← Home

Analyst Field Guide · Vulnerability Management

What to Fix
First

A scanner will hand you thousands of findings, most of them marked "critical," and you will never patch them all. The entire discipline of vulnerability management is deciding — defensibly — which few to fix now, which can wait, and which you'll knowingly accept. This guide is the identifiers and scores you'll meet, why a severity number is not a priority, and how exploitation evidence and your own environment turn an unmanageable backlog into a short, ordered list.

You can't patch everything CVSS is severity, not priority Exploited beats critical

Vulnerability management is a prioritization problem, not a patching problem. Patching is the easy part; deciding what to patch, in what order, with finite people and maintenance windows, is the hard part — and getting it wrong means the one flaw that gets exploited was sitting at position 400 on a list sorted by the wrong thing. Keep three terms distinct: a vulnerability is a weakness, a threat is someone who might use it, and risk is the combination weighted by what it would cost you. Scores measure the first; only you can supply the last.

01

What Vulnerability Management Is

Like detection engineering, vulnerability management is a continuous loop, not a project with an end. New vulnerabilities are disclosed daily, your environment changes constantly, and a backlog you cleared last month refills by this one. The loop runs from discovery through remediation and back.

A continuous loop — the queue never empties 1 · Discoverscan · inventory · advisories 2 · Assessconfirm · CVSS · context 3 · PrioritizeKEV · EPSS · exposure 4 · Remediatepatch · mitigate · accept 5 · Verifyre-scan · confirm fixed 6 · Reportmetrics · track · trend new vulnsdaily →
The feedback arrow — new vulnerabilities arriving faster than you can close old ones — is why "get to zero" is the wrong goal. The realistic goal is to keep the things that matter remediated within a defensible window, and to make the prioritization repeatable so the loop keeps up.

Everything downstream depends on the first step being honest: you can only manage vulnerabilities on assets you know you have. An accurate inventory (which the scanning section returns to) is the unglamorous foundation the whole loop stands on.

02

The Identifier Ecosystem

A handful of catalogs and scores surround every vulnerability, and they answer different questions. Confusing "what it is" with "how urgent it is" is the root of most bad prioritization.

the WHAT how bad · how urgent · what to do CVE recordthe vulnerability id CWEweakness class CPEproduct · version CVSS — severity KEV — exploited now? EPSS — likely soon? SSVC — act / attend / track The CVE is only the identifier. Severity, exploitation, probability, and the act/wait decision are layered on top — and none of these scores knows your environment. That context is yours to add.
The "what": CVE (the unique id, run by MITRE via CNAs), CWE (the weakness class it belongs to — e.g. CWE-79 cross-site scripting, CWE-89 SQL injection), and CPE (machine-readable product and version strings scanners match against). The "how urgent": CVSS, KEV, EPSS, and SSVC, each covered next.

The single most useful habit here is to read a CVE as a starting point, not a verdict: confirm the affected version against your actual inventory (the prose is often vague; the version data and CPE bind it to reality), then layer on severity and exploitation. A CVE that doesn't match a version you run is noise, however high its score.

03

CVSS: Severity, Not Priority

The Common Vulnerability Scoring System (CVSS, owned by FIRST) is the number everyone reaches for — a 0.0 to 10.0 severity rating. The current version is v4.0 (released November 2023), though v3.1 scores are still everywhere during the transition. Understanding what it does and doesn't measure prevents the most common prioritization mistake.

A score is meaningless without its vector — and severity is not risk

CVSS v4.0 has four metric groups: Base (intrinsic, worst-case, constant), Threat (exploit maturity — is there active exploitation?), Environmental (your deployment and asset context), and Supplemental (extra context that doesn't change the score). Vendors usually publish only the Base score. FIRST requires that a score always travel with its vector string, because the vector is where the meaning lives. An illustrative v4.0 base vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H — read it and you learn far more than the number does: AV:N = network-reachable, PR:N = no privileges needed, UI:N = no user interaction, high impact across the board. That combination is what makes something urgent, not the digit. NVD (which enriches many CVEs with CVSS) states it plainly: CVSS is a measure of severity, not risk. It describes the flaw's worst-case badness in the abstract; it knows nothing about whether anyone is exploiting it or whether the affected system even exists in your environment.

So a CVSS 9.8 with no known exploit on an internal, unreachable system can be a lower real priority than a CVSS 7.0 that is being actively exploited on an internet-facing box. Reading the vector (especially Attack Vector, Privileges Required, User Interaction) tells you more than sorting by the score ever will. The next section is how to turn severity into priority.

