← Back to Research
Research18 min read

Severity Recalibration Drift Across Scanner Generations

A vulnerability finding inherits a severity at the moment the scanner produces it. Twelve months later, the same scanner re-scores the same finding at a different severity because the engine version moved, the rule pack revised, the CVSS calculation migrated from 3.1 to 4.0, or the vendor renamed a severity band. The underlying weakness has not changed. The asset has not changed. The operating decisions the programme made based on the original severity are still in the record. What changes is the scoring methodology, and unless the change is captured as a recorded recalibration event, the historical severity is overwritten in place and the audit conversation loses the anchor that makes operating decisions defensible.1,2,5,10,11

This research covers how severity recalibration actually behaves across enterprise scanning programmes. It names the four canonical drift events (scanner engine version change, rule pack revision, bundled CVSS version migration, vendor severity scale revision), the three primary measurement axes (generation-attributed severity coverage, drift event capture rate, pre-and-post severity migration matrix), the failure modes that hide recalibration from the open backlog query, the framework citations that expect severity provenance (ISO 27001 A.8.8 and A.5.7, SOC 2 CC4.1 and CC7.1, PCI DSS 6.3.1 and 11.4.4, NIST SP 800-53 RA-5 and SI-2 and CA-7, NIST CSF 2.0 ID.RA-01 and PR.PS-02, CIS Controls v8.1 safeguard 7.7, DORA Article 24), and the live-record discipline that keeps severity history defensible across scanner upgrade cycles.3,4,6,7,8,9

Why severity is structurally tied to scanner generation

Most metadata on a vulnerability finding is intrinsic to the vulnerability or to the asset. The weakness class, the affected URL, the affected file path, the proof string in the response: none of these depend on which version of the scanner detected the issue. They depend on the underlying defect in the asset.

Severity is different. Severity is the output of a scoring methodology applied to the vulnerability characteristics, the exploitability signals, and the environmental context. The methodology lives in the scanner generation: the engine version, the rule pack or signature database, the bundled CVSS version, the vendor severity scale, and the policy template applied at scan time. When the methodology changes, the scoring output can move without any change to the underlying defect. Severity drift across scanner generations is this property of the live finding record over the upgrade window.10,11,18

Because severity drift does not show up in the finding query as a state change in the underlying issue, programmes that record severity as a single mutable field on the finding see only the latest scanner generation. The historical query for what severity the programme operated under fails the moment the field is overwritten. The audit citation for vulnerability handling at the historical SLA moment becomes inferred state rather than recorded state.

The four canonical drift events

Recalibration drift does not arrive in one shape. Four canonical events drive the bulk of drift across enterprise scanning programmes. Each event has its own detection signature in the scanner output, its own vendor reporting pattern, and its own programme response. The drift register names the event class on each affected finding so the audit citation for severity recalibration reads as a recorded action rather than as silent state change.2,3,10,11

Drift eventDetection signatureProgramme response
Scanner engine version changeMajor or minor engine release rolls in; release notes name scoring logic changes; same finding template emits different score against the same target.Pre-upgrade snapshot; vendor change review; representative test scan; recalibration event recorded on each affected finding at production rollout.
Rule pack or signature revisionRule pack diff lists changed severity entries; specific finding templates carry new severity defaults; vendor advisories or CVE evidence drives the change.Affected finding list generated from the rule pack diff; per-finding recalibration event captured; activity log carries the rule pack version on each event.
Bundled CVSS version migrationScanner moves from CVSS 3.1 to CVSS 4.0 emission; same vulnerability scored differently because of scope handling, threat metrics, impact weighting changes.Both versions recorded on the finding through migration; workspace reporting score chosen consistently; trend chart names the methodology effect.
Vendor severity scale revisionVendor renames, splits, or moves the cut-off between severity bands without changing the underlying numeric score.Translation table updated; pre-and-post band mapping documented; recalibration event captured for each finding whose band shifts.

The pattern across the table is that detection requires a versioned scanner identity (so upgrades surface as generation change), a captured rule pack diff (so signature changes surface as specific finding template events), an explicit CVSS version field (so version migration surfaces as a known transition), and an activity log that records recalibration events (so the audit citation reads as a recorded action). Programmes that run any of these as static fields cannot detect the drift event automatically and run the post-upgrade reconciliation as a manual archaeology exercise.

