Black Hat USA 2025: Vulnerability haruspicy: picking out risk signals from scoring system entrails

Vulnerability scoring is supposed to bring order to the chaos of risk management, but in practice, it can feel more like reading tarot cards or poking at entrails than applying science. CVSS performs monkey math to force fractal bell curves, EPSS tries to predict exploitation with statistical black magicks, and SSVC ditches math entirely in favor of structured gut feelings.

Meanwhile, defenders mix and match shortcuts — KEV lists, vendor advisories, and lived experience — to separate the truly urgent from the merely annoying. But are we actually making better risk decisions, or just using these frameworks to justify what we were going to do anyway?

Tod Beardsley, VP of Security Research at runZero, digs into the strengths, weaknesses, and absurdities of CVSS, EPSS, and SSVC, comparing them to the reality of how security teams actually handle vulnerabilities. He explores where these models help, where they mislead, and whether any of them are meaningfully better than rolling a D20 saving throw vs. exploitation.

Meet Our Speakers

todb

VP, Security Research, runZero