04

Prioritize: What to Fix First

Prioritization is a funnel. You start from everything the scanner found and apply filters — exploitation, likelihood, exposure, asset value — until you have a list short enough to actually remediate. CVSS finds the candidates; the other signals set the order.

From thousands of findings to the few that matter All scanner findings — thousands of "critical" CVSS Known-exploited (in CISA KEV) — act now + likely soon (EPSS) & internet-facing Fix this cycle in KEV? EPSS high + exposed? critical / reachable? (SSVC) CVSS finds candidates; KEV, EPSS, and your asset context set the order — often narrowing to under 5% of the raw list. Sort by CVSS alone and the exploited vulnerability waits behind a pile of theoretical criticals.
The signals in order of decisiveness: KEV (CISA's Known Exploited Vulnerabilities catalog — if it's here, exploitation is real, not theoretical) is the strongest single filter; EPSS (FIRST's daily 0-to-1 probability of near-term exploitation) flags likely-soon; SSVC (a CISA/SEI decision tree returning Act / Attend / Track) folds in your exposure, impact, and asset value. Newer signals like NIST's LEV (likely-already-exploited) are emerging too.
The combination, not any single number

None of these scores alone reflects real risk — each is explicit that it "doesn't know your environment." A workable stack: treat any KEV match on an in-scope asset as immediate; for the rest, use a high EPSS plus internet exposure to pull items forward; then walk an SSVC-style decision on the remainder using asset criticality and reachability. Keep CVSS in your records (auditors expect it) but stop making the decision on it alone. By one 2025 analysis, a large majority of ransomware incidents exploited a CVE that was already in KEV at the time — which is the whole argument for leading with exploitation evidence.

05

The Window of Exposure

Prioritization matters because of timing. Between a vulnerability becoming known and your systems being patched, there is a window in which you are exposed — and attackers move inside it. Understanding the window explains why exploitation evidence, not severity, drives urgency.

The window of exposure — where breaches actually happen DisclosureCVE assigned PoC / exploitcode public Exploitedin the wild → KEV Vendor patchavailable You patchwindow closes exposure window: known-exploited, not yet patched time → Exploitation often begins before a patch exists, and long before you apply it. Most breaches use known, unpatched flaws — not zero-days.
The shaded span is where the damage happens: the flaw is being exploited, a fix may exist, but your systems aren't patched yet. Log4Shell (CVE-2021-44228) is the canonical example — a critical, widely exploited flaw that stayed dangerous for organizations for as long as it took them to find and patch every affected system. KEV and EPSS exist to shrink this window; your remediation speed decides the rest.

This is the empirical case against zero-day obsession. Zero-days (unknown, unpatched-by-anyone) are real but rare; the overwhelming majority of breaches exploit vulnerabilities that were known and had a patch available — the organization just hadn't applied it. Managing the known backlog well protects you against far more than chasing the exotic.

06

Scanning & Discovery

You can only manage what you can see, and scanners see imperfectly. Knowing a scan's coverage and its error modes keeps you from mistaking "no findings" for "no vulnerabilities."

ChoiceWhat it changes · the tradeoff
Authenticated vs unauthenticatedCredentialed scans log in and see installed versions and configs — far more accurate, fewer false positives. Unauthenticated scans see only what's exposed to the network, missing much and guessing more.
Agent vs network scanAgents on the host report continuously and reach roaming/cloud assets; network scans need reachability and a window. Each misses what the other catches.
Coverage gapsUnscanned segments, unmanaged devices, ephemeral cloud instances, and OT/embedded systems that can't be scanned safely are invisible — and absence of findings there is not absence of risk.
False positives / negativesScanners over-report (a flagged version that's actually back-ported/patched) and under-report (a vuln they have no check for). Same FP/FN discipline as detection engineering: validate before you act, and never assume the check exists.
Inventory is the foundation, not a footnote

Every scanning choice above sits on top of asset inventory: a vulnerability on a host you don't know you own is one you will never see, patch, or verify. The most consequential blind spots aren't bad scores — they're assets that were never in scope. Treat inventory coverage as a first-class metric, and treat "we didn't find anything" as a statement about your visibility, not a clean bill of health.

