惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V2EX - 技术
V2EX - 技术
P
Privacy International News Feed
Security Latest
Security Latest
H
Hacker News: Front Page
T
Tenable Blog
The Hacker News
The Hacker News
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
S
Security @ Cisco Blogs
Project Zero
Project Zero
O
OpenAI News
AI
AI
Spread Privacy
Spread Privacy
C
CERT Recently Published Vulnerability Notes
The Last Watchdog
The Last Watchdog
G
GRAHAM CLULEY
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Scott Helme
Scott Helme
Application and Cybersecurity Blog
Application and Cybersecurity Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
C
CXSECURITY Database RSS Feed - CXSecurity.com
NISL@THU
NISL@THU
A
Arctic Wolf
T
Threat Research - Cisco Blogs
PCI Perspectives
PCI Perspectives
N
News and Events Feed by Topic
C
Cyber Attacks, Cyber Crime and Cyber Security
C
Cybersecurity and Infrastructure Security Agency CISA
Simon Willison's Weblog
Simon Willison's Weblog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Know Your Adversary
Know Your Adversary
Google Online Security Blog
Google Online Security Blog
罗磊的独立博客
L
LINUX DO - 最新话题
U
Unit 42
S
Security Affairs
有赞技术团队
有赞技术团队
WordPress大学
WordPress大学
博客园 - 【当耐特】
T
The Exploit Database - CXSecurity.com
S
Schneier on Security
月光博客
月光博客
Engineering at Meta
Engineering at Meta
腾讯CDC
F
Full Disclosure
Cyberwarzone
Cyberwarzone
S
SegmentFault 最新的问题
Recorded Future
Recorded Future
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
博客园 - 司徒正美
The Cloudflare Blog

