The Problem with CVSS-Only Prioritization
CVSS (Common Vulnerability Scoring System) provides a standardized severity score for vulnerabilities based on their intrinsic characteristics—exploitability, scope, impact. A CVSS 9.8 vulnerability is inherently severe. But CVSS scores are blind to environmental context: a CVSS 9.8 vulnerability in a software package that isn't deployed in your environment, or that's deployed only on an isolated internal system with no sensitive data access, may be lower priority than a CVSS 7.0 vulnerability in an internet-facing application that handles payment data. Organizations that prioritize remediation purely by CVSS score waste significant effort patching high-severity vulnerabilities that present minimal actual risk to their specific environment, while potentially under-prioritizing moderate-severity vulnerabilities that are actively exploitable in their context.
IntelliScore™ Methodology
IntelliScore™ computes contextual risk scores by combining four inputs: Vulnerability Severity (CVSS + EPSS probability of exploitation in the wild), Asset Criticality (business value and data sensitivity of the affected system, sourced from the asset registry), Exposure Context (is the vulnerable system internet-facing, network-isolated, or accessible from a compromised position in a kill chain), and Active Threat Intelligence (are threat actors currently exploiting this vulnerability against organizations similar in profile to the target). The combination produces a score that reflects actual risk exposure rather than theoretical severity—enabling security teams to confidently deprioritize high-CVSS findings with low contextual risk and focus remediation capacity on the findings where exploitation would have material business impact.
Integrating IntelliScore™ into Security Operations
IntelliScore™ integrates into security operations through Verastel's posture management dashboard and API, which enables consumption by existing ticketing and ITSM workflows. When a new vulnerability scan runs, IntelliScore™ automatically computes contextual risk scores for all new findings, updates scores for existing findings (asset criticality changes when a system is promoted to production, exposure context changes when security group rules are modified), and re-ranks the remediation queue accordingly. Security teams see a continuously updated prioritized remediation backlog that reflects the current state of their environment and the current threat landscape—not a static list generated at the last scan date.
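The following is an added illustration of the two ideas above: a contextual score that blends severity (CVSS), exploit probability (EPSS), asset criticality, exposure context and active-threat intelligence, and a remediation queue that re-ranks findings when an asset's registry or exposure attributes change. It is example code written for this page, not IntelliScore™'s or Verastel's implementation. The weights, exposure factors, the geometric-mean combination, the asset/finding field names and the CVE identifiers in the sample data are all assumptions or constructed placeholders; the real product's formula is not described on the page.

```python
"""Contextual vulnerability scoring and re-ranking (illustrative model).

The weights, exposure factors and combining formula are assumptions made
for this example; they are not IntelliScore's proprietary formula.
"""
from dataclasses import dataclass
from math import sqrt

# Assumed exposure factors: how reachable the vulnerable system is.
EXPOSURE_FACTOR = {
    "internet_facing": 1.0,
    "reachable_from_compromised_host": 0.6,  # lateral-movement position in a kill chain
    "network_isolated": 0.2,
}

# Assumed weights for the likelihood blend (CVSS, EPSS, threat-intel flag).
W_CVSS, W_EPSS, W_THREAT = 0.5, 0.3, 0.2


@dataclass
class Asset:
    name: str
    criticality: int  # 1 (low) .. 5 (payment data / crown jewel), from the asset registry
    exposure: str     # key into EXPOSURE_FACTOR


@dataclass
class Finding:
    finding_id: str
    cve: str                 # placeholder ids in the sample data below
    cvss: float              # 0.0 .. 10.0
    epss: float              # 0.0 .. 1.0 probability of exploitation in the wild
    asset: Asset
    actively_exploited: bool  # threat intel: seen in campaigns against similar organizations


def contextual_score(f: Finding) -> float:
    """Combine severity, exploit likelihood, exposure and asset value into a 0..100 score."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.finding_id}: CVSS out of range: {f.cvss}")
    if not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"{f.finding_id}: EPSS out of range: {f.epss}")
    if f.asset.exposure not in EXPOSURE_FACTOR:
        raise ValueError(f"{f.asset.name}: unknown exposure context {f.asset.exposure!r}")
    if not 1 <= f.asset.criticality <= 5:
        raise ValueError(f"{f.asset.name}: criticality must be 1..5")

    threat = 1.0 if f.actively_exploited else 0.0
    # Likelihood: intrinsic severity and exploit probability, scaled by reachability.
    likelihood = EXPOSURE_FACTOR[f.asset.exposure] * (
        W_CVSS * f.cvss / 10.0 + W_EPSS * f.epss + W_THREAT * threat
    )
    # Impact: business value / data sensitivity of the affected asset.
    impact = f.asset.criticality / 5.0
    # Geometric mean stays within 0..100 and needs BOTH factors high to score high,
    # so an isolated low-value host cannot reach the top on CVSS alone.
    return round(100.0 * sqrt(likelihood * impact), 1)


class RemediationQueue:
    """Holds findings and re-ranks them whenever asset context changes."""

    def __init__(self, findings):
        self.findings = {f.finding_id: f for f in findings}

    def ranked(self):
        """(finding_id, contextual score) pairs, highest contextual risk first."""
        scored = [(fid, contextual_score(f)) for fid, f in self.findings.items()]
        return sorted(scored, key=lambda pair: (-pair[1], pair[0]))

    def cvss_only_order(self):
        """Finding ids ordered purely by CVSS, for comparison."""
        return [fid for fid, _ in sorted(self.findings.items(),
                                         key=lambda kv: (-kv[1].cvss, kv[0]))]

    def update_asset(self, asset_name, *, criticality=None, exposure=None):
        """Apply a registry or exposure change (promotion to production, security-group edit).
        Returns the number of findings whose asset was touched."""
        touched = 0
        for f in self.findings.values():
            if f.asset.name == asset_name:
                if criticality is not None:
                    f.asset.criticality = criticality
                if exposure is not None:
                    f.asset.exposure = exposure
                touched += 1
        return touched


def build_sample_queue():
    """Constructed sample inventory (placeholder CVE ids, not real advisories)."""
    dev_db = Asset("dev-db-01", criticality=1, exposure="network_isolated")
    payments = Asset("payments-api", criticality=5, exposure="internet_facing")
    marketing = Asset("marketing-web", criticality=2, exposure="internet_facing")
    return RemediationQueue([
        Finding("F-1", "CVE-0000-0001", 9.8, 0.05, dev_db, actively_exploited=False),
        Finding("F-2", "CVE-0000-0002", 7.0, 0.30, payments, actively_exploited=True),
        Finding("F-3", "CVE-0000-0003", 9.8, 0.90, marketing, actively_exploited=False),
    ])


def demo():
    """Rank, then re-rank after dev-db-01 is promoted to production and made internet-facing."""
    queue = build_sample_queue()
    before = queue.ranked()
    queue.update_asset("dev-db-01", criticality=4, exposure="internet_facing")
    after = queue.ranked()
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("CVSS-only order :", build_sample_queue().cvss_only_order())
    print("Contextual before:", before)
    print("Contextual after :", after)
```

In the sample data the CVSS-only ordering puts the CVSS 7.0 payments finding last, while the contextual score puts it first; after the isolated dev host is promoted and exposed, its finding climbs from the bottom of the queue to second place without any new scan result, which is the "continuously updated backlog" behaviour the section describes. The range checks on CVSS, EPSS and exposure matter in practice because scanner and registry feeds do occasionally emit out-of-range or unmapped values, and a silent default would quietly mis-rank a finding.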