7.3.1. Vulnerability Classification and Risk Prioritization
💡 First Principle: Vulnerability prioritization answers one question: "Given limited remediation resources, which fixes prevent the most damage?" This requires combining multiple data sources because no single scoring system captures all dimensions of risk. CVSS measures technical severity. EPSS estimates exploitation probability. CISA KEV confirms active exploitation in the wild. Asset criticality maps to business impact. Only by combining these dimensions can you build a defensible remediation queue.
Vulnerability scoring systems compared:
| System | What It Measures | Scale | Best For |
|---|---|---|---|
| CVSS Base | Technical severity (attack vector, complexity, impact) | 0.0–10.0 | Universal severity language; vendor advisories |
| CVSS Environmental | Base score adjusted for your deployment context | 0.0–10.0 | Organization-specific risk adjustment |
| EPSS | Probability of exploitation in the next 30 days | 0.0–1.0 | Forecasting which vulns attackers will actually target |
| CISA KEV | Confirmed active exploitation in the wild | Boolean (listed/not listed) | Mandatory-action trigger for federal; strong signal for all |
Risk-based prioritization framework:
The most effective prioritization models combine scoring with contextual factors:
- Exploitability signal — Is there a public exploit? Is it in CISA KEV? What is the EPSS score? A CVSS 7.0 vulnerability with a weaponized exploit kit and active exploitation is more urgent than a theoretical CVSS 9.8 with no known exploit.
- Asset criticality — A medium-severity vulnerability on the domain controller that authenticates 10,000 users is higher priority than a critical vulnerability on a development workstation with no network access.
- Exposure — Internet-facing assets have fundamentally different risk profiles than assets behind multiple network layers. The attack surface reduction from network position is real but must be verified, not assumed.
- Compensating controls — A SQL injection vulnerability behind a properly configured WAF with virtual patching has reduced exploitability. The vulnerability still needs fixing, but the compensating control buys time.
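The following is an added worked example, not code from the original text or any published scoring standard. It turns the framework above (CVSS, EPSS, CISA KEV, asset criticality, exposure, compensating controls) into a single sortable risk score and builds a remediation queue against a fixed capacity. The weights, the 0.3 exploitability floor, the exposure multipliers and every finding in the list are constructed assumptions; the finding identifiers are not CVEs. The sample set deliberately mirrors the comparisons this section makes (KEV-listed CVSS 7.0 versus theoretical 9.8, medium on a domain controller versus critical on an isolated workstation, SQLi behind a WAF, and a CVSS 10.0 on a system with no connectivity versus a 7.5 on an internet-facing payment service) so the ranking can be checked against the text.

```python
"""
Risk-based remediation queue: combines CVSS, EPSS, CISA KEV, asset
criticality, exposure and compensating controls into one sortable score.
Added example; the weights are illustrative assumptions, not a published
formula, and every finding below is constructed (IDs are not CVEs).
"""
from dataclasses import dataclass


@dataclass
class Finding:
    fid: str                    # constructed identifier, not a real CVE
    asset: str
    cvss: float                 # CVSS base score, 0.0-10.0
    epss: float                 # EPSS probability of exploitation, 0.0-1.0
    in_kev: bool                # listed in CISA KEV (confirmed exploitation)
    public_exploit: bool        # public exploit code exists
    criticality: int            # 1 (dev/lab) .. 5 (crown jewel), set by the asset owner
    internet_facing: bool
    network_isolated: bool      # no network connectivity at all
    compensating_control: bool  # verified mitigation, e.g. WAF virtual patch


def cvss_band(score: float) -> str:
    """CVSS v3 qualitative severity bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def risk_score(f: Finding) -> float:
    # Exploitability: EPSS forecast, floored by hard evidence of exploitation
    exploitability = f.epss
    if f.public_exploit:
        exploitability = max(exploitability, 0.5)
    if f.in_kev:
        exploitability = max(exploitability, 0.9)
    # Impact: technical severity scaled by how much the business depends on the asset
    impact = (f.cvss / 10.0) * (f.criticality / 5.0)
    # Exposure: network position, which must be verified rather than assumed
    if f.network_isolated:
        exposure = 0.1
    elif f.internet_facing:
        exposure = 1.0
    else:
        exposure = 0.6
    # A verified compensating control halves the score; it buys time, it does not close the finding
    control = 0.5 if f.compensating_control else 1.0
    # The 0.3 floor keeps a severe finding with no exploit data from scoring zero
    return 100 * impact * (0.3 + 0.7 * exploitability) * exposure * control


def build_queue(findings, capacity):
    """Return (remediate_now, accepted_risk), both ordered by descending risk score."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return ranked[:capacity], ranked[capacity:]


def accepted_risk_summary(accepted):
    """Counts by CVSS band: the first thing leadership asks about the unfixed remainder."""
    bands = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for f in accepted:
        bands[cvss_band(f.cvss)] += 1
    return bands


# Constructed findings mirroring the comparisons in this section
SAMPLE_FINDINGS = [
    Finding("FND-001", "payment-api (internet-facing)", 7.5, 0.40, False, True, 5, True, False, False),
    Finding("FND-002", "file-server (KEV-listed bug)", 7.0, 0.80, True, True, 3, False, False, False),
    Finding("FND-003", "web-app SQLi behind verified WAF", 8.5, 0.30, False, False, 4, True, False, True),
    Finding("FND-004", "domain-controller (medium)", 5.5, 0.10, False, False, 5, False, False, False),
    Finding("FND-005", "file-server (theoretical 9.8)", 9.8, 0.01, False, False, 3, False, False, False),
    Finding("FND-006", "dev-workstation (no network)", 9.0, 0.10, False, False, 1, False, True, False),
    Finding("FND-007", "isolated test rig (CVSS 10.0)", 10.0, 0.02, False, False, 1, False, True, False),
]


def by_id(fid: str) -> Finding:
    return next(f for f in SAMPLE_FINDINGS if f.fid == fid)


if __name__ == "__main__":
    now, later = build_queue(SAMPLE_FINDINGS, capacity=3)
    for f in now:
        print(f"FIX    {f.fid} {risk_score(f):5.1f} {f.asset}")
    for f in later:
        print(f"ACCEPT {f.fid} {risk_score(f):5.1f} {f.asset}")
    print("accepted risk by CVSS band:", accepted_risk_summary(later))
```

Note what the ranking does with pure CVSS ordering: the CVSS 10.0 and 9.8 findings land in the accepted-risk list while the 7.0 with a KEV listing and the 7.5 on the payment service go to the top. The summary by CVSS band is the uncomfortable number you carry to leadership: three "critical" findings deliberately deferred, each with a written reason (no connectivity, no exploit, low-value asset) and a review date.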
Scan output validation — eliminating false positives:
Vulnerability scanners produce findings, not confirmed vulnerabilities. Validation is required before remediation resources are committed:
| Validation Method | When to Use | Effort Level |
|---|---|---|
| Manual verification | High-severity findings on critical assets | High — analyst confirms exploitability |
| Authenticated re-scan | When initial scan was unauthenticated | Medium — confirms patch state |
| Penetration test | When you need to confirm exploitable chains | High — demonstrates actual impact |
| Vendor advisory cross-reference | When scanner flags a version as vulnerable | Low — confirms whether patch is applied |
| Compensating control verification | When a finding may be mitigated by other controls | Medium — tests whether mitigation is effective |
The difference between authenticated and unauthenticated scanning is significant: unauthenticated scans see the target as an external attacker would — they fingerprint services and infer vulnerabilities from version banners. Authenticated scans log into the target and inspect installed packages, patches, and configurations directly. Authenticated scans produce fewer false positives and far greater coverage, but require credential management and carry the risk of scanner-induced disruption.
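As an added example (not from the original text or any real scanner), the triage below shows why authenticated data changes the validation decision. An unauthenticated finding carries only the version inferred from a service banner; the routine cross-references it with the vendor's first fixed version and, where an authenticated inventory exists for the host, with the package actually installed, then picks validation steps in the spirit of the table above. The package names, versions, hosts and advisory data are all constructed.

```python
"""
Validation triage for scanner findings. Added example; package names,
versions, hosts and the 'advisory' fixed versions are constructed.
"""
import re
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'2.4.1-3' -> (2, 4, 1, 3): numeric comparison, so '2.10' > '2.9'."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


@dataclass
class ScanFinding:
    host: str
    package: str
    banner_version: str          # what the unauthenticated scan inferred from the banner
    cvss: float
    asset_critical: bool
    control_claimed: bool = False  # owner asserts a mitigation (e.g. WAF) covers it


# Constructed vendor advisory data: first fixed version per package
FIXED_VERSION = {"examplehttpd": "2.4.3", "exampledb": "5.1.0"}

# Constructed authenticated inventory: host -> package -> installed version.
# Hosts missing here were only ever scanned unauthenticated.
INVENTORY = {
    "web-01": {"examplehttpd": "2.4.5"},   # patched; banner still advertises the old version
    "web-02": {"examplehttpd": "2.4.1"},   # genuinely unpatched
}


def validate(f: ScanFinding) -> dict:
    """Classify a finding and list the validation work still required."""
    steps = []
    installed = INVENTORY.get(f.host, {}).get(f.package)
    if installed is None:
        # No authenticated view of this host: banner evidence alone is not a confirmation
        status = "unverified"
        steps.append("authenticated re-scan")
    elif parse_version(installed) >= parse_version(FIXED_VERSION[f.package]):
        # Installed package meets the fixed version; the banner is stale or the fix was backported.
        # The advisory cross-reference documents why the finding is closed as a false positive.
        status = "likely false positive"
        steps.append("vendor advisory cross-reference")
    else:
        status = "confirmed unpatched"
    if f.cvss >= 7.0 and f.asset_critical and status != "likely false positive":
        # High severity on a critical asset: an analyst confirms exploitability before committing effort
        steps.append("manual verification")
    if f.control_claimed and status == "confirmed unpatched":
        # A claimed mitigation is tested, not trusted, before it lowers the priority
        steps.append("compensating control verification")
    return {"host": f.host, "package": f.package, "status": status, "next_steps": steps}


if __name__ == "__main__":
    for finding in [
        ScanFinding("web-01", "examplehttpd", "2.4.1", 9.8, True),
        ScanFinding("web-02", "examplehttpd", "2.4.1", 9.8, True, control_claimed=True),
        ScanFinding("web-03", "examplehttpd", "2.4.1", 5.0, False),
    ]:
        print(validate(finding))
```

The three constructed hosts show the three outcomes: the same banner-based finding is a likely false positive on a host whose authenticated inventory shows the fixed package, a confirmed gap that still needs an analyst and a control test on the unpatched critical host, and simply unverified where no authenticated data exists yet. Even the "likely false positive" case deserves a check that the patched service was actually restarted, since the package version on disk does not prove what is running in memory.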
⚠️ Exam Trap: A CVSS 10.0 vulnerability on a system with no network connectivity and no sensitive data is lower operational priority than a CVSS 7.5 vulnerability on your internet-facing payment processing server. The exam tests whether you apply risk-based thinking or blindly follow severity scores.
Reflection Question: A quarterly vulnerability scan returns 1,200 findings: 47 critical, 203 high, 614 medium, and 336 low. The security team has capacity to remediate approximately 80 findings per quarter. Using risk-based prioritization principles, describe how you would build the remediation queue, what data sources beyond CVSS score you would incorporate, and how you would communicate the remaining accepted risk to executive leadership.