CVSS vs EPSS vs TRIS: Which Vulnerability Scoring System Should You Trust?
Every security team faces the same fundamental problem: you have thousands of vulnerabilities and limited resources. The scoring system you use to prioritize determines which vulnerabilities get fixed and which sit in the backlog. Choose the wrong system and you spend months patching theoretical risks while actively exploited vulnerabilities go unaddressed.
Three scoring systems dominate the conversation in 2026: CVSS (Common Vulnerability Scoring System), EPSS (Exploit Prediction Scoring System), and TRIS (True Risk Intelligence Score). Each takes a fundamentally different approach to the same question: what should we fix first?
This post breaks down how each system works, where each fails, and why the future of vulnerability prioritization requires more than a single number.
CVSS: The Foundation That Became a Crutch
How CVSS Works
CVSS was developed by NIST and is maintained by FIRST.org. It measures the technical severity of a vulnerability using a standardized set of metrics. The current version, CVSS v4.0, evaluates a vulnerability across four metric groups:
- Base Metrics: Attack vector, attack complexity, privileges required, user interaction, scope, and impact on confidentiality, integrity, and availability
- Threat Metrics: Exploit code maturity (new in v4.0, replacing Temporal)
- Environmental Metrics: Modified base metrics adjusted for your specific environment (rarely used in practice)
- Supplemental Metrics: Safety, automatable, recovery, value density, provider urgency (new in v4.0)
The output is a score from 0.0 to 10.0 with severity labels: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0).
Where CVSS Fails
CVSS was designed to answer one question: "How technically severe is this vulnerability?" It was never designed to answer the question security teams actually need answered: "How urgently should I fix this vulnerability in my environment?" These are fundamentally different questions, and using CVSS to answer the second one creates serious problems.
Here are the specific failure modes:
- CVSS scores are static. A score assigned when a CVE is published never changes, even as the threat landscape evolves. A CVSS 9.8 from 2019 with no exploit still reads as 9.8 in 2026. The real-world risk has changed dramatically, but the score has not.
- CVSS ignores exploit availability. The base score does not consider whether anyone has written an exploit, whether it is being used in the wild, or whether threat actors are targeting it. A theoretically severe vulnerability with no public exploit gets the same urgency as one being actively used by ransomware groups.
- CVSS has no context. A CVSS 9.8 on a development laptop that never leaves your office and a CVSS 9.8 on a public-facing production database get the same score. The risk is not remotely the same.
- CVSS creates alert fatigue. When everything is Critical, nothing is. The average enterprise has thousands of Critical and High CVSS findings. Teams cannot patch all of them, so they either try to patch everything (and burn out) or start ignoring the scores entirely.
For a deeper analysis of CVSS limitations, read our post on why CVSS alone is creating your patch backlog.
EPSS: Predicting What Actually Gets Exploited
How EPSS Works
EPSS was developed by FIRST.org (the same organization that maintains CVSS) as a direct response to the limitations of severity-only scoring. Instead of asking "how severe is this vulnerability?", EPSS asks "what is the probability that this vulnerability will be exploited in the wild within the next 30 days?"
EPSS uses a machine learning model trained on observed exploitation data from multiple sources including IDS/IPS signatures, exploit databases, honeypots, and threat intelligence feeds. The model considers over 1,400 features for each CVE, including:
- Days since publication
- Vendor and product category
- Whether exploit code exists on Exploit-DB, Metasploit, or GitHub
- References to the CVE on dark web forums and paste sites
- Social media mentions and security researcher activity
- CVSS vector components (as features, not as the score itself)
- Historical exploitation patterns for similar vulnerability types
The output is a probability between 0 and 1. An EPSS score of 0.85 means there is an 85% chance this CVE will be exploited in the next 30 days. An EPSS score of 0.003 means a 0.3% chance.
What EPSS Gets Right
EPSS represents a massive improvement over CVSS for prioritization. Research from FIRST.org shows that using EPSS to prioritize the top 10% of vulnerabilities by exploitation probability captures over 60% of all actually exploited CVEs while only requiring you to address 10% of your total findings. CVSS prioritization of the top 10% by severity score captures less than 30% of exploited CVEs.
Put simply: EPSS is significantly better at identifying what attackers will actually target.
Where EPSS Falls Short
EPSS is a prediction model, and like all prediction models, it has limitations:
- EPSS has no environmental context. An EPSS score of 0.9 means the CVE is likely to be exploited somewhere in the world. It says nothing about whether it is exploitable in your specific environment, on your specific asset, with your specific compensating controls.
