Most teams drown in vulnerabilities. Dashboards fill with double-digit CVSS scores, patch windows shrink, and everything feels urgent. But treating all “highs” as equal wastes effort and leaves mission-critical gaps. The way out is risk-based vulnerability management, where threat intelligence (TI)—not just severity scores—guides what gets patched first.

The Problem with CVSS-Only Triage

CVSS measures theoretical impact, not real-world likelihood. It doesn’t tell you:

  • Whether a vuln is actively exploited in the wild
  • If ransomware crews or your industry’s top adversaries are targeting it
  • How exposed your instance is (internet-facing? privileged? crown-jewel adjacent?)

Relying on CVSS alone often means over-patching the improbable and under-patching the inevitable.

What to Pull from Threat Intelligence

High-signal TI layers real-world context on top of CVSS:

  • Active exploitation: Evidence of exploitation in the wild trumps the score alone.
  • Exploit availability & maturity: Public PoCs, crimeware kits, “one-click” reliability.
  • Actor interest: Chatter, tasking, or campaigns from groups that target your sector, or worse, your organization.
  • Victimology & vertical targeting: Is your industry, tech stack, or region in scope?
  • Infrastructure & TTP overlap: Does exploitation align with known attacker tradecraft (initial access, lateral movement, data theft)?

Closed sources (deep passive DNS, dark-web telemetry, underground actor tracking) often surface these signals before they hit public feeds.

A Simple Prioritization Model

Score each vuln with four lenses, then sort by total risk:

  1. Exploitability (0–5): Active exploitation, PoCs, exploit reliability.
  2. Impact (0–5): Data sensitivity, privilege gained, blast radius if abused.
  3. Exposure (0–5): Internet-facing, reachable from low-trust zones, number of affected assets.
  4. Compensating Controls (0 to 3, subtracted): Effective mitigations (virtual patching, segmentation, MFA) reduce urgency.

Priority Score = Exploitability + Impact + Exposure − Controls. Patch from highest to lowest score, not highest CVSS.

How to Operationalize

  • Ingest curated TI daily: Track active exploitation, actor interest, and toolchain updates.
  • Map TI to your asset inventory: Enrich vulns with business criticality and exposure.
  • Focus on chokepoints: Internet-facing apps, identity systems, remote access, and widely deployed third-party components.
  • Patch in waves:
    • Wave 1: Actively exploited + internet-facing + high impact
    • Wave 2: Exploit-ready (PoC), high impact, moderate exposure
    • Wave 3: High CVSS without real-world signals or with strong compensating controls

Measure what matters: Time-to-patch for exploited vulns, reduction of attack paths, and percentage of internet-facing criticals remediated.
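The four-lens score and the patch waves above, worked through on constructed findings. This is an added example, not code from the post; the CVE identifiers are placeholders, and the thresholds used for “high impact” (4 or more) and “moderate exposure” (2 or more) are assumptions chosen for the example.

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    cve: str              # placeholder identifier, not a real CVE
    cvss: float
    exploitability: int   # 0-5: active exploitation, PoCs, exploit reliability
    impact: int           # 0-5: data sensitivity, privilege gained, blast radius
    exposure: int         # 0-5: internet-facing, low-trust reach, asset count
    controls: int         # 0-3: effective mitigations (subtracted from the score)
    actively_exploited: bool = False   # TI signal: exploitation seen in the wild
    poc_public: bool = False           # TI signal: public PoC or exploit kit
    internet_facing: bool = False      # asset-inventory enrichment

def priority_score(v: Vuln) -> int:
    """Priority Score = Exploitability + Impact + Exposure - Controls."""
    bounds = {"exploitability": 5, "impact": 5, "exposure": 5, "controls": 3}
    for name, hi in bounds.items():
        val = getattr(v, name)
        if not 0 <= val <= hi:
            raise ValueError(f"{name}={val} outside 0..{hi}")
    return v.exploitability + v.impact + v.exposure - v.controls

def patch_wave(v: Vuln) -> int:
    """Wave 1/2/3 from the post; the >= 4 impact and >= 2 exposure
    thresholds are assumptions made for this example."""
    if v.actively_exploited and v.internet_facing and v.impact >= 4:
        return 1
    if v.poc_public and v.impact >= 4 and v.exposure >= 2:
        return 2
    return 3

def prioritize(vulns):
    """Patch order: earlier wave first, then higher score, then CVSS as tiebreak."""
    return sorted(vulns, key=lambda v: (patch_wave(v), -priority_score(v), -v.cvss))

def cvss_order(vulns):
    """The CVSS-only ordering the post argues against, kept for comparison."""
    return sorted(vulns, key=lambda v: -v.cvss)

# Constructed sample findings (identifiers are placeholders, not real CVEs).
SAMPLE = [
    Vuln("CVE-EXAMPLE-A", 9.8, 1, 5, 1, 2),                  # scary on paper, internal, mitigated
    Vuln("CVE-EXAMPLE-B", 7.5, 5, 4, 5, 0, True, True, True),  # exploited, exposed, high impact
    Vuln("CVE-EXAMPLE-C", 8.1, 3, 4, 3, 1, poc_public=True),   # PoC out, moderate exposure
    Vuln("CVE-EXAMPLE-D", 6.5, 4, 2, 5, 0, actively_exploited=True, internet_facing=True),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"wave {patch_wave(v)}  score {priority_score(v):2d}  cvss {v.cvss}  {v.cve}")
```

Run as-is, the CVSS-only order puts the 9.8 first, while the risk-based order patches the actively exploited 7.5 first and the 9.8 last.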

Don’t Ignore Vulnerability Chaining

Moderate CVSS bugs become critical when chained (e.g., auth bypass → RCE → privilege escalation). TI that highlights common chains and attacker playbooks helps you patch links that enable full compromises, not just headline CVEs.

Common Pitfalls to Avoid

  • Chasing headlines: Prioritize based on your environment and threat model, not just social buzz.
  • Static scoring: Recalculate priority as TI evolves (new PoCs, fresh targeting).
  • Blind spots: Unknown assets and shadow IT undercut any prioritization model—keep discovery continuous.
  • “Patch or nothing” thinking: Where downtime is costly, apply mitigations (WAF rules, feature flags, hardening) while scheduling maintenance windows.

Takeaways

Risk lives where likelihood and impact meet your exposure. By blending CVSS with threat intelligence signals—active exploitation, actor interest, exploit maturity, and asset context—you’ll patch the vulnerabilities attackers are most likely to use against you, not just the ones that look scary on paper.

Do you have the tools it takes to understand who is attacking your organization and why? Ultimately, it’s the only way to know how to stop attacks. Platform Blue offers government-grade threat intelligence to the world’s most elite threat hunting organizations. Get a demo today!