<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: PatchVex</title>
    <description>The latest articles on DEV Community by PatchVex (@patchvex).</description>
    <link>https://dev.to/patchvex</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4011348%2F56b7f790-0ce1-43b9-ac7e-c3910ecba9ef.png</url>
      <title>DEV Community: PatchVex</title>
      <link>https://dev.to/patchvex</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/patchvex"/>
    <language>en</language>
    <item>
      <title>Why CVSS Alone Doesn't Tell You What to Patch First (And How KEV + EPSS Changes Everything)</title>
      <dc:creator>PatchVex</dc:creator>
      <pubDate>Wed, 01 Jul 2026 19:51:17 +0000</pubDate>
      <link>https://dev.to/patchvex/why-cvss-alone-doesnt-tell-you-what-to-patch-first-1cj7</link>
      <guid>https://dev.to/patchvex/why-cvss-alone-doesnt-tell-you-what-to-patch-first-1cj7</guid>
      <description>&lt;p&gt;Your Nessus scan just finished. You have 4,847 findings. CVSS says 200 of them are Critical.&lt;/p&gt;

&lt;p&gt;Where do you actually start?&lt;/p&gt;

&lt;p&gt;If your answer is "sort by CVSS score and work from the top" — you are making the same mistake most security teams make. And it is costing you hours every week while leaving your most dangerous vulnerabilities unpatched.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;This article isn't arguing that CVSS is bad.&lt;/strong&gt; CVSS is an excellent severity metric. The problem is using it as the &lt;em&gt;only&lt;/em&gt; prioritization metric.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;Try VulnPilot — free and open source&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;pip &lt;span class="nb"&gt;install &lt;/span&gt;vulnpilot
vulnpilot update-feeds
vulnpilot analyze scan.csv
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Runs locally. MIT licensed. Your scan data never leaves your machine.&lt;br&gt;
&lt;a href="https://github.com/PatchVex/vulnpilot" rel="noopener noreferrer"&gt;github.com/PatchVex/vulnpilot&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;The problem with CVSS&lt;/h2&gt;

&lt;p&gt;CVSS (Common Vulnerability Scoring System) measures the theoretical severity of a vulnerability. It answers the question: &lt;em&gt;how bad could this be in the worst case?&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;It does not answer: &lt;em&gt;is anyone actually exploiting this right now?&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;A CVSS 9.8 vulnerability on an isolated internal test server with no internet access is less urgent than a CVSS 7.0 vulnerability on your public-facing web server that attackers are actively exploiting today.&lt;/p&gt;

&lt;p&gt;CVSS cannot tell you which one to fix first. It was never designed to.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;CVSS only&lt;/th&gt;
&lt;th&gt;KEV + EPSS + CVSS&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Severity score only&lt;/td&gt;
&lt;td&gt;Real-world exploit intelligence&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Manual cross-referencing&lt;/td&gt;
&lt;td&gt;Automatic prioritization&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Hours of triage per scan&lt;/td&gt;
&lt;td&gt;Results in seconds&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;No exploit context&lt;/td&gt;
&lt;td&gt;Confirmed exploitation data&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Misses active threats&lt;/td&gt;
&lt;td&gt;Flags what attackers use today&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;What CISA KEV actually means&lt;/h2&gt;

&lt;p&gt;The Cybersecurity and Infrastructure Security Agency maintains a catalog called the Known Exploited Vulnerabilities (KEV) list.&lt;/p&gt;

&lt;p&gt;This is not a theoretical list. Every CVE on this list has been confirmed as actively exploited in the wild. Real attackers. Real infrastructure. Right now.&lt;/p&gt;

&lt;p&gt;At the time of writing, the KEV catalog contains only a tiny percentage of all published CVEs — those confirmed to be actively exploited in the wild.&lt;/p&gt;

&lt;p&gt;If your Nessus scan returns 4,847 findings and 19 of them match the KEV catalog — those 19 are your actual priority. Not the 200 that CVSS calls Critical.&lt;/p&gt;

&lt;h2&gt;What EPSS predicts&lt;/h2&gt;

&lt;p&gt;FIRST (Forum of Incident Response and Security Teams) publishes the Exploit Prediction Scoring System (EPSS).&lt;/p&gt;

