Analyzing Data to Prioritize Vulnerabilities
Not sure you’re ready?
Take the ~3-minute readiness diagnostic and see where you stand.
A security scanner dumping thousands of alerts onto a dashboard is not providing intelligence; it is creating noise. Without a systematic method to evaluate the severity of a software flaw and a rigorous process to verify its actual existence, a Security Operations Center (SOC) is reduced to chasing ghosts while ignoring the genuine intruders slipping through the floorboards. The core challenge of modern vulnerability management is not merely discovering vulnerabilities—it is contextualizing and triaging them. To do this, analysts must dissect how industry-standard severity metrics map the anatomy of an exploit, and critically examine raw scanner outputs to distill the mathematical reality of a network's actual risk.
If we are to measure risk, we must have a common language. The Common Vulnerability Scoring System (CVSS) provides a standardized method for assessing the severity of computer system security vulnerabilities. A vulnerability is not a monolithic entity; it has physical requirements, dependencies, and specific fallout.
To capture this, the CVSS framework consists of three distinct metric groups: Base, Temporal, and Environmental. When calculated, these groups yield a numeric score. The CVSS version 3.1 base score range is exactly 0.0 to 10.0, which maps directly to qualitative severity ratings:
- 0.0 maps to the qualitative severity rating of None.
- 0.1 to 3.9 maps to the qualitative severity rating of Low.
- 4.0 to 6.9 maps to the qualitative severity rating of Medium.
- 7.0 to 8.9 maps to the qualitative severity rating of High.
- 9.0 to 10.0 maps to the qualitative severity rating of Critical.
Security tools output this mathematical assessment as a CVSS vector string, a text representation of a set of CVSS metrics. By standard convention, the CVSS version 3.1 vector string prefix is strictly CVSS:3.1, followed by the specific values, looking something like CVSS:3.1/AV:N/AC:L/...
The Base Metrics: The Immutable Physics of the Vulnerability
The CVSS Base metric group represents the intrinsic qualities of a vulnerability. Because it describes the fundamental nature of the software flaw, CVSS Base metrics remain constant over time and remain constant across different user environments. A buffer overflow in a specific version of an Apache web server is structurally identical whether it sits in a university lab today or a bank's datacenter five years from now.

The CVSS Base metric group is composed of two distinct halves: Exploitability metrics and Impact metrics.
Exploitability Metrics
CVSS Exploitability metrics reflect the ease and technical means by which a vulnerability can be exploited. Think of this as the "how."
- Attack Vector (AV): This evaluates the context by which vulnerability exploitation is possible. The CVSS version 3.1 Attack Vector metric values are:
- Network: Indicates that the vulnerable component is bound to the network stack. An attacker can exploit it from across the internet.
- Adjacent: The attacker must be on the same shared physical or logical network (e.g., Bluetooth, local subnet).
- Local: The attacker must have interactive access to the system via keyboard or SSH.
- Physical: The most restrictive. A CVSS Attack Vector value of Physical requires the attacker to physically touch or manipulate the vulnerable component (e.g., inserting a malicious USB drive).
- Attack Complexity (AC): This describes the conditions beyond the attacker's control that must exist to exploit the vulnerability. If an exploit relies on a race condition or an exceedingly rare system configuration, complexity is high. The metric values are simply Low and High.
- Privileges Required (PR): This describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. The values are None, Low (standard user), and High (administrator).
- User Interaction (UI): This captures the requirement for a human user to participate in the successful compromise of the vulnerable component. Does the user have to click a malicious link or open an attachment? The metric values are None and Required.
- Scope (S): One of the most critical concepts in CVSS v3.1. The CVSS Scope metric captures whether a vulnerability in one component impacts resources in components beyond its security authority. For example, a virtual machine escape compromises the underlying hypervisor. The metric values are Unchanged and Changed.
Impact Metrics
If Exploitability is the "how," Impact is the "what happens next." CVSS Impact metrics reflect the direct consequence of a successful exploit on the vulnerable component, broken into the classic CIA triad. The CVSS version 3.1 Confidentiality, Integrity, and Availability metric values are universally None, Low, and High.
- Confidentiality (C): Measures the impact to the confidentiality of the information resources managed by a software component due to an exploited vulnerability (e.g., data theft).
- Integrity (I): Measures the impact to the integrity of the information resources managed by a software component (e.g., malicious alteration of records).
- Availability (A): Measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability (e.g., a system crash or denial of service).

The Temporal Metrics: The Element of Time
While the Base score maps the fundamental mechanics of a flaw, the world around that flaw is dynamic. The CVSS Temporal metric group reflects the characteristics of a vulnerability that may change over time. It dynamically lowers the Base score depending on the threat landscape.
- Exploit Code Maturity (E): Measures the likelihood of the vulnerability being attacked based on the current state of exploit techniques. When a flaw is discovered, there may be no known way to weaponize it. Over time, that changes. The CVSS version 3.1 Exploit Code Maturity metric values are Unproven, Proof of Concept, Functional, and High.
- Remediation Level (RL): Indicates the availability of official fixes or workarounds for the vulnerability. A zero-day has no fix, making it highly dangerous, but eventual patches lower the risk. The values are Official Fix, Temporary Fix, Workaround, and Unavailable.
- Report Confidence (RC): Measures the degree of confidence in the existence of the vulnerability. Early, unverified rumors of a bug score lower than confirmed vendor reports. The metric values are Unknown, Reasonable, and Confirmed.

