Safeguard
Tag

epss

Safeguard articles tagged "epss" — guides, analysis, and best practices for software supply chain and application security.

40 articles

Vulnerability Management

When CVSS Scoring Misleads Severity Context

Only 2-6% of published CVEs are ever exploited in the wild, yet a much larger share carry CVSS 7.0+ scores — a gap that quietly wrecks patch prioritization.

Jul 16, 20267 min read
Vulnerability Management

Vulnerability fatigue and the case for risk-based prioritization

48,185 CVEs were published in 2025 alone. Most teams can't triage that volume — reachability and exploit maturity data show which ones actually matter.

Jul 10, 20267 min read
Vulnerability Management

A prioritization framework for triaging security alerts at scale

Only 2.6% of CVEs tracked in 2019 saw real-world exploitation, per Kenna Security/Cyentia — yet most teams still triage by CVSS alone. Here's a better framework.

Jul 9, 20267 min read
FAQ

Vulnerability Prioritization FAQ: How to Decide What to Fix First

You can't fix everything at once. This FAQ explains how to prioritize vulnerabilities using severity, exploitation likelihood, active-exploitation evidence, and reachability.

Jul 8, 20266 min read
Best Practices

A Step-by-Step Methodology for Mapping and Prioritizing Attack Surface

CVE-2023-34362 sat in one internet-facing file-transfer server and still produced thousands of downstream breaches — attack surface mapping is what catches that server before Cl0p does.

Jul 8, 20267 min read
Application Security

Beyond vulnerability management: a risk-based approach to AppSec

Fewer than 5% of published CVEs are ever exploited in the wild, yet most teams still triage by raw count — here's the exploitability-first alternative.

Jul 8, 20267 min read
Vulnerability Management

Continuous vulnerability management: the discovery-to-verification lifecycle

CISA's new BOD 26-04 gives federal agencies as little as 3 days to remediate the highest-risk flaws — a preview of the SLA pressure every engineering org now faces.

Jul 8, 20267 min read
Vulnerability Management

CVSS 4.0 vs. 3.1: what actually changed, and why your priority list should too

CVSS 4.0 killed the Scope metric, added Attack Requirements, and split scoring into CVSS-B/BT/BE/BTE labels — here's what that means for triage.

Jul 8, 20266 min read
Vulnerability Management

Exploitability vs. breakability: a practical rubric for vulnerability triage

CVSS says a flaw could be bad. CISA's KEV catalog, now past 1,300 entries, says one actually was exploited. Most teams still triage as if the two are the same.

Jul 8, 20267 min read
Vulnerability Management

NVD's enrichment backlog and how to build a multi-source vuln database strategy

NIST enriched 42,000 CVEs in 2025 — 45% more than any prior year — and still fell behind. On April 15, 2026, it stopped trying to enrich everything.

Jul 8, 20266 min read
Vulnerability Management

Prioritizing vulnerabilities by real-world risk, not raw CVSS score

Kenna/Cyentia found just 2.6% of 2019's tracked CVEs were ever actively exploited — yet most teams still triage backlogs by CVSS score alone.

Jul 8, 20267 min read
DevSecOps

A framework for scaling risk-based AppSec across many teams

40,009 CVEs were published in 2024 alone — a 38.83% jump over 2023. No security team can triage that volume by hand across dozens of engineering teams.

Jul 8, 20267 min read
epss — Safeguard Blog