Definition

Risk-Based Prioritization

Focusing remediation effort on the exposures that pose the greatest actual risk rather than working through a vulnerability list sorted by CVSS severity score alone. Requires combining asset context with vulnerability data.

What is Risk-Based Prioritization?

Risk-based prioritization is the practice of ranking remediation activities by actual risk — combining vulnerability severity, exploitation probability, asset criticality, and network exposure — rather than by raw CVSS score or vulnerability count alone. It addresses a fundamental problem in vulnerability management: the remediation backlog is always larger than team capacity, so prioritization decisions determine whether effort is focused on the vulnerabilities most likely to cause harm.

The case for risk-based prioritization is empirical. Research consistently shows that the distribution of actual exploitation is extremely skewed: only a small minority of published CVEs (commonly cited as under 5%) are ever observed being exploited in the wild. Organizations that prioritize by CVSS score work through the highest-severity vulnerabilities first, many of which are never exploited, while potentially deprioritizing medium-severity CVEs that are actively weaponized. Two signals exist specifically to correct this misalignment: EPSS (the Exploit Prediction Scoring System maintained by FIRST), which estimates the probability that a CVE will be exploited within the next 30 days, and CISA's Known Exploited Vulnerabilities (KEV) catalog, which lists CVEs with confirmed exploitation. A KEV entry should be treated as observed exploitation rather than a prediction, which is why it outranks even a low EPSS estimate for the same CVE.

Asset context is as important as vulnerability context. A critical CVE on an isolated, non-critical device with no network exposure is less urgent than a medium CVE on an internet-facing device at the center of core operations. Risk-based prioritization must weight vulnerability risk by asset context to produce meaningful, actionable prioritization. Exposure should reflect actual reachability (which network segment the device sits in, which services it exposes, and to whom), not just a binary internet-facing flag, and criticality should reflect the operational or business impact of the device being compromised or taken offline.

Key Facts

  • Risk-based prioritization using KEV and EPSS reduces remediation workload by 87% versus CVSS-only approaches
  • Fewer than 5% of published CVEs are ever actively exploited in real attacks
  • Asset criticality is as important as CVE severity in determining actual risk
  • Organizations using risk-based prioritization remediate 3–4x more of the actually-exploited CVE set per unit of effort

How ORDR Addresses Risk-Based Prioritization

ORDR's risk scoring engine implements risk-based prioritization by combining CVSS severity, KEV status, EPSS probability, network exposure, asset criticality, and device classification into a single composite score for every asset. This multi-factor score surfaces the combinations of high-exploitability vulnerabilities on high-impact devices that require immediate attention, even when no single metric on its own would place them at the top of the list.
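The composite scoring described above, as an added example that is not ORDR's scoring engine and not code from this page: it folds CVSS, EPSS, KEV status, network exposure and asset criticality (device classification is collapsed into the criticality label here) into one score, then ranks a constructed set of findings both by CVSS alone and by composite risk so the two orderings can be compared. The weights, factor tables, asset names and placeholder vulnerability labels are all assumptions made for the example.

```python
"""Illustrative risk-based prioritization: a composite score built from CVSS,
EPSS, KEV status, network exposure and asset criticality.
Added example; not ORDR's scoring model. Every weight, factor table and
finding below is a constructed assumption."""
from dataclasses import dataclass

# Assumed multipliers. Exposure and criticality describe the asset, not the
# vulnerability, and scale how much a given CVE matters on that device.
EXPOSURE_FACTOR = {"internet": 1.0, "internal": 0.5, "isolated": 0.1}
CRITICALITY_FACTOR = {"critical": 1.0, "high": 0.7, "medium": 0.4, "low": 0.2}
KEV_FLOOR = 0.9  # assumed: a KEV listing (confirmed exploitation) floors likelihood


@dataclass(frozen=True)
class Vuln:
    cve: str      # placeholder label for the example, not a real CVE ID
    cvss: float   # CVSS base score, 0-10
    epss: float   # EPSS: probability of exploitation in the next 30 days, 0-1
    kev: bool     # present in CISA's Known Exploited Vulnerabilities catalog


@dataclass(frozen=True)
class Asset:
    name: str
    exposure: str     # key into EXPOSURE_FACTOR
    criticality: str  # key into CRITICALITY_FACTOR


def likelihood(v: Vuln) -> float:
    """Exploitation likelihood in [0, 1]. KEV means exploitation has already
    been observed, so it overrides a low EPSS estimate instead of being averaged."""
    return max(v.epss, KEV_FLOOR) if v.kev else v.epss


def impact(v: Vuln, a: Asset) -> float:
    """Technical severity scaled by how much the organization depends on the asset."""
    return (v.cvss / 10.0) * CRITICALITY_FACTOR[a.criticality]


def risk_score(v: Vuln, a: Asset) -> float:
    """Composite 0-100 score: likelihood x impact x reachability.
    Multiplying (rather than adding) means one near-zero factor, such as an
    isolated device, pulls the whole score down."""
    return 100.0 * likelihood(v) * impact(v, a) * EXPOSURE_FACTOR[a.exposure]


def rank_by_risk(findings):
    """Return (cve, asset, score) tuples, highest composite risk first."""
    scored = [(v.cve, a.name, risk_score(v, a)) for v, a in findings]
    return sorted(scored, key=lambda t: t[2], reverse=True)


def rank_by_cvss(findings):
    """The baseline the page argues against: CVSS severity alone."""
    ordered = sorted(findings, key=lambda f: f[0].cvss, reverse=True)
    return [v.cve for v, _ in ordered]


# Constructed sample findings (placeholder labels, not real CVEs).
FINDINGS = [
    (Vuln("CVE-A", 9.8, 0.004, False), Asset("backup-nas-01", "isolated", "low")),
    (Vuln("CVE-B", 6.5, 0.62, True),   Asset("vpn-gw-01", "internet", "critical")),
    (Vuln("CVE-C", 9.1, 0.12, False),  Asset("erp-db-01", "internal", "critical")),
    (Vuln("CVE-D", 7.5, 0.03, False),  Asset("kiosk-07", "internal", "low")),
]

if __name__ == "__main__":
    print("CVSS-only order:", rank_by_cvss(FINDINGS))
    print("Risk-based order:")
    for cve, asset, score in rank_by_risk(FINDINGS):
        print(f"  {cve:6} on {asset:14} risk={score:6.2f}")
```

With these constructed inputs the CVSS-only list puts the 9.8 on the isolated backup appliance first and the KEV-listed 6.5 on the internet-facing VPN gateway last; the composite score inverts that order. In a real deployment the EPSS and KEV inputs would come from FIRST's and CISA's published feeds, and the factor tables would be calibrated against the organization's own asset inventory rather than hard-coded.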
