Your Nessus scan just finished. You have 4,847 findings. CVSS says 200 of them are Critical.
Where do you actually start?
If your answer is "sort by CVSS score and work from the top" — you are making the same mistake most security teams make. And it is costing you hours every week while leaving your most dangerous vulnerabilities unpatched.
This article isn't arguing that CVSS is bad. CVSS is an excellent severity metric. The problem is using it as the only prioritization metric.
Try VulnPilot — free and open source
pip install vulnpilot
vulnpilot update-feeds
vulnpilot analyze scan.csv
Runs locally. MIT licensed. Your scan data never leaves your machine.
github.com/PatchVex/vulnpilot
The problem with CVSS
CVSS (Common Vulnerability Scoring System) measures the theoretical severity of a vulnerability. It answers the question: how bad could this be in the worst case?
It does not answer: is anyone actually exploiting this right now?
A CVSS 9.8 vulnerability on an isolated internal test server with no internet access is less urgent than a CVSS 7.0 vulnerability on your public-facing web server that attackers are actively exploiting today.
CVSS cannot tell you which one to fix first. It was never designed to.
| CVSS only | KEV + EPSS + CVSS |
|---|---|
| Severity score only | Real-world exploit intelligence |
| Manual cross-referencing | Automatic prioritization |
| Hours of triage per scan | Results in seconds |
| No exploit context | Confirmed exploitation data |
| Misses active threats | Flags what attackers use today |
What CISA KEV actually means
The Cybersecurity and Infrastructure Security Agency maintains a catalog called the Known Exploited Vulnerabilities (KEV) list.
This is not a theoretical list. Every CVE in the catalog has reliable evidence of exploitation in the wild, and CISA only adds entries that also have clear remediation guidance. Real attackers. Real infrastructure. One caveat: entries are never removed once added, so a KEV match tells you the vulnerability has been used in real attacks, not that a campaign is necessarily still running today.
At the time of writing the catalog holds only a small fraction of all published CVEs, which is exactly what makes it useful as a first filter.
If your Nessus scan returns 4,847 findings and 19 of them match the KEV catalog — those 19 are your actual priority. Not the 200 that CVSS calls Critical.
What EPSS predicts
FIRST (Forum of Incident Response and Security Teams) publishes the Exploit Prediction Scoring System (EPSS).
EPSS uses machine learning trained on real-world exploitation data to estimate the probability that a CVE will be exploited in the next 30 days.
Scores are recomputed daily, and each CVE also gets a percentile that ranks it against every other scored CVE. A CVE with a high EPSS score is likely to see exploitation attempts soon; one with a very low score is unlikely to, regardless of its CVSS score.
This is far more actionable than severity alone, with one scope caveat: EPSS estimates exploitation activity observed anywhere on the internet, not the chance that your particular hosts are hit, so it still needs your own asset context on top.
A real example — Log4Shell
CVE-2021-44228 (Log4Shell) has:
- CVSS: 10.0 (maximum)
- KEV: Yes — confirmed exploited
- EPSS: Very high exploitation probability
Now consider a CVSS 9.8 vulnerability in an obscure library with no public exploit code, no KEV entry, and a very low EPSS score.
On a CVSS-sorted list it sits above Log4Shell. In reality it should be deprioritized until the confirmed exploited vulnerabilities are patched.
CVSS cannot make this distinction. KEV and EPSS can.
The composite scoring approach
VulnPilot combines KEV, EPSS, CVSS, and scanner severity into a transparent composite score designed to prioritize real-world risk.
The current scoring model uses:
| Signal | Weight | What it tells you |
|---|---|---|
| CISA KEV | 40% | Actively exploited right now |
| FIRST EPSS | 35% | Exploitation probability |
| CVSS | 15% | Severity context |
| Scanner rating | 10% | The scanner's own severity rating (the Nessus Risk column) |
Any finding confirmed in the KEV catalog scores a minimum of 75/100 regardless of other factors. KEV means patch immediately; the other signals then only refine the order within that group.
The weighting is intentionally transparent and may evolve based on community feedback.
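As an added illustration of the model described above (example code written for this article, not VulnPilot's own implementation): the weights and the 75-point KEV floor come from the table, but how each signal is normalised to a 0..1 scale, the tie-breaking rule and the priority labels are assumptions made here. The constructed findings use one real CVE from this article plus placeholder IDs that are not real CVEs.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Weights and KEV floor as given in the article's scoring table.
# How each signal is normalised below (KEV as a binary flag, EPSS as a
# probability, CVSS divided by 10, the Nessus Risk column mapped to a fixed
# scale) is an assumption for this example; the article only states the weights.
WEIGHTS = {"kev": 40.0, "epss": 35.0, "cvss": 15.0, "scanner": 10.0}
KEV_FLOOR = 75.0
SCANNER_RATING = {"critical": 1.0, "high": 0.75, "medium": 0.5, "low": 0.25, "info": 0.0}


@dataclass(frozen=True)
class Finding:
    name: str
    cve: Optional[str]   # None for findings without a CVE (e.g. config checks)
    cvss: float          # 0.0 .. 10.0 from the scan
    scanner_risk: str    # Nessus "Risk" column: Critical/High/Medium/Low/Info
    in_kev: bool         # CVE present in the CISA KEV catalog
    epss: float          # FIRST EPSS probability, 0.0 .. 1.0 (0.0 when no CVE)


def composite_score(f: Finding) -> float:
    """Weighted 0..100 score; the KEV floor is applied after the weighted sum."""
    epss = min(max(f.epss, 0.0), 1.0)
    cvss = min(max(f.cvss, 0.0), 10.0)
    score = (
        WEIGHTS["kev"] * (1.0 if f.in_kev else 0.0)
        + WEIGHTS["epss"] * epss
        + WEIGHTS["cvss"] * cvss / 10.0
        + WEIGHTS["scanner"] * SCANNER_RATING.get(f.scanner_risk.lower(), 0.0)
    )
    if f.in_kev:
        # A KEV entry with low EPSS and modest CVSS would otherwise land mid-table.
        score = max(score, KEV_FLOOR)
    return round(score, 1)


def priority_label(score: float, in_kev: bool) -> str:
    """Bucket thresholds are illustrative; the article does not define them."""
    if in_kev or score >= 90:
        return "CRITICAL NOW"
    if score >= 60:
        return "HIGH"
    if score >= 30:
        return "MEDIUM"
    return "LOW"


def prioritize(findings: list[Finding]) -> list[tuple[float, str, Finding]]:
    """(score, label, finding) triples, highest first; KEV then EPSS break ties."""
    scored = []
    for f in findings:
        s = composite_score(f)
        scored.append((s, priority_label(s, f.in_kev), f))
    scored.sort(key=lambda t: (t[0], t[2].in_kev, t[2].epss), reverse=True)
    return scored


# Constructed sample findings. CVE-EXAMPLE-* are placeholders, not real CVE IDs,
# and the EPSS values are illustrative rather than live feed data.
SAMPLE = [
    Finding("Log4Shell", "CVE-2021-44228", 10.0, "Critical", True, 0.96),
    Finding("Obscure library RCE", "CVE-EXAMPLE-1", 9.8, "Critical", False, 0.004),
    Finding("Old KEV entry, low EPSS", "CVE-EXAMPLE-2", 5.3, "Medium", True, 0.05),
    Finding("SSH Weak Ciphers", None, 4.3, "Medium", False, 0.0),
]

if __name__ == "__main__":
    for score, label, f in prioritize(SAMPLE):
        print(f"{score:6.1f}  {label:12s}  {(f.cve or 'N/A'):16s}  {f.name}")
```

Run it and the CVSS 9.8 "obscure library" finding drops to the LOW bucket (no KEV, negligible EPSS) while the KEV entry with a 5.3 CVSS is lifted to 75 by the floor, which is the ordering the article argues for.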
How VulnPilot works
Nessus CSV (local only)
│
▼
VulnPilot CLI
│
┌────┴────────────┐
│ CISA KEV │ ← downloaded from cisa.gov
│ FIRST EPSS │ ← downloaded from first.org
│ CVSS │ ← from your scan data
└────┬────────────┘
│
▼
Composite Score
│
▼
Prioritized Report
Only public threat intelligence feeds are downloaded. Your vulnerability scan data never leaves your machine.
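The pipeline above, as an added example that is not VulnPilot's code: it joins a Nessus CSV export with the two public feeds entirely offline, which is also the join the manual Excel workflow later in this article performs by hand. The feed snippets are constructed but follow the real file shapes (the KEV JSON's `vulnerabilities[].cveID` field, and the EPSS CSV's `#model_version` comment line followed by `cve,epss,percentile`); the Nessus columns are trimmed to the ones read here, the plugin IDs and the CVE-EXAMPLE-1 ID are placeholders, and a simple KEV-then-EPSS-then-CVSS ordering stands in for the composite score.

```python
from __future__ import annotations

import csv
import io
import json

# Real feed locations the tool downloads (not fetched here so the example runs offline):
#   KEV:  https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
#   EPSS: https://epss.cyentia.com/epss_scores-current.csv.gz  (daily bulk file from FIRST)

# Constructed KEV snippet, trimmed to the one field read here. Real entries also
# carry vendorProject, product, dateAdded, dueDate and more.
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228"},
    {"cveID": "CVE-2020-1472"}
  ]
}"""

# Constructed EPSS snippet: one '#' comment line, then cve,epss,percentile rows.
EPSS_CSV = """#model_version:v-example,score_date:2024-01-01T00:00:00+0000
cve,epss,percentile
CVE-2021-44228,0.97,0.99
CVE-2020-1472,0.95,0.99
CVE-EXAMPLE-1,0.004,0.12
"""

# Constructed Nessus export, trimmed to the columns read below.
# Plugin IDs are placeholders; CVE-EXAMPLE-1 is not a real CVE.
NESSUS_CSV = """Plugin ID,CVE,CVSS v3.0 Base Score,Risk,Host,Port,Name
100001,CVE-2021-44228,10.0,Critical,10.0.0.5,8080,Apache Log4j Remote Code Execution (Log4Shell)
100002,CVE-2020-1472,10.0,Critical,10.0.0.10,445,Netlogon Elevation of Privilege (Zerologon)
100003,CVE-EXAMPLE-1,9.8,Critical,10.0.0.7,443,Obscure library RCE (no public exploit)
100004,,4.3,Medium,10.0.0.5,22,SSH Weak Algorithms Supported
"""


def load_kev(text: str) -> set[str]:
    """KEV catalog JSON -> set of CVE IDs."""
    return {v["cveID"] for v in json.loads(text)["vulnerabilities"]}


def load_epss(text: str) -> dict[str, tuple[float, float]]:
    """EPSS CSV -> {cve: (epss, percentile)}, skipping the '#model_version' line."""
    rows = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return {r["cve"]: (float(r["epss"]), float(r["percentile"])) for r in csv.DictReader(rows)}


def parse_nessus(text: str) -> list[dict]:
    """One dict per scanner row; the CVE cell may hold several comma-separated IDs."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        cves = [c.strip() for c in (row.get("CVE") or "").split(",") if c.strip()]
        cvss_raw = row.get("CVSS v3.0 Base Score") or row.get("CVSS v2.0 Base Score") or ""
        findings.append({
            "plugin_id": row["Plugin ID"],
            "host": row["Host"],
            "name": row["Name"],
            "risk": row["Risk"],
            "cvss": float(cvss_raw) if cvss_raw else None,  # config checks may lack CVSS
            "cves": cves,
        })
    return findings


def enrich(findings: list[dict], kev: set[str], epss: dict) -> list[dict]:
    """Attach KEV hits and the highest EPSS among a finding's CVEs, then rank."""
    out = []
    for f in findings:
        hits = [c for c in f["cves"] if c in kev]
        probs = [epss[c][0] for c in f["cves"] if c in epss]
        out.append(dict(f, in_kev=bool(hits), kev_cves=hits, epss=max(probs, default=0.0)))
    # KEV first, then EPSS, then CVSS. A plain ordering, not the composite score.
    out.sort(key=lambda e: (e["in_kev"], e["epss"], e["cvss"] or 0.0), reverse=True)
    return out


def summarize(ranked: list[dict]) -> dict:
    """The three header counters from the article's report, computed from the join."""
    return {
        "total": len(ranked),
        "kev": sum(e["in_kev"] for e in ranked),
        "epss_ge_90": sum(e["epss"] >= 0.9 for e in ranked),
    }


if __name__ == "__main__":
    ranked = enrich(parse_nessus(NESSUS_CSV), load_kev(KEV_JSON), load_epss(EPSS_CSV))
    print(summarize(ranked))
    for e in ranked:
        flag = "KEV" if e["in_kev"] else "   "
        print(f"{flag} epss={e['epss']:.3f} cvss={e['cvss'] or 0:4.1f} {e['host']:10s} {e['name']}")
```

Nothing here touches the network: swap the three inline strings for the downloaded feed files and the scan export and the join is the whole local workflow. The only data that ever leaves the machine is the request for the two public feeds.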
What this looks like in practice
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
VulnPilot by PatchVex — Vulnerability Prioritization
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Total findings : 4,847
KEV matches : 19 ← fix these first
EPSS >= 90% : 31
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# Score Priority CVE Finding
1 100.0 CRITICAL NOW CVE-2021-44228 Log4Shell ★KEV
2 100.0 CRITICAL NOW CVE-2023-34362 MOVEit SQLi ★KEV
3 99.8 CRITICAL NOW CVE-2020-1472 Zerologon ★KEV
4 11.5 LOW N/A SSH Weak Ciphers
The SSH weak ciphers finding sits at the bottom where it belongs: it has no CVE, so there is nothing to match against KEV and no EPSS score, and its own CVSS is modest. On a CVSS sort it would consume time that should go toward patching actively exploited vulnerabilities.
The time cost of doing this manually
Most security teams spend hours per scan cycle doing this manually:
- Export Nessus CSV
- Open in Excel
- Sort by CVSS
- Manually check KEV catalog
- Manually check EPSS scores
- Build remediation priority list
- Repeat next week
The data already exists. The challenge is bringing it together automatically.
The missing piece for many teams is automating this workflow — locally, privately, without uploading scan data to a third-party service.
Why local-first matters
Vulnerability scan results often contain internal hostnames, IP addresses, software inventories, and infrastructure details. Many organizations prohibit uploading this information to third-party services. A Nessus CSV is essentially a map of every weakness in your infrastructure.
VulnPilot performs all analysis locally on your machine. Only public threat feeds are downloaded. Nothing about your infrastructure is ever transmitted.
What VulnPilot doesn't do
Being honest about limitations builds trust:
- It does not replace your vulnerability scanner
- It does not eliminate false positives
- It does not make business risk decisions for you
- It does not tell you asset criticality — you still need to consider what each host does
It helps prioritize remediation using publicly available exploit intelligence. The rest of the decision still belongs to your team.
VulnPilot currently supports Nessus CSV exports, with additional scanner support planned in future releases.
Install and try it
pip install vulnpilot
vulnpilot update-feeds
vulnpilot analyze scan.csv
# Generate a shareable HTML report
vulnpilot analyze scan.csv --html report.html
Free and open source. MIT licensed. Python 3.10+.
CVSS was designed to measure severity — not remediation priority.
If you're still sorting thousands of findings by CVSS alone, you're doing far more work than necessary.
VulnPilot combines publicly available exploit intelligence to help you answer one simple question:
What should I patch first?
Links:
- GitHub: github.com/PatchVex/vulnpilot
- PyPI: pypi.org/project/vulnpilot
- Website: patchvex.com
Feedback welcome — drop a comment below or open a GitHub issue.
References
- CISA Known Exploited Vulnerabilities Catalog
- FIRST Exploit Prediction Scoring System (EPSS)
- FIRST Common Vulnerability Scoring System (CVSS)
- MITRE CVE Program
Built by PatchVex — privacy-first security tools for DevSecOps and security teams.