Vulnerability prioritisation
from raw signals to a defensible queue

The intrinsic technical severity of the vulnerability if it were exploited. Captured as the full attack vector, attack complexity, privileges required, user interaction, scope, and CIA impact metrics. CVSS answers the "how bad if exploited" question. It is the starting point of prioritisation, not the final answer; a CVSS 9.8 in an internal-only system with a compensating control may legitimately rank below a CVSS 7.5 in an internet-facing API with active exploitation in the wild.

The Exploit Prediction Scoring System estimates the probability that a vulnerability will be exploited within the next thirty days based on real-world exploitation data. EPSS separates the small set of vulnerabilities that are both severe and likely from the much larger set that are severe but rarely exploited. Pairing EPSS with CVSS turns a backlog of hundreds of high findings into the dozen the team has to address first this week.

The Known Exploited Vulnerabilities catalogue is the strongest single signal a prioritisation queue can carry. Anything in KEV is being actively exploited by threat actors at the time the catalogue was updated. KEV-listed findings on internet-facing assets warrant the tightest SLA tier regardless of CVSS score, because the assumption that exploitation is theoretical no longer holds.

The same vulnerability in a tier-zero asset (cardholder data, customer authentication, regulated data) carries materially higher impact than the same vulnerability in a non-production sandbox. Asset tier is the multiplier that converts technical severity into business risk. Without asset context, the queue treats every finding as if it sits on the same system; with asset context, the queue reflects what actually matters to the business.

Internet-facing exposure raises real risk; internal-only reachability lowers it. Network segmentation, authentication walls, and zero-trust controls are part of the exposure picture rather than abstract risk reductions. A finding that is technically high but unreachable from the public network without authenticated access deserves a different SLA tier than one that is one curl request away from exploitation.

A WAF rule, network segmentation, monitoring alert, or session-policy hardening can demonstrably reduce residual risk. Compensating controls are recorded against the finding with the rule ID, segment policy, or alert query so the residual claim is verifiable later. Generic claims that "a WAF blocks this" without naming the rule are the most common path from a defensible exception to a finding the audit cannot defend.

The team sorts findings by base CVSS score and works the top of the list. Half the criticals are theoretical; half the highs are KEV-listed and actively exploited but get worked second. The fix is layering EPSS, KEV, and asset context onto the ordering rather than treating CVSS as the sole input. CVSS is a severity score, not a priority score.

A separate document lists tier-zero, tier-one, and tier-two assets, but the finding queue does not pull from it. The result is a queue where tier-zero criticals sit alongside tier-three mediums in creation-date order. The fix is recording asset criticality against the engagement scope so every finding logged on that asset inherits the tier without manual classification.

A team integrates EPSS scoring at first import and then forgets to refresh. Six months later the queue is using a six-month-old probability estimate that no longer reflects current exploitation patterns. EPSS is updated daily and the prioritisation logic has to reflect the live estimate, not the snapshot taken at the moment of import.

The team checks KEV at the end of triage rather than at the start. Findings that should have been escalated to a tighter SLA tier sit in the standard queue for weeks before someone notices the CVE is in KEV. The fix is making KEV a queue-entry signal so KEV-listed findings carry the tightest SLA from the moment they land.

A finding rated critical on base CVSS but mitigated by a WAF rule sits at the top of the queue alongside un-mitigated criticals. The team chases the mitigated finding and the un-mitigated one waits. The fix is recording the compensating control against the finding so the residual severity is visible alongside the original severity, and the queue can sort by residual rather than by base.

A spreadsheet reorders findings once a quarter at the steering meeting. Between reviews the queue drifts back toward creation-date order and the urgent work gets buried. The fix is making prioritisation a queue-state property rather than a meeting deliverable: every finding carries its priority signal at all times, and the queue surfaces the closest-to-slipping work first.

How CVSS, EPSS, and KEV combine into a single priority score. The most common pattern is a tiered rule: KEV plus exposure equals immediate, high CVSS plus elevated EPSS plus reachable equals high, and so on. The weighting is recorded on the engagement so every finding inherits the same logic without manual reordering.

The classification of in-scope assets into tier-zero (cardholder data, customer authentication, regulated data), tier-one (production business systems), tier-two (internal supporting systems), and tier-three (development and sandbox). The mapping is a property of the engagement scope, not of the individual finding, so every finding inherits the tier from the asset it sits on.

How the queue determines whether a finding is internet-facing, internal-only, or behind authentication. Common inputs are the verified-domain hostname check, the scanner module that produced the finding (external scanning versus authenticated scanning versus code scanning), and the engagement scope description. Recording the exposure source makes the residual claim verifiable later.

The list of named compensating controls (WAF rule IDs, segment policies, monitoring alert queries, session-policy hardening references) that can be applied to a finding to reduce its residual severity. The register lives alongside the engagement so the residual claim is auditable rather than narrative.

How often the platform refreshes EPSS scores against the live finding queue. EPSS is updated daily; a defensible policy refreshes at least weekly, more often for tier-zero assets. The refresh cadence is recorded on the engagement so the audit can verify the priority decision was based on a current estimate rather than a months-old snapshot.

The events that force a finding to be re-prioritised: a new KEV listing for the underlying CVE, an EPSS percentile crossing a threshold, a compensating-control change, an asset re-tiering, or a regression. Trigger-driven re-prioritisation keeps the queue accurate between scheduled reviews rather than waiting for the next cycle.

Prioritisation depends on scanner result triage promoting validated findings into the queue, on bulk finding import preserving the original tool metadata, on threat intelligence driven prioritisation ingesting external CTI signals (KEV, EPSS shifts, CERT advisories, vendor PSIRT bulletins, ISAC alerts) into the queue with provenance, and on vulnerability acceptance and exception management handling the residual cases that compensating controls move out of the standard tier.

Priority tier feeds vulnerability SLA management because the tier decides the deadline. The queue feeds remediation tracking for the broader status workflow and retesting because closure under tier depends on retest evidence. AI report generation produces the leadership and audit narratives from the live record.

Every finding carries CVSS, EPSS, KEV status, asset tier, exposure, and compensating controls on its own record. The priority decision is not an output of a quarterly meeting; it is a property of the finding the queue inherits at all times.

KEV-listed findings carry the immediate tier from the moment they enter the queue. The programme covers KEV before anything else, and the KEV coverage report demonstrates the floor. Beyond KEV, EPSS and asset tier order the rest of the high-urgency work.

Compensating controls are recorded with rule, segment, or query references. The residual severity sits alongside the base severity on every finding the controls apply to, and the audit can verify the residual claim from the same record the queue runs on.

The priority tier breakdown, the KEV coverage view, the EPSS top-percentile view, the tier-zero exposure view, and the activity log export all derive from the live record. Nobody assembles the prioritisation evidence at the end of the quarter from a spreadsheet; the activity log is the trail and the AI report is the narrative.