When your vulnerability scanner flags thousands of issues, the first instinct is often to prioritize by severity. But relying solely on a metric like CVSS can mislead teams—pushing high-scoring but low-risk flaws to the front of the line while critical, actively exploited vulnerabilities slip through the cracks.
This approach doesn’t just waste hours each week; it leaves your most exposed systems unprotected when attackers are already exploiting weaknesses. The solution? Shift from theoretical severity to real-world risk by integrating intelligence from CISA’s Known Exploited Vulnerabilities (KEV) catalog and the Exploit Prediction Scoring System (EPSS).
Why CVSS alone isn’t enough
The Common Vulnerability Scoring System (CVSS) rates the intrinsic severity of a vulnerability: what an attacker could achieve under the conditions the base metrics assume. It answers a simple question: how bad could this get? It does not answer the questions that matter most for triage: Is this vulnerability being exploited right now? Is it likely to be exploited soon? And where does it sit in my infrastructure? CVSS does define Temporal (Threat, in v4.0) and Environmental metric groups for exactly that context, but scanners and advisories almost always report only the base score, so the base score is what teams end up sorting by.
For example, a CVSS 9.8 flaw in a disconnected internal server poses minimal immediate risk, while a CVSS 7.0 vulnerability on a public-facing web application—especially one already targeted by attackers—demands urgent attention. CVSS can’t make this distinction. It was never designed to predict real-world threats, only theoretical severity.
How KEV identifies immediate threats
The Cybersecurity and Infrastructure Security Agency (CISA) maintains the Known Exploited Vulnerabilities (KEV) catalog, a curated list of flaws confirmed to be actively exploited in the wild. Every entry in this catalog represents a threat with real-world consequences, not hypothetical scenarios.
Currently, the KEV catalog covers only a small fraction of all published CVEs: those with confirmed exploitation. Each entry also carries a remediation due date, which Binding Operational Directive 22-01 makes mandatory for US federal civilian agencies and which serves as a useful benchmark for everyone else. If your scanner flags 4,847 findings and 19 match the KEV list, those 19 are your top priority. The remaining 4,828, however high their CVSS scores, can wait until the actively exploited ones are fixed.
EPSS predicts near-term exploitation risk
While KEV records confirmed attacks, the Exploit Prediction Scoring System (EPSS) looks ahead. Developed by the Forum of Incident Response and Security Teams (FIRST), EPSS uses a machine-learning model to estimate the probability that a CVE will be exploited in the wild within the next 30 days. Each CVE receives a probability between 0 and 1 plus a percentile rank against all other scored CVEs, and the scores are recomputed daily, so a cached copy goes stale quickly.
A high EPSS score signals an elevated risk of imminent exploitation regardless of the CVSS score. Conversely, a low EPSS score suggests a vulnerability is unlikely to be targeted soon, even if its CVSS rating is high. Low is not zero, though: EPSS is a forecast, and a confirmed KEV entry should always override it. This data-driven approach lets teams focus on the vulnerabilities that pose the greatest near-term danger.
A practical comparison: Log4Shell vs. an obscure flaw
Consider CVE-2021-44228, the Log4Shell vulnerability:
- CVSS score: 10.0 (maximum severity)
- KEV status: Confirmed exploited
- EPSS score: Extremely high
Now contrast this with a CVSS 9.8 flaw in an obscure library that has no public exploit code, no KEV entry, and a near-zero EPSS score. On a CVSS-sorted list it sits right behind Log4Shell and ahead of many actively exploited vulnerabilities scored in the 7.x to 9.x range. In reality it should be deprioritized until the actively exploited vulnerabilities are resolved.
Combining KEV, EPSS, and CVSS for smarter prioritization
Tools like VulnPilot automate this composite scoring approach by integrating KEV, EPSS, CVSS, and scanner severity into a single, transparent risk score. The current model applies the following weights:
- CISA KEV: 40% (indicates active exploitation)
- FIRST EPSS: 35% (predicts near-term exploitation risk)
- CVSS: 15% (assesses potential impact)
- Scanner severity: 10% (additional context)
Any vulnerability confirmed in the KEV catalog automatically receives a minimum score of 75/100, signaling the need for immediate patching. This system eliminates guesswork and ensures teams focus on what truly matters: vulnerabilities attackers are actively exploiting or likely to target soon.
How VulnPilot works in practice
VulnPilot processes your Nessus scan data locally, combining it with public threat intelligence feeds from CISA and FIRST. The workflow is straightforward:
- Run a Nessus scan and export the results as a CSV file.
- Install and run VulnPilot locally to analyze the scan data.
- The tool cross-references each finding against the KEV and EPSS databases.
- It generates a prioritized report highlighting the most critical vulnerabilities.
The entire process runs on your machine, ensuring your sensitive infrastructure data never leaves your control. Only publicly available threat intelligence is downloaded, maintaining privacy while delivering actionable insights.
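The scoring model and the cross-referencing workflow described above, as an added example that is not VulnPilot's own code: a small Python script that applies the weights from this article (40/35/15/10 with a KEV floor of 75) to a Nessus CSV export, reading the KEV catalog JSON and the EPSS CSV in the shapes CISA and FIRST publish them (a `vulnerabilities` array keyed by `cveID`; a CSV with one leading `#` comment line and `cve,epss,percentile` columns). The Nessus column names, the mapping of the scanner's Risk label onto a number, the score bands, and every sample row (including the placeholder `CVE-0000-0001`, which stands in for the page's unnamed library flaw) are assumptions made for the example; replace the inline strings with the downloaded feeds and your real export to run it on your own data.

```python
"""Composite KEV/EPSS/CVSS prioritization over a Nessus CSV export.

Added example, not VulnPilot's code. Assumed feed shapes:
  - CISA KEV JSON:  {"vulnerabilities": [{"cveID": ..., "dueDate": ..., ...}]}
  - FIRST EPSS CSV: one leading '#' comment line, then "cve,epss,percentile"
  - Nessus CSV:     "Plugin ID", "CVE", "Risk", "Host", "Name" and a CVSS column
All sample data below is constructed for the example.
"""
import csv
import io
import json

# Weights from the article's composite model; KEV entries are floored at 75.
WEIGHTS = {"kev": 0.40, "epss": 0.35, "cvss": 0.15, "scanner": 0.10}
KEV_FLOOR = 75.0
# Assumed mapping of the Nessus "Risk" label onto 0..1.
SCANNER_RISK = {"Critical": 1.0, "High": 0.75, "Medium": 0.5, "Low": 0.25, "None": 0.0}
# Assumed column names; Nessus has shipped several CVSS headers over time.
CVSS_COLUMNS = ("CVSS v4.0 Base Score", "CVSS v3.1 Base Score",
                "CVSS v3.0 Base Score", "CVSS v2.0 Base Score")

# --- constructed sample feeds, trimmed to the fields used here ----------------
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vulnerabilityName": "Apache Log4j2 RCE", "dueDate": "2021-12-24"},
    {"cveID": "CVE-2023-34362", "vulnerabilityName": "MOVEit Transfer SQLi", "dueDate": "2023-06-23"},
    {"cveID": "CVE-2020-1472", "vulnerabilityName": "Netlogon (Zerologon)", "dueDate": "2020-09-21"},
]})
EPSS_CSV = """\
#model_version:vX,score_date:2025-06-01T00:00:00+0000
cve,epss,percentile
CVE-2021-44228,0.96,0.9999
CVE-2020-1472,0.94,0.9998
CVE-2023-34362,0.92,0.9997
CVE-0000-0001,0.004,0.20
"""
# Plugin IDs, hosts and the placeholder CVE-0000-0001 are constructed.
# CVE-2021-45046 (the Log4j follow-up) is absent from the sample EPSS feed on
# purpose, to exercise the missing-score path.
NESSUS_CSV = """\
Plugin ID,CVE,CVSS v3.0 Base Score,Risk,Host,Name
10001,"CVE-2021-44228,CVE-2021-45046",10.0,Critical,10.0.0.5,Apache Log4j 2.x RCE (Log4Shell)
10002,CVE-2023-34362,9.8,Critical,10.0.0.9,MOVEit Transfer SQL Injection
10003,CVE-2020-1472,10.0,Critical,10.0.0.2,Netlogon Elevation of Privilege (Zerologon)
10004,CVE-0000-0001,9.8,Critical,10.0.0.7,Obscure library flaw (placeholder CVE)
10005,,5.0,Medium,10.0.0.5,SSH Weak Algorithms Supported
"""


def load_kev(text):
    """Map CVE ID -> KEV entry."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def load_epss(text):
    """Map CVE ID -> (probability, percentile), skipping the '#' comment line."""
    rows = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return {r["cve"]: (float(r["epss"]), float(r["percentile"])) for r in csv.DictReader(rows)}


def parse_nessus(text):
    """Flatten a Nessus CSV export; the CVE column may hold a comma-separated list."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        cvss_col = next((c for c in CVSS_COLUMNS if row.get(c)), None)
        findings.append({
            "plugin_id": row["Plugin ID"], "name": row["Name"], "host": row["Host"],
            "risk": row["Risk"], "cvss": float(row[cvss_col]) if cvss_col else 0.0,
            "cves": [c.strip() for c in row["CVE"].split(",") if c.strip()],
        })
    return findings


def composite_score(in_kev, epss, cvss, risk):
    """Weighted 0..100 score; any KEV match is floored at KEV_FLOOR."""
    score = 100.0 * (WEIGHTS["kev"] * (1.0 if in_kev else 0.0)
                     + WEIGHTS["epss"] * epss
                     + WEIGHTS["cvss"] * max(0.0, min(cvss, 10.0)) / 10.0
                     + WEIGHTS["scanner"] * SCANNER_RISK.get(risk, 0.0))
    if in_kev:
        score = max(score, KEV_FLOOR)
    return round(score, 1)


def band(score):
    """Assumed bands for the report; the article only names 'Critical Now' and 'Low'."""
    return "Critical Now" if score >= 90 else "High" if score >= 75 else "Medium" if score >= 40 else "Low"


def prioritize(findings, kev, epss):
    ranked = []
    for f in findings:
        in_kev = any(c in kev for c in f["cves"])
        # Multi-CVE findings take their highest EPSS; CVE-less or unscored ones get 0.
        p = max((epss.get(c, (0.0, 0.0))[0] for c in f["cves"]), default=0.0)
        score = composite_score(in_kev, p, f["cvss"], f["risk"])
        ranked.append({**f, "kev": in_kev, "epss": p, "score": score, "band": band(score)})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


def summarize(ranked):
    return {"total": len(ranked), "kev": sum(r["kev"] for r in ranked),
            "epss_ge_90": sum(r["epss"] >= 0.90 for r in ranked)}


if __name__ == "__main__":
    ranked = prioritize(parse_nessus(NESSUS_CSV), load_kev(KEV_JSON), load_epss(EPSS_CSV))
    print(summarize(ranked))
    for r in ranked:
        print(f"{r['score']:5.1f} {r['band']:<13} {r['plugin_id']} {r['name']}  "
              f"KEV={r['kev']} EPSS={r['epss']:.3f} CVSS={r['cvss']}")
```

Two details are worth keeping when you adapt this: a finding that lists several CVEs counts as a KEV match if any of them is in the catalog and inherits the highest EPSS among them, and a finding with no CVE at all (the weak-cipher row) can only ever be scored from its CVSS and scanner severity, which is exactly why it lands at the bottom.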
What this looks like in real-world triage
Here’s how VulnPilot transforms a typical scan report:
Total findings: 4,847
KEV matches: 19 (prioritize these first)
EPSS scores >= 90%: 31
The prioritized list might look like this:
- Score 100.0 (Critical Now): CVE-2021-44228 (Log4Shell) — KEV confirmed
- Score 100.0 (Critical Now): CVE-2023-34362 (MOVEit SQL injection) — KEV confirmed
- Score 99.8 (Critical Now): CVE-2020-1472 (Zerologon) — KEV confirmed
- Score 11.5 (Low): SSH weak ciphers — No KEV match, low EPSS
Without this approach, the SSH weak ciphers finding might have consumed time better spent patching actively exploited vulnerabilities. VulnPilot ensures teams address the right issues at the right time.
The manual triage trap
Many security teams spend hours each scan cycle manually:
- Exporting Nessus data to CSV
- Sorting findings by CVSS score
- Cross-referencing each CVE against KEV and EPSS databases
- Building custom priority lists
- Repeating the process weekly
This labor-intensive method is error-prone and inefficient. The data already exists; the challenge is consolidating it into a single, actionable workflow. Automation bridges this gap, freeing teams to focus on remediation rather than data wrangling.
Why local analysis matters
Vulnerability scan results often contain sensitive details about your infrastructure—internal hostnames, IP addresses, software versions, and network configurations. Many organizations prohibit uploading this data to third-party services, as it effectively maps out their entire attack surface.
VulnPilot performs all analysis locally, ensuring your data remains private. Only non-sensitive threat intelligence feeds are downloaded, so your scan results never leave your environment. This approach aligns with best practices for data security and compliance.
Limitations and future directions
While tools like VulnPilot significantly improve vulnerability prioritization, they aren’t a silver bullet. Teams should:
- Validate KEV and EPSS data against their own threat intelligence
- Consider additional context, such as asset criticality and exposure
- Regularly review and adjust scoring weights based on emerging threats
- Remember that KEV and EPSS key on CVE IDs, so misconfigurations and findings without a CVE (weak SSH ciphers, for instance) receive no exploitation signal and need their own policy
The cybersecurity landscape evolves rapidly, and prioritization strategies must evolve with it. By combining automated tools with human expertise, organizations can build a more resilient and efficient vulnerability management program.
As threat actors grow more sophisticated, the ability to distinguish between noise and real danger becomes crucial. KEV, EPSS, and CVSS—when used together—provide that clarity, ensuring your patching efforts target the vulnerabilities that truly matter.