- EPSS does not know your assets. A high-EPSS vulnerability on an air-gapped test server is very different from the same vulnerability on a public-facing production database. EPSS cannot distinguish between these because it has no visibility into your infrastructure.
- EPSS is probabilistic, not validated. It predicts exploitation probability based on historical patterns. It does not prove whether a vulnerability is actually exploitable right now in your configuration. Prediction and validation are different things.
- EPSS can lag zero-days. The model is trained on historical data. A brand new zero-day with no exploitation history may receive a low initial EPSS score even when it is being actively exploited, simply because the model has not yet observed exploitation signals.
- EPSS does not track threat actors. It predicts exploitation probability in aggregate. It does not tell you whether APT29, FIN7, or a specific ransomware group is targeting a CVE. Industry-specific threat context is absent.
For a deeper look at how EPSS fits into a broader scoring strategy, see our post on EPSS + KEV + enterprise context.
TRIS v2: 12 Layers of Intelligence
How TRIS Works
TRIS (True Risk Intelligence Score) is the proprietary scoring system built into CVEasy AI. It was designed from the ground up to solve the problems that both CVSS and EPSS leave unaddressed. Rather than relying on a single signal, TRIS v2 combines 12 independent intelligence layers into a normalized composite score from 0 to 100.
Here is the shape of the formula:
TRIS = w1(CVSS) + w2(EPSS) + w3(KEV) + w4(BusinessImpact) + w5(Exposure)
+ w6(ThreatPressure) + w7(Temporal) + w8(BlastRadius) + w9(SupplyChain)
+ w10(DefenseEfficacy) + w11(Trajectory) + w12(FinancialImpact)
The 12 Layers
Layer 1: Severity Foundation (CVSS)
TRIS does not discard CVSS. Technical severity still matters. But TRIS v2 weights it at just 8% of the total score, down from 15% in v1, reflecting the reality that severity alone is a poor predictor of real-world risk. A CVSS 9.8 and a CVSS 7.5 may receive similar TRIS scores depending on the other 11 layers. This is the only layer weight we publish, and it is deliberately low.
Layer 2: Exploitation Probability (EPSS)
EPSS is one of the strongest predictive signals available, and TRIS weights it heavily because real-world exploitation probability is more actionable than theoretical severity. A CVE with an EPSS score above 0.5 (50% chance of exploitation in 30 days) receives a major TRIS boost regardless of its CVSS score.
Layer 3: Confirmed Exploitation (CISA KEV)
The CISA Known Exploited Vulnerabilities catalog is the definitive list of CVEs currently being used in real attacks. KEV presence acts as a hard override boost: confirmed exploitation pushes a score up no matter what the predictive layers say. CISA mandates that federal agencies patch KEV entries within 14 days, and for good reason. Our deep dive on the CISA KEV catalog covers why this matters.
Layer 4: Business Impact Context
Not all assets are equal. A vulnerability on a development laptop is less urgent than the same vulnerability on a production domain controller. TRIS classifies assets by role (web server, database, domain controller, workstation) and business criticality. Crown jewel assets push scores up sharply.
Layer 5: Network Exposure Topology
Internet-facing assets with exploitable vulnerabilities are exponentially more urgent than internal-only assets with the same CVE. TRIS factors in whether the affected asset is publicly accessible, on which ports, and whether those ports are running the vulnerable service. This layer matters because attack surface management begins with understanding exposure.
Layer 6: Threat Pressure (Attacker Readiness)
TRIS tracks 49 APT groups and their known toolkits, TTPs, and targeted industries. If APT29 (Cozy Bear) is known to exploit a specific CVE and your organization operates in their target industry (government, defense, energy), this layer significantly boosts the TRIS score. This is the threat context that neither CVSS nor EPSS provide.
Layer 7: Temporal Dynamics
Risk is not static. Exploit code that dropped on GitHub yesterday matters more than exploit code from 2019. This layer tracks how the risk picture moves over time, including exploit release recency, disclosure age, and patch availability, so scores rise and fall as the threat landscape shifts. CVSS never updates. TRIS updates continuously.
Layer 8: Attack Path Blast Radius (Novel)
The first of five novel layers unique to TRIS v2, and part of the patent-pending core of the model. Blast radius measures what an attacker can reach after exploiting a given vulnerability. A foothold that leads nowhere scores differently from one that opens a path to the domain controller. BASzy maps and validates these attack paths against your real environment, which is the "validate" stage of CTEM that no other scoring system includes. Read our guide to breach and attack simulation for more on why validation changes the game.
