CVSS scores have become the default way to rank security findings. The framework is well intentioned and broadly useful. It is also frequently misapplied, because a number that looks objective tends to substitute for the judgement that actually decides whether a finding matters in a given environment. A 9.8 in the abstract is not the same as a 9.8 on your network, and confusing the two leads to remediation priorities that look thorough on paper and miss the real risks in practice.
Base Scores Are Decontextualised By Design
The CVSS base score deliberately ignores environmental factors. It describes the inherent severity of the vulnerability under worst-case assumptions. That is useful for comparing vulnerabilities across organisations. It is less useful for deciding which vulnerability in your specific environment deserves attention first. A vulnerability scored 9.8 that requires authenticated access to a service nobody can reach matters less than a vulnerability scored 7.2 sitting on your internet-facing perimeter. A focused vulnerability scanning programme should apply environmental scoring deliberately rather than treating base scores as gospel.
Exploitability Tells A Different Story
CVSS attempts to capture exploitability through its temporal metrics, but those metrics frequently go unused in production patch management. A vulnerability with a working public exploit deserves faster attention than one that exists only in theory, even if both share the same base score. The Known Exploited Vulnerabilities catalogue maintained by CISA provides a useful filter for this, because the entries on it are vulnerabilities currently being weaponised in the wild.
Expert Commentary
William Fieldhouse, Director of Aardwolf Security Ltd
A board level conversation that ranks remediation priorities by CVSS alone tends to produce remediation queues that work through the list mechanically. The patching team is busy. The business is not safer. The vulnerabilities that mattered are not always the ones at the top of the score sheet.

EPSS Adds Another Useful Dimension
The Exploit Prediction Scoring System provides an estimated probability that a given vulnerability will be exploited in the wild in the next thirty days. It complements CVSS by adding likelihood to severity. Used together for prioritisation, the two metrics produce a queue that tracks operational risk much better than either metric alone. It is also worth combining EPSS with internal exposure data, so that the prioritisation reflects both the external likelihood of exploitation and your specific environmental factors.
Use The Score, Do Not Worship It
CVSS is a useful input for prioritisation. It is not the prioritisation itself. The right approach combines the base score with environmental factors, exploit availability and business context. A penetration testing provider that helps you build a meaningful prioritisation framework will pay back its cost many times over the life of your security programme.
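To make the combination concrete, the following is an added example (not code from the original post or from any vendor it mentions) of a small prioritisation function that folds the inputs discussed above into one ranking: the CVSS base score as severity, EPSS as likelihood with a floor applied when an entry is on the CISA KEV catalogue, and a reachability and exposure factor plus an asset-criticality weight as the environmental side. The weights, the KEV floor of 0.9, the exposure multipliers and the `CVE-EXAMPLE-*` identifiers are all constructed for illustration; the sample findings reproduce the 9.8-but-unreachable versus 7.2-on-the-perimeter case from the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset. Field semantics are this example's own."""
    vuln_id: str            # placeholder ids below; not real CVEs
    cvss_base: float        # CVSS base score, 0.0 to 10.0
    epss: float             # EPSS: probability of exploitation in the next 30 days, 0.0 to 1.0
    in_kev: bool            # listed in the CISA Known Exploited Vulnerabilities catalogue
    reachable: bool         # can any untrusted party actually reach the vulnerable service?
    internet_facing: bool   # sits on the perimeter rather than an internal segment
    asset_criticality: float  # local business-context weight, e.g. 0.5 (low) to 1.5 (crown jewels)


def priority_score(f: Finding) -> float:
    """Severity x likelihood x exposure x business context, on a 0..~150 scale (assumed weighting)."""
    severity = f.cvss_base / 10.0
    # EPSS is the baseline likelihood; active exploitation in the wild (KEV) floors it at 0.9.
    likelihood = max(f.epss, 0.9) if f.in_kev else f.epss
    # Environmental factor: unreachable services are discounted heavily but never to zero,
    # because configuration drift and lateral movement can change reachability.
    if not f.reachable:
        exposure = 0.1
    elif f.internet_facing:
        exposure = 1.0
    else:
        exposure = 0.5
    # 0.3 + 0.7*likelihood keeps a severe, low-EPSS finding from vanishing from the queue entirely.
    return round(100 * severity * (0.3 + 0.7 * likelihood) * exposure * f.asset_criticality, 1)


def rank_findings(findings: list[Finding]) -> list[tuple[str, float]]:
    """Return (vuln_id, score) pairs, highest priority first."""
    scored = [(f.vuln_id, priority_score(f)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def cvss_only_order(findings: list[Finding]) -> list[str]:
    """The queue you get by ranking on the base score alone, for comparison."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]


# Constructed sample data: the 9.8 needs authenticated access to a service nobody can reach;
# the 7.2 is internet-facing with a meaningful EPSS; the 8.1 is on KEV on a critical internal host.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", 9.8, 0.02, False, reachable=False, internet_facing=False, asset_criticality=1.0),
    Finding("CVE-EXAMPLE-0002", 7.2, 0.35, False, reachable=True, internet_facing=True, asset_criticality=1.0),
    Finding("CVE-EXAMPLE-0003", 8.1, 0.60, True, reachable=True, internet_facing=False, asset_criticality=1.5),
    Finding("CVE-EXAMPLE-0004", 5.3, 0.01, False, reachable=True, internet_facing=True, asset_criticality=0.5),
]


if __name__ == "__main__":
    print("CVSS-only queue :", cvss_only_order(SAMPLE_FINDINGS))
    print("Contextual queue:")
    for vuln_id, score in rank_findings(SAMPLE_FINDINGS):
        print(f"  {vuln_id}  {score:5.1f}")
```

Run as a script, the CVSS-only queue puts the unreachable 9.8 first, while the contextual queue puts the KEV-listed 8.1 on the critical host first, the internet-facing 7.2 second, and the unreachable 9.8 last. The point of the example is the shape of the decision, not the particular constants: replace the weights with ones your own incident history justifies, and feed `reachable` and `internet_facing` from asset inventory and scan data rather than by hand.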
A number is easier than a judgement. Easier is not the same as better. CVSS is a useful input. It is not a substitute for thinking. The teams that use it well treat it accordingly. Vulnerability management at scale rewards consistent investment in the unglamorous parts of the discipline. The teams that show up every week and grind through the queue consistently outperform the ones that pursue novel tooling without the underlying operational rigour.

