Vulnerability scores promise precision, clarity, and objectivity. But often, the results they deliver can just add noise to an already cacophonous symphony of security alerts.
Security teams today are drowning in high-severity findings, yet still miss critical exposures. Why? Because the three most commonly used systems — CVSS, EPSS, and SSVC — weren’t built to tell the same story. And relying on just one is like reading a fortune with only half the cards.
In our new report, Divining Risk: Deciphering Signals From Vulnerability Scores, we break down these scoring systems to help defenders understand not just what each tells us, but also what they don’t.
Here’s a preview of the strengths and limitations of each scoring system — and how to best leverage them to inform your triage strategy.
CVSS: The Foundational and Familiar
The Common Vulnerability Scoring System (CVSS) is the foundation of most vulnerability management programs. Built to provide a consistent, objective description of a vulnerability’s severity, CVSS distills technical characteristics into a tidy number from 0.0 to 10.0. But what does a “critical” score really mean? It can be hard to find out.
Strengths
Universally adopted and widely understood
Easy to parse with vector strings (AV:N, AC:L, PR:N, etc.)
Useful for filtering: attack vectors like AV:P (physical) or PR:H (high privileges required) let you quickly down-prioritize low-likelihood threats
Limitations
Scores reflect theoretical severity, not real-world exploitability
The distribution is oddly consistent — collections of CVEs cluster around 7–8 regardless of when they were disclosed, creating an illusion of predictability
Almost never accounts for context or environmental impact
CVSS gives information, not strategy. You can use it to narrow down the list, but it won't necessarily tell you how to prioritize what remains.
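The vector-string filtering described above, as an added example that is not part of the original post: a small CVSS v3.x vector parser that validates the base metrics and then defers findings whose vector says physical access (AV:P) or high privileges (PR:H) are required. The CVE identifiers and scores in SAMPLE_FINDINGS are constructed placeholders, not real records; the one CVSS v2 vector is there to show that an unparseable vector is kept rather than silently dropped.

```python
import re

# Base metrics of a CVSS v3.0/v3.1 vector string and the values each may take.
BASE_METRICS = {
    "AV": {"N", "A", "L", "P"},   # Attack Vector: Network, Adjacent, Local, Physical
    "AC": {"L", "H"},             # Attack Complexity
    "PR": {"N", "L", "H"},        # Privileges Required
    "UI": {"N", "R"},             # User Interaction
    "S":  {"U", "C"},             # Scope
    "C":  {"N", "L", "H"},        # Confidentiality impact
    "I":  {"N", "L", "H"},        # Integrity impact
    "A":  {"N", "L", "H"},        # Availability impact
}

# Constructed sample findings (placeholder CVE ids, not real data).
SAMPLE_FINDINGS = [
    {"id": "CVE-0000-0001", "cvss": 9.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"id": "CVE-0000-0002", "cvss": 6.8, "vector": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"id": "CVE-0000-0003", "cvss": 7.2, "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},
    {"id": "CVE-0000-0004", "cvss": 8.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},
    # A CVSS v2 vector (no "CVSS:3.x/" prefix): the parser rejects it.
    {"id": "CVE-0000-0005", "cvss": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
]


def parse_vector(vector: str) -> dict:
    """Parse a CVSS v3.0/v3.1 vector string into {metric: value}.

    Raises ValueError on an unknown version prefix, a malformed or duplicate
    metric, an invalid base-metric value, or a missing base metric, so bad
    feed data fails loudly instead of quietly passing a filter.
    Temporal/environmental metrics (E:, RL:, MAV:, ...) are kept but not validated.
    """
    parts = vector.strip().split("/")
    m = re.fullmatch(r"CVSS:(3\.[01])", parts[0])
    if not m:
        raise ValueError(f"unsupported CVSS version prefix: {parts[0]!r}")
    metrics = {"version": m.group(1)}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or key in metrics:
            raise ValueError(f"malformed or duplicate metric: {part!r}")
        if key in BASE_METRICS and value not in BASE_METRICS[key]:
            raise ValueError(f"invalid value {value!r} for metric {key}")
        metrics[key] = value
    missing = [k for k in BASE_METRICS if k not in metrics]
    if missing:
        raise ValueError(f"vector is missing base metrics: {missing}")
    return metrics


def is_low_likelihood(metrics: dict) -> bool:
    """The post's filter: physical access or high privileges required."""
    return metrics["AV"] == "P" or metrics["PR"] == "H"


def triage_filter(findings: list) -> tuple:
    """Split findings into (keep, deferred) using only the vector string.

    A finding whose vector cannot be parsed is kept, never deferred: an
    unreadable vector is not evidence of low likelihood.
    """
    keep, deferred = [], []
    for f in findings:
        try:
            metrics = parse_vector(f["vector"])
        except ValueError:
            keep.append(f)
            continue
        (deferred if is_low_likelihood(metrics) else keep).append(f)
    return keep, deferred


if __name__ == "__main__":
    kept, later = triage_filter(SAMPLE_FINDINGS)
    print("keep:    ", [f["id"] for f in kept])
    print("deferred:", [f["id"] for f in later])
```

Note that CVE-0000-0003 has a higher base score (7.2) than CVE-0000-0002 (6.8) and both are deferred; the vector, not the number, is doing the work here. A deferred finding is still a finding: the filter reorders the queue, it does not close tickets.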
EPSS: The Statistically-Driven Newcomer
Where CVSS is static, EPSS (Exploit Prediction Scoring System) is dynamic. Updated daily, it uses machine learning to estimate the probability that a vulnerability will be exploited in the next 30 days. It’s a probability, classically expressed as a decimal from 0 to 1. But this score is not a crystal-clear prediction. It’s a probability model fed by thousands of data points.
Strengths
Captures real-world signals of exploitation: honeypots, IDS alerts, exploit chatter, and more
Helpful in identifying “movers”—CVEs with big score jumps that may indicate emerging threats
Offers additional triage value when used in time series
Limitations
Highly opaque—exact inputs and weights are not publicly understood
Can be misinterpreted as certainty when it’s actually probability
Predicts exploitation activity, not necessarily successful exploits
If CVSS describes the storm, EPSS tells you whether or not it’s headed your way. But rather than a guarantee, it’s a prompt to dig deeper.
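The "movers" idea and the time-series use of EPSS above, as an added example that is not part of the original post: given daily EPSS snapshots, flag CVEs whose probability jumped by at least a threshold between consecutive observations, and list CVEs that were newly scored in the window (they have no history, so no jump can be computed for them). The snapshot data and CVE ids are constructed, and the 0.2 jump threshold is this example's assumption; the real EPSS feed is a daily CSV of (cve, epss, percentile) rows, which would be loaded into the same shape.

```python
from datetime import date

# Constructed EPSS snapshots (placeholder CVE ids, invented probabilities):
# date -> {cve_id: probability of exploitation activity in the next 30 days}
SNAPSHOTS = {
    date(2025, 5, 1): {"CVE-0000-0001": 0.02, "CVE-0000-0002": 0.45, "CVE-0000-0003": 0.001},
    date(2025, 5, 2): {"CVE-0000-0001": 0.03, "CVE-0000-0002": 0.44, "CVE-0000-0003": 0.001},
    date(2025, 5, 3): {"CVE-0000-0001": 0.61, "CVE-0000-0002": 0.43, "CVE-0000-0003": 0.002,
                       "CVE-0000-0004": 0.30},
}


def series(snapshots: dict, cve: str) -> list:
    """Ordered (date, score) pairs for one CVE, skipping days it was unscored."""
    return [(d, snapshots[d][cve]) for d in sorted(snapshots) if cve in snapshots[d]]


def find_movers(snapshots: dict, min_jump: float = 0.2) -> list:
    """CVEs whose score rose by at least `min_jump` between two consecutive
    observations, each reported with its single largest jump, biggest first.

    A large jump is a prompt to investigate (new exploit code, scanner
    coverage, incident reports), not proof that anything has been exploited.
    """
    cves = set().union(*snapshots.values())
    movers = []
    for cve in sorted(cves):
        pts = series(snapshots, cve)
        best = None
        for (d0, s0), (d1, s1) in zip(pts, pts[1:]):
            jump = round(s1 - s0, 4)
            if jump >= min_jump and (best is None or jump > best["jump"]):
                best = {"cve": cve, "from": d0, "to": d1, "old": s0, "new": s1, "jump": jump}
        if best is not None:
            movers.append(best)
    return sorted(movers, key=lambda m: m["jump"], reverse=True)


def newly_scored(snapshots: dict) -> list:
    """CVEs present in the latest snapshot but absent from the earliest one."""
    days = sorted(snapshots)
    return sorted(set(snapshots[days[-1]]) - set(snapshots[days[0]]))


if __name__ == "__main__":
    for m in find_movers(SNAPSHOTS):
        print(f"{m['cve']}: {m['old']:.3f} -> {m['new']:.3f} ({m['from']} to {m['to']})")
    print("newly scored, no history yet:", newly_scored(SNAPSHOTS))
```

Two details matter in practice. Movers are computed from consecutive observations rather than first-versus-last, so a CVE that spikes and then settles is still surfaced. And a CVE that first appears with a high score (CVE-0000-0004 here) is reported separately rather than treated as a jump from zero, because "no score yesterday" usually means the feed had not scored it yet, not that its probability was zero.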
SSVC: The Human-Centric Decision Framework
SSVC (Stakeholder-Specific Vulnerability Categorization) is more of a decision framework, less of a “score.” Designed for situational awareness, it walks you through decision trees to determine whether you should Track, Monitor, Attend, or Act. Unlike CVSS or EPSS, SSVC leans heavily on local context: mission impact, asset exposure, and environmental risk.
Strengths
Forces organizations to bring context into the decision-making process
Supports meaningful prioritization aligned to business risk
Integrates nicely with structured sources like CISA’s Vulnrichment
Limitations
Requires deep asset visibility and environmental awareness
Demands time and expertise—hard to scale across large CVE volumes
Subjectivity can lead to inconsistent results across analysts or teams
SSVC works best when paired with mature asset inventory and clear business objectives. In the right hands, it’s a powerful prioritization tool rather than a replacement for broader coverage.
No Silver Bullets
CVSS, EPSS, and SSVC each offer valuable clues, but none of these scores tell the whole story. The real power comes from learning how to combine them, filter the noise, and surface what matters most for your environment.
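A worked illustration of combining the three signals, serving both the SSVC section above and this one; it is an added example, not part of the original post and not CISA's SSVC decision tables. It encodes a simplified SSVC-style tree as explicit rules: the CVSS attack vector plus the asset's exposure decide whether the vulnerability is reachable, EPSS plus PoC availability approximate the exploitation state, and mission impact comes from the asset inventory. The outcomes use the post's Track/Monitor/Attend/Act labels. The EPSS threshold, the rule table, the findings and the asset records are all this example's assumptions; writing the rules down this way is one answer to the "inconsistent results across analysts" limitation, since every decision carries its inputs and can be replayed.

```python
# Threshold at which we treat the EPSS probability as "likely active exploitation".
# This value is an assumption for the example, not an EPSS or SSVC recommendation.
EPSS_ACTIVE = 0.5

# Ordering used to sort the final queue (highest urgency first).
URGENCY = {"Act": 0, "Attend": 1, "Monitor": 2, "Track": 3}

# Constructed findings (placeholder CVE ids) already matched to an asset.
FINDINGS = [
    {"id": "CVE-0000-0001", "asset": "web-01", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "epss": 0.61, "poc_available": False, "known_exploited": False},
    {"id": "CVE-0000-0002", "asset": "web-01", "vector": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "epss": 0.45, "poc_available": True, "known_exploited": False},
    {"id": "CVE-0000-0003", "asset": "build-07", "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
     "epss": 0.002, "poc_available": False, "known_exploited": False},
    {"id": "CVE-0000-0004", "asset": "vpn-02", "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
     "epss": 0.30, "poc_available": True, "known_exploited": False},
]

# Constructed asset inventory: exposure and mission impact are the local context
# that CVSS and EPSS cannot supply.
ASSETS = {
    "web-01":   {"exposure": "internet", "mission_impact": "high"},
    "build-07": {"exposure": "internal", "mission_impact": "low"},
    "vpn-02":   {"exposure": "internet", "mission_impact": "high"},
}


def attack_vector(vector: str) -> str:
    """AV value from an already-validated CVSS v3.x vector string."""
    return dict(p.split(":", 1) for p in vector.split("/")[1:])["AV"]


def exploitation_status(finding: dict) -> str:
    """Approximate SSVC's exploitation state from the signals we have."""
    if finding.get("known_exploited") or finding["epss"] >= EPSS_ACTIVE:
        return "active"
    if finding.get("poc_available"):
        return "poc"
    return "none"


def is_exposed(av: str, asset: dict) -> bool:
    """Network-reachable vulnerability on an internet-facing asset.
    Local (L) and Physical (P) vectors are never 'exposed' in this model."""
    return av in {"N", "A"} and asset["exposure"] == "internet"


def decide(finding: dict, asset: dict) -> dict:
    """Apply the example's rule table and return the outcome with its inputs."""
    expl = exploitation_status(finding)
    exposed = is_exposed(attack_vector(finding["vector"]), asset)
    high = asset["mission_impact"] == "high"
    if expl == "active":
        outcome = "Act" if (exposed or high) else "Attend"
    elif expl == "poc":
        outcome = "Attend" if (exposed and high) else ("Monitor" if (exposed or high) else "Track")
    else:
        outcome = "Monitor" if (exposed and high) else "Track"
    return {"id": finding["id"], "asset": finding["asset"], "outcome": outcome,
            "exploitation": expl, "exposed": exposed, "mission_impact": asset["mission_impact"]}


def triage(findings: list, assets: dict) -> list:
    """Decide every finding and return the queue, most urgent first."""
    decisions = [decide(f, assets[f["asset"]]) for f in findings]
    return sorted(decisions, key=lambda d: (URGENCY[d["outcome"]], d["id"]))


if __name__ == "__main__":
    for d in triage(FINDINGS, ASSETS):
        print(f"{d['outcome']:8} {d['id']} on {d['asset']} "
              f"(exploitation={d['exploitation']}, exposed={d['exposed']}, impact={d['mission_impact']})")
```

Read the output against the raw numbers: CVE-0000-0002 carries a PoC and an EPSS of 0.45 but lands on Monitor, because its vector requires physical access, while CVE-0000-0001, with no PoC at all, goes straight to Act on the strength of its EPSS and its placement. Each decision record keeps the inputs that produced it, which is what lets two analysts reach, and audit, the same answer.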
Our report, Divining Risk: Deciphering Signals From Vulnerability Scores, helps you do just that. In it, you’ll get:
A clear-eyed breakdown of CVSS, EPSS, and SSVC — how they work, where they mislead, and what signals are actually useful
Data-backed insights from analyzing 270,000+ CVEs, including the biggest EPSS score movers and what they reveal
Practical guidance on combining score systems with PoCs, asset context, and data to triage smarter
We're unpacking this data in a lot of channels this week and next. I'll be diving into these insights live at the NorthSec Conference in Montreal on Friday, May 16 at 11:30 AM EST—come join me if you're attending! In the meantime, you can dig into the full report here.
And don’t miss the companion episode of runZero Hour, featuring a spirited debate between vulnerability scoring expert Jay Jacobs and runZero’s own Tod Beardsley and Rob King. It’s a deep dive into CVSS, EPSS, and SSVC you won’t want to miss.