How to Prioritize Vulnerabilities - Understanding Risk Scoring (CVSS) in Penetration Testing
Spoiler alert: base CVSS scoring alone doesn't determine your actual business risk. Discover how to prioritize penetration test findings using EPSS and context-based scoring.
When you receive a penetration test report, the first thing your eyes jump to is the Executive Summary table. You see a list of findings labeled Critical, High, Medium, and Low.
But how are these labels determined? And more importantly, does a "High" severity vulnerability actually mean a high risk to your specific business?
To make sense of the data, let's start with the Common Vulnerability Scoring System (CVSS), the industry standard for rating the severity of software vulnerabilities, and why it is usually the starting point rather than the final word.
What is CVSS?
CVSS is an open framework for communicating the characteristics and severity of software vulnerabilities. It produces a numerical score ranging from 0.0 to 10.0. This article uses the CVSS v3.1 metric groups, which are still what most tooling reports; CVSS v4.0 keeps the same idea but renames the Temporal group to Threat.
0.0: None (you will rarely see this one)
0.1 – 3.9: Low
4.0 – 6.9: Medium
7.0 – 8.9: High
9.0 – 10.0: Critical
However, simply looking at the number can be misleading. CVSS is composed of three distinct metric groups, but most automated scanners (and public databases such as the NVD) only show you the first one.
1. The Base Score
This represents the intrinsic qualities of a vulnerability that do not change over time or across user environments.
Attack Vector: Can it be exploited remotely over the network (Bad), from an adjacent network, only locally, or only with physical access to the device (Less Bad)?
Attack Complexity: Is it easy to exploit (Bad), or does it require a perfect storm of conditions (Less Bad)?
Privileges Required and User Interaction: Does the attacker need an account first, or need a victim to click something, before the exploit works?
Impact: If exploited, how badly does it compromise Confidentiality, Integrity, and Availability (each rated None, Low, or High), and does the damage stay inside the vulnerable component or spill into others (Scope)?
2. The Temporal Score (The "Now" Factor)
This modifies the Base Score based on the current state of the world.
Exploit Code Maturity: Is there a working, point-and-click exploit published on the internet that anyone can run, or is exploitation still purely theoretical?
Remediation Level: Is there an official patch available from the vendor yet, or only a temporary workaround? (A third temporal metric, Report Confidence, captures how well the vulnerability has actually been confirmed.)
3. The Environmental Score (The "You" Factor)
This is the most important and the most overlooked metric group. It customizes the score based on your specific infrastructure.
Asset Value (in CVSS terms, the Confidentiality, Integrity, and Availability Requirements): A "High" vulnerability on a test server with no data is effectively a "Low" risk. That same vulnerability on your primary database is a "Critical" risk.
Mitigating Controls (the Modified Base Metrics): Do you have a firewall, network segmentation, or an air gap that blocks the attack vector? If the only way to reach the host is from the local network or by physical access, the Modified Attack Vector drops accordingly, and the Environmental score drops with it.
The Problem: "Base Score" Tunnel Vision
The biggest mistake organizations make is prioritizing remediation based solely on the Base Score.
Example:
Vulnerability A: CVSS Base Score 9.8 (Critical). It is a Remote Code Execution flaw.
Context: It is on a legacy printer inside a locked basement, on a VLAN that cannot talk to the internet or the corporate network.
Vulnerability B: CVSS Base Score 6.5 (Medium). It is a Reflected XSS flaw.
Context: It is on your main login page. If exploited, it lets an attacker run script in an administrator's browser and steal the admin session cookie (if the cookie is not marked HttpOnly) or simply drive the admin's authenticated session directly.
Business Reality: Vulnerability B is likely the higher priority, even though Vulnerability A has a scarier number. A good penetration tester will manually adjust the risk rating in the report to reflect this context, whereas an automated scanner will blindly report the 9.8.
The same context should carry through to how each finding is written up: pair the technical description with the business risk it actually represents, for example:
Business Risk: "If this SQL Injection is exploited, we lose our customer database, face a $5M GDPR fine, and lose consumer trust."
When reading a report, always ask your pentester: "I see the CVSS score is 8.0, but considering our specific environment and controls, what is the realistic likelihood of this happening?"
Need Expert, Context-Driven Penetration Testing?
For organizations seeking comprehensive security testing, we've partnered with leading offensive security specialists who manually validate and contextualize every finding. They don't just hand you a scanner output; they combine deep technical expertise with an attacker-led mindset to uncover the true business risk specific to your unique architecture.
Our pentesting partners focus on:
Context-Aware Attack Scenarios: Business-critical simulations that focus on your most valuable assets, thinking like real attackers to evaluate how a vulnerability actually impacts your specific environment.
Regulatory Compliance: Specialized assessments for PCI DSS, SOC 2, ISO 27001, and other industry-specific requirements.