{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreibn2xmyzdm54ooxrn7askbyfguogykmpauj57pola5vxstoufwv7e",
    "uri": "at://did:plc:25rdn5elo5izoxrmtis34zuk/app.bsky.feed.post/3mpmcj2az4de2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreieg5znce2hpptc6k4p2clzvhhpydavllh2dp5ijzpygpshb3ygxxe"
    },
    "mimeType": "image/webp",
    "size": 141158
  },
  "path": "/patchvex/why-cvss-alone-doesnt-tell-you-what-to-patch-first-1cj7",
  "publishedAt": "2026-07-01T19:51:17.000Z",
  "site": "https://dev.to",
  "tags": [
    "security",
    "devsecops",
    "vulnerabilities",
    "nessus",
    "github.com/PatchVex/vulnpilot",
    "patchvex.com"
  ],
  "textContent": "Your Nessus scan just finished. You have 5,000 findings. CVSS says 200 of them are Critical.\n\n##  Where do you actually start?\n\nIf your answer is \"sort by CVSS score and work from the top\" — you are making the same mistake most security teams make. And it is costing you hours every week while leaving your most dangerous vulnerabilities unpatched.\n\n##  The problem with CVSS\n\nCVSS (Common Vulnerability Scoring System) measures the theoretical severity of a vulnerability. It answers the question: _how bad could this be in the worst case?_\n\nIt does not answer: _is anyone actually exploiting this right now?_\n\nA CVSS 9.8 vulnerability on an isolated internal test server with no internet access is less urgent than a CVSS 7.0 vulnerability on your public-facing web server that attackers are actively exploiting today.\n\nCVSS cannot tell you which one to fix first. It was never designed to.\n\n##  What CISA KEV actually means\n\nThe Cybersecurity and Infrastructure Security Agency maintains a catalog called the Known Exploited Vulnerabilities (KEV) list.\n\nThis is not a theoretical list. Every CVE on this list has been confirmed as actively exploited in the wild. Real attackers. Real infrastructure. Right now.\n\nAs of today the KEV catalog contains over 1,100 CVEs — out of more than 250,000 total CVEs ever published.\n\nThat means less than 0.5% of all known vulnerabilities are confirmed to be actively exploited.\n\nIf your Nessus scan returns 4,847 findings and 19 of them match the KEV catalog — those 19 are your actual priority. Not the 200 that CVSS calls Critical.\n\n##  What EPSS predicts\n\nFIRST (Forum of Incident Response and Security Teams) publishes the Exploit Prediction Scoring System (EPSS).\n\nEPSS uses machine learning trained on real-world exploitation data to estimate the probability that a CVE will be exploited in the next 30 days.\n\nA CVE with an EPSS score of 0.94 has a 94% probability of being exploited in the next 30 days. A CVE with EPSS 0.001 has a 0.1% probability.\n\nThis is far more actionable than CVSS severity.\n\n##  A real example — Log4Shell\n\nCVE-2021-44228 (Log4Shell) has:\n\n  * CVSS: 10.0 (maximum)\n  * KEV: Yes — confirmed exploited\n  * EPSS: 0.975 — 97.5% exploitation probability\n\n\n\nCVE-2021-45046 (a related Log4j variant) has:\n\n  * CVSS: 9.0\n  * KEV: Yes\n  * EPSS: 0.960\n\n\n\nBoth would appear near the top of a CVSS-sorted list. So far so good.\n\nBut consider this common scenario: a CVSS 9.8 vulnerability in an obscure library with no public exploit code, no KEV entry, and an EPSS of 0.002.\n\nOn a CVSS-sorted list it sits above Log4Shell variants. In reality it should be deprioritized until the known exploited vulnerabilities are patched.\n\nCVSS cannot make this distinction. KEV and EPSS can.\n\n##  The composite approach\n\nThe most effective vulnerability prioritization combines all three signals:\n\nSignal | Weight | What it tells you\n---|---|---\nCISA KEV | 40% | Actively exploited right now\nFIRST EPSS | 35% | Exploitation probability next 30 days\nCVSS | 15% | Severity context\nScanner rating | 10% | Additional context\n\nAny finding confirmed in the KEV catalog should score a minimum of 75/100 regardless of other factors. KEV means patch immediately — no further analysis needed.\n\n##  What this looks like in practice\n\nWhen you apply composite scoring to a real Nessus scan, the output looks very different from a CVSS sort:\n\n\n\n    #  Score   Priority      Host            CVE              Finding\n    1  100.0   CRITICAL NOW  192.168.1.10   CVE-2021-44228   Log4Shell ★KEV\n    2  100.0   CRITICAL NOW  192.168.1.25   CVE-2023-34362   MOVEit SQLi ★KEV\n    3  99.8    CRITICAL NOW  192.168.1.15   CVE-2020-1472    Zerologon ★KEV\n    4  99.7    CRITICAL NOW  192.168.1.11   CVE-2021-26084   Confluence RCE ★KEV\n    5  11.5    LOW           192.168.1.10   N/A              SSH Weak Ciphers\n\n\nThe SSH weak ciphers finding would appear near the top of a CVSS sort. With composite scoring it correctly sits at the bottom — it has no KEV match, low EPSS, and no real-world exploitation in this context.\n\n##  The time cost of manual triage\n\nMost security teams spend hours per scan cycle doing this manually:\n\n  1. Export Nessus CSV\n  2. Open in Excel\n  3. Sort by CVSS\n  4. Manually check KEV catalog\n  5. Manually check EPSS scores\n  6. Build remediation priority list\n  7. Repeat next week\n\n\n\nThis is a solved problem. The data is public. The methodology is documented. The only missing piece was a tool that does it automatically — locally, privately, without uploading your scan data.\n\n##  VulnPilot\n\nWe built VulnPilot to solve exactly this problem.\n\n\n\n    pip install vulnpilot\n    vulnpilot update-feeds\n    vulnpilot analyze scan.csv\n\n\nIt downloads the latest KEV and EPSS feeds, cross-references your Nessus scan locally, applies composite scoring, and outputs a prioritized remediation list in seconds.\n\nEverything runs on your machine. Your scan data never leaves your environment. No account required. No cloud upload.\n\nFree and open source: github.com/PatchVex/vulnpilot\n\nWebsite: patchvex.com\n\n_Built by PatchVex — privacy-first security tools for DevSecOps and Security teams._",
  "title": "Why CVSS Alone Doesn't Tell You What to Patch First"
}