The three primary measurement axes

Drift is measurable as a function of the live record across three axes that together separate a programme with controlled drift management from one whose severity history is silently overwritten as scanners upgrade.5,7,19

Generation-attributed severity coverage

The fraction of open findings whose current severity record carries the scanner generation that produced it (engine version, rule pack version, CVSS version, severity scale version). Calculated at query time against the live record so the audit-week answer and the operational answer are the same number. A programme that holds high coverage continuously runs the scanner identity layer as a versioned artefact; a programme that hits high coverage only at audit week runs the upgrade history as a derivative reconstruction.

Drift event capture rate

The fraction of detected scanner generation changes that produced a recorded recalibration event on the affected findings rather than a silent severity overwrite in place. Decomposes by event class so the programme can read which drift path drives most of the rate (engine upgrade cadence, rule pack revision cadence, CVSS migration events, vendor scale revisions). Programmes whose capture rate concentrates around engine upgrades need a pre-upgrade snapshot and a post-upgrade reconciliation routine; programmes whose capture rate concentrates around rule pack revisions need a rule pack diff workflow that lands recalibration events automatically.

Pre-and-post severity migration matrix

For each generation transition, the count of findings whose severity moved between bands across the transition, decomposed by direction of move. Reads as evidence to leadership and to auditors at the same query, separates upward migration from downward migration, surfaces the rule templates that carry the most movement, and supports the leadership conversation about whether a reported trend reflects remediation activity or methodology change. The migration matrix is the most useful single artefact in drift reporting because it makes the methodology effect quantitatively visible.

Reporting these three together separates the false-passing programmes (high generation-attributed coverage achieved at audit week through manual reconstruction) from the durable programmes (high coverage at any time, achieved through a continuous versioning layer on the scanner identity).

Five failure modes that hide drift from the backlog query

Recalibration drift tends to be invisible to the backlog query because the severity field is always populated. The drift surfaces only when the audit query, the leadership trend chart, or the SLA reconciliation routine tries to anchor against the historical severity. Five failure modes hide the drift until the audit moment, when the failure is operationally expensive.2,5,10,11,18

Single mutable severity field

The severity is stored as one field on the finding and is overwritten on each scanner upgrade. The finding query returns the latest scanner generation; the audit query for historical severity cannot answer. The discipline is to record severity entries with provenance (scanner generation, CVSS version, vector, timestamp, source-emitted severity) so the historical query reads against captured state rather than against whatever the field happens to hold today.

Untagged scanner generation

The scanner emits a severity but the workspace does not capture which scanner version, rule pack version, or CVSS version produced it. Drift cannot be detected because the generation identity is missing from the record. The discipline is to tag every scan execution with the scanner generation so each severity entry on the finding inherits the generation context through the scan reference.

CVSS version mixed in one column

Findings carry CVSS scores from both 3.1 and 4.0 emitters in the same severity column without naming the version. Leadership trend charts misread methodology change as trend; audit citations for severity provenance fail. The discipline is to record the CVSS version on every entry, choose one workspace reporting score consistently across an observation period, and name the version on every chart.

Silent rule pack updates

The vendor revises the severity default for a specific finding template in a rule pack release; the scanner picks up the new pack on the next scan; the affected findings on the live backlog now report a different severity without any visible change in the workspace. The discipline is to consume the rule pack diff against the workspace finding catalogue so the recalibration event is detected before the trend chart absorbs it.

Import severity treated as workspace severity

Imported third-party scanner output (Nessus, Burp Suite, CSV) carries the source tool generation at the moment of export; the import workflow copies the source severity directly into the workspace canonical severity without capturing the export generation or the workspace tag. The imported finding cannot be reconciled against a future scanner generation because the source baseline is unrecorded. The discipline is to tag imports with the source tool generation at the time of export, preserve the source-emitted severity on the originating evidence, and set the canonical workspace severity through the workspace severity policy with the workspace generation captured.