What host and network scanning misses — dependencies and containers

The scans above find flaws in installed software on running hosts. Two large classes slip past that. First, the software you build on: your applications pull in open-source libraries, which pull in their own — most of your code is transitive dependencies you never chose directly. Software Composition Analysis (SCA) inspects those dependency trees, and a Software Bill of Materials (SBOM) — a machine-readable component inventory (SPDX or CycloneDX format) — lets you answer "are we affected?" in minutes when the next Log4Shell-class flaw lands, instead of grepping build systems for days. Second, container images: a live host scan can miss what's baked into images sitting in your registry, so scan images at build time and in the registry, and rebuild from patched base images rather than patching running containers (they're meant to be immutable and replaced). Neither makes you "vulnerability-free": SCA is only as complete as the manifest it reads, an SBOM can be stale the moment a build changes, and image scanning inherits the same false-positive and false-negative limits as any scanner. What they close is a specific, common blind spot — the vulnerability that never appears in the OS package list because it's three dependencies deep or sealed inside an image.

07

Remediation: Patch, Mitigate, Accept

"Remediate" is not always "patch." For any given finding there are several defensible responses, and choosing among them is a risk decision — one you should document, especially when the answer is "not yet" or "not at all."

ResponseWhen · the residual risk it leaves
PatchApply the vendor fix — the durable answer. Residual: patches can break things, so testing and a change window are real costs; and a patch reduces this flaw's risk, not the system's overall exposure.
Mitigate (compensating control)Reduce exposure without the fix: segment the asset, block the vector at the firewall/WAF, disable the feature, restrict access. Residual: the underlying flaw remains; the control can be bypassed or misconfigured, and must be tracked until the real fix lands.
AcceptConsciously live with the risk when the cost of fixing exceeds the risk (low exposure, low likelihood, high remediation cost). Residual: the full risk stays — so this requires a documented rationale, an owner, and a review date, not silence.
Remove / decommissionRetire the vulnerable component or system entirely. Residual: usually the lowest, but watch for dependencies and shadow re-installation.
"Accept" is a decision, not a failure — but name what you're accepting

Not patching is often the right call, and pretending everything gets fixed is how real risk hides. The discipline is honesty about the residual: an accepted vulnerability is still exploitable, a mitigated one still has the underlying flaw, and a patched one has closed exactly one hole while the system remains attack surface. No remediation makes a system "secure" in the abstract — each action reduces a specific risk and leaves stated others. Write down what you accepted, why, who owns it, and when you'll revisit it.

08

Data Sources & Their Limits

The whole ecosystem runs on shared public data — and that data is currently under real strain, which changes how much you can lean on any single source.

The public vulnerability data is fragile — don't rely on one source

Two disruptions matter operationally. First, the NVD (NIST's National Vulnerability Database, which enriches CVEs with CVSS, CWE, and CPE data) fell badly behind starting in 2024 and has moved to risk-based triage — prioritizing enrichment of KEV entries, federally-used, and "critical" software while marking many other CVEs Not Scheduled. A CVE labeled "Not Scheduled" is not low-risk; it's just un-enriched, so tools that assume NVD data can quietly go blind on it. Second, the CVE program itself (MITRE, CISA-sponsored) nearly lost funding in April 2025 and has been running on a short-term extension with unresolved long-term governance; a nonprofit CVE Foundation has formed but not taken over. CISA's Vulnrichment/ADP effort and the EU's newer vulnerability database have emerged partly to add resilience. The practical response: cross-reference multiple sources (KEV and EPSS from FIRST are live and independent of NVD enrichment), lean on vendor advisories for affected-version truth, and treat incomplete data as a coverage gap to close, not evidence of safety.

Note also that vendor advisories and the databases can disagree or lag each other — a vendor may list different affected versions than a CVE record, or fix a description after the fact. When it matters, the vendor's own advisory is usually the authority on which versions are affected and what the fix is; the databases are the index, not the last word.

09

What Goes Wrong

The failure modes are consistent across organizations, and most trace back to treating a score as a decision.

FailureWhy it hurts
Patching by CVSS aloneSorting top-down by severity buries the exploited-and-exposed vuln under theoretical criticals. Severity is not priority (§3, §4).
Ignoring exploitation evidenceNot cross-referencing KEV/EPSS means treating a flaw under active attack the same as one no one has ever exploited. Exploitation is the strongest urgency signal (§4).
Scan blind spotsUnmanaged, cloud, or OT assets never appear, so "clean" reports reflect visibility, not safety (§6).
"Patch everything" burnoutAn unprioritized backlog of thousands is unwinnable; teams thrash, SLAs slip, and the important fixes are lost in the noise (§4).
No asset contextWithout knowing exposure and business value, you can't tell a critical-on-a-crown-jewel from a critical-on-a-test-box. Context is what turns severity into risk (§2, §4).
Zero-day obsessionChasing the exotic while known, patchable vulnerabilities sit open — which is what most breaches actually use (§5).
No verificationMarking something "remediated" without re-scanning to confirm; failed patches and partial fixes then hide as "done" (§1).
10

