epss
Safeguard articles tagged "epss" — guides, analysis, and best practices for software supply chain and application security.
40 articles
When CVSS Scoring Misleads Severity Context
Only 2-6% of published CVEs are ever exploited in the wild, yet a much larger share carry CVSS 7.0+ scores — a gap that quietly wrecks patch prioritization.
Vulnerability fatigue and the case for risk-based prioritization
48,185 CVEs were published in 2025 alone. Most teams can't triage that volume — reachability and exploit maturity data show which ones actually matter.
A prioritization framework for triaging security alerts at scale
Only 2.6% of CVEs tracked in 2019 saw real-world exploitation, per Kenna Security/Cyentia — yet most teams still triage by CVSS alone. Here's a better framework.
Vulnerability Prioritization FAQ: How to Decide What to Fix First
You can't fix everything at once. This FAQ explains how to prioritize vulnerabilities using severity, exploitation likelihood, active-exploitation evidence, and reachability.
A Step-by-Step Methodology for Mapping and Prioritizing Attack Surface
CVE-2023-34362 sat in one internet-facing file-transfer server and still produced thousands of downstream breaches — attack surface mapping is what catches that server before Cl0p does.
Beyond vulnerability management: a risk-based approach to AppSec
Fewer than 5% of published CVEs are ever exploited in the wild, yet most teams still triage by raw count — here's the exploitability-first alternative.
Continuous vulnerability management: the discovery-to-verification lifecycle
CISA's new BOD 26-04 gives federal agencies as little as 3 days to remediate the highest-risk flaws — a preview of the SLA pressure every engineering org now faces.
CVSS 4.0 vs. 3.1: what actually changed, and why your priority list should too
CVSS 4.0 killed the Scope metric, added Attack Requirements, and split scoring into CVSS-B/BT/BE/BTE labels — here's what that means for triage.
Exploitability vs. breakability: a practical rubric for vulnerability triage
CVSS says a flaw could be bad. CISA's KEV catalog, now past 1,300 entries, says one actually was exploited. Most teams still triage as if the two are the same.
NVD's enrichment backlog and how to build a multi-source vuln database strategy
NIST enriched 42,000 CVEs in 2025 — 45% more than any prior year — and still fell behind. On April 15, 2026, it stopped trying to enrich everything.
Prioritizing vulnerabilities by real-world risk, not raw CVSS score
Kenna/Cyentia found just 2.6% of 2019's tracked CVEs were ever actively exploited — yet most teams still triage backlogs by CVSS score alone.
A framework for scaling risk-based AppSec across many teams
40,009 CVEs were published in 2024 alone — a 38.83% jump over 2023. No security team can triage that volume by hand across dozens of engineering teams.