Layer 9: Supply Chain Dependency Propagation (Novel)
A vulnerability in a shared library, build pipeline, or upstream vendor does not stay put. This layer models how exposure propagates through your dependency graph, so a flaw in one component is scored against everything downstream of it, not just the asset it was found on.
Layer 10: Defense Efficacy Coefficient (Novel)
Your compensating controls change your real risk. A CVE that is theoretically critical but blocked by your WAF, EDR, or network segmentation receives a TRIS reduction. A CVE that BASzy proves is exploitable with no detection receives a major boost. This layer measures whether your defenses actually work against each specific threat, not whether they exist on paper.
Layer 11: Predictive Threat Trajectory (Novel)
Where is exploitation heading? This layer projects near-term exploitation momentum from researcher chatter, proof-of-concept activity, and historical patterns for similar vulnerability classes, so you can get ahead of a CVE that is about to land on KEV instead of reacting after it does.
Layer 12: Financial Impact Quantification (Novel)
The final layer translates technical risk into dollars using FAIR-based modeling: revenue exposure, regulatory penalties, and operational disruption. This is what lets a TRIS score speak the language of the board, not just the SOC.
The Same CVE, Scored Three Ways
Theory is useful, but a concrete example makes the differences clear. Let us take a real-world scenario with two vulnerabilities and see how CVSS, EPSS, and TRIS each prioritize them.
CVE-2024-21762: Fortinet FortiOS Out-of-Bound Write
| Signal | CVE-2024-21762 (FortiOS) | CVE-2024-3400 (PAN-OS) |
|---|---|---|
| CVSS Score | 9.8 (Critical) | 10.0 (Critical) |
| EPSS Score | 0.93 (93%) | 0.97 (97%) |
| CISA KEV | Yes | Yes |
| Threat Actors | APT28 (Fancy Bear), multiple ransomware groups | UTA0218 (state-sponsored), ransomware groups |
| Your Asset | Internal-only FortiGate (management VLAN, no public exposure) | Internet-facing PA-5200 (primary perimeter firewall) |
| Exposure | Not publicly reachable | Public IP on ports 443, 80 |
| BASzy Result | Exploit blocked by network segmentation | Exploitable, full command execution confirmed |
How Each System Prioritizes
| Scoring System | CVE-2024-21762 Priority | CVE-2024-3400 Priority | Fix First |
|---|---|---|---|
| CVSS | 9.8. Critical | 10.0. Critical | CVE-2024-3400 (by 0.2 points) |
| EPSS | 0.93. Very High | 0.97. Very High | CVE-2024-3400 (by 0.04 points) |
| TRIS | TRIS 52. Medium | TRIS 97. Critical | CVE-2024-3400 (by 45 points) |
All three systems agree that CVE-2024-3400 should be fixed first. But the degree of differentiation tells a completely different story.
CVSS sees both as essentially equal. They are 0.2 points apart. A security team using CVSS would treat them with identical urgency, potentially patching whichever is more convenient first.
EPSS sees both as very high probability exploitation targets. The difference is 0.04 points. Again, a team using EPSS alone would reasonably treat them as equal priority.
TRIS sees a 45-point gap. CVE-2024-3400 scores 97 because it lights up layer after layer of the v2 model: high severity, near-certain exploitation, on the KEV list, heavy threat pressure from state-sponsored actors, a business-critical perimeter asset, direct public exposure, a validated attack path with a wide blast radius, and no compensating control that holds up under BASzy testing. CVE-2024-21762 scores 52 because, despite its high CVSS and EPSS scores and KEV presence, it sits on an internal-only asset with no public exposure, and the defense efficacy layer credits the network segmentation that BASzy proved blocks the exploit. The risk is real but the urgency is dramatically lower.
A Side-by-Side Comparison
| Capability | CVSS | EPSS | TRIS |
|---|---|---|---|
| Measures technical severity | Yes (primary purpose) | No | Yes (Layer 1, 8% weight) |
| Predicts exploitation probability | No | Yes (primary purpose) | Yes (Layer 2, heavily weighted) |
| Tracks active exploitation | No | Indirectly | Yes (Layer 3, KEV, hard override boost) |
| Threat actor context | No | No | Yes (Layer 6, 49 APTs tracked) |
| Asset criticality awareness | No (env, metrics rarely used) | No | Yes (Layer 4, auto-classified) |
| Public exposure awareness | Attack vector only | No | Yes (Layer 5, auto-detected) |
| Exploit validation | No | No | Yes (Layers 8 and 10, BASzy) |
| Scores update dynamically | Never | Daily | Real-time |
| Maintained by | FIRST.org / NVD | FIRST.org | CVEasy AI |
| Open standard | Yes | Yes | Proprietary |
| Scale | 0.0, 10.0 | 0, 1 (probability) | 0 - 100 |
Common Objections and Honest Answers
"CVSS is good enough for compliance"
This is technically true. Most compliance frameworks (PCI DSS, HIPAA, SOC 2, FedRAMP) reference CVSS scores as thresholds for patch SLAs. You need CVSS for compliance. But compliance is the floor, not the ceiling. Meeting a "patch all Criticals in 30 days" SLA does not mean you are secure. It means you are compliant. Those are different things. TRIS gives you CVSS-based compliance reporting and risk-based operational prioritization in the same platform.