The Environmental Metrics: The Reality Check
A vulnerability's raw severity means little without understanding where it lives. The CVSS Environmental metric group represents vulnerability characteristics that are unique to a specific user's IT environment.
CVSS Environmental metrics allow analysts to customize the CVSS score based on the importance of the affected IT asset to a user's organization. A critical flaw on a public-facing e-commerce server is drastically more dangerous than that exact same flaw on an isolated, decommissioned test server. Furthermore, CVSS Environmental metrics account for the presence of mitigating security controls within an organization's specific network. If you implement a strict firewall rule blocking the vulnerable port, you alter the environmental impact.
Understanding CVSS scores is only useful if the vulnerabilities you are looking at actually exist. Security scanners are imperfect observational tools. When an analyst reviews scanner output, they are dealing with a matrix of four possible truths.
The Scanner Outcomes Matrix
- True Positive: Occurs when a security scanner correctly identifies a vulnerability that actually exists in the environment. This is accurate intelligence.
- False Positive: Occurs when a security scanner reports a vulnerability that does not actually exist in the environment.
- True Negative: Occurs when a security scanner correctly identifies that a specific vulnerability is absent from the environment.
- False Negative: Occurs when a security scanner fails to detect a vulnerability that actually exists in the environment.

The cost of scanning errors is immense. False positive vulnerability scan results waste security operations center (SOC) analyst time, creating alert fatigue that distracts from real threats. Conversely, false negative vulnerability scan results leave the organization unknowingly exposed to cyber attacks.
Why Scanners Fail
To understand why scanners generate false positives and false negatives, you must understand how they "see" the network.
Non-credentialed vulnerability scans rely on network behavior and banner grabbing. The scanner acts as an outsider, pinging ports and reading the headers (banners) that services send back. Naturally, non-credentialed vulnerability scans produce more false positives than credentialed vulnerability scans. Why? Because banner grabbing techniques used by network scanners often lead to false positives when software administrators obscure the application version number to confuse attackers. The scanner assumes the worst and flags the system. Furthermore, false positives often occur when a scanner detects an installed vulnerable software package without checking if the vulnerable service is actively running. If the binary is on the disk but the service is off, it cannot be exploited via the network.
To fix this, organizations use credentialed vulnerability scans. These scans reduce false positives by allowing the scanner to inspect the local registry and file system of the target host. By authenticating via SSH or Windows Management Instrumentation (WMI), the scanner acts as an insider, checking exact patch levels and running processes rather than guessing based on network banners.
However, scanners can still be blinded, leading to dangerous false negatives. False negatives can occur if network firewalls block the vulnerability scanner from reaching the target host altogether—the scanner sees no open ports and assumes the host is secure. Additionally, false negatives can occur if the vulnerability scanner's signature database is out of date, blinding it to newly discovered CVEs.

The Analyst's Burden: Manual Validation
Because scanners are fallible, humans must verify the data. Security analysts validate vulnerability scanner results using several distinct methods:
- Vendor Documentation: Security analysts validate vulnerability scanner results by verifying the application version numbers against vendor patch notes. If the scanner flags Apache 2.4.49, the analyst checks the exact running version and confirms with Apache's official security advisories if that version is truly vulnerable.
- Verification by Fire: Security analysts validate vulnerability scanner results by attempting to manually exploit the reported vulnerability in a controlled manner. If an analyst can pop a reverse shell using a Metasploit module, the true positive is undeniable.
- Active Threat Intelligence: Evaluating threat intelligence feeds helps analysts prioritize vulnerabilities based on active exploitation in the wild. A vulnerability with a CVSS score of 7.5 that is currently being exploited by ransomware gangs is an immediate, burning priority compared to a CVSS 9.0 that only exists as a theoretical lab paper.

Validation yields truth, but truth requires prioritization. Security analysts perform risk prioritization by combining the CVSS severity score with the business criticality of the affected system. A medium-severity flaw on the primary domain controller poses a greater business risk than a critical-severity flaw on a digital cafeteria menu board.
When immediate patching is impossible—perhaps because a patch would break a legacy proprietary application—analysts look to compensating controls. Compensating controls can reduce the actual exploitability of a vulnerability. For example, network segmentation acts as an environmental mitigation that can lower the CVSS Environmental score of a vulnerability. By isolating the vulnerable legacy machine onto its own restricted VLAN, the Attack Vector is effectively altered, mitigating the threat.

When this happens, the business assumes the residual risk. A vulnerability exception is a formal business decision to accept the risk of a known vulnerability without immediately remediating it. This is not an excuse to ignore the problem; it is a meticulously documented process. Security analysts document compensating controls when granting a vulnerability exception, ensuring that institutional knowledge of the vulnerability and its environmental bandages is preserved for future audits.
Ultimately, analyzing data to prioritize vulnerabilities is the practice of imposing order onto chaos. It is the transition from raw, panicky alerts to calculated, mathematical risk management.