Does Your Vuln Score Tell You Where Attacks Will Hit?

Perhaps this resonates. Based on our experience, it starts similarly for many security teams: a scan runs, the report is generated, and a dashboard lights up like a Christmas tree. Thousands of vulnerabilities, each stamped with a severity label “Critical,” “High,” or “Medium.” Another ticket gets assigned, and another backlog grows. The SOC analysts triage, the vulnerability team chases CVEs, and leadership wonders, “Are we getting better?”

And according to the numbers and the scores, you may be.

After all, you’ve patched 72% of critical vulns. You’ve met your SLA on remediation timelines. You’ve even implemented risk-based prioritization, assigning effort to what’s supposedly most dangerous. But do you still have doubts?  

I ask because every once in a while, an alert might break through. Usually, an incident that wasn’t supposed to happen. Probably through an old misconfiguration. A breach via a low-rated vuln nobody flagged. Or even worse, an attack that started with something you already “fixed.”

This is where it may get uncomfortable: You might be measuring the wrong thing.

In theory, CVSS scores and scanner outputs tell you what can be exploited. However, they don’t tell you what will be exploited in your specific environment by an adversary chaining together weaknesses you didn’t think mattered.

Attackers don’t use your severity rankings. They use what works. And that leads us to a big problem.  Mind you, it’s not a lack of effort or tooling, but rather a lack of context.

So how do attackers see what we don’t? They see paths, not points. They don’t care if a vuln is “low” or “critical” in isolation. They care if it gives them reach: internet exposure, an overprivileged identity, a blind spot in your controls. 

That’s what CVSS misses; however, CVSS isn’t broken. It was never meant to tell you what to fix first. It’s a severity index. A technical score. A way to classify, not prioritize. But somewhere along the way, the industry started treating it as gospel. We built workflows around it. Dashboards. SLAs. KPIs. And in doing so, we forgot something critical …

The Adversary’s Playbook: Why Context Is King

CVSS is static. Reality is dynamic. Again, attackers aren’t looking at the CVSS score. They’re examining how they can move through your environment. They care about exposure. Reachability. Choke points. Most especially, they care about blind spots.

What doesn’t CVSS factor in?

• Whether the asset is exposed to the internet or buried behind five layers of auth.
• Whether the identity on that box has limited access or domain admin.
• Whether a compensating control is in place, such as EDR, WAF, IAM, etc.
• Whether they can chain this “medium” vuln with an unmonitored misconfig and get blast radius.

So, a low CVE, an overprivileged identity, and an unsegmented network walk into a bar … Okay, no proper end to that joke, but the punchline is “that’s an attack path.”  And it’s a hell of a lot more dangerous than 90% of your “criticals.”

Attackers think in paths, not points, and if we want to stop them, we need to start thinking the same way.