&lt;p&gt;EPSS uses machine learning trained on real-world exploitation data to estimate the probability that a CVE will be exploited in the next 30 days.&lt;/p&gt;

&lt;p&gt;A CVE with a high EPSS score has a high probability of being exploited in the near term. A CVE with a very low EPSS score is unlikely to be exploited soon — regardless of its CVSS score.&lt;/p&gt;

&lt;p&gt;This is far more actionable than severity alone.&lt;/p&gt;

&lt;h2&gt;A real example — Log4Shell&lt;/h2&gt;

&lt;p&gt;CVE-2021-44228 (Log4Shell) has:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;CVSS: 10.0 (maximum)&lt;/li&gt;
&lt;li&gt;KEV: Yes — confirmed exploited&lt;/li&gt;
&lt;li&gt;EPSS: Very high exploitation probability&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Now consider a CVSS 9.8 vulnerability in an obscure library with no public exploit code, no KEV entry, and a very low EPSS score.&lt;/p&gt;

&lt;p&gt;On a CVSS-sorted list it sits above Log4Shell. In reality it should be deprioritized until the confirmed exploited vulnerabilities are patched.&lt;/p&gt;

&lt;p&gt;CVSS cannot make this distinction. KEV and EPSS can.&lt;/p&gt;

&lt;h2&gt;The composite scoring approach&lt;/h2&gt;

&lt;p&gt;VulnPilot combines KEV, EPSS, CVSS, and scanner severity into a transparent composite score designed to prioritize real-world risk.&lt;/p&gt;

&lt;p&gt;The current scoring model uses:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Signal&lt;/th&gt;
&lt;th&gt;Weight&lt;/th&gt;
&lt;th&gt;What it tells you&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;CISA KEV&lt;/td&gt;
&lt;td&gt;40%&lt;/td&gt;
&lt;td&gt;Actively exploited right now&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;FIRST EPSS&lt;/td&gt;
&lt;td&gt;35%&lt;/td&gt;
&lt;td&gt;Exploitation probability&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;CVSS&lt;/td&gt;
&lt;td&gt;15%&lt;/td&gt;
&lt;td&gt;Severity context&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Scanner rating&lt;/td&gt;
&lt;td&gt;10%&lt;/td&gt;
&lt;td&gt;Additional context&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Any finding confirmed in the KEV catalog scores a minimum of 75/100 regardless of other factors. KEV means patch immediately — no further analysis needed.&lt;/p&gt;

&lt;p&gt;The weighting is intentionally transparent and may evolve based on community feedback.&lt;/p&gt;

&lt;h2&gt;How VulnPilot works&lt;/h2&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Nessus CSV (local only)
        │
        ▼
   VulnPilot CLI
        │
   ┌────┴────────────┐
   │  CISA KEV       │  ← downloaded from cisa.gov
   │  FIRST EPSS     │  ← downloaded from first.org
   │  CVSS           │  ← from your scan data
   └────┬────────────┘
        │
        ▼
  Composite Score
        │
        ▼
  Prioritized Report
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Only public threat intelligence feeds are downloaded. Your vulnerability scan data never leaves your machine.&lt;/p&gt;

&lt;h2&gt;What this looks like in practice&lt;/h2&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  VulnPilot by PatchVex — Vulnerability Prioritization
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  Total findings   : 4,847
  KEV matches      : 19    ← fix these first
  EPSS &amp;gt;= 90%      : 31
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  #  Score   Priority      CVE              Finding
  1  100.0   CRITICAL NOW  CVE-2021-44228   Log4Shell ★KEV
  2  100.0   CRITICAL NOW  CVE-2023-34362   MOVEit SQLi ★KEV
  3  99.8    CRITICAL NOW  CVE-2020-1472    Zerologon ★KEV
  4  11.5    LOW           N/A              SSH Weak Ciphers
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;The SSH weak ciphers finding sits at the bottom where it belongs — no KEV match, low EPSS. On a CVSS sort it would consume time that should go toward patching actively exploited vulnerabilities.&lt;/p&gt;

&lt;h2&gt;The time cost of doing this manually&lt;/h2&gt;