CVSS 3.1 to CVSS 4.0 migration as a structural drift event

The CVSS 3.1 to CVSS 4.0 migration is the most consequential single recalibration event most enterprise scanning programmes will experience this decade. Every scanner that emits CVSS scores carries the upgrade through its release cycle, and the methodology shift is non-trivial enough that the same underlying vulnerability can land in a different band under the new version.10,11,12

DimensionCVSS 3.1CVSS 4.0
Metric structureEight base metrics across attack vector, attack complexity, privileges, user interaction, scope, and CIA impact.Four metric groups: base, threat, environmental, supplemental. Base introduces attack requirements; supplemental adds context not in the score.
Reported scoreOne CVSS base score 0 to 10 with bands None, Low, Medium, High, Critical.Four scores: CVSS-B, CVSS-BT, CVSS-BE, CVSS-BTE. The workspace chooses one for consistent reporting.
Scope handlingSingle Scope metric (Changed or Unchanged).Replaced with Vulnerable System impact and Subsequent System impact metrics; finer-grained but not directly translatable.
Threat metricsOptional Temporal metrics for exploit code maturity and remediation level.Threat metric group with exploit maturity and explicit weight in CVSS-BT and CVSS-BTE; supports KEV-style adjustment more cleanly.
Provider responsibilityNot represented explicitly.Supplemental metrics capture provider security signals (recovery, value density, vulnerability response effort).
Workspace reporting scoreBase score is the conventional anchor; environmental score where context applies.Workspace policy chooses one of the four scores consistently; CVSS-BT is a common middle path because it includes threat signals without environmental specifics.

The disciplined response to the migration is recording which CVSS version applied to each severity entry on the finding (3.1 base score; 4.0 CVSS-B, CVSS-BT, CVSS-BE, or CVSS-BTE), choosing one workspace reporting score consistently across an observation period, and naming the version on every leadership chart and audit citation. Programmes that mix the two versions in one severity column without naming the version produce reports that fail the audit query for severity provenance and the leadership query for trend interpretation.

The severity calibration for pentest findings research covers the cross-source calibration dimension of the same discipline (how scanner output severity should be calibrated against pentest context, asset criticality, and compensating controls); this research covers the per-source temporal dimension (how the same scanner re-scores the same finding across its own generations).

How drift interacts with remediation SLAs

SLAs anchor to severity, so severity drift produces SLA drift unless the programme handles the recalibration as a recorded event. Three patterns emerge in practice. Each pattern has a clean operating response that survives audit and a silent overwrite mode that does not.4,5,7

Recalibration upward

A Medium finding becomes High after a rule pack update or after a vendor severity scale revision. The clean response records the recalibration event with the rule pack version and the date, recalculates the SLA against the new severity from the recalibration date forward, and preserves the time-of-detection severity and SLA for the historical audit citation. The silent mode overwrites the severity and SLA in place and loses the audit anchor that explains why the original SLA was reasonable.

Recalibration downward

A High finding becomes Medium after a vendor methodology revision (a CVSS rebase, a rule pack downgrade against new CVE evidence, a scale revision). The clean response is the same recording pattern but in reverse, and the leadership read needs to see that the downward recalibration is not a remediation event. The silent mode causes a leadership trend chart to misread methodology change as remediation progress.

Recalibration sideways

The numeric CVSS score shifts within a band without crossing a threshold (7.0 to 7.3, or 5.5 to 6.0 inside Medium). The SLA is not affected because the band did not move, but the change should still be captured as a numeric event for trend analysis and to support the migration matrix. The silent mode loses the numeric movement signal that often precedes a band-crossing event in a future scanner generation.

Programmes that pair the recalibration register with the SLA breach aging distribution research separate the band-movement effect from the breach population dynamics. SLA-breach-from-recalibration is a different failure mode from SLA-breach-from-slow-remediation, and the routing of each into the right operational remediation depends on the breach being attributable to the right event.

