CVSS v2/v3.1/v4.0 · EPSS · KEV · business context

Prioritize vulnerabilities the way attackers and business owners think.

A practical risk engine that starts from CVSS, then adds exposure, asset value, exploit maturity, EPSS probability, KEV status, data sensitivity, remediation complexity and compensating controls.

Workflow status: Waiting for calculation
No risk calculated yet

The score appears after you look up or enter source metrics, set business context, and calculate risk.

1. Look up CVE
Pull NVD, EPSS and KEV data.
2. Set business context
Exposure, asset type, data sensitivity and controls.
3. Calculate and report
Generate output only after inputs are confirmed.

Risk input

Enter a CVE to score it against CVSS, EPSS, CISA KEV and your business context.

Business context

First describe the environment. These values turn a technical CVSS/EPSS finding into a practical business risk decision.

User environment

How reachable is the affected asset from untrusted networks?

What kind of system is affected? Affects business impact and attacker value.

Separates production/customer-facing risk from non-production or isolated environments.

What business damage would successful exploitation most likely create?

How important is this asset or service to the business?

What type of data could be exposed, modified or disrupted?

Authentication required

Attack-path validation. CVSS vector usually describes privileges already, but this lets you reflect a local access gate when needed.

Security controls and compensating context

CISSP-style control classification is shown for each control. These can reduce urgency, but do not remove the underlying vulnerability unless they fully eliminate the exploit path.

Look up a CVE to begin

Enter a CVE ID above to pull NVD, EPSS and CISA KEV data, then layer on your business context to get a prioritized risk score.

CVE-2021-44228 · CVE-2017-5638

Top risk drivers

Exposure (+18): Internet-facing
Asset impact (+10): Production Server
Environment tier (+5): Production - customer-facing
Business impact (+5): Customer / revenue impact
Business criticality (+4): High
Data sensitivity (+3): Confidential business data

Recommended remediation plan

1. Place in the standard remediation queue with a 90-day target. The current risk context (technical severity, exposure level and exploit intelligence) does not indicate elevated urgency. Apply the vendor patch when the normal patch cycle reaches this asset.
2. Monitor for context changes that would require reassessment: if this asset becomes internet-facing, receives a higher criticality classification, or a KEV listing or weaponized exploit appears for this CVE, re-run the assessment before the next scheduled patch window.
3. Apply proportionate effort. Over-prioritising low-risk findings draws capacity away from higher-urgency work. Standard queue placement is the correct response here, not indefinite deferral, and not emergency mobilisation that the current risk profile does not justify.

Active control deductions
EDR active: -3
SIEM / monitoring: -2
Business risk score
46/100
Low Business Risk
Remediation SLA
90 days
Keep in the standard remediation queue and reassess if risk context changes
Executive summary: This finding is classified Standard Risk (46/100). Internet-facing exposure is the primary driver elevating this classification. The Production Server is reachable under current network conditions in a way that converts the vulnerability's technical severity into an actionable attack surface: an attacker does not need to overcome internal access controls before reaching the vulnerable component, which materially increases the probability that exploitation translates into business impact. Primary risk drivers: Exposure: Internet-facing · Asset impact: Production Server · Environment tier: Production - customer-facing. Place in the standard remediation queue with a 90-day target. No immediate escalation is required; the current risk context (technical severity, exposure tier and exploit intelligence) does not present elevated urgency. Reassess if the asset's exposure classification, business criticality, or exploit maturity changes. Routine monitoring is the proportionate response; mobilising remediation resources at this risk level draws capacity away from findings where the business consequence of deferral is materially higher.
Technical explanation: Composite risk score: 46/100. CVSS v3.1 0 provides the technical severity baseline; contextual factors (network and physical exposure, asset classification, exploit intelligence maturity, business criticality, data sensitivity, and patch complexity) then shift that baseline up or down based on how this vulnerability behaves in this specific operational environment, not in a standardized vacuum. Top scoring contributors: Exposure: Internet-facing (+18 pts); Asset impact: Production Server (+10 pts); Environment tier: Production - customer-facing (+5 pts); Business impact: Customer / revenue impact (+5 pts); Business criticality: High (+4 pts). Compensating controls applied: EDR active (-3 pts), SIEM / monitoring (-2 pts). These reduce the composite score but do not remediate the underlying vulnerability; the exposure source remains active and a formal remediation or documented risk-acceptance decision is still required. The highest-weighted factor is Exposure; addressing it on reassessment provides the greatest score reduction and the clearest path to reclassification. Where formal deferral of remediation is required, this breakdown constitutes the technical basis for a risk-acceptance record: document which factors remain active, which are addressable without patching, and the residual risk posture given any controls in place.
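The composite model described above is additive: a CVSS-derived baseline, plus exploit intelligence, plus the business-context drivers, minus control deductions. The following worked example is added here and is not the calculator's own code. The driver and control point values are the ones the page displays for its sample finding; everything else is an assumption made for the demonstration: the CVSS-to-baseline mapping, the EPSS and KEV escalation points, the band cut-offs and SLAs, and the sample feed payloads, which are constructed to match the shape of the NVD CVE API 2.0, FIRST EPSS API and CISA KEV catalog responses. It also shows the reassessment trigger from the remediation plan: the same finding scored with and without a KEV listing lands in different bands.

```python
import json

# Constructed sample payloads shaped like the three feeds the page pulls
# (NVD CVE API 2.0, FIRST EPSS API, CISA KEV catalog). The CVE id is the page's
# own example; the numeric values are made up for this demonstration.
NVD_SAMPLE = json.dumps({"vulnerabilities": [{"cve": {
    "id": "CVE-2021-44228",
    "metrics": {"cvssMetricV31": [{"cvssData": {
        "baseScore": 9.8,
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]}}}]})
EPSS_SAMPLE = json.dumps({"data": [
    {"cve": "CVE-2021-44228", "epss": "0.92", "percentile": "0.99"}]})
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache"}]})
KEV_EMPTY = json.dumps({"vulnerabilities": []})  # same catalog shape, CVE not listed

# Point values displayed on the page for its sample finding.
DRIVER_POINTS = {
    "exposure": {"Internet-facing": 18},
    "asset_impact": {"Production Server": 10},
    "environment_tier": {"Production - customer-facing": 5},
    "business_impact": {"Customer / revenue impact": 5},
    "business_criticality": {"High": 4},
    "data_sensitivity": {"Confidential business data": 3},
}
CONTROL_POINTS = {"EDR active": 3, "SIEM / monitoring": 2}
PAGE_CONTEXT = {
    "exposure": "Internet-facing",
    "asset_impact": "Production Server",
    "environment_tier": "Production - customer-facing",
    "business_impact": "Customer / revenue impact",
    "business_criticality": "High",
    "data_sensitivity": "Confidential business data",
}
PAGE_CONTROLS = ["EDR active", "SIEM / monitoring"]

# ASSUMED mappings, not taken from the page: baseline, exploit points, bands.
KEV_POINTS = 15                                   # escalation when CISA lists the CVE
BANDS = [(80, "Critical", "7 days"), (60, "High", "30 days"),
         (40, "Standard", "90 days"), (0, "Low", "Next scheduled patch cycle")]


def baseline_points(cvss_base):
    """Assumed linear mapping of the CVSS v3.1 base score onto 0..30 points."""
    return round(cvss_base * 3)


def epss_points(epss):
    """Assumed mapping of the EPSS probability (0..1) onto 0..10 points."""
    return round(epss * 10)


def parse_sources(cve_id, nvd_json, epss_json, kev_json):
    """Step 1 of the workflow: pull the three source metrics for one CVE."""
    cvss = 0.0
    for item in json.loads(nvd_json)["vulnerabilities"]:
        if item["cve"]["id"] == cve_id:
            v31 = item["cve"].get("metrics", {}).get("cvssMetricV31", [])
            if v31:
                cvss = float(v31[0]["cvssData"]["baseScore"])
    epss = 0.0
    for row in json.loads(epss_json)["data"]:
        if row["cve"] == cve_id:
            epss = float(row["epss"])
    kev = any(v["cveID"] == cve_id for v in json.loads(kev_json)["vulnerabilities"])
    return {"cve": cve_id, "cvss_base": cvss, "epss": epss, "kev": kev}


def score_finding(metrics, context, controls):
    """Steps 2-3: add context drivers, subtract control deductions, band the result."""
    drivers = [(f, v, DRIVER_POINTS[f][v]) for f, v in context.items()]  # KeyError on unpriced options
    deductions = [(c, -CONTROL_POINTS[c]) for c in controls]
    base = baseline_points(metrics["cvss_base"])
    exploit = epss_points(metrics["epss"]) + (KEV_POINTS if metrics["kev"] else 0)
    total = base + exploit + sum(p for _, _, p in drivers) + sum(p for _, p in deductions)
    total = max(0, min(100, total))                # clamp to the 0..100 scale
    label, sla = next((lab, s) for cut, lab, s in BANDS if total >= cut)
    drivers.sort(key=lambda d: -d[2])              # "top risk drivers" ordering
    return {"score": total, "band": label, "sla": sla, "baseline": base,
            "exploit": exploit, "top_drivers": drivers, "deductions": deductions}


if __name__ == "__main__":
    for label, kev_json in (("KEV listed", KEV_SAMPLE), ("not in KEV", KEV_EMPTY)):
        m = parse_sources("CVE-2021-44228", NVD_SAMPLE, EPSS_SAMPLE, kev_json)
        r = score_finding(m, PAGE_CONTEXT, PAGE_CONTROLS)
        print(f"{label}: {r['score']}/100 {r['band']} (SLA {r['sla']}); "
              f"top driver {r['top_drivers'][0]}")
```

Because every contributor is a named tuple in the result, the same breakdown can be written straight into a risk-acceptance record: which drivers remain active, which deductions depend on controls staying in place, and what the score would be if a control lapsed.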

Inputs changed; recalculate to update this score.

Exposure context

Internet-facing placement removes the network perimeter as a practical barrier: any attacker on the public internet can initiate exploitation attempts without requiring prior internal access or lateral movement. This is the highest-exposure tier; it shifts the operative question from 'can this asset be reached?' to 'how quickly can an attacker act?', particularly when exploit tooling is already publicly available.

Asset impact

A production server directly supports live business operations; successful exploitation translates to potential service disruption, unauthorised data access, or downstream impact on dependent services and end users. Remediation delays on production assets carry visible operational cost, not just technical debt. Change-window constraints and rollback risk are real considerations, but they justify careful planning rather than indefinite deferral.

Exploit context

No public exploit is currently known for this vulnerability, which meaningfully reduces the pool of threat actors who can exploit it in the near term; developing a working exploit from scratch requires significant skill and time. This is a moderating factor, not a reason to dismiss the finding. The absence of public exploit evidence can change: monitor for new PoC publications, KEV additions, or significant EPSS increases that would require priority reassessment.

Final step: calculate risk

Confirm CVE lookup and business context, then generate the business risk score and session report.

No calculation yet. Set business context and click Calculate.