&lt;p&gt;Most security teams spend hours per scan cycle doing this manually:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Export Nessus CSV&lt;/li&gt;
&lt;li&gt;Open in Excel&lt;/li&gt;
&lt;li&gt;Sort by CVSS&lt;/li&gt;
&lt;li&gt;Manually check KEV catalog&lt;/li&gt;
&lt;li&gt;Manually check EPSS scores&lt;/li&gt;
&lt;li&gt;Build remediation priority list&lt;/li&gt;
&lt;li&gt;Repeat next week&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The data already exists. The challenge is bringing it together automatically.&lt;/p&gt;

&lt;p&gt;The missing piece for many teams is automating this workflow — locally, privately, without uploading scan data to a third-party service.&lt;/p&gt;

&lt;h2&gt;Why local-first matters&lt;/h2&gt;

&lt;p&gt;Vulnerability scan results often contain internal hostnames, IP addresses, software inventories, and infrastructure details. Many organizations prohibit uploading this information to third-party services. A Nessus CSV is essentially a map of every weakness in your infrastructure.&lt;/p&gt;

&lt;p&gt;VulnPilot performs all analysis locally on your machine. Only public threat feeds are downloaded. Nothing about your infrastructure is ever transmitted.&lt;/p&gt;

&lt;h2&gt;What VulnPilot doesn't do&lt;/h2&gt;

&lt;p&gt;Being honest about limitations builds trust:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;It does not replace your vulnerability scanner&lt;/li&gt;
&lt;li&gt;It does not eliminate false positives&lt;/li&gt;
&lt;li&gt;It does not make business risk decisions for you&lt;/li&gt;
&lt;li&gt;It does not tell you asset criticality — you still need to consider what each host does&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;It helps prioritize remediation using publicly available exploit intelligence. The rest of the decision still belongs to your team.&lt;/p&gt;

&lt;p&gt;VulnPilot currently supports Nessus CSV exports, with additional scanner support planned in future releases.&lt;/p&gt;

&lt;h2&gt;Install and try it&lt;/h2&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;pip &lt;span class="nb"&gt;install &lt;/span&gt;vulnpilot
vulnpilot update-feeds
vulnpilot analyze scan.csv

&lt;span class="c"&gt;# Generate a shareable HTML report&lt;/span&gt;
vulnpilot analyze scan.csv &lt;span class="nt"&gt;--html&lt;/span&gt; report.html
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Free and open source. MIT licensed. Python 3.10+.&lt;/p&gt;

&lt;p&gt;CVSS was designed to measure severity — not remediation priority.&lt;/p&gt;

&lt;p&gt;If you're still sorting thousands of findings by CVSS alone, you're doing far more work than necessary.&lt;/p&gt;

&lt;p&gt;VulnPilot combines publicly available exploit intelligence to help you answer one simple question:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What should I patch first?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Links:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;GitHub: &lt;a href="https://github.com/PatchVex/vulnpilot" rel="noopener noreferrer"&gt;github.com/PatchVex/vulnpilot&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;PyPI: &lt;a href="https://pypi.org/project/vulnpilot" rel="noopener noreferrer"&gt;pypi.org/project/vulnpilot&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Website: &lt;a href="https://patchvex.com" rel="noopener noreferrer"&gt;patchvex.com&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Feedback welcome — drop a comment below or open a GitHub issue.&lt;/p&gt;

&lt;h2&gt;References&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" rel="noopener noreferrer"&gt;CISA Known Exploited Vulnerabilities Catalog&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.first.org/epss/" rel="noopener noreferrer"&gt;FIRST Exploit Prediction Scoring System (EPSS)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.first.org/cvss/" rel="noopener noreferrer"&gt;FIRST Common Vulnerability Scoring System (CVSS)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cve.mitre.org/" rel="noopener noreferrer"&gt;MITRE CVE Program&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Built by &lt;a href="https://patchvex.com" rel="noopener noreferrer"&gt;PatchVex&lt;/a&gt; — privacy-first security tools for DevSecOps and security teams.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>devsecops</category>
      <category>vulnerabilities</category>
      <category>nessus</category>
    </item>
  </channel>
</rss>