The Register - Security: CSO

Anthropic's Mythos has The Kettle crew curious, skeptical 'People's Panel' to check if UK wants controversial Digital ID will cost £630K Top npm package backdoored to drop dirty RAT on dev machines Lightning-fast exploits mean patch fast, says Cisco Talos Lightning-fast exploits mean patch fast, says Cisco Talos Smooth criminals talking their way into cloud environments, Google says Cybercrime up 245% since the start of the Iran war Scattered Lapsus$ Hunters seeks women to defraud helpdesks Every day in every way, passwords are getting worse CISA quietly updated ransomware flags on 59 flaws last year Deepfake job seeker applied to work for an AI security firm Deepfake job seeker applied to work for an AI security firm AI-powered cyberattack kits are 'just a matter of time' AI-powered cyberattack kits are 'just a matter of time' FortiGate SSO bug still exploitable despite December patch FortiGate SSO bug still exploitable despite December patch Judge tosses CrowdStrike shareholder suit over 2024 outage DRAM shortage may drive firewall prices higher: analysts Ransomware attacks kept climbing in 2025 as gangs refused to stay dead Around 1,000 systems compromised in ransomware attack on Romanian water agency 1,000 systems pwned in Romanian Waters ransomware attack Half of exposed React servers remain unpatched amid attacks CISA warns spyware crews are breaking into Signal and WhatsApp accounts FCC guts Salt Typhoon telco rules despite espionage risk CISA orders feds to patch Oracle Identity Manager zero-day SEC drops SolarWinds lawsuit that painted a target on CISOs everywhere SEC bails on SolarWinds lawsuit Palo Alto kit sees massive surge in malicious activity amid mystery traffic flood Palo Alto kit sees massive surge in malicious activity Countries use cyber targeting to plan strikes: Amazon CSO Overconfidence is the new zero-day as teams stumble through cyber simulations UK's Cyber Security and Resilience Bill makes Parliamentary debut Cyber insurers paid out over twice as much for UK ransomware attacks last year Cyberpunks mess with Canada's water, energy, and farm systems Trump's workforce cuts blamed as America's cyber edge dulls Feds flag active exploitation of patched Windows SMB vuln How malware vaccines could stop ransomware's rampage Salesforce refuses to pay ransomware crims' extortion demand Germany slams brakes on EU's Chat Control snoopfest Germany slams brakes on EU's Chat Control snoopfest Employees regularly paste company secrets into ChatGPT Oracle tells Clop-targeted EBS users to apply July patch Red Hat repos raided, claims cybercrew, files stolen Suspected Chinese spies broke into 'numerous' enterprises UK gov acknowledges 'strong case' for JLR financial support JLR extends shutdown – again – as toll on workers laid bare UK chancellor blames cyberattacks on Russia despite evidence Fortra discloses 10/10 severity bug in GoAnywhere MFT Entra ID bug could have granted access to every tenant UEFI Secure Boot for Linux Arm64 – where do we stand? JLR says cyber cleanup to take additional week Insider blamed for FinWise data breach affecting nearly 700K Nork snoops whip up fake military ID with help from ChatGPT UK government dragged for incomplete security reforms Church of England abuse victims exposed by lawyer's email US spy chief claims UK backdown on Apple backdoor demand Workday confirms CRM breach via social engineering Black Hat/DEF CON: AI more useful for defense than hacking Ex-White House cyber guru talks Microsoft security fails CISA releases malware analysis for Sharepoint Server attack China: US spies used Microsoft Exchange 0-day to steal info Security pros drowning in threat-intel data Identity attacks surge 156% as phishermen get craftier Organizations can’t keep up with supply chain security musts Amazon CISO: Iranian hacking crews ‘on high alert’ UK data watchdog fines 23andMe £2.3M over 2023 breach Employers are demanding too much from junior cyber recruits FCA warned four staffers who pocketed regulator data Ransomware just wrecked your network – now what? Ivanti RCE attacks 'ongoing,' exploitation hits clouds Ex-NSA listened to Scattered Spider's calls: 'They're good' Snowflake CISO talks lessons learned from breaches, improv Infosec pros still aren't nailing the basics of AI security Ransomware crims targeting systems between IT and operations Why aggregating asset inventory leads to better security NCSC and industry at odds over how to tackle shoddy software Powerschool extortionists may not have deleted stolen data CrowdStrike trims workforce by 5 percent, aims to rely on AI NSO Group must pay Meta $168M in WhatsApp spy case Ghost in the shell script: Boffins seek code correctness How Intruder finds what others miss in cloud security Linux malware can avoid syscall-based endpoint protection Infosec pro blabs about alleged malware mishap on LinkedIn The future of AI in cybersecurity in a word – optimistic CVE board 'kept in the dark' on funding, members say Security snafus caused by third parties up from 15% to 30% Blue Shield shared 4.7M people's health info with Google Ads Who needs phishing when your login's already in the wild? US cyber defenses are being dismantled from the inside Bug hunter obtains an SSL cert for Alibaba Cloud in 5 steps
Why CVSS is failing us and what we can do about it
Sıla Özeren, Security Research Engineer, Picus Security · 2025-05-15 · via The Register - Security: CSO

PARTNER CONTENT Two decades ago, CVSS revolutionized vulnerability management, enabling security teams to speak a common language when measuring and prioritizing risks posed by the vulnerability to the affected asset. However, today, the same tool that once guided us in the right direction is holding us back.

In an environment where adversaries are faster, attack surfaces are broader, and resource constraints are tighter than ever, relying only on CVSS ratings to drive remediation efforts is no longer enough. Yet many organizations still patch vulnerabilities based on severity scores alone without asking the critical question necessary to determine real risk: Does this exposure actually pose a real risk in our environment?

Legacy severity scores tell us what could happen in a vacuum, not what would happen in a context of live, defended infrastructure. Adversarial exposure validation seeks to cross this bridge between theoretical risk and real-world exposure.

Legacy severity scoring systems are useful tools but not the final answer

CVSS scores introduced risk assessment that was more about standardization than anything else. The intention was for security professionals in the vulnerability domain to use the same notational system to refer to the same phenomenon. However, CVSS scores are broad generalizations that don't take vital variables into account. These include compensating controls (e.g., firewalls, segmentation, endpoint protection), the attack paths an adversary would traverse by successfully chaining together multiple exploits, and finally, the importance of the business context and assets.

A vulnerability designated as critical might be found on a non-sensitive server, seated behind layers of defensive technology. In contrast, a medium-level misconfiguration that's on an asset exposed to the internet could be the opening move in an impactful compromise. By ignoring this context, CVSS leads teams down a misguided path.