Framework citations that expect severity provenance

Most enterprise frameworks expect severity to be reproducible from the underlying evidence rather than asserted from a single mutable field at audit week. The audit query reads against the time-of-detection severity (what the programme knew when it acted) and against the current severity (what the live record reports now). The pattern across frameworks is consistent enough that one versioned severity record with scanner generation tags satisfies citations across the in-scope framework set.1,2,4,5,6,8,9

FrameworkSeverity provenance citationWhat the audit reads
ISO 27001:2022A.8.8 (vulnerability handling), A.5.7 (threat intelligence), A.8.9 (configuration management of assessment tool)Documented severity methodology, threat intelligence inputs into severity, configuration management of the scanner that produced it.
SOC 2 Trust Services CriteriaCC4.1 (monitoring controls with severity classification), CC7.1 (vulnerability remediation by severity band)Severity policy applied consistently across the observation period; remediation cadence aligned to severity bands.
PCI DSS v4.06.3.1 (risk ranking with documented methodology), 11.4.4 (vulnerability resolution by ranking)Documented risk-ranking methodology with version controls; vulnerability resolution evidence aligned to the ranking.
NIST SP 800-53 Rev. 5RA-5(a) (vulnerability scanning programme), SI-2 (flaw remediation by severity), CA-7 (continuous monitoring)Scanning programme with documented severity outputs; remediation evidence by severity; continuous monitoring with severity tracking across the observation window.
NIST CSF 2.0ID.RA-01 (vulnerabilities with assessed severity), PR.PS-02 (software maintained with severity prioritisation)Vulnerability inventory with documented severity assessment; software maintenance prioritisation against severity-informed schedule.
CIS Controls v8.1Safeguard 7.7 (remediation cadence by severity)Documented remediation cadence per severity band; evidence the cadence operates across the assessment cycle.
DORAArticle 24 (ICT testing outcomes with severity tracking)Testing outcomes with severity capture; severity tracked across the testing cycle and into remediation.

The severity provenance citation reads cleanly when the underlying record carries a captured scanner generation, the CVSS version where applicable, the vector for recalculation, and a recorded recalibration event for each prior drift episode. When any of these properties are missing, the audit citation passes the field-presence check but fails the methodology reconstruction check; the audit then writes a finding against the severity policy rather than against the underlying vulnerability handling. The audit evidence half-life research covers the currency dimension of this discipline; this research covers the severity provenance dimension.

Drift signatures by finding source

Recalibration drift behaves differently across finding sources because each scanner class has its own generation cadence and its own severity methodology. The decomposition lets the programme prioritise the scanner identity discipline that produces the highest drift volume rather than treating severity provenance as a single hygiene problem across the backlog.15,16,17,19

SourceTypical drift driverGeneration tag that holds provenance
External web scansWorkspace platform release cadence; rule pack updates rolled in by the platform team; CVSS vector revisions on canonical finding templates.Scan execution timestamp paired to the platform release version; finding template version on each match; CVSS version field on each scored entry.
Authenticated DASTSame drivers as external scans, plus session-handling logic changes that can affect authentication coverage and the severity of session-anchored issues.Scan execution timestamp; credential profile version; finding template version with auth-context flag.
Code scans (SAST and SCA via Semgrep)Semgrep rule registry updates; rule version pinning; upstream CVE severity revisions for SCA findings.Semgrep rule registry version pinned per scan; rule version on each finding match; SCA finding carries upstream CVE identifier with the CVSS version evidence.
Imported third-party scanner outputSource tool generation at the moment of export rather than at the moment of import; severity scale of the source tool changes between exports.Source tool name and generation tag captured at import; original source-emitted severity preserved on originating evidence; workspace canonical severity tagged with workspace generation.

Programmes that read the drift-rate decomposition rather than the headline severity distribution prioritise the scanner identity tagging update that recovers the most provenance. Imported third-party output usually produces the highest drift volume because the source generation is hardest to capture; code scans through a versioned rule registry tend to produce the cleanest provenance because the registry version is explicit at scan time.

For internal security teams, AppSec, and vulnerability management leads

Drift management is operational discipline that internal security teams, AppSec leads, and vulnerability management owners run on the live record rather than as an audit-week reconstruction. The operating commitment is to capture the scanner generation on every scan execution, attach it to every severity entry on the finding, and record every recalibration event so the severity history is a durable artefact rather than inferred state.

For internal security teams, vulnerability management teams, AppSec teams, security engineering teams, and product security teams, drift management is the practical question of whether the next leadership review, the next audit query, and the next SLA reconciliation can anchor against a reproducible severity history. The operational counterpart of this research lives on the vulnerability prioritisation use case, which describes the severity-driven decision loop that the drift register sits inside; the scanner-side mechanics live on the scanner output severity normalisation scanner-info page, which covers the cross-tool axis at one moment.

