If you manage vulnerabilities by CVSS score alone, you are letting a number computed without any knowledge of your environment decide where your team spends its time. CVSS is a useful common language. It is a poor prioritization engine, because the thing it deliberately ignores — context — is the thing that actually determines risk.
What the score measures, and what it leaves out
A base CVSS score rates a vulnerability's intrinsic characteristics: the attack vector, the privileges and user interaction it requires, and its impact on confidentiality, integrity and availability. By design, it says nothing about your specific deployment. It does not know whether the affected system is exposed to the internet or buried three segments deep. It does not know whether it holds your most sensitive data or a public marketing page. It does not know whether a known exploit is circulating in the wild. The standard does define Temporal (Threat, in v4) and Environmental metric groups to capture exactly that, but vendors and scanners publish the base score, and the base score is what nearly everyone consumes.
Two systems with an identical "9.8 critical" can carry wildly different real-world risk. One is an internet-facing server holding customer records. The other is an internal tool reachable only by ten trusted engineers, behind controls that make exploitation impractical. The score is the same. The risk is not.
A CVSS score tells you how bad a vulnerability is in theory. Only context tells you how bad it is for you.
The three questions a score cannot answer
Before a finding earns a place at the top of the queue, three contextual questions matter more than its base score.
- Is it reachable? Exposure to the internet, or to a network segment an attacker is likely to reach, changes everything. An unreachable critical is, for practical purposes, not critical yet.
- What sits behind it? A vulnerability on a system holding regulated data or guarding a privileged path is worth more attacker effort, and therefore more of yours, than the same flaw on something inconsequential.
- Is it being exploited? A vulnerability with a public, weaponized exploit and active in-the-wild use is a different problem from one that is theoretical. Threat intelligence belongs in the prioritization decision: at minimum, whether the CVE appears in a known-exploited-vulnerabilities catalogue such as CISA's KEV, and its EPSS probability of exploitation.
Context cuts both ways
Context does not only escalate. It also de-escalates, and that is where it earns most of its value. A backlog of thousands of "critical" and "high" findings is unworkable, and treating them all as urgent guarantees the genuinely urgent ones get the same attention as the rest.
When you layer reachability, asset sensitivity, and exploit availability over raw scores, the backlog reorganizes itself. A small number of findings rise to the top because they are exposed, guard something valuable, and are actively being exploited. A large number recede, not because they are safe to ignore forever, but because they are not where this week's effort belongs.
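The three questions above, and the re-sort this section describes, as working code. This is an added example and not from the original article: the multipliers, the thresholds, the host names and the F-nnnn identifiers are constructed for illustration, and the `epss` and `in_kev` fields stand in for whichever threat feed you actually consume.

```python
"""Contextual vulnerability triage: layer reachability, asset sensitivity and
exploit activity over the CVSS base score, then re-sort the backlog.

Added example, not code from the original article.  The weights, thresholds
and the findings in sample_findings() are constructed; the F-nnnn identifiers
are placeholders, not real advisories.
"""
from dataclasses import dataclass

# How likely an attacker is to reach the host at all (constructed weights).
EXPOSURE = {"internet": 1.0, "internal": 0.5, "isolated": 0.2}

# What sits behind the flaw (constructed weights).
SENSITIVITY = {"regulated": 1.0, "business": 0.7, "inconsequential": 0.3}


@dataclass(frozen=True)
class Finding:
    id: str
    host: str
    cvss: float           # CVSS base score, 0.0 to 10.0
    exposure: str         # a key of EXPOSURE
    sensitivity: str      # a key of SENSITIVITY
    epss: float = 0.0     # EPSS-style probability of exploitation, 0.0 to 1.0
    in_kev: bool = False  # listed in a known-exploited-vulnerabilities catalogue


def validate(f: Finding) -> None:
    """Reject records the scoring cannot interpret instead of silently scoring
    them low: a typo in an exposure label must not bury a real finding."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.id}: CVSS {f.cvss} out of range")
    if f.exposure not in EXPOSURE:
        raise ValueError(f"{f.id}: unknown exposure {f.exposure!r}")
    if f.sensitivity not in SENSITIVITY:
        raise ValueError(f"{f.id}: unknown sensitivity {f.sensitivity!r}")
    if not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"{f.id}: EPSS {f.epss} out of range")


def exploit_factor(f: Finding) -> float:
    """Threat dimension: confirmed in-the-wild use counts fully; otherwise scale
    by EPSS with a floor so theoretical flaws keep their base-score ordering."""
    if f.in_kev:
        return 1.0
    return 0.3 + 0.7 * f.epss


def priority(f: Finding) -> float:
    """Multiplicative on purpose: one cold dimension (unreachable, worthless
    target, no exploit) pulls the score down, which is how attackers choose."""
    validate(f)
    score = f.cvss * EXPOSURE[f.exposure] * SENSITIVITY[f.sensitivity] * exploit_factor(f)
    return round(score, 2)


def rank(findings):
    """Backlog ordered by contextual priority, highest first."""
    return sorted(findings, key=priority, reverse=True)


def triage(findings, now=4.0, scheduled=1.0):
    """Split the ranked backlog into this week's work, scheduled work, and the
    part that recedes (not ignored forever, just not where effort goes now)."""
    buckets = {"now": [], "scheduled": [], "backlog": []}
    for f in rank(findings):
        p = priority(f)
        key = "now" if p >= now else "scheduled" if p >= scheduled else "backlog"
        buckets[key].append(f.id)
    return buckets


def sample_findings():
    """Constructed backlog: two identical 9.8s in very different contexts, plus
    lower-scored flaws that are reachable and actively exploited."""
    return [
        Finding("F-1001", "web-01", 9.8, "internet", "regulated", in_kev=True),
        Finding("F-1002", "lab-07", 9.8, "isolated", "inconsequential", epss=0.01),
        Finding("F-1003", "vpn-gw", 7.5, "internet", "business", in_kev=True),
        Finding("F-1004", "db-02", 9.1, "internal", "regulated", epss=0.02),
        Finding("F-1005", "portal", 5.3, "internet", "regulated", epss=0.90),
    ]


if __name__ == "__main__":
    for f in rank(sample_findings()):
        print(f"{f.id} {f.host:8} cvss={f.cvss:<4} priority={priority(f):5.2f}")
    print(triage(sample_findings()))
```

Run it and the two 9.8s land at opposite ends of the list: the internet-facing, actively exploited one stays on top, while the one on an isolated lab host drops to the backlog. A 7.5 on an exploited VPN gateway and a 5.3 on an internet-facing portal with a high EPSS both outrank a 9.1 on an internal database that nobody is exploiting. The multiplicative form is a design choice: an additive score would let a high base score alone carry a finding to the top, which is exactly the CVSS-sorted list the article argues against. The validation step matters in practice because asset inventories are messy, and an unrecognised label should fail loudly rather than quietly score a real finding as low risk.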
How attackers prioritize — and why you should mirror it
Attackers do not work down a CVSS-sorted list. They look for the exposed, reachable weakness that gets them closest to something worth taking. Your prioritization should mirror their logic, because you are competing for the same finite attention over the same set of weaknesses.
This is the practical case for assessment over scanning. A scanner hands you scores. An assessment hands you the context: which findings chain into a real path, which are reachable, and which actually threaten something that matters. The score is where triage starts. It should never be where it ends.