PRACTITIONER GUIDE | VULNERABILITY MANAGEMENT
Practitioner GuideUpdated 14 min read

We Got 847 CVEs This Month. Here's the Exact Process I Use to Cut It to 12 That Matter.

EPSS > 0.10
is the threshold where a CVE has greater than 10% probability of exploitation in the wild within 30 days, the practical floor for immediate attention regardless of CVSS score
Step one is always CISA KEV
any CVE on the Known Exploited Vulnerabilities catalog is being actively weaponized right now, it skips all other prioritization logic and goes straight to your 24-hour SLA
~4% of CVEs published annually
ever see exploitation in the wild according to FIRST research, meaning 96% of your scanner output is noise if filtered correctly

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Your scanner ran last night. It found 847 vulnerabilities. Your CVSS score breakdown: 63 critical, 214 high, 401 medium, 169 low. Your patch SLA says critical issues must be remediated in 24 hours. You have a two-person security team. This is the situation most vulnerability management programs operate in, and the reason so many of them fail. CVSS was designed to describe vulnerability severity in isolation, it was never designed to tell you what to patch first given your specific environment, your actual asset inventory, and what threat actors are actually doing right now. Here is the exact process I use to take a queue of 800+ CVEs and cut it to a working list of under 15 within two hours.

Step one: CISA KEV check, non-negotiable

Before touching CVSS scores, EPSS probabilities, or anything else, pull every CVE in your queue against the CISA Known Exploited Vulnerabilities catalog. Any match is immediately escalated to your highest priority SLA regardless of CVSS score.

CISA KEV is curated by analysts who only add CVEs when they have confirmed evidence of active exploitation. A CVE-2021-44228 (Log4Shell, CVSS 10.0) and a CVE-2022-36537 (ZK Framework, CVSS 7.5) are equally urgent if both are on KEV, because both are being weaponized against production systems right now.

How to do this in practice: Download the KEV catalog as JSON from cisa.gov/known-exploited-vulnerabilities-catalog. Pipe your scanner output through a simple script that flags any CVE ID match. In Tenable or Qualys, there's a built-in KEV filter you can apply as a saved search. In Rapid7, it's a tag.

Typical result: 3-15 CVEs from your 847 hit KEV. Those get a separate ticket, an owner assigned before you leave the triage session, and a 24-hour deadline regardless of your normal SLA tier.

Step two: EPSS filter with a 0.10 threshold

Exploit Prediction Scoring System (EPSS) is a machine learning model maintained by FIRST that estimates the probability a given CVE will be exploited in the wild within the next 30 days. It's updated daily. It factors in actual exploitation telemetry from threat intelligence sources, not just vulnerability characteristics.

The threshold I use: EPSS score >= 0.10 (10% probability of exploitation within 30 days).

This sounds low but it's not. The average CVE has an EPSS score of around 0.002. A score of 0.10 puts a vulnerability in roughly the top 3-5% of all published CVEs by exploitation likelihood. Anything above 0.50 is being actively probed in the wild almost certainly.

Pull EPSS scores: The FIRST API at api.first.org/graphql lets you submit CVE IDs in bulk and get EPSS scores back. Or use the daily CSV download at epss.cyentia.com. Most enterprise scanners are adding EPSS natively, Tenable added it in 2022, Qualys in 2023.

After KEV removal and EPSS filter: your 847 CVEs are typically down to 40-80 items.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Step three: The three-question filter

For every CVE remaining after steps one and two, ask three questions. If the answer to any of them is no, the CVE drops to your normal monthly remediation cycle.

Question 1: Do we actually run the affected software or hardware?

Scanner false positives on version detection are common, especially for end-of-life software that a scanner fingerprints incorrectly, or library dependencies that are included but not exposed. Verify you actually have the affected component in your environment before spending more time on it. This eliminates 20-40% of remaining items in most environments.

Question 2: Is the vulnerable component exposed to an untrusted network or reachable by an unprivileged user?

A CVSS 9.8 RCE in a library that only processes data from authenticated internal users in an isolated subnet is categorically different from the same vulnerability in a public-facing API. Network exposure is the single biggest multiplier on actual risk. If the vulnerable component requires local access, an authenticated session, or is isolated behind multiple network controls, it drops in priority.

Question 3: Is there a patch, workaround, or compensating control available right now?

If there's no patch and no workaround, escalation without a fix is noise. Document it, set a watch, and move on. If there's a patch, assign an owner and a deadline. If there's a workaround (WAF rule, config change, feature disable), implement it immediately and document it as interim remediation.

After the three-question filter: 847 CVEs becomes 12-20 items with clear owners and deadlines.

