True Risk Intelligence Score, the original proprietary 7-layer methodology that replaced CVSS for vulnerability prioritization.
This paper documents TRIS v1 and is retained for reference. TRIS v1 has been superseded by the TRIS v2 12-layer engine, which adds five novel dimensions: attack-path blast radius, supply-chain propagation, defense efficacy, predictive trajectory, and FAIR-based financial impact. Read the current TRIS v2 white paper →
CVSS was designed to measure the technical severity of a vulnerability. It was never designed to tell you what to fix first. A CVSS 9.8 that has no public exploit, no active exploitation, and affects a test server is less urgent than a CVSS 7.5 that APT29 is actively exploiting against your industry on an internet-facing production database.
TRIS (True Risk Intelligence Score) solves this by combining seven independent intelligence signals into a single actionable priority score. It tells security teams not just how bad a vulnerability is, but how urgently they need to fix it in their specific environment.
"Organizations using CTEM will be 3x less likely to suffer a breach by 2026.". Gartner, July 2025
Today, the average enterprise has 15,000+ open vulnerabilities. Of those:
Security teams using CVSS alone are fighting the wrong battles. They patch theoretical Critical vulnerabilities while actively exploited High vulnerabilities go unaddressed.
TRIS combines seven distinct intelligence layers, each contributing a weighted signal to the final score. The result is a dynamic, context-aware priority score from 0-100 that updates as conditions change.
| Capability | TRIS | Tenable VPR | Qualys TruRisk | CVSS |
|---|---|---|---|---|
| Technical severity | Yes | Yes | Yes | Yes |
| Exploit prediction (EPSS) | Yes | Yes | Yes | No |
| Active exploitation (KEV) | Yes | Yes | Yes | No |
| Threat actor context | Yes (49 APTs) | Limited | No | No |
| Asset criticality | Yes (auto-classified) | Manual | Manual | No |
| Public exposure | Yes (auto-detected) | No | No | No |
| Exploit validation (BAS) | Yes (BASzy built-in) | No | No | No |
| Score updates dynamically | Yes (real-time) | Daily | Daily | Never |
| Runs locally / air-gapped | Yes | No (cloud) | No (cloud) | N/A |
| Signal | CVE-2024-AAAA | CVE-2024-BBBB |
|---|---|---|
| CVSS | 9.8 (Critical) | 7.5 (High) |
| EPSS | 0.02 (2%) | 0.87 (87%) |
| KEV | No | Yes |
| Threat actors | None known | APT29, FIN7 |
| Asset | Dev laptop | Production DB |
| Public facing | No | Yes (port 5432) |
| BASzy validated | Blocked by EDR | Exploitable, undetected |
| CVSS priority | Fix first (9.8) | Fix second (7.5) |
| TRIS priority | Fix second (TRIS: 28) | Fix first (TRIS: 94) |
CVSS says fix the 9.8 first. TRIS says fix the 7.5 first because it's actively being exploited by known threat actors, on a public-facing production database, and BASzy proved it's exploitable with no detection. The 9.8 is theoretical. The 7.5 is an active threat.
TRIS is built into CVEasy AI and runs automatically. There is no configuration required. As soon as scan data is imported (from Nessus, Qualys, Rapid7, OpenVAS, Nuclei, