sector all raise the probability that a given vulnerability will be exploited against you. The KEV catalog already encodes "actively exploited"; layered threat intel adds "actively exploited against organisations like yours". Both belong in the prioritisation function.

How often should the prioritisation queue be re-scored?

EPSS updates daily; KEV updates as new entries are added; asset criticality changes more slowly. Re-score the queue at least weekly for live programmes, and immediately when KEV adds a vulnerability you have. Continuous scanners with built-in scoring can do this automatically; manual programmes typically settle on a weekly review meeting.

How does prioritisation work in a pentest context?

On a finite engagement, prioritisation drives both reporting order and the recommended remediation sequence. Sort findings by combined severity and exploitability, group related issues, map each to OWASP/CWE, and set a recommended SLA per finding. Deliver via a portal that supports retest and remediation tracking so the prioritised queue actually drives action after the engagement closes.

← Back to Blog

Guides6 May 202613 min read

Vulnerability Prioritisation Framework: CVSS, EPSS, and Business Context

Most vulnerability programmes fail at the same point: too many findings, too little time, and a queue ordered by severity alone. CVSS on its own treats every internet-facing critical and every internal-only critical the same. EPSS, the CISA Known Exploited Vulnerabilities catalog, and asset context turn a flat list into a defensible queue. This guide walks through a working prioritisation framework that pentest teams, in-house security functions, and managed service providers can adopt without buying another tool, tied to CVSS scoring and a structured vulnerability management programme.

Why Severity Alone Fails

CVSS is an excellent base score for the technical impact and exploitability of a vulnerability in isolation. It is also, on its own, a poor remediation queue. A typical mid-size enterprise scanner output contains thousands of high and critical findings. Treating that list as a literal patch order leads to one of two outcomes: the team patches the loudest CVEs and ignores the long tail (which is where active exploitation often hides), or the team triages by hand, slowly and inconsistently.

Two facts change the picture. First, only a small percentage of CVEs are ever exploited in the wild. Second, the ones that are exploited are not uniformly distributed across severity bands. Several research studies have shown that exploit likelihood correlates poorly with CVSS base score alone. A prioritisation framework that ignores likelihood ends up wasting remediation capacity on findings that will never matter while leaving the dangerous ones in the queue.

For the underlying scoring mechanics, see CVSS 3.1 explained and verify scores with the CVSS calculator. For the metric-by-metric differences between CVSS 3.1 and CVSS 4.0, the new Threat and Supplemental groups, severity-band shifts, and a defensible enterprise migration plan, read the CVSS 4.0 vs CVSS 3.1 deep-dive.

The Four Signals

A working prioritisation framework combines four independent signals. Each answers a different question.

1. Severity (CVSS)

How bad is it if exploited? CVSS 3.1 base score plus environmental modifiers when you have them. Treat the base score as a starting point, not a final verdict.

2. Exploit likelihood (EPSS plus KEV)

How likely is it to be exploited soon? EPSS (Exploit Prediction Scoring System) is a FIRST.org daily-updated probability score from 0 to 1 indicating likelihood of exploitation in the next 30 days. The CISA Known Exploited Vulnerabilities (KEV) catalog flags vulnerabilities with confirmed active exploitation. Anything in KEV jumps the queue. For an operational walkthrough of ingestion, SLA timing, exception handling, and audit evidence, read our CISA KEV catalog vulnerability management guide. For the EPSS-side mechanics (probability vs percentile, threshold calibration, daily reconciliation, framework mapping), read our EPSS score explained guide.

3. Asset criticality

Where does this finding live? Tier 0 (regulated data, payment, authentication), Tier 1 (production customer-facing), Tier 2 (production internal), Tier 3 (non-production) require different SLAs. Without a tiered asset register, prioritisation collapses back into severity-only.

4. Exposure and compensating controls

Is the vulnerable component reachable, and is anything blocking exploitation? An internet-facing service with no WAF is much higher real risk than the same library in an internal admin tool behind SSO and MFA. Document compensating controls per finding so they can be challenged in audits.

A Working Scoring Function

Many teams stall here because they expect a single magic formula. There is no industry standard equation; the value comes from a documented, repeatable function that combines the four signals consistently. A workable starting point:

priority = base_severity x exploit_likelihood x asset_weight x exposure_factor

Where base_severity uses CVSS bucketed (critical 4, high 3, medium 2, low 1), exploit_likelihood combines EPSS percentile and KEV membership (KEV = 4, EPSS > 0.5 = 3, EPSS 0.1 to 0.5 = 2, EPSS < 0.1 = 1), asset_weight reflects asset tier (Tier 0 = 4, Tier 1 = 3, Tier 2 = 2, Tier 3 = 1), and exposure_factor captures reachability and compensating controls (1.5 internet-facing with no controls, 1.0 internet-facing with controls, 0.5 internal only, 0.25 with strong compensating control).

The scale does not need to be exact. What matters is that two analysts looking at the same finding produce the same priority score, and that the function is documented in your vulnerability management policy. Calibrate the weights against a sample of real findings; if a CVSS 9.8 in an air-gapped staging system outranks a CVSS 7.5 in a customer-facing API with active exploitation, the weights are wrong.

Tools that support custom severity templates and finding metadata (such as SecPortal's findings management) make this easier to operate at scale than spreadsheets.

Mapping Priority to Remediation SLAs

A priority score is only useful if it triggers different action. Translate the scored queue into remediation SLAs that engineering can hold. A defensible baseline:

Priority bucket	Remediate within	Typical signals
P0 (Emergency)	Within 24 to 72 hours	KEV entry, Tier 0 asset, internet-facing, no compensating control
P1 (Critical)	Within 15 days	CVSS critical with EPSS > 0.5, or KEV on Tier 1 asset
P2 (High)	Within 30 days	CVSS high with elevated EPSS, internet-facing
P3 (Medium)	Within 60 days	CVSS medium, lower exploit likelihood, internal asset
P4 (Low)	Within 90 days or accept	CVSS low, EPSS near zero, internal-only with controls

Adjust the numbers to your risk appetite and regulatory context. PCI DSS, ISO 27001 A.12, and SOC 2 CC7.1 expect documented timelines and evidence the SLAs are met. For framework specifics, see ISO 27001 and PCI DSS.

The Triage Workflow

With the framework defined, the day-to-day operation is a tight loop. A working version looks like this.

Ingest: findings arrive from scanners, pentests, code scanning, bug bounty, and customer reports. Normalise into one tracker. SecPortal accepts imports from Nessus, Burp Suite, and CSV directly into findings management.
Deduplicate: group findings that describe the same underlying issue across hosts, scans, and tools. The score reflects the most severe instance plus the breadth of exposure.
Enrich: attach EPSS score, KEV flag, CWE, asset tier, exposure flag, and compensating controls. Most of this can be automated against CVE identifiers.
Score: apply the priority function. Persist the score on the finding, not in a side spreadsheet.
Assign: route to the owning team based on asset register. Set an SLA aligned to the priority bucket.
Remediate: engineering fixes, security retests, and the finding moves to verified. Track time-in-state.
Re-score weekly: EPSS updates daily and KEV grows continuously. A finding scored P3 last week may be P0 today.

Prioritisation Inside a Pentest Engagement

Consultancies that ship pentest reports face the same problem in compressed form. A two-week assessment can produce 30 to 80 findings; clients need them ordered for action, not by line number.

Apply the same scoring function to engagement findings; document it once in your methodology and reuse
Sort the report by priority bucket, not by the order findings were discovered
Group related findings (a single misconfigured framework producing five surface symptoms) into one tracked item
Map each finding to an OWASP/CWE category and recommend SLA per priority bucket
Deliver findings in a portal so engineering can pick them up directly and mark ready for retest
Re-prioritise during retests: a P1 with confirmed remediation drops to verified, while a re-discovered finding may rise

For the full reporting structure, see the security assessment report template and how to write a pentest report.

Common Anti-Patterns to Avoid

Using CVSS environmental score as the only adjustment: the environmental metric group is useful but does not capture EPSS or KEV. Layer them on top.
Treating all critical findings the same: two CVSS 9.8 findings can carry vastly different real risk based on asset and exposure. The framework should differentiate them.
Spreadsheet-driven prioritisation: spreadsheets cannot hold daily-updated EPSS scores or KEV membership consistently across hundreds of findings. Bake the scoring into the tracker.
No re-scoring cadence: a queue scored once never reflects active exploitation. Re-score at least weekly and immediately on KEV additions for vulnerabilities you have.
Ignoring compensating controls: documented compensating controls let you justify a lower priority defensibly to auditors. Verbal “we have a WAF” claims do not.
Mixing prioritisation and acceptance: a finding that hits its SLA without remediation needs an explicit risk acceptance from a named owner, not a permanent demotion in the queue. Run a vulnerability acceptance and exception management workflow so each accepted exception carries an expiry date and a review cadence rather than drifting into permanent exposure.

Pairing With Continuous Coverage

Prioritisation is only as good as the inputs. Stale scan data quietly downgrades real risk because the scoring function never sees the new finding.

Run external scanning on a recurring schedule with external scanning so internet-facing exposure is always current.
Add authenticated scanning to cover the surface behind login, where the highest-impact findings often hide.
Run SAST and SCA in CI to catch vulnerable dependencies before they ship and feed them into the same priority function.
Use continuous monitoring to detect regressions and trigger re-scoring automatically.

For programme structure, see building a continuous security monitoring programme and automating security findings management.

Quick Implementation Checklist

Document the four signals and the scoring function in your vulnerability management policy
Build or buy a tracker that stores CVSS, EPSS, KEV, asset tier, and exposure as first-class fields
Tier your asset inventory; without it, asset_weight collapses to a constant
Calibrate weights against a sample of real findings before rolling out
Define remediation SLAs per priority bucket and align them with regulatory requirements
Automate EPSS and KEV ingestion against CVE identifiers
Set a weekly re-scoring cadence and a same-day rule for new KEV entries
Track SLA adherence as a programme metric and report it on the security dashboard
Make risk acceptance explicit, time-bound, and owned
Re-prioritise during retests and update the scoring function annually

Frequently Asked Questions About Vulnerability Prioritisation

Score, triage, and remediate findings in one workspace

SecPortal pairs scanning, findings templates, CVSS scoring, AI-assisted reporting, and a branded client portal so prioritised remediation actually happens. See pricing or start free.

Get Started Free