The SLA dimension of the operating model lives on the vulnerability SLA management use case, the breach-handling discipline lives on vulnerability SLA breach escalation, and the SLA design rationale lives on the vulnerability remediation SLA policy guide. Pair these with the drift register so the SLA clock does not move silently under the programme when a scanner upgrades.

The cross-tool severity axis lives on the severity calibration for pentest findings research and the workspace data model that holds both axes lives on the vulnerability programme data model research. Reading the three together gives the operating picture: the data model holds the severity entries with provenance, the calibration research covers how to set severity at the time of detection, and this research covers how to keep severity history defensible across the upgrade cycle.

For security leadership and audit committees

Security leaders and audit committees read the severity layer through a different lens than operational teams. The leadership read is whether the trend chart reflects programme activity or methodology change, not only whether the latest scanner emits the latest severity. A programme reporting a clean downward trend in High-severity findings that coincides with a vendor methodology revision has produced a chart that absorbed the revision as remediation progress.5,6,13,14

  • Track generation-attributed severity coverage, drift event capture rate, and the pre-and-post migration matrix on the same dashboard the operational view reads.
  • Pair the live-record severity distribution with the time-of-detection severity distribution so divergence is visible as methodology effect rather than absorbed as trend.
  • Read the migration matrix per generation transition so the programme can answer leadership questions about why the chart moved.
  • Investigate every Critical-band downward recalibration individually; the target on Critical downward drift without a documented rationale is zero.
  • Tie scanner upgrades to the same engagement record the audit evidence comes from so the leadership read and the audit read are the same record rather than two reports.

The leadership question that drives this discipline is whether the severity layer survives scanner upgrade cycles between audit moments. If it does, the audit conversation is grounded in the live record and the operational conversation is grounded in the same place. If it does not, the audit-week reconstruction produces a derivative that has no operational equivalent and the audit citation passes only because the reconstruction was done. The audit evidence half-life research covers the evidence-currency dimension, the vulnerability evidence reuse research covers the artefact-class dimension, and this research covers the severity provenance dimension.

The leadership-side platform discipline that supports this is covered on SecPortal for CISOs and security leaders, which describes how findings, remediation, retests, exceptions, and reporting hold the durable read of programme health between reporting cycles. The GRC and compliance teams persona describes the audit-side cadence that needs severity provenance to regenerate citations from the live record.

The operating cadence for scanner generation upgrades

Scanner upgrades land cleanly when the programme treats them as planned recalibration events rather than as silent infrastructure refreshes. Five steps land on most enterprise vulnerability programmes that survive audit scrutiny.5,7,15,17

Pre-upgrade snapshot

  • Capture the current open finding catalogue with severity tagged to the scanner generation in effect.
  • Record the CVSS version on every score and the rule pack version on every match.
  • Export the snapshot to a versioned record so the post-upgrade comparison reads against a stable baseline.

Vendor change review

  • Read the release notes and the rule pack diff against the workspace finding catalogue.
  • Identify which finding templates and which target classes carry severity changes.
  • Map the changes to the workspace severity policy and decide whether the policy needs an update before the rollout.

Representative test scan

  • Run the new scanner generation against a subset of representative targets and compare emitted severities to the pre-upgrade snapshot.
  • Record any divergence as an expected drift signature for the production rollout.
  • Confirm the new generation produces a deterministic output that matches the vendor advisory.

Production rollout with drift capture

  • Run the new generation in production with the recalibration events captured on each affected finding through finding overrides or the equivalent live-record mechanism.
  • Tag each scan execution with the new generation so the provenance chain is intact from the first scan forward.
  • Surface the recalibration events through notifications to the operational team so the operating context is not lost in the upgrade window.

Post-upgrade reconciliation

  • Produce the migration matrix and share it with security operations leaders and audit owners.
  • Update the leadership trend chart with the methodology effect named explicitly so the next reporting cycle does not misread the migration as remediation.
  • Carry the post-upgrade snapshot forward as the new baseline for the next upgrade event.

How the engagement record carries severity provenance

Severity provenance gets cleaner when the finding, the source-emitted scanner output, the CVSS vector, the analyst overrides, and the activity log live on the same engagement record the operational work lives on, rather than across a scanner export, a triage spreadsheet, and an audit-week derivative report. The platform does not write the severity narrative for the team; it does make every audit query for historical severity reproducible from the live record at any moment between assessments.

