

Every day, new software vulnerabilities are discovered, and new CVEs (Common Vulnerabilities and Exposures) are published. Security teams get overwhelmed by the number of alerts, with every new gap flagged as critical. The security plan then follows the rush, and remediation effort is spread thin and becomes less effective.
Your organization likely has hundreds of open CVEs today. What you do next matters: do you follow traditional rankings and patch blindly, or prioritize the vulnerabilities attackers are actually targeting before they reach you?
The answer changes everything about how you allocate your team's time and strengthen your strategy.
The traditional mechanism attaches each CVE to a CVSS (Common Vulnerability Scoring System) score that measures severity. The score is determined by exploitability factors and the theoretical damage if the vulnerability were exploited.
The problem is, according to Splunk, only 2-7% of newly published vulnerabilities are ever exploited. That means if your team is patching everything flagged as "Critical" by CVSS, the vast majority of that effort goes toward vulnerabilities that will not be used. Meanwhile, a CVE with a modest severity score but active exploitation methods available may receive less attention and present more risk.
This is a clear signal that classical scores are disconnected from the reality of exploitation, and that a smarter system is needed. The priority should be which CVEs will actually be exploited, not which ones would cause the most theoretical damage.
Exploit predictors apply that smarter filter by studying the real situation, analyzing data patterns, and identifying which vulnerabilities are most likely to be targeted next.
It’s a broad category that includes many tools and data sources, both free and commercial. EPSS and CISA KEV are the most widely adopted public ones across organizations:
EPSS (Exploit Prediction Scoring System) started in 2019 as an open, community-driven effort to approach vulnerability risk differently. Instead of asking "how bad could this be?", it asks "how likely is this to actually be used in an attack?", and that is where its scoring mechanism differs.
Under the hood, the model pulls from over 1,100 variables (vendor reports, researcher data, and white hat disclosures) and updates the scores to reflect what's actually happening in the threat landscape.
In practice, security teams set a threshold (for example, any CVE above 0.3 gets fast-tracked) that turns an overwhelming list of alerts into a manageable queue. And because scores refresh continuously, your priorities shift with those of the threat landscape.
The KEV (Known Exploited Vulnerabilities) catalog is an official list of security flaws that attackers have actively exploited. It is maintained by CISA (Cybersecurity and Infrastructure Security Agency) to help organizations prioritize patching based on real-world threat activity.
Unlike EPSS, it doesn't predict or estimate anything. It’s more confirmatory, a binary system that either appends the CVE to the list or not, based on its past verified exploitation evidence.
CISA strongly recommends that all organizations monitor the KEV catalog and prioritize fixing anything on it to reduce the risk of compromise by known threat actors. So if a team detects a CVE that's on the list, the next step is clear: fix it directly, since its exploitation is already confirmed.
Algorithms are not enough to decide the future of your defense plan. EPSS and KEV are powerful, but they need to be supported by an understanding of the "right now" situation. That first layer is understanding who is behind the risk you are defending against.
Attackers are humans with a process. They don't randomly pick CVEs; they have a specific mindset, patterns, and even private discussions and communities.
Connecting those dots makes it clear that CVEs are carefully chosen, not randomly targeted, and that is the data you need to act faster. This is where dark web monitoring and cyber threat intelligence (CTI) come in.
By continuously monitoring these spaces, CTI can surface the vulnerabilities that are actively being weaponized, even days before any scoring model sees them. That's the difference between patching what looks dangerous on paper and patching what's actually dangerous right now. The earlier you catch that signal, the more your team stays in prevention rather than incident response mode.
Deciding what to fix first may be the most important security decision your team makes.
Severity tells you what's dangerous in theory. Exploit predictors tell you what's likely in practice. And threat intelligence is another layer that tells you what's coming before it becomes a statistic.
Individually, each signal provides only part of the picture. Used together, they turn an overwhelming list of alerts into a defensible action plan.
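The following is an added example, not code from the original article, showing how the three signals described above (CVSS severity, an EPSS fast-track threshold, KEV membership, and a CTI "actively weaponized" flag) can be combined into one remediation queue, and how that queue differs from ranking by CVSS alone. The CVE identifiers, scores and flags are constructed placeholders; in production the EPSS scores would come from FIRST's EPSS feed and the KEV flags from CISA's published catalog, both of which are assumed rather than fetched here so the example runs offline.

```python
from dataclasses import dataclass

# Threshold from the text: any CVE with EPSS above 0.3 gets fast-tracked.
EPSS_FAST_TRACK = 0.3


@dataclass
class Finding:
    cve: str            # placeholder identifier, not a real CVE
    cvss: float         # CVSS base score, 0-10 (theoretical severity)
    epss: float         # EPSS probability of exploitation, 0-1
    in_kev: bool = False       # listed in CISA's KEV catalog (confirmed exploitation)
    cti_signal: bool = False   # CTI / dark web monitoring reports active weaponization


def tier(f: Finding) -> int:
    """Map a finding to a remediation tier; lower means fix sooner.

    Tier 0: confirmed exploited (KEV) - no prediction needed, patch directly.
    Tier 1: CTI reports weaponization before any scoring model reflects it.
    Tier 2: EPSS says exploitation is likely; fast-track it.
    Tier 3: everything else, handled in the normal patch cycle.
    """
    if f.in_kev:
        return 0
    if f.cti_signal:
        return 1
    if f.epss > EPSS_FAST_TRACK:
        return 2
    return 3


def prioritize(findings):
    """Order by tier, then by EPSS (likelihood), then by CVSS (impact) as tie-breaker."""
    return sorted(findings, key=lambda f: (tier(f), -f.epss, -f.cvss))


def prioritize_by_cvss(findings):
    """The traditional approach: severity only."""
    return sorted(findings, key=lambda f: -f.cvss)


# Constructed sample findings (placeholder IDs, invented scores).
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.02),                   # critical on paper, rarely exploited
    Finding("CVE-0000-0002", cvss=6.5, epss=0.71),                   # modest severity, high exploitation odds
    Finding("CVE-0000-0003", cvss=7.2, epss=0.05, in_kev=True),      # confirmed exploited
    Finding("CVE-0000-0004", cvss=5.3, epss=0.12, cti_signal=True),  # chatter seen before EPSS caught up
    Finding("CVE-0000-0005", cvss=9.1, epss=0.35),                   # above the fast-track threshold
]


def queue_order(findings=SAMPLE):
    """Combined-signal queue as a list of CVE ids."""
    return [f.cve for f in prioritize(findings)]


def cvss_order(findings=SAMPLE):
    """Severity-only queue as a list of CVE ids, for comparison."""
    return [f.cve for f in prioritize_by_cvss(findings)]


def misdirected_effort(findings=SAMPLE, top_n=2):
    """How many of the top-N by CVSS would not be fast-tracked by the combined signals.

    This is the 'patching what looks dangerous on paper' cost the text describes.
    """
    top_by_cvss = prioritize_by_cvss(findings)[:top_n]
    return sum(1 for f in top_by_cvss if tier(f) == 3)


if __name__ == "__main__":
    print("Combined-signal queue :", queue_order())
    print("CVSS-only queue       :", cvss_order())
    print("Top-2 by CVSS not fast-tracked:", misdirected_effort())
```

The tie-breaker order (EPSS before CVSS within a tier) is a design choice that follows the article's argument: likelihood first, theoretical impact second. Teams that must also weight asset exposure or business criticality would add those as further key components rather than change the tier logic.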