Vulnerability management used to depend on a familiar rhythm: A new flaw was disclosed, public databases added analysis and security teams worked through the queue by severity. That model is now straining under its own weight. Vulnerability disclosures keep climbing, but the National Vulnerability Database has faced a significant operational breakdown: Beginning in early 2024, NIST sharply slowed enrichment of new CVE entries, and in April 2026, NIST formally announced it would no longer enrich all CVE entries, moving to a triage model that leaves the majority of submissions without scores, metadata or supporting analysis.
Security leaders need to rethink defensive strategies, from monitoring to remediation. Even with the help of automation, teams with limited resources can’t approach every vulnerability with equal urgency, and waiting for more complete information can leave a business exposed while attackers keep moving. Security teams must learn to weigh new vulnerabilities in terms of the organization’s real environment, operational priorities and potential business impact.
In a world of incomplete signals, security leaders need a sharper sense of which risks matter now, which can wait and which require a different kind of control altogether. Members of the Senior Executive Cybersecurity Think Tank are leaders in enterprise cybersecurity strategies, data breach prevention, risk management and modern security architecture. Below, they share how organizations can rethink vulnerability risk assessment as public data becomes less complete and focus attention where it can have the greatest protective impact.
Make Exploitability the Headline
David Etue, Chief Strategy Officer of Cyberbit, says security leaders need to change the lens they use to evaluate vulnerability risk. As public registries struggle to keep pace with disclosure volume, a generic severity label may not be enough to determine what should move first.
“Security leaders need to make exploitability the headline, not just database severity,” Etue says.
Public information still matters, but Etue says teams need to expand the signals they watch and strengthen the internal processes that turn those signals into action.
“Public registries will increasingly lag or be incomplete, so teams should pay closer attention to software provider advisories and open-source project updates, paired with threat intelligence monitoring for evidence that a vulnerability is being actively exploited or easily weaponized,” he says. “They also need the resourcing and process capability to apply updates quickly or implement mitigating controls.”
That capability will only become more important as vulnerability creation and detection speeds up.
“AI-driven vulnerability discovery will create more exploitable findings faster, so the differentiator will be how efficiently organizations turn incomplete information into risk-based action,” Etue says.
Focus on Running Code
Jamshir Qureshi, Vice President of DevSecOps Engineering for MUFG Bank Ltd., says the scale of disclosed vulnerabilities is forcing leaders to rethink long-standing prioritization habits.
“Public databases are drowning; they can’t give deep analysis on every new CVE,” Qureshi says. “So leaders must stop treating CVSS scores as gospel.”
For Qureshi, the issue isn’t whether vulnerability scores are useful. It’s whether they’re enough to tell a security team what’s actually most important inside its own environment.
“What matters now is exploitability and context, not severity alone,” he says. “A critical vulnerability in an unused library? Ignore it. A medium in your internet-facing auth service? Patch it today.”
That shift requires a closer look at what’s actually happening in production.
“Shift to runtime intelligence: Monitor what actually executes in your environment,” Qureshi says. “Use telemetry to see which components are reachable. Invest in continuous validation and small-scale penetration tests that ask, ‘Can this actually be exploited in our setup?’ Also watch for vulnerability chatter—if threat actors are discussing it on dark forums or PoC code drops, move fast. Otherwise, breathe.”
His ultimate guidance for leaders is straightforward.
“The new rule: Don’t chase every CVE,” Qureshi says. “Chase the ones that matter to your running code.”
Rank by Exploitation Likelihood and Blast Radius
Rajat Sharma, CEO of CWS, says the old signals were never as strong as many teams wanted them to be. And with disclosure volumes rising, he says those limits are becoming harder to ignore.
“CVSS plus NVD enrichment was always a weak risk signal; the NVD backlog and AI-driven disclosure volume now make it an unreliable one,” Sharma says.
That means security leaders need to look at a wider set of risk indicators.
“Stop ranking by CVSS and start ranking by exploitation likelihood and blast radius,” Sharma says. “CISA KEV, EPSS, vendor advisories and threat intel feeds tell you what is being weaponized this week.”
The most urgent vulnerabilities aren’t always the ones with the highest score on paper. Sharma says leaders need to connect each finding to assets, the environment and the likely consequences of compromise.
“Pay most attention to reachability and exposure,” he says. “A critical CVE in code that is never executed and behind authentication on a segmented host is noise. A medium CVE on an internet-facing identity provider with credentials in scope is the fire. Map vulnerabilities to assets, asset criticality and compensating controls before you patch.”
Tie Risk to Business Impact
Pavel Mishchenko, Manager of Security and IT Infrastructure Systems for large-scale critical infrastructure projects, says incomplete disclosures should push security leaders toward a more business-centered view of risk.
“As vulnerability disclosures become increasingly superficial, security leaders will have to rethink the way they assess risk altogether,” he says. “The only truly reliable point of reference is a deep understanding of their own business.”
That kind of assessment requires knowledge of which systems support the most important functions of the organization.
“CISOs should focus less on how many CVEs exist in their environment and more on which business processes would fail if a specific asset were compromised,” Mishchenko says. “In this model, priorities are no longer driven by the completeness of public vulnerability data but by the potential impact on operations, revenue, human safety and regulatory resilience.”
Focus on Damage Control Within Your Unique Environment
Rashid Feroze, Head Of Security Engineering at CRED, says public vulnerability databases can miss more than just detail. Some serious attacker paths may never show up in the traditional disclosure system at all.
“Public vulnerability databases like CVE and NVD are falling behind,” Feroze says. “Volume is outpacing analysis, and many attacker-used paths, including malicious packages, misconfigurations and supply chain compromises, never get a CVE at all.”
For Feroze, the response is both practical and realistic: Concentrate on where your systems are most vulnerable, and accept that no defense is fully impenetrable.
“Two things matter now,” he says. “Stop prioritizing by severity score alone; focus on what is actually exploitable in your environment. And assume some bad code will get in anyway. Limit what your systems and dependencies can do, and monitor how they behave so one compromise doesn’t quietly turn into a breach.”
That makes detection a core part of modern vulnerability risk management, especially when public information is delayed, incomplete or absent.
“Behavioral detection is where real investment is needed,” Feroze says. “For supply chain and zero-day threats, you will often see the attack before you see the vulnerability.”
Move Beyond Severity Scores
Bhavya Bhandari, Cybersecurity Risk Management Leader, Financial Services at Ernst & Young US LLP, says leaders need to make the shift from simple scoring to more careful, individualized decision-making.
“As vulnerability disclosures continue to outpace detailed supporting analysis, leaders are moving beyond severity scores toward contextual, risk-based decisions,” Bhandari says.
That approach helps leaders concentrate limited resources on the issues most likely to affect the organization.
“The focus should be on exploitability, exposure and business impact,” Bhandari says. “Leverage threat intelligence and asset context to focus remediation on what can help drive risk-based decisions and outcomes.”
Eliminate Risk Conditions, Not Just CVEs
Gaurav Kulkarni, Senior Security Manager at Microsoft, says waiting for public databases and CVSS scores to prioritize risk isn’t a viable strategy. He advises security leaders to stop chasing individual CVEs and start working to understand exploitability in the context of their own environments.
“Effective risk prioritization requires context,” he says. “Leaders must understand the criticality of their assets, the reality of their exposure and the potential business impact of compromise. Priorities should be driven by contextual risk and organizational impact, not by generic severity ratings alone.”
Kulkarni says leaders also need to take a more ambitious approach to risk remediation.
“The other essential change is moving from fixing one-off vulnerabilities to defect class elimination,” he says. “Instead of triaging an endless queue, use AI to hunt variants and eliminate the pattern entirely.”
The bottom line? Security leaders shouldn’t lose sight of the forest while they’re chopping down trees.
“Leaders should pay less attention to the number of vulnerabilities remediated and more to the reduction of underlying risk conditions,” Kulkarni says. “The true measure of progress is risk eliminated, not CVEs closed.”
Smarter Ways to Prioritize Vulnerability Risk
- Make exploitability the first filter. When public databases lag or lack detail, security teams should look for evidence that a vulnerability can be exploited or weaponized, not just whether it carries a high severity score.
- Focus on what actually runs in your environment. Runtime intelligence, telemetry and targeted testing can help teams identify which vulnerabilities are reachable, active and relevant to the systems the business depends on.
- Rank risk by likelihood and blast radius. Inputs such as CISA KEV, EPSS, vendor advisories and threat intelligence can help teams understand what’s being exploited now and how much damage a compromise could cause.
- Connect vulnerability decisions to business operations. Security leaders should prioritize flaws based on which assets support critical processes, revenue, safety and regulatory resilience.
- Assume some risky code or attacker path will get through. Limiting what systems and dependencies can do, then monitoring how they behave, can help prevent one weakness from becoming a full breach.
- Use context to guide remediation. Exploitability, exposure, asset criticality and business impact can help teams direct limited resources toward the vulnerabilities most likely to create real harm.
- Measure risk reduction, not just CVEs closed. Leaders should look beyond one-off fixes and use tools, including AI, to identify recurring patterns and eliminate underlying risk conditions.
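The contextual triage the contributors describe (Qureshi's "critical in an unused library versus medium in the internet-facing auth service", Sharma's "likelihood times blast radius", and the summary list above) can be written down as a small ranking model. The following Python is an added illustration, not code from the article or any contributor; the weights, thresholds and CVE identifiers are constructed assumptions, and the KEV, EPSS, reachability and criticality inputs are assumed to come from your own feeds and telemetry.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str            # identifier (constructed placeholders below)
    asset: str
    cvss: float         # base severity 0-10: the signal the article says not to rank by alone
    epss: float         # EPSS probability of exploitation, 0-1
    in_kev: bool        # listed in CISA KEV, i.e. exploitation is confirmed
    reachable: bool     # runtime telemetry shows the vulnerable code actually executes
    internet_facing: bool
    criticality: int    # asset criticality 1 (low) .. 5 (identity, payments, safety)
    compensating: bool  # a compensating control (segmentation, WAF rule, feature off) applies

# Assumed thresholds for illustration, not an industry standard.
PATCH_NOW, SCHEDULE = 25.0, 5.0

def triage(f: Finding) -> tuple[str, float]:
    """Rank by likelihood x exposure x blast radius; CVSS only nudges the result."""
    if not f.reachable:                        # never executed: noise, whatever the CVSS
        return "ignore: not reachable", 0.0
    likelihood = 1.0 if f.in_kev else f.epss   # confirmed exploitation beats an estimate
    exposure = 1.0 if f.internet_facing else 0.4
    if f.compensating:
        exposure *= 0.5
    blast = f.criticality / 5
    severity = 0.5 + f.cvss / 20               # 0.5 .. 1.0, a tiebreaker rather than a driver
    score = round(100 * likelihood * exposure * blast * severity, 1)
    if score >= PATCH_NOW:
        return "patch today", score
    if score >= SCHEDULE:
        return "schedule this sprint", score
    return "backlog", score

def rank(findings: list[Finding]) -> list[tuple[str, str, float]]:
    """Return (cve, action, score) rows, most urgent first."""
    rows = [(f.cve, *triage(f)) for f in findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample findings mirroring the article's examples.
SAMPLE = [
    Finding("CVE-0000-0001", "unused-lib", 9.8, 0.05, False, False, False, 3, False),
    Finding("CVE-0000-0002", "idp", 5.4, 0.20, True, True, True, 5, False),
    Finding("CVE-0000-0003", "segmented-host", 9.1, 0.10, False, True, False, 2, True),
    Finding("CVE-0000-0004", "batch-worker", 7.5, 0.90, True, True, False, 4, False),
]

if __name__ == "__main__":
    for cve, action, score in rank(SAMPLE):
        print(f"{cve}: {score:5.1f}  {action}")
```

Note that the critical CVE on the unused library ranks last and the medium on the identity provider ranks first, which is the ordering the contributors argue for; tune the weights to your own environment rather than treating these numbers as fixed.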
From Patch Queues to Real Risk Remediation
As public vulnerability data becomes less complete, security leaders can’t rely on old prioritization habits to decide what deserves urgent attention. Teams need to understand what’s exploitable, what’s exposed, what’s critical to the business, and what could cause the most damage if compromised.
The future of vulnerability management will be less about chasing every new disclosure and more about building a risk intelligence discipline that combines threat signals, asset knowledge, runtime visibility, business impact and strong controls. Organizations that make that shift will be better positioned to act quickly when it matters, avoid costly distraction when it doesn’t, and mitigate the conditions that allow vulnerabilities to become breaches.