SecPortal pairs every finding, asset binding, remediation action, retest, exception, and closure to a versioned engagement record through findings management, which holds the severity field, CVSS vector, source-emitted scanner output, asset binding, and remediation status on the finding rather than across separate records. The finding overrides mechanism supports analyst-driven severity changes with the override reason, the creator, and the timestamp captured on the override record. The 300+ finding templates ship with pre-set CVSS 3.1 vectors so canonical severity for known weakness classes is anchored to a recalculable vector rather than to a vendor-specific label that drifts with the vendor.

The activity log records every state change and severity revision by user with CSV export so the recalibration register produces evidence rather than spreadsheet output. Bulk finding import accepts Nessus, Burp Suite, and CSV exports, and the imported records arrive as drafts the workspace triage promotes into canonical findings with the source-emitted severity preserved on the originating evidence. External scanning, authenticated scanning, and code scanning each capture the scan execution timestamp so the per-source severity provenance chain stays intact.

For CISOs and security leaders, the operating commitment is that the leadership trend chart reads against severity history that survives scanner upgrade cycles. For GRC and compliance teams, the discipline is that audit citations for severity provenance regenerate from the live record at any audit-week query. For internal security teams, the operational reality is that the next SLA reconciliation, the next leadership review, and the next audit fieldwork anchor against a reproducible severity history rather than against whatever the latest scanner emitted.

Conclusion

Severity recalibration drift is the temporal axis of vulnerability programme severity management. Generation-attributed severity coverage, drift event capture rate, and the pre-and-post migration matrix form a trio that separates a programme with controlled drift from one whose severity history is silently overwritten as scanners upgrade. Four canonical drift events (scanner engine version change, rule pack revision, bundled CVSS version migration, vendor severity scale revision) drive the bulk of drift across enterprise programmes, and each event has its own detection signature and its own programme response.2,5,10,11

Treating severity as a versioned record rather than as a single mutable field on the finding is the highest-leverage discipline in vulnerability programme severity operations. It keeps SLA clocks anchored to the severity the programme operated under at each moment, it preserves audit citations for severity provenance across scanner upgrade cycles, it surfaces methodology effects in leadership trend charts rather than absorbing them as remediation progress, and it makes scanner upgrades planned events rather than silent reconfigurations. The platform you use does not have to manage scanner generations for the team. It does have to make every audit query for severity history reproducible from the live record at any moment between assessments.

Frequently Asked Questions

Sources

  1. AICPA, SOC 2 Trust Services Criteria (TSC) 2017 with 2022 Revisions
  2. ISO/IEC, ISO 27001:2022 Information Security Management Systems
  3. ISO/IEC, ISO 27002:2022 Information Security Controls
  4. PCI Security Standards Council, PCI DSS v4.0
  5. NIST, SP 800-53 Revision 5: Security and Privacy Controls
  6. NIST, Cybersecurity Framework (CSF) 2.0
  7. NIST, SP 800-137 Information Security Continuous Monitoring (ISCM)
  8. CIS, Critical Security Controls v8.1
  9. European Union, Digital Operational Resilience Act (DORA) Article 24 ICT Testing
  10. FIRST, Common Vulnerability Scoring System (CVSS) v3.1 Specification
  11. FIRST, Common Vulnerability Scoring System (CVSS) v4.0 Specification
  12. NIST, National Vulnerability Database (NVD) CVSS Calculator
  13. CISA, Binding Operational Directive 22-01 Known Exploited Vulnerabilities
  14. CISA, Stakeholder-Specific Vulnerability Categorization (SSVC) Guide
  15. SecPortal, Findings Management
  16. SecPortal, Finding Overrides
  17. SecPortal, Activity Log
  18. SecPortal Research, Severity Calibration for Pentest Findings
  19. SecPortal Research, Vulnerability Programme Data Model
  20. SecPortal Research, Vulnerability Reopen Rate

Keep severity history defensible across scanner upgrade cycles

SecPortal pairs findings, CVSS vectors, source-emitted scanner output, analyst overrides, and the activity log to one versioned engagement record so each audit query for historical severity regenerates from the live record rather than from a derivative reconstruction.

Start freeSee findings management