Myths That Mislead

BeliefReality
"Patch the criticals first"CVSS is severity, not priority. A critical no one is exploiting on an unreachable box can wait behind a lower-scored, actively-exploited, exposed one (§3, §4).
"A high CVSS means patch now"Only with exploitation and exposure. A CVSS 9.8 with no known exploit on an isolated system is often deferrable; read the vector and check KEV/EPSS (§3, §4).
"We can patch everything"New vulnerabilities outpace remediation capacity. The job is prioritizing and consciously deferring, not reaching zero (§1, §4).
"A clean scan means we're secure"It means no findings within that scan's coverage. Blind spots, un-enriched CVEs, and unknown assets don't show up (§6, §8).
"Zero-days are the main threat"Most breaches exploit known, unpatched vulnerabilities with a fix already available. The backlog is the bigger risk (§5).
"Accepting a risk closes it"Acceptance leaves the full risk in place; it's a documented decision with an owner and a review date, not a fix (§7).
11

Quick-Reference Card

Vulnerability management on one screen

The loop

Discover → assess → prioritize → remediate → verify → report, continuously. Built on an accurate asset inventory. Goal isn't zero — it's the things that matter fixed within a defensible window.


The identifiers

CVE = the id (MITRE). CWE = weakness class. CPE = product/version. Layered on top: CVSS (severity), KEV (exploited now?), EPSS (likely soon?), SSVC (act/attend/track). The CVE is the what; the rest is how urgent.


CVSS

Severity, not risk. v4.0: Base / Threat / Environmental / Supplemental. Always read the vector (AV/PR/UI + impact), not just the 0-10 number. Vendors publish Base only; context is yours.


Prioritize

KEV match on an in-scope asset = act now. Else high EPSS + internet-facing = pull forward. Else walk SSVC with asset value and reachability. Keep CVSS in records; don't decide on it alone. This typically cuts the list to a small fraction.


Stay honest

No score knows your environment. Patch / mitigate / accept / remove — each reduces a specific risk and leaves stated residual; nothing makes you "secure." A clean scan = coverage, not safety. Public data (NVD/CVE) is strained — cross-reference KEV, EPSS, and vendor advisories.

Systems and figures verified this session and flagged to re-check against the primary source, since this ecosystem changes fast. CVSS v4.0 (owned by FIRST, released November 2023) is current, with metric groups Base, Threat, Environmental, and Supplemental; FIRST requires a score be published with its vector string, and NVD states CVSS measures severity, not risk. The illustrative vector shown is a format example, not a real vulnerability's score — never treat a bare number as authoritative, and never cite a CVSS score without its vector. CVE (MITRE, CISA-sponsored, assigned by CNAs), CWE (weakness classes; the specific IDs cited such as CWE-79 and CWE-89 are stable but worth confirming), and CPE identify vulnerabilities; KEV (CISA's Known Exploited Vulnerabilities catalog, established under BOD 22-01 and, as of 2026, governed by CISA's updated directive — verify the current BOD), EPSS (FIRST's daily exploitation-probability model, which is versioned and retrained — confirm the current model), SSVC (CMU SEI/CISA decision tree), and the newer LEV (NIST, 2025) inform prioritization. The CVE program's April 2025 near-lapse and short-term funding extension, the NVD enrichment backlog and its risk-based "Not Scheduled" triage, and the associated dates and figures are drawn from reporting current to early-to-mid 2026 — verify present status before relying on them. Any specific exploitation statistic (e.g. the share of ransomware incidents using KEV-listed CVEs) comes from a single secondary analysis and should be treated as indicative, not established. No score, scan, or remediation here constitutes a security assurance: severity is not risk, a clean scan reflects coverage rather than safety, and patch/mitigate/accept each reduce a named risk while leaving stated residuals. Companion to the Attack Taxonomy Field Guide (ATT&CK, how these flaws are exploited), Detection Engineering (the same false-positive/false-negative discipline applied to scanners), Incident Response and Logging & Evidence (a breach often traces to a known-unpatched CVE), and Identity & Authentication and Zero Trust (reducing the exposure that makes a vulnerability reachable).