Misplaced priorities happen when risk rankings mislead

The sole reliance on CVSS leads to three dangerous outcomes. First, it causes teams to waste valuable time patching exposures that pose little or no real risk, such as vulnerabilities that are unlikely to be exploited or are already mitigated by existing security controls.

The second is a non-deliberate lack of attention to critical attack paths. This is another misguided practice stemming from a lack of insight. Teams often overlook subtle, highly exploitable exposures because they don't come with a “critical” label.

The final one is something your security team is probably facing right now: vulnerability overload. Security teams find themselves trapped in a never-ending cycle of vulnerability scanning, patching and score chasing. When they look up, adversaries are already ahead of them and moving faster than remediation cycles can cope with.

Hence, security leaders must ask: Are we remedying what is truly significant, or are we diverting our attention to problems that appear urgent on paper (i.e. compliance box ticking?)

The shift to adversarial exposure validation

Adversarial Exposure Validation (AEV) marks a fundamental shift in how organizations prioritize and address vulnerabilities, such as those traditionally managed through vulnerability management programs.

AEV doesn't assign equal importance to each vulnerability based on a static number. Instead, it runs simulations of real-world attack techniques and scenarios in an organization's unique environment. It asks if this exposure can actually be exploited right now. What would the impact be if it were? Does this exposure contribute to an attack path toward critical assets?

When security teams validate the identified exposure to see if they can be exploited in the real world, they focus on the significant, small number of exposures that matter. In other words, they are not just theorizing about the exploitability of vulnerabilities.

By doing so, AEV supplies what CVSS is unable to: proof with business context.

How exposure validation changes the game

Organizations that embrace exposure validation see instant rewards. The first is sharper and clearer prioritization, enabling remediation efforts to focus on exposures with real attack potential instead of chasing vulnerabilities based on abstract severity scores. This leads to efficiency gains, in which security teams spend less time patching a pool of noise and faux issues and more time fixing real, exploitable weaknesses.

Exposure validation also improves communication throughout the organization, allowing CISOs to report risk in a much more straightforward, more understandable way based on validated attack scenarios rather than those pesky theoretical scoring models.

Beyond improved communication, exposure validation also drives smarter security control testing. It continuously highlights which security controls perform as intended and which ones are ineffective or simply need adjustment. This approach aligns with the reality that trying to fix every vulnerability is a losing proposition. Instead, organizations validate, prioritize, and act with precision.

From static prediction to dynamic proof

CVSS will always have a place in cybersecurity. It offers a quick reference point and helps with initial triage. But in a world where attackers adapt faster than risk models, prediction alone is not enough.

Organizations need proof. They need real-world validation of exposures, informed by how adversaries actually operate, and grounded in the realities of their unique infrastructures.

Exposure validation doesn’t discard risk scores: it challenges them, augments them, and transforms them into a dynamic decision-making tool. By continuously validating exposures against real attack behaviors, organizations move from making assumptions about their security posture to proving it every day.

This shift has a profound impact on how security operations function. Instead of reacting to a flood of theoretical vulnerabilities, teams can act with clarity and precision. Instead of treating all risks as equal, they can focus their efforts on the few exposures that truly endanger critical assets. And instead of relying solely on periodic assessments, they can establish a state of sustainable readiness, where validation is continuous, automated, and deeply integrated into daily workflows.

Proof, not prediction. Context, not theory. Focus, not noise. This is the evolution that modern cybersecurity demands, and exposure validation makes possible.

The future is evidence-based security

The challenges security teams face today are not only about the volume of vulnerabilities but about the need to adapt faster than adversaries. Attackers are creative, determined, and opportunistic. Thus, they don’t wait for patch cycles or annual audits. To outpace them, defenders must anchor their strategies in continuous, real-world validation.

AEV empowers organizations to prioritize with evidence, remediate with confidence, and align resources to where they will have the greatest impact. It elevates cybersecurity from reactive defense to proactive resilience.

Risk scores will remain part of the ecosystem, but organizations that succeed in the future will be those that supplement prediction with proof, looking beyond CVSS and into the actual conditions shaping their risk at every moment.

The move from CVSS-based risk scoring to dynamic exposure validation is not just a technical upgrade; it’s a strategic imperative.

If you want to learn more about how AEV helps prioritize security efforts, check out our white paper: Introduction to Adversarial Exposure Validation.

Contributed by Picus Security