In most security operations centers, CVSS quietly dictates remediation priorities. Dashboards are sorted by severity. "Critical" vulnerabilities float to the top. Quarterly summaries celebrate how many 9.0+ findings were closed.
On paper, it looks rational. In practice, it's often wrong.
CVSS was designed to standardize how vulnerabilities are scored. Its origin and main purpose is to measure technical severity: exploit complexity, required privileges, and impact on confidentiality, integrity, and availability. It provides a shared language. Where it has perpetually struggled is in measuring the context a vulnerability sits in: whether the asset is internet-facing, how critical it is to the business, and whether attackers are actively exploiting the flaw. And context is where real risk lives.
How Abstract Scores Turn Vulnerability Management Into "Severity Theater"
A vulnerability scored 9.8 in a non-production environment with no external access may demand immediate attention under a severity-first model. Meanwhile, a 7.2-rated flaw in a public-facing authentication API supporting millions of users might sit lower in the queue. One is technically severe. The other is strategically dangerous.
Attackers understand this distinction instinctively. They prioritize reachability, business value, and exploit paths — not abstract severity numbers. When defenders prioritize differently, they create misalignment between perceived risk and actual exposure.
The problem becomes even more pronounced once vulnerability data leaves its original source. Pentest findings are often delivered as static reports. Scanner results populate separate dashboards. Cloud misconfigurations surface elsewhere. Identity-related risks appear in yet another console. Each tool applies its own scoring model, and none of them understands business impact holistically. CVSS was meant to address this problem, but gaps remain.
In many organizations, findings are manually translated into ticketing systems, often stripped of original context. Screenshots disappear. Exploit paths are condensed into short descriptions. Severity labels survive, but environmental nuance does not. Over time, remediation becomes a process of chasing numbers rather than reducing meaningful exposure.
This fragmentation creates what might be called "severity theater." Teams appear busy addressing critical findings, but leadership struggles to answer a more important question: Are we reducing real risk across our most important assets?
Putting the Severity Score in Its Proper Place
Modern security programs are beginning to shift toward contextual risk scoring. Instead of treating CVSS as the final word, they treat it as one signal among many. Asset classification, internet exposure, exploit availability, threat intelligence, business criticality, and compensating controls all inform prioritization decisions. A vulnerability's importance changes depending on where it exists and what it protects.
This is where exposure management platforms are reshaping workflows. By centralizing findings from penetration tests, vulnerability scanners, cloud tools, and identity systems, organizations can enrich technical data with business context. Findings are normalized, duplicates are reconciled, and risk equations can be customized to reflect what truly matters to the organization.
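To make the "one signal among many" model concrete, here is an added Python example. It is not PlexTrac's or any other vendor's scoring formula; the factor names, weights, thresholds and sample findings are assumptions constructed for illustration, and any real program would tune them to its own environment. The code first reconciles duplicate reports of the same weakness from different tools (normalizing on asset plus CVE or title), then starts from the CVSS base score and adjusts it for internet exposure, environment, business criticality, exploit availability and compensating controls. The sample data reproduces the article's case of a 9.8 in a non-production environment versus a 7.2 in a public-facing authentication API.

```python
"""Contextual risk prioritization: CVSS base score as one input, not the verdict.

Added example; weights and sample data are assumptions, not a published model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Finding:
    asset: str
    title: str
    cvss_base: float                 # technical severity as the scanner/tester reported it
    sources: Set[str] = field(default_factory=set)   # "pentest", "scanner", "cloud", "identity"
    cve: Optional[str] = None


@dataclass
class AssetContext:
    internet_facing: bool
    environment: str                 # "prod", "staging" or "dev"
    business_criticality: int        # 1 (low) .. 5 (revenue / customer-trust critical)
    compensating_controls: int       # number of effective mitigations in front of the flaw


@dataclass
class ThreatContext:
    exploit_public: bool = False     # working exploit code is publicly available
    actively_exploited: bool = False # threat intel reports in-the-wild exploitation


def dedupe(findings: List[Finding]) -> List[Finding]:
    """Reconcile the same weakness reported by several tools for one asset."""
    merged: Dict[Tuple[str, str], Finding] = {}
    for f in findings:
        key = (f.asset, (f.cve or f.title).strip().lower())
        if key in merged:
            m = merged[key]
            m.sources |= f.sources
            m.cvss_base = max(m.cvss_base, f.cvss_base)   # tools disagree; keep the higher base
        else:
            merged[key] = Finding(f.asset, f.title, f.cvss_base, set(f.sources), f.cve)
    return list(merged.values())


def contextual_score(finding: Finding, asset: AssetContext, threat: ThreatContext) -> float:
    """Start from CVSS, then let reachability, value and threat reshape it (assumed weights)."""
    score = finding.cvss_base
    if not asset.internet_facing:
        score *= 0.5                                    # unreachable from outside: half weight
    if asset.environment != "prod":
        score *= 0.6                                    # non-production blast radius is smaller
    score *= 0.4 + 0.2 * asset.business_criticality     # criticality 1 -> x0.6, 5 -> x1.4
    if threat.actively_exploited:
        score *= 1.5
    elif threat.exploit_public:
        score *= 1.25
    score *= max(0.5, 0.85 ** asset.compensating_controls)   # each control discounts, floor 0.5
    return round(min(score, 10.0), 1)


def bucket(score: float) -> str:
    """Map a contextual score onto remediation SLAs (assumed thresholds)."""
    return "P1" if score >= 8 else "P2" if score >= 5 else "P3" if score >= 3 else "P4"


def prioritize(findings, assets, threats):
    """Return (finding, score, bucket) triples, most dangerous for *us* first."""
    ranked = []
    for f in dedupe(findings):
        s = contextual_score(f, assets[f.asset], threats.get(f.asset, ThreatContext()))
        ranked.append((f, s, bucket(s)))
    return sorted(ranked, key=lambda t: (-t[1], t[0].title))


# Constructed sample data (hypothetical assets, titles and CVE placeholders).
FINDINGS = [
    Finding("dev-batch-01", "Deserialization RCE in batch runner", 9.8, {"scanner"}, "CVE-0000-0001"),
    Finding("auth-api", "Auth bypass via token confusion", 7.2, {"pentest"}, "CVE-0000-0002"),
    Finding("auth-api", "Auth bypass via token confusion", 7.2, {"scanner"}, "CVE-0000-0002"),
    Finding("www-edge", "Verbose error leaks stack traces", 5.3, {"scanner"}),
]
ASSETS = {
    "dev-batch-01": AssetContext(internet_facing=False, environment="dev", business_criticality=2, compensating_controls=0),
    "auth-api": AssetContext(internet_facing=True, environment="prod", business_criticality=5, compensating_controls=1),
    "www-edge": AssetContext(internet_facing=True, environment="prod", business_criticality=3, compensating_controls=2),
}
THREATS = {"auth-api": ThreatContext(exploit_public=True)}


def demo():
    """Rank the constructed findings; the 7.2 outranks the 9.8 once context is applied."""
    return prioritize(FINDINGS, ASSETS, THREATS)


if __name__ == "__main__":
    for f, s, b in demo():
        print(f"{b}  {s:>4}  (CVSS {f.cvss_base})  {f.asset:<13} {f.title}  sources={sorted(f.sources)}")
```

Two design choices matter more than the specific weights. First, deduplication runs before scoring so that a finding reported by both the pentest and the scanner is one workflow object with both sources attached, not two tickets with different numbers. Second, the multipliers are applied to the CVSS base score rather than replacing it, so the technical severity still matters; it just no longer decides the order on its own.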
Moving From Theory to Reality
Platforms such as PlexTrac exemplify this shift by transforming vulnerability data into operational workflow objects rather than static report entries. Findings can be scored based on asset sensitivity and exposure, automatically routed into remediation systems, tracked through validation, and measured over time. Instead of asking which vulnerabilities are "critical," teams can ask which exposures materially threaten revenue, customer trust, or operational continuity.
The distinction is subtle but profound. CVSS answers, "How severe is this vulnerability in theory?" Contextual prioritization answers, "How dangerous is this vulnerability for us right now?"
Embracing Continuous Contextualization
As hybrid environments expand and attack surfaces blur across cloud, SaaS, APIs, and identity layers, static severity models struggle to keep up. Attackers exploit chains of weaknesses that span systems. They move laterally across identity misconfigurations. They leverage exposed services rather than the highest CVSS score in the room.
Frameworks such as Continuous Threat Exposure Management (CTEM) reflect this evolving reality. They emphasize continuous scoping, discovery, prioritization, validation, and mobilization, not periodic reporting cycles. In this model, risk reduction is not measured by the number of critical findings closed, but by demonstrable decreases in exploitable exposure over time.
Organizations that continue to treat severity as synonymous with risk will remain trapped in reactive remediation cycles. Those that enrich vulnerability data with context and embed it into collaborative workflows will move closer to what security ultimately promises: measurable reduction of real-world exposure.
Security teams that align prioritization with context and operationalize remediation accordingly are the ones that actually remove that exposure.
About the author: Dan DeCloss is the Founder of PlexTrac and has over 20 years of experience in Cybersecurity. Dan started his career in the Department of Defense and then moved on to the private sector, where he worked for various companies, including Telos, Veracode, Mayo Clinic, and Anthem. Dan's background is in application security and penetration testing.
Dan has a master's degree in Computer Science from the Naval Postgraduate School with an emphasis in Information Security. Additionally, Dan holds the OSCP and CISSP certifications.
Dan has a passion for helping everyone understand cybersecurity at a practical level, ensuring that focus is on the right work to reduce risk.