Mapping to SLA tiers

Once you have your working list, assign SLA tiers based on the combination of KEV status, EPSS score, and your three-question answers:

Tier 1, 24 hours: Any KEV hit, or EPSS >= 0.50 with network exposure confirmed on a critical asset.

Tier 2, 7 days: EPSS 0.10-0.49 with network exposure, or KEV hit on a non-critical asset, or EPSS >= 0.50 on an isolated asset.

Tier 3, 30 days: EPSS 0.10-0.49 on an isolated asset, or any item that passed the filter on question 1 alone (confirmed affected but low exposure).

Everything else: Monthly remediation cycle. Track, don't sprint.

What to do with the 835 you deprioritized

They don't disappear. They go into your tracking system (Jira, ServiceNow, whatever you use) with the reason for deprioritization documented against each one. Run the KEV check again weekly, a CVE that was deprioritized today can be on KEV next Tuesday if an exploit drops. EPSS scores also change daily; set a monthly re-score on anything in your Tier 3 queue.

The actual time investment

Once the process is established and your tooling is configured:

  • KEV check: 10 minutes (automated with a simple script)
  • EPSS filter: 15 minutes (automated)
  • Three-question filter on 40-80 remaining items: 60-90 minutes with someone who knows your environment

Two hours total. Every month. That's a defensible, documented vulnerability management program even with a two-person team.

The bottom line

The goal is not to patch everything, it's to patch the things that will actually get you breached. CISA KEV, EPSS above 0.10, and a three-question exposure filter are the three instruments that let you make that call systematically rather than guessing. Once your tooling is in place, this takes under two hours a month.

Frequently asked questions

Why not just patch everything with a CVSS score above 7.0?

CVSS measures inherent vulnerability severity in isolation, it does not account for whether you run the affected software, whether it's network-exposed, or whether anyone is actually exploiting it. A CVSS 9.8 in software you don't run is irrelevant. A CVSS 5.5 on KEV in your internet-facing VPN is critical. Patching by CVSS alone creates massive remediation backlogs while potentially missing the CVEs that actually get you breached.

What's the difference between EPSS and CVSS?

CVSS scores the severity of a vulnerability based on its technical characteristics, attack vector, complexity, privileges required, impact. It's a static score assigned at publication. EPSS predicts the probability that a vulnerability will be exploited in the wild within the next 30 days, updated daily based on actual exploitation telemetry. They measure different things: CVSS is 'how bad could this be,' EPSS is 'how likely is this to happen soon.'

How do I get EPSS scores for my vulnerability list?

Three options: the FIRST API (api.first.org/graphql) accepts bulk CVE ID queries and returns EPSS scores and percentiles; the daily CSV download at epss.cyentia.com contains scores for all published CVEs; or your scanner natively if you use Tenable (added EPSS in 2022) or Qualys (added EPSS in 2023). For ad-hoc lookups, first.org/epss has a search interface.

What EPSS threshold should I use?

0.10 (10%) is a reasonable practical floor for most security teams, it filters to the top 3-5% of CVEs by exploitation likelihood while still catching meaningful risk. Teams with very limited capacity may raise this to 0.20 or 0.30. Teams in high-risk industries or managing critical infrastructure may lower it to 0.05. The threshold should be calibrated against your team's capacity to actually remediate within SLA.

Is CISA KEV the only source I should check for active exploitation?

KEV is the most authoritative and conservative source, CISA only adds CVEs with confirmed exploitation evidence. For broader coverage, also check VulnCheck KEV (which adds CVEs faster than CISA), Shadowserver's exploitation data, and GreyNoise for CVEs being actively scanned. Google Project Zero's 0-day tracker covers vulnerabilities exploited before patches existed.

What tool should I use to automate this triage process?

For pure automation: a Python script that ingests your scanner's CSV export, hits the CISA KEV JSON feed, queries the FIRST EPSS API in bulk, and outputs a prioritized list with tier assignments. Takes a day to build. For commercial options, Nucleus Security and PlexTrac both support EPSS-based prioritization workflows natively. Tines and Torq can automate the workflow end-to-end if you're already using a SOAR platform.

How do I handle zero-days that aren't in CISA KEV yet?

Zero-days won't be in KEV or have an EPSS score until they're publicly disclosed and assigned a CVE. Track vendor security advisories, follow threat intelligence feeds (ISACs, vendor bulletins, CISA alerts), and monitor for public exploit releases on GitHub and ExploitDB. When a zero-day is disclosed in software you run, treat it as Tier 1 automatically and apply all available workarounds immediately regardless of whether a CVE exists yet.

Sources & references

  1. FIRST EPSS Model
  2. CISA Known Exploited Vulnerabilities Catalog
  3. NIST NVD CVE Database
  4. SSVC Decision Tree, CISA
  5. VulnCheck KEV

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.