How to Read Your TRIS Score (and Stop Drowning in CVSS)
CVSS tells you how bad a vulnerability could be in theory. TRIS tells you what to do about it today. Here is how to read it.

If you have ever exported a scan and watched it return four thousand "critical" findings, you already know the problem. The scanner did its job. It told you what is theoretically dangerous. What it did not tell you is where to start on Monday morning. That gap, between a list of severities and an actual plan of work, is the entire reason TRIS exists.
This post is a practitioner's guide to reading the score: not the math behind it, which CVEasy computes for you, but what the number means and what it tells you to do.
Why CVSS alone leaves you stuck
The CVSS base score is a static severity rating. It answers one question well: in the worst case, how bad could exploitation of this flaw be? That is genuinely useful information, and TRIS uses it. But notice everything the base score cannot know. It does not know whether anyone is actually exploiting the CVE in the wild. It does not know who is exploiting it, a ransomware crew, a nation-state, or nobody at all. And critically, it has no idea whether the affected asset matters to your business or sits forgotten on a lab subnet nobody can reach.
Because the base score is identical for every organization on earth, every scanner hands you the same undifferentiated pile of 9.8s and 10.0s and leaves you to sort it out. (CVSS does define temporal and environmental metric groups that could carry some of this context, but scanners and advisories almost universally report only the base score, so in practice the base score is what you get.) A CVSS score cannot be a priority, because a priority is relative to your environment and CVSS is relative to nothing. That is why teams drown. They are handed severity and asked to produce order, and those are not the same thing.
What TRIS actually folds in
TRIS, the True Risk Intelligence Score, is CVEasy AI's proprietary scoring engine. It collapses twelve layers of intelligence into a single number from 0 to 100. You do not compute any of this; the point of the score is not the inputs but what the output lets you decide. The twelve layers are:
- CVSS base score. The theoretical severity ceiling, the same input you already trust.
- EPSS exploitation probability. The statistical likelihood this CVE gets exploited in the near term.
- CISA KEV. Whether it is on the Known Exploited Vulnerabilities catalog, meaning active, confirmed exploitation.
- Threat-actor targeting. Whether named adversaries are using it, and whether they hit your industry.
- Asset criticality. How much the affected asset matters to your business.
- Public exposure. Whether the asset is internet-facing or tucked behind segmentation.
- BASzy validation. Proven exploitability against your real environment, not assumed.
- Attack-path blast radius. What an attacker reaches if this one falls.
- Supply-chain propagation. How far the affected component spreads through your stack.
- Defense efficacy. What your existing control coverage already buys you.
- Predictive trajectory. Whether exploitation is accelerating or cooling off.
- FAIR-based financial impact. The dollars-and-cents business cost, modeled, not guessed.
Read that list again and notice the shift. Half of those layers are about your environment and your attackers, not the abstract flaw. That is the whole difference. CVSS scores the vulnerability. TRIS scores the risk that vulnerability poses to you specifically.
The action bands, and the deadlines they imply
A score on its own is still just a number. What makes TRIS operational is that scores are sorted into four action bands, and each band carries a real timeframe you can put on a calendar:
- ACT (90 to 100). Actively dangerous right now. Patch within 72 hours. These are the findings where every layer is screaming at once.
- ATTEND (75 to 89). Schedule it into this sprint, inside two weeks. Serious, but you have room to plan it properly.
- TRACK (50 to 74). Address it this quarter. It belongs on the roadmap, not the fire drill.
- MONITOR (25 to 49). Watch for change. Low priority today, but flagged so you notice the day its trajectory shifts.
Those bands are not decoration. They drive the TRIS Sprint Board, which lives under the Remediate group in CVEasy. Every finding sorts itself into its band automatically, so the board is your work queue. You do not triage four thousand items by hand. You open ACT, you clear it, you move to ATTEND. The list becomes a plan.

A worked example: Log4Shell
Take the one everybody remembers, Log4Shell, CVE-2021-44228. CVSS scored it 10.0, the absolute ceiling. Useful, but a 10.0 only tells you it could be catastrophic. TRIS goes further, and the CVE detail page shows you exactly why.
On that page you see EPSS sitting at the 100th percentile, meaning it ranks above essentially every other CVE for predicted exploitation. You see an active CISA KEV listing carrying a federal remediation deadline, which is confirmation that exploitation is not hypothetical, it is happening, and the government has put a clock on it. Attacker pressure is scored high, with public exploit code observed in the wild. And the page surfaces the compliance frameworks the finding puts at risk, so the business consequence is on the screen, not buried in a spreadsheet somewhere.

Here is the contrast that makes the whole approach click. A CVSS 7.5 that is under active exploitation by a named actor who targets your industry will outrank a theoretical CVSS 9.0 that nobody has ever weaponized. Read on a pure CVSS list, the 9.0 wins every time and you waste your sprint on it. TRIS encodes the judgment a senior analyst would make in their head (the exploited 7.5 is the real fire), and it does it for every finding, consistently, without anyone having to argue about it in a meeting.
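To make the band thresholds and the "exploited 7.5 beats theoretical 9.0" judgment concrete, here is a small Python prioritizer. It is an added illustration, not CVEasy's code and not the TRIS formula: the weights, the reachability discount, the 1-to-5 asset criticality scale and the two placeholder findings are all assumptions chosen for the example. Only the band floors and deadlines come from the post, and only the Log4Shell row uses a real CVE id.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One scan finding plus the context a CVSS base score cannot carry."""
    cve: str
    cvss: float                   # CVSS base score, 0.0 to 10.0
    epss: float                   # EPSS probability of exploitation, 0.0 to 1.0
    kev: bool                     # listed in the CISA KEV catalog
    actor_targets_industry: bool  # a named actor is using it against your sector
    internet_facing: bool         # reachable from the internet
    asset_criticality: int        # 1 (throwaway lab box) to 5 (crown jewel); assumed scale


# Illustrative weights chosen for this example. They are NOT the TRIS weights.
W_CVSS, W_EXPLOIT, W_REACH, W_BUSINESS = 0.35, 0.35, 0.15, 0.15


def context_score(f: Finding) -> float:
    """Toy 0-100 risk score: CVSS sets the ceiling, context decides how much of it you face."""
    # Exploitation evidence: a KEV listing is confirmed exploitation, so it saturates the
    # term; otherwise use EPSS, raised if a named actor already aims it at your industry.
    exploitation = 1.0 if f.kev else f.epss
    if f.actor_targets_industry:
        exploitation = max(exploitation, 0.9)
    # Reachability: internal assets still count, but at a discount (assumed factor).
    reachability = 1.0 if f.internet_facing else 0.4
    business = f.asset_criticality / 5.0
    raw = (W_CVSS * f.cvss / 10.0
           + W_EXPLOIT * exploitation
           + W_REACH * reachability
           + W_BUSINESS * business)
    return round(100.0 * min(raw, 1.0), 1)


# Band floors and deadlines as the post describes them.
BANDS = (
    (90, "ACT", "patch within 72 hours"),
    (75, "ATTEND", "this sprint, inside two weeks"),
    (50, "TRACK", "this quarter"),
    (25, "MONITOR", "watch for change"),
)


def band(score: float) -> Optional[str]:
    """Map a score to its action band. The post defines no band below 25, so that is None."""
    for floor, name, _deadline in BANDS:
        if score >= floor:
            return name
    return None


def rank_by_risk(findings):
    """Work-queue order: highest context score first, CVSS as the tie-breaker."""
    ordered = sorted(findings, key=lambda f: (context_score(f), f.cvss), reverse=True)
    return [f.cve for f in ordered]


def rank_by_cvss(findings):
    """What a plain scanner export gives you."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample findings: Log4Shell, the exploited 7.5 and the theoretical 9.0 from
# the text. The EPSS, exposure and criticality values are made up for the example.
SAMPLE = [
    Finding("CVE-2021-44228", 10.0, 0.97, True, True, True, 5),
    Finding("example-exploited-7.5", 7.5, 0.80, True, True, True, 4),
    Finding("example-theoretical-9.0", 9.0, 0.02, False, False, False, 2),
]

if __name__ == "__main__":
    for f in sorted(SAMPLE, key=context_score, reverse=True):
        s = context_score(f)
        print(f"{f.cve:26} cvss={f.cvss:4} score={s:5} band={band(s)}")
    print("by CVSS:", rank_by_cvss(SAMPLE))
    print("by risk:", rank_by_risk(SAMPLE))
```

Run as written, the CVSS sort puts the theoretical 9.0 second and the exploited 7.5 last; the context sort reverses them, with Log4Shell in ACT, the exploited 7.5 in ATTEND and the theoretical 9.0 in MONITOR. The additive form is deliberate: each term stays visible, so a reader can see which input moved a finding, which is the same "show your work" property the post asks of any risk score.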
Reading a single finding all the way down
The score and the band tell you what to do. When you need to know why a finding landed where it did, click any score chip on the Sprint Board. That opens the full twelve-layer breakdown, every input laid out, so you can see which layers drove the number up or pulled it down. Maybe it is ACT because it is KEV-listed and internet-facing. Maybe it dropped to TRACK because your existing controls already neutralize the attack path. Either way, the reasoning is right there, which means you can defend the priority to an auditor, a CISO, or a skeptical engineer without hand-waving.
That transparency matters more than it sounds. Plenty of tools will hand you a "risk score" and ask you to trust it. The reason TRIS can be trusted with the decision is that it shows its work. You are never asked to take the band on faith. You can always click down to the twelve layers and see the case.
The shift in one sentence
CVSS told you how bad each flaw could be in a vacuum. TRIS tells you which flaws are dangerous to your business right now, sorts them into bands with real deadlines, and puts them on a board you can actually work. Stop ranking by severity. Start working by risk. That is the entire difference between drowning in criticals and clearing them in order.