
CVE, CWE, EPSS, KEV

The four vulnerability-intelligence signals you actually need to prioritise remediation work.

What are CVE, CWE, EPSS, and KEV?

These are four distinct vulnerability-intelligence signals, maintained by different organisations, that answer different questions. CVE (Common Vulnerabilities and Exposures) is the unique identifier — which bug. CWE (Common Weakness Enumeration) is the taxonomic class — what kind of bug. EPSS (Exploit Prediction Scoring System) is a probability — how likely it is to be exploited in the next 30 days. KEV (CISA Known Exploited Vulnerabilities) is a binary list — is it already being exploited in the wild.

Most programs default to CVSS severity alone. That is useful, but it answers none of the four questions above well. A mature triage process layers all four signals plus reachability to decide what actually deserves an engineer's attention today.

How they fit together

Think of the four signals as a funnel:

  1. CVE tells you which vulnerability you are looking at — the public record you can link to and audit against.
  2. CWE tells you what category of weakness it is (e.g. CWE-89 SQLi, CWE-79 XSS, CWE-502 insecure deserialization). Useful for trend analysis and for routing findings to the right guardrail or training module.
  3. EPSS gives you a numeric probability of exploitation. A CVSS 9.8 with EPSS 0.1% is rarely weaponised in practice; a CVSS 6.5 with EPSS 60% should be fixed this week.
  4. KEV is the "stop what you are doing" list. A CVE on KEV means an attacker is already using it somewhere on the internet — remediation timelines collapse from weeks to hours.

Why it matters

Programs that sort by CVSS alone spend a lot of time patching high-severity bugs nobody is exploiting, while medium-severity KEV entries sit in the backlog. Attackers do not read the CVSS score — they read exploit databases and pick the easiest working weapon.

Composite prioritisation — reachable × EPSS × KEV × asset criticality — gets you closer to "fix the things most likely to cause an incident." That is the shape of a defensible program, and the shape a regulator or auditor now expects to see.

What value it adds

  • Prioritisation beyond CVSS

    CVSS measures potential severity. EPSS and KEV measure actual exploit activity. Combining them aligns remediation with real-world risk.

  • KEV-first SLAs are defensible

    "KEV in 24 hours, EPSS > 10% in 7 days, everything else by risk score" is a policy regulators and boards understand.

  • CWE trend data improves secure-SDLC

    If 40% of your findings are CWE-89, the fix is a parameterised-query guardrail, not another round of point patches.

  • Composite scoring cuts noise further

    Reachable × EPSS × KEV shortens the critical queue by another order of magnitude relative to raw CVSS triage.

  • Audit narrative improves immediately

    "Here is every KEV entry in our estate, when we detected it, and when we mitigated" is the table every assessor wants to see.
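The composite ordering described under "Why it matters" and the KEV-first SLA and CWE-trend points in the list above, worked through as an added Python example (this is illustrative code, not Safeguard's implementation). It assumes an interpretation of "reachable × EPSS × KEV × asset criticality" that the page does not spell out: reachability is a hard gate (unreachable code scores 0), a KEV listing is treated as exploitation probability 1.0 because the exploit is already in use, and asset criticality is scaled from a 1 to 5 rating to a 0 to 1 weight. The 30-day and 90-day tiers for the "everything else by risk score" bucket are also assumed, and the findings and CVE ids are constructed placeholders, not real records.

```python
"""Composite vulnerability triage (added example, not Safeguard's code).

Ranks findings by reachable x EPSS x KEV x asset criticality, assigns
KEV-first SLAs, and summarises CWE share for secure-SDLC trend analysis.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str            # which bug (placeholder ids below, not real CVEs)
    cwe: str            # what kind of bug
    cvss: float         # CVSS base score, 0.0-10.0 (potential severity)
    epss: float         # EPSS: probability of exploitation in 30 days, 0.0-1.0
    kev: bool           # on the CISA KEV list (already exploited in the wild)
    reachable: bool     # vulnerable code path is reachable from an entry point
    criticality: int    # asset criticality, 1 (low) .. 5 (crown jewel)


def composite_score(f: Finding) -> float:
    """reachable x EPSS x KEV x asset criticality, normalised to 0.0-1.0.

    Assumptions (not from the page): reachability is a hard gate, so
    unreachable code scores 0; KEV is treated as exploitation probability
    1.0 because the exploit is already in use; criticality is scaled to 0-1.
    """
    if not f.reachable:
        return 0.0
    exploit_probability = 1.0 if f.kev else f.epss
    return exploit_probability * (f.criticality / 5.0)


def rank(findings, key):
    """Return CVE ids sorted by the given key function, highest first."""
    return [f.cve for f in sorted(findings, key=key, reverse=True)]


def sla_hours(f: Finding) -> int:
    """KEV in 24 hours, EPSS > 10% in 7 days, everything else by risk score.

    The 30-day / 90-day tiers for the "everything else" bucket are assumed.
    """
    if f.kev:
        return 24
    if f.epss > 0.10:
        return 7 * 24
    return 30 * 24 if composite_score(f) >= 0.25 else 90 * 24


def cwe_share(findings) -> dict:
    """Percentage of findings per CWE, for routing to guardrails or training."""
    counts = Counter(f.cwe for f in findings)
    total = len(findings)
    return {cwe: round(100.0 * n / total, 1) for cwe, n in counts.items()}


# Constructed sample findings; the CVE ids are placeholders, not real records.
FINDINGS = [
    Finding("CVE-0000-0001", "CWE-89",  9.8, 0.001, False, True,  5),
    Finding("CVE-0000-0002", "CWE-79",  6.5, 0.60,  False, True,  3),
    Finding("CVE-0000-0003", "CWE-502", 7.2, 0.05,  True,  True,  4),
    Finding("CVE-0000-0004", "CWE-89",  9.1, 0.08,  False, False, 5),
    Finding("CVE-0000-0005", "CWE-22",  5.3, 0.02,  False, True,  2),
]


def triage(findings=FINDINGS) -> dict:
    """Side-by-side view: CVSS-only order versus composite order, plus SLAs."""
    return {
        "by_cvss": rank(findings, lambda f: f.cvss),
        "by_composite": rank(findings, composite_score),
        "sla_hours": {f.cve: sla_hours(f) for f in findings},
        "cwe_share_pct": cwe_share(findings),
    }


if __name__ == "__main__":
    for section, value in triage().items():
        print(f"{section}: {value}")
```

Running it shows the inversion the page describes: the CVSS-only queue puts the two 9.x findings first, while the composite queue puts the KEV entry and the EPSS 60% finding at the top and drops the unreachable 9.1 to the bottom. The SLA table gives the KEV entry 24 hours and the high-EPSS entry 7 days regardless of CVSS, and the CWE share shows 40% of findings in CWE-89, the signal that argues for a parameterised-query guardrail rather than more point patches.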

How Safeguard uses it

Every finding in Safeguard carries its CVE, CWE, EPSS, and KEV status. The platform composes them with reachability and asset criticality to rank triage queues and drive vulnerability-exposure workflows.

Prioritise by what attackers actually use.

Point Safeguard at a repo. See every finding scored by reachable × EPSS × KEV, not CVSS alone.