Why TruRisk™ Matters

Most enterprises prioritize vulnerabilities using the Common Vulnerability Scoring System (CVSS) or Exploit Prediction Scoring System (EPSS).

CVSS 

Static Technical Scoring

CVSS assigns a fixed base score derived from the technical characteristics of the vulnerability itself: how it can be exploited (attack vector, complexity, privileges and user interaction required) and what impact a successful exploit has on confidentiality, integrity and availability. That base score, which is what most organizations actually consume, says nothing about environmental factors such as where the vulnerable system is deployed, how it is configured, or how much it matters to a specific organization.

EPSS

Exploitation Likelihood

EPSS takes a data-driven approach to estimating the probability that a vulnerability will be exploited in the wild within the next 30 days. It is trained on observed real-world exploitation activity and threat intelligence to predict which vulnerabilities are more likely to be actively targeted by attackers. It describes the vulnerability, not the asset it sits on.

The Fundamental Mismatch 

Organizations that rank remediation by technical severity or by exploitation probability alone may spend their patching effort on findings that are not the highest risk to them, because neither score carries business or live environmental context. The result is a fundamental mismatch between patching effort and actual risk reduction.

Example

The TruRisk Difference

EPSS correctly flags CVE-2021-36942 as actively exploited (HIGH priority), and TruRisk goes further by adding environmental context: on a critical, internet-facing server the same actively exploited vulnerability becomes CRITICAL priority. Meanwhile, CVE-2020-13112, despite its high CVSS score, is deprioritized to LOW when it sits on a non-critical, internal system with no active threat against it.

TruRisk Advantage

Unlike static scoring systems, TruRisk scores are dynamic and contextual: they change as threat intelligence and asset context change. This lets organizations prioritize the vulnerabilities that pose the greatest actual risk to their specific environment, so remediation resources go where they produce meaningful risk reduction.

TruRisk helps organizations identify which CVEs are being actively exploited, even before they have been assigned QIDs (Qualys IDs). It also identifies which malware, ransomware, or threat groups are responsible for those attacks, so teams can focus on the vulnerabilities that matter most.

TruRisk goes beyond traditional CVSS and EPSS scoring by incorporating comprehensive threat factors, including:

  • Weaponized exploits and exploit code maturity
  • CISA KEV (Known Exploited Vulnerabilities) catalog
  • Active malware and ransomware campaigns
  • Trending risks and Real-Time Threat Indicators (RTIs)
  • Specific threat actors and ransomware groups

This multi-layered approach provides organizations with a clear view of their risks, enabling them to address the vulnerabilities that pose real and urgent threats.
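The following is an added example, not Qualys code and not TruRisk's actual scoring algorithm. It is a hypothetical model, written for this page, that shows the shape of the prioritization argument made above and in the CVE-2021-36942 / CVE-2020-13112 comparison: technical severity (CVSS) is combined with exploitation likelihood (EPSS), threat intelligence (CISA KEV membership, weaponized exploit or active malware use) and asset context (business criticality, internet exposure) into one 0-100 score. The weights, the 0-100 normalization, the priority thresholds and the "actively exploited findings never fall below HIGH" floor are assumptions of this model. The CVSS and EPSS values, asset names and criticality ratings in the sample data are constructed for illustration and are not the real NVD or FIRST values for those CVEs. The sample goes one step beyond the page's two cases by scoring the same actively exploited CVE on a second, internal host, to show that one CVE can legitimately carry different priorities on different assets.

```python
"""
Contextual vulnerability prioritization: a hypothetical scoring model
(added illustration; not Qualys TruRisk's algorithm).
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float              # CVSS base score, 0.0-10.0
    epss: float              # EPSS probability of exploitation, 0.0-1.0
    in_kev: bool             # listed in the CISA KEV catalog
    weaponized: bool         # public weaponized exploit or active malware/ransomware use
    asset_criticality: int   # business criticality, 1 (throwaway) .. 5 (crown jewel)
    internet_facing: bool    # reachable from the internet

    def __post_init__(self) -> None:
        # Reject out-of-range inputs early; a bad feed should not silently skew ranking.
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError(f"{self.cve}: CVSS out of range: {self.cvss}")
        if not 0.0 <= self.epss <= 1.0:
            raise ValueError(f"{self.cve}: EPSS out of range: {self.epss}")
        if not 1 <= self.asset_criticality <= 5:
            raise ValueError(f"{self.cve}: criticality out of range: {self.asset_criticality}")


CRITICAL, HIGH, MEDIUM, LOW = "CRITICAL", "HIGH", "MEDIUM", "LOW"
KEV_FLOOR = 50.0  # assumption: anything exploited in the wild is at least HIGH


def threat_factor(f: Finding) -> float:
    """Exploitation likelihood multiplier: 1.0 (no evidence) up to 3.0
    (in KEV or weaponized, EPSS near 1.0)."""
    factor = 1.0
    if f.in_kev or f.weaponized:
        factor += 1.0
    return factor + f.epss


def exposure_factor(f: Finding) -> float:
    """Environmental multiplier: 0.2 (low-value internal host) up to 1.5
    (internet-facing crown jewel)."""
    factor = f.asset_criticality / 5.0
    if f.internet_facing:
        factor += 0.5
    return factor


# Largest possible raw product (CVSS 10 -> 100, threat 3.0, exposure 1.5),
# used so that contextual_score() always lands in 0-100.
_MAX_RAW = 100.0 * 3.0 * 1.5


def contextual_score(f: Finding) -> float:
    """Combine severity, threat and exposure into a 0-100 risk score."""
    raw = (f.cvss * 10.0) * threat_factor(f) * exposure_factor(f)
    score = 100.0 * raw / _MAX_RAW
    if f.in_kev or f.weaponized:
        score = max(score, KEV_FLOOR)  # never let a known-exploited bug drop out of view
    return round(score, 1)


def priority_label(score: float) -> str:
    """Bucket a 0-100 score into the four priority bands (thresholds are assumptions)."""
    if score >= 70.0:
        return CRITICAL
    if score >= 50.0:
        return HIGH
    if score >= 25.0:
        return MEDIUM
    return LOW


def prioritize(findings: List[Finding]) -> List[Tuple[str, str, float, str]]:
    """Rank findings by contextual score, highest risk first."""
    ranked = sorted(findings, key=contextual_score, reverse=True)
    return [(f.cve, f.asset, contextual_score(f), priority_label(contextual_score(f)))
            for f in ranked]


def cvss_only_order(findings: List[Finding]) -> List[str]:
    """The static ranking a CVSS-only process would produce, for comparison."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample data. CVSS/EPSS values are illustrative, not the real scores.
SAMPLE_FINDINGS = [
    Finding("CVE-2021-36942", "dmz-web-01", cvss=7.5, epss=0.90, in_kev=True,
            weaponized=True, asset_criticality=5, internet_facing=True),
    Finding("CVE-2021-36942", "lab-host-07", cvss=7.5, epss=0.90, in_kev=True,
            weaponized=True, asset_criticality=2, internet_facing=False),
    Finding("CVE-2020-13112", "lab-host-07", cvss=9.1, epss=0.01, in_kev=False,
            weaponized=False, asset_criticality=2, internet_facing=False),
]

if __name__ == "__main__":
    print("CVSS-only order :", cvss_only_order(SAMPLE_FINDINGS))
    for cve, asset, score, label in prioritize(SAMPLE_FINDINGS):
        print(f"{cve:16} {asset:12} {score:5.1f} {label}")
```

Run stand-alone, the CVSS-only ranking puts CVE-2020-13112 first, while the contextual ranking places the actively exploited CVE-2021-36942 on the internet-facing critical host at CRITICAL, the same CVE on an internal lab host at HIGH (held up by the known-exploited floor), and the high-CVSS CVE-2020-13112 on that lab host at LOW. The two multipliers are deliberately kept separate so that a change in threat intelligence (a CVE landing in KEV) and a change in asset inventory (a host moving into the DMZ) each re-score findings without touching the other.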