
How Risk Scoring Prioritises Vulnerabilities, And Why CVSS Alone Isn’t Enough

Security teams don’t have a discovery problem. They have a prioritisation problem.

In 2025, 48,185 CVEs were published… a new record. No team is patching all of those. The question is whether you’re patching the right ones, and whether your continuous security testing solutions give you the intelligence to answer that confidently.

Most organisations still lean heavily on CVSS scores to make that call. CVSS tells you how severe a vulnerability could be in the worst case. What it doesn’t tell you is how likely it is to be exploited, whether it’s being actively targeted right now, or whether your specific environment makes it a genuine priority.

That gap is where breaches happen.

Why CVSS on its own falls short

CVSS is a useful baseline. It measures severity based on factors like attack complexity, privileges required, and potential impact. But it’s a static score. It doesn’t change when a new exploit kit starts targeting that vulnerability. It doesn’t account for whether your asset is internet-facing or sitting behind seven layers of controls. It rates the vulnerability in isolation, not in context.

The result is a prioritisation model where high-severity vulnerabilities compete for the same attention regardless of their real-world risk. Teams spend time on vulnerabilities that will never be exploited while genuinely dangerous ones sit in the queue.

Our own data from thousands of assessments confirms the problem. Vulnerabilities with an EPSS score above 0.1 (an estimated probability of exploitation in the next 30 days of more than 10%) are taking organisations an average of 210 days to remediate. That's seven months for vulnerabilities with a documented likelihood of being targeted.

A layered approach to risk scoring

Effective vulnerability prioritisation in continuous vulnerability management programmes combines multiple signals. Three of the most important are CVSS, EPSS, and CISA KEV.

EPSS, the Exploit Prediction Scoring System, uses machine learning to estimate the probability a given vulnerability will be exploited in the next 30 days. It’s forward-looking and continuously updated, making it a strong indicator of what attackers are actually targeting right now.

CISA KEV, the Known Exploited Vulnerabilities catalogue, goes a step further. It lists vulnerabilities confirmed to be exploited in the wild. Not theoretical. Not probable. Confirmed. By the end of 2025, the catalogue contained 1,484 entries, with 246 added during the year alone.

Used together, EPSS and CISA KEV give you two distinct but complementary signals: what’s likely to be exploited soon, and what’s already being used against real targets. Layer CVSS on top for technical severity context, and you have a much richer picture than any single score provides.

At Edgescan, we combine all three within our EXF (eXposure Factor) scoring, a 0–100 risk score that also draws on AI threat intel, ransomware campaign data, and asset context to surface the vulnerabilities that genuinely need your attention first.

Validation matters too

Scoring signals are only part of the equation. The other part is knowing whether a vulnerability is real.

Automated scanning generates noise. False positives waste time and erode trust in the data. When your team can’t tell signal from noise, everything slows down – including remediation of the things that genuinely matter.

This is where human-led pen testing, integrated into a continuous security testing programme, earns its place. Experienced testers verify flagged vulnerabilities, chain exploits to understand real-world impact, and confirm exploitability before anything lands on the priority queue. If it’s in the platform, it’s real. That’s the standard.
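To make the layered model above (KEV, then EPSS, then CVSS with asset context) and the validation gate concrete, here is an added Python example that ranks a constructed backlog. It is illustrative code written for this article, not Edgescan's EXF scoring; the tier thresholds (EPSS >= 0.1, CVSS >= 7.0) and the CVE ids are assumptions and placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str                # CVE id (constructed placeholders below, not real CVEs)
    cvss: float             # CVSS base score, 0-10: static worst-case severity
    epss: float             # EPSS: estimated probability of exploitation in next 30 days
    in_kev: bool            # listed in CISA KEV: exploitation confirmed in the wild
    internet_facing: bool   # asset context: reachable from the internet
    validated: bool         # confirmed real by a human tester, not just a scanner hit

# Tier 0 is worked first. Thresholds are illustrative policy choices for this
# example (an assumption), not Edgescan's EXF formula.
TIER_LABELS = {
    0: "confirmed exploited (CISA KEV)",
    1: "likely exploited soon (EPSS >= 0.1)",
    2: "high severity on an internet-facing asset",
    3: "severity only, no exploitation or exposure signal",
    4: "unvalidated scanner finding, verify before queueing",
}

def priority_tier(f: Finding) -> int:
    """Map one finding to a tier; earlier checks win because they carry stronger evidence."""
    if not f.validated:
        return 4          # validation gate: never queue unverified noise
    if f.in_kev:
        return 0          # confirmed in the wild beats any score
    if f.epss >= 0.1:
        return 1          # forward-looking likelihood of exploitation
    if f.cvss >= 7.0 and f.internet_facing:
        return 2          # severity only matters with exposure
    return 3

def prioritise(findings: list[Finding]) -> list[Finding]:
    """Order by tier, then by EPSS (likelihood), then by CVSS (severity) as a tiebreak."""
    return sorted(findings, key=lambda f: (priority_tier(f), -f.epss, -f.cvss))

def ranked_ids(findings: list[Finding]) -> list[str]:
    return [f.cve for f in prioritise(findings)]

# Constructed sample backlog; the CVE ids are placeholders, not real entries.
FINDINGS = [
    Finding("CVE-0000-0001", 9.8, 0.02, False, False, True),   # critical on paper, internal, unlikely
    Finding("CVE-0000-0002", 7.5, 0.45, True,  True,  True),   # KEV: confirmed exploited
    Finding("CVE-0000-0003", 8.1, 0.15, False, True,  True),   # EPSS says likely soon
    Finding("CVE-0000-0004", 9.1, 0.60, False, True,  False),  # scanner hit, not yet verified
    Finding("CVE-0000-0005", 7.2, 0.01, False, True,  True),   # high, exposed, no exploit signal
]
```

Run `ranked_ids(FINDINGS)` and the CVSS 9.8 finding lands fourth, behind a 7.5 that is in KEV, an 8.1 with EPSS 0.15 and a 7.2 on an exposed asset, which is exactly the gap a CVSS-only queue hides.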

The DevSecOps connection

Risk scoring has a direct impact on DevSecOps velocity. When developers receive a prioritised list of validated, high-risk vulnerabilities with clear remediation guidance, they can act quickly and confidently. When they receive a dump of unranked findings with no context, nothing moves.

Continuous security testing solutions that integrate with tools like Jira and GitHub put validated, risk-scored findings directly into the development workflow. Developers don’t need to interpret security reports. They see what needs fixing, how critical it is, and what to do about it, in the tools they already use every day.

That’s how you reduce mean time to remediation. Not by working harder, but by working from better data.

What the numbers tell us

Our 2026 Vulnerability Statistics Report shows that 37% of enterprise vulnerabilities remain unresolved after 12 months. Nearly one in five of those are high or critical severity. These aren’t unknown risks… they’re documented, scored, and sitting in backlogs.

The teams closing vulnerabilities fastest aren’t the ones with the most resources. They’re the ones working from clean, validated, well-prioritised data.

6.2% of vulnerabilities in our dataset are linked to active ransomware campaigns. If your scoring model doesn’t surface that signal, you’re missing context that attackers are already using against your peers.

Prioritise what’s actually exploitable

CVSS gave the industry a common language for severity. EPSS and CISA KEV brought exploitation intelligence into the picture. Combined with validation and asset context, modern risk scoring in continuous security testing solutions can tell you something far more useful than “this vulnerability is critical” – it can tell you which critical vulnerabilities are most likely to be exploited, which are already being used against organisations like yours, and which ones to close first.

That’s the difference between a vulnerability backlog and a security posture.

To see how Edgescan’s risk scoring and continuous vulnerability management works in practice, request a demo.