"EPSS is enough if we combine it with CVSS"
Combining CVSS and EPSS is better than either alone. Several vendors do this. But two signals still miss three critical dimensions: your asset context, your exposure profile, and whether the vulnerability is actually exploitable in your specific environment. A CVE with a CVSS 9.8 and EPSS 0.95 that is blocked by your WAF is less urgent than a CVE with CVSS 7.5 and EPSS 0.6 that BASzy proves is exploitable on your unprotected production database. Two signals cannot make this distinction. Twelve can.
"TRIS is proprietary, so we cannot audit it"
Fair concern. The TRIS v2 methodology white paper documents all 12 layers, how they combine, and the data sources for each. Every TRIS score in CVEasy AI shows the contribution from each layer, so you can see exactly why a vulnerability received its score. Transparency is a design principle, not an afterthought. We also want to point out that Tenable VPR, Qualys TruRisk, and CrowdStrike ExPRT.AI are all proprietary scoring systems that provide less transparency about their methodology than TRIS does.
"We should just focus on KEV and patch those first"
KEV-first is a strong strategy and vastly better than CVSS-first. But the KEV catalog is intentionally conservative. CISA only adds CVEs with confirmed active exploitation AND a clear remediation path. There are actively exploited vulnerabilities that are not yet on KEV. TRIS uses KEV as one of 12 signals, not the only signal. This catches both the confirmed-exploited (KEV) and the likely-to-be-exploited-next (EPSS + threat actor targeting).
When to Use Each System
These systems are not mutually exclusive. Here is a practical guide for when each one adds the most value:
Use CVSS when you need a standardized severity assessment for compliance reporting, vendor advisories, or communicating with non-technical stakeholders who understand the 0-10 scale. CVSS is a universal language.
Use EPSS when you want to filter noise quickly. If you have 10,000 open findings and need to cut to the ones most likely to be exploited soon, sorting by EPSS is a fast way to separate signal from noise. EPSS is freely available at api.first.org and does not require any commercial tool.
Use TRIS when you need to make real-world patching decisions that account for your specific environment, assets, exposure, and validated exploitability. TRIS is the operational scoring system that drives daily prioritization. It is built into CVEasy AI and runs automatically on every imported scan.
Building a Scoring Strategy
If you are designing a vulnerability management program from scratch, here is how to build a scoring strategy that works:
- Start with EPSS to filter. Any CVE with EPSS below 0.1 (10% exploitation probability) can be deprioritized in most environments. This immediately reduces your actionable finding count by 80-90%.
- Use KEV as a hard override. Anything on the CISA KEV list gets patched regardless of other scores. No exceptions, no delays.
- Layer in asset context. A High-EPSS finding on a development VM is less urgent than a Medium-EPSS finding on a production database. Your scoring system needs to know which assets matter.
- Validate with BAS. Before dedicating engineering time to a complex patch, prove the vulnerability is actually exploitable in your environment. BASzy does this automatically for 19,608 attack techniques mapped to MITRE ATT&CK.
- Report with CVSS. When presenting to the board or meeting compliance requirements, translate your TRIS-driven priorities back into CVSS language that auditors understand. See our CISO board reporting guide for practical templates.
For a full guide to building this workflow, read building a vulnerability management program from scratch.
The Future of Vulnerability Scoring
The industry is moving away from single-signal scoring. CVSS will remain the universal severity language, the same way Fahrenheit and Celsius remain temperature scales even though neither tells you whether to bring an umbrella. EPSS will become table stakes for any serious vulnerability management platform. The competitive frontier is in environmental context, threat intelligence correlation, and exploit validation.
Gartner's CTEM framework explicitly includes "validation" as a required stage. Scoring systems that cannot incorporate validation data will increasingly fall behind. TRIS is built around this insight: the score should change when you prove whether a vulnerability is actually exploitable, not just when someone publishes a new advisory.