Vulnerability Intelligence

Vulnerability intelligence is the practice of enriching raw CVE data with exploitation context — including EPSS probability scores, CISA KEV catalog status, threat actor targeting patterns, weaponisation stage, and asset reachability — to produce actionable prioritisation guidance. It moves security teams beyond severity-based patch lists toward exploitation-driven remediation decisions aligned with real attacker behaviour.

CVSS measures the theoretical severity of a vulnerability based on its technical characteristics — attack vector, complexity, impact scope. It does not predict whether attackers will actually exploit it. EPSS (Exploit Prediction Scoring System) estimates the probability that a vulnerability will be exploited in the wild within the next 30 days, based on historical exploitation patterns and threat intelligence signals. For operational prioritisation, EPSS is significantly more predictive than CVSS alone.

The CISA Known Exploited Vulnerabilities catalog is a continuously updated list of CVEs confirmed as actively exploited in real-world attacks. CISA mandates remediation deadlines for US federal agencies, but the catalog is publicly available and operationally valuable for any organisation. Any vulnerability appearing in the KEV catalog should bypass standard SLA queues and move to emergency remediation, regardless of its CVSS score. In 2025, 28.96% of KEV entries showed exploitation before or on their public disclosure date — making KEV status the highest-urgency signal available.

Start with three free signals available without any tooling. First, check CISA KEV status — any CVE on that list is an immediate priority. Second, check the EPSS score via FIRST.org or Hackerstorm's CVE search — anything above 0.10 (10% exploitation probability) warrants elevated attention. Third, assess internet exposure — vulnerabilities on internet-facing or edge infrastructure carry substantially higher operational risk than internal-only systems regardless of CVSS score. Combining these three signals without any commercial platform produces significantly better prioritisation than CVSS alone.

Weaponisation is the stage at which a vulnerability moves from theoretical exploitability to active operational use by threat actors. A vulnerability with a published proof-of-concept is more dangerous than one without — but a vulnerability integrated into automated exploitation frameworks or active ransomware toolkits represents immediate operational risk. Weaponisation stage is a critical signal that CVSS does not capture and that EPSS only partially reflects. Hackerstorm tracks weaponisation progression as part of its vulnerability intelligence analysis.

Hackerstorm was built on the principle that practitioner-grade security intelligence should not sit behind paywalls or sales processes. Security teams — particularly those in under-resourced organisations — need the same quality of exploitation context that enterprise platforms charge thousands for. Hackerstorm provides free, vendor-neutral vulnerability intelligence with no account requirements, no marketing content, and no commercial agenda. The platform is supported by its community of security practitioners.