Picture the scenario: you log into your vulnerability management dashboard on a Monday morning. The scan ran overnight, and the report lights up with a dozen new high-severity CVEs. One stands out with a CVSS score of 9.8: a critical remote code execution vulnerability.

But looking closer, you notice that this one lives in a seldom-used lab workstation, locked behind layers of firewalls. Way down the list, you come across a 4.6-rated flaw, which is quietly lurking on a financial system your accounting team uses day in and day out.

Which one of these vulnerabilities demands urgent attention?

This scenario is not something you have to stretch to imagine: it’s a daily challenge for security teams attempting to prioritize remediation in environments where vulnerability data is ubiquitous, but meaningful context is scarce. The Common Vulnerability Scoring System (CVSS) does one thing very well: it offers standardized technical insight into the characteristics of known vulnerabilities. But what it is not so good at is telling you what matters most to your business.

As the threat landscape evolves, our approach to vulnerability management needs to evolve along with it. Effective prioritization today requires layering multiple intelligence streams, embracing business-driven context, and designing automation to complement (not replace) human judgment.

Beyond the Score: Rethinking Vulnerability Management in a Contextual - Infosecurity Magazine

Why CVSS Alone Falls Short

CVSS is a technical measure. It describes what a vulnerability can do under idealized conditions, not whether it represents a real threat within your environment. Let’s get back to our example: a remote code execution vulnerability might score a 9.8, but if it's buried inside a system that’s air-gapped and firewalled, the risk is theoretical.

But that 4.6-rated vulnerability? What if it’s a privilege escalation flaw requiring local access? If you’re an attacker that’s already breached a low-privilege account, that might be all you need to achieve full system compromise.

Too many organizations fall into the trap of automating patch deployment based solely on CVSS thresholds. It’s a mistake, a policy guaranteed to introduce blind spots. If you’re remediating issues that pose minimal business risk while leaving truly critical vulnerabilities unaddressed because they don’t trigger an arbitrary score cutoff, are you really making your business more secure?

Enterprise risk is contextual. Asset criticality is just one of the many factors shaping it.

There are also elements like user behavior, access controls and operational dependencies that must be taken into account. Without this context, even the most accurate technical score is a blunt instrument.

Building Contextual, Business-Aligned Risk Programs

This means that modern vulnerability management strategies must begin with policy, not tools. Security teams need to partner with business leadership to answer some foundational questions. Questions like: “which systems are essential to our daily operations?”; “what data would be catastrophic to lose or expose?”; and “what levels of downtime or disruption can we survive?” All of this should happen before you deploy a single patch.

The answers to these questions are what should guide organizations as they tailor their risk assessment models. It’s not just about examining vulnerabilities. It’s examining the value of the systems they impact, how easily they can be exploited and the likely consequences if there is a compromise. It also means knowing when it’s safe to delay remediation, or when a modest flaw combines with other contextual elements to represent an unacceptable risk.


The Exploit Prediction Scoring System (EPSS) has emerged as an effective tool for complementing CVSS because it estimates the likelihood that any given vulnerability will be exploited in the wild, based on historical exploitation patterns, attacker toolkits and current trends in the threat landscape.

EPSS goes beyond CVSS, helping security teams identify wormable vulnerabilities or those likely to be used in chained attacks. But it’s not perfect either. Like any metric, it must be interpreted through the lens of your own environment and infrastructure.

Real-world threat intelligence also plays a role. Threat actors are creatures of habit, which means they often develop preferences for certain types of exploits or target specific industries. In order to make informed decisions, it’s critical to map known attacker behavior against your own technology stack and exposure surface.
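To make the layering concrete, here is an added example (not from the article) that scores the two findings from the opening scenario by CVSS, EPSS, exposure, attack vector and an agreed business criticality tier. The weights, the `Finding` fields and the CVE labels are constructed for illustration; the point is that the 4.6 on the finance system outranks the 9.8 on the isolated lab workstation once context is applied.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str                  # constructed placeholder labels, not real CVE ids
    cvss: float               # technical severity, 0-10
    epss: float               # EPSS probability of exploitation in the wild, 0-1
    asset: str
    criticality: int          # business tier agreed with leadership: 1 (lab) .. 5 (revenue critical)
    exposure: str             # "internet", "internal" or "isolated" (air-gapped / firewalled)
    attack_vector: str        # "network" or "local"
    foothold_present: bool    # IR / threat-intel signal: a low-privilege account is already compromised

# How far an attacker can reach the asset without an existing foothold (assumed weights).
EXPOSURE_REACH = {"internet": 1.0, "internal": 0.6, "isolated": 0.1}

def contextual_risk(f: Finding) -> float:
    """Scale the technical score by business impact, reachability and exploit likelihood (0..10)."""
    impact = f.criticality / 5                    # what the asset is worth to the business
    reach = EXPOSURE_REACH[f.exposure]            # can the attacker even get to it?
    if f.attack_vector == "local" and f.foothold_present:
        # A local privilege-escalation flaw is as reachable as the account the attacker already holds.
        reach = max(reach, 0.8)
    likelihood = 0.5 + f.epss / 2                 # EPSS tempers the score but never zeroes it
    return round(f.cvss * impact * reach * likelihood, 2)

def prioritize(findings):
    """Return (contextual score, finding) pairs ordered highest risk first."""
    scored = [(contextual_risk(f), f) for f in findings]
    return sorted(scored, key=lambda s: s[0], reverse=True)

# The two findings from the opening scenario (constructed values).
SCENARIO = [
    Finding("CVE-XXXX-LAB", 9.8, 0.90, "lab-ws-07", 1, "isolated", "network", False),
    Finding("CVE-XXXX-FIN", 4.6, 0.30, "erp-finance-01", 5, "internal", "local", True),
]

if __name__ == "__main__":
    for score, f in prioritize(SCENARIO):
        print(f"{f.asset:16} CVSS {f.cvss:<4} EPSS {f.epss:<5} -> contextual {score}")
```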

Automation and Human Oversight: Finding the Right Balance

Scaling remediation manually is not feasible for even mid-size organizations. Automation is indispensable, but only when it’s governed by strong policy. I’ve found that the 80/20 rule serves as a good rule of thumb. Let automation handle the repetitive, well-understood tasks that follow established rules and reserve human intervention and decision-making for the exception. These are the edge cases, the high-impact assets and the judgment calls.

Doomsayers are constantly warning about the perils of automation, but the fact is that automation itself is not a big risk. Automation without boundaries is what will get you into trouble. A script that patches every vulnerability with a score above 7.0 may seem like a great idea. What’s the harm, right? You’ll find out what the harm is when the script takes down a production server running legacy software that’s critical to your business.

Every automated action should be traceable to a specific, pre-approved policy. And when those policies fall short, escalation paths must be clear. Who gets called? Who decides? Who can override?
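As an added illustration (not the article's own code), the script below contrasts the unbounded "patch everything above 7.0" rule with a policy-gated decision in which every action carries a policy id and a named decider. The `Asset` fields, policy ids and inventory are constructed placeholders; the legacy production box the text warns about is the one the naive rule would patch unattended.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    criticality: int     # 1 (lab) .. 5 (revenue critical), agreed with business owners
    legacy: bool         # unsupported or fragile software that unattended patching may break
    owner: str           # who is accountable for the system

@dataclass
class Decision:
    asset: str
    action: str          # "auto-patch", "escalate" or "routine-cycle"
    policy_id: str       # every action traces back to one pre-approved policy
    decided_by: str      # "automation" or the human role that must decide

def naive_patch(asset: Asset, cvss: float) -> bool:
    """The unbounded script from the text: patch anything scoring 7.0 or above, no matter what."""
    return cvss >= 7.0

def policy_triage(asset: Asset, risk: float, auto_threshold: float = 4.0) -> Decision:
    """Policy-governed decision on a contextual risk score. Policy ids are constructed placeholders."""
    if asset.legacy:
        # POL-03: legacy production software is never patched unattended.
        return Decision(asset.name, "escalate", "POL-03-legacy", asset.owner)
    if asset.criticality >= 4:
        # POL-02: crown-jewel systems need a human to weigh downtime against risk.
        return Decision(asset.name, "escalate", "POL-02-crown-jewel", "security lead + " + asset.owner)
    if risk >= auto_threshold:
        # POL-01: well-understood, low-blast-radius assets are the routine 80% automation handles.
        return Decision(asset.name, "auto-patch", "POL-01-standard", "automation")
    # POL-04: everything else waits for the normal maintenance window.
    return Decision(asset.name, "routine-cycle", "POL-04-scheduled", "automation")

def audit_line(d: Decision) -> str:
    """One traceable record per decision: what was done, under which policy, by whom."""
    return f"{d.asset}: {d.action} under {d.policy_id} by {d.decided_by}"

# Constructed inventory as (asset, CVSS, contextual risk) triples.
INVENTORY = [
    (Asset("build-agent-03", 2, False, "platform team"), 8.1, 6.0),
    (Asset("billing-legacy-01", 5, True, "finance app owner"), 8.1, 7.5),
    (Asset("lab-ws-07", 1, False, "research"), 9.8, 0.2),
]

if __name__ == "__main__":
    for asset, cvss, risk in INVENTORY:
        print(f"naive script patches: {naive_patch(asset, cvss)} | {audit_line(policy_triage(asset, risk))}")
```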

These policies can’t be static. Security teams should be revising them regularly and comparing them to actual practices. Does your IT environment from two years ago look anything like your IT environment today? Of course not: they’re constantly evolving.

Outdated policies can quickly become liabilities. If an archaic patching protocol doesn’t reflect your current technology stack or business practices, it’s time to update, not blindly follow.

A Future of Smarter Metrics and Sovereign Intelligence

The shortcomings of traditional vulnerability scoring have not gone unnoticed. As confidence in legacy databases like the US National Vulnerability Database (NVD) wavers, countries are investing in sovereign vulnerability repositories to better reflect regional software use and threat landscapes. The resulting intelligence will likely be more diverse and, if harmonized properly, far more actionable.

At the same time, we’re seeing models emerge that combine historical breach data, threat actor behavior and financial impact in an effort to deliver a more holistic picture of risk in the real world. These models don’t just identify what could go wrong. They attempt to quantify how bad it might be and how likely it is to happen. The goal isn’t to replace CVSS or EPSS, but to augment them with richer, more relevant context.

Of course, with more data comes more noise. The challenge will be filtering for clarity, not just signal. That’s where analytics, historical validation and experienced human interpretation must continue to play a central role.

By now, it should be clear that managing vulnerabilities in 2025 isn’t just about chasing high CVSS scores. It’s about understanding what matters to your business and why. It’s tempting to automate everything or fall back on a scoring threshold and call it a strategy. But that approach misses the nuance.

What organizations really need is a solid plan, grounded in business priorities, with policies that get revisited as things change. Automation can handle the routine stuff, but there will always be decisions that require a human call.

At the end of the day, it’s not about throwing out the old metrics. It’s about using them more wisely: layered with context, business insight and judgment. Because the best data in the world doesn’t help unless it’s tied to what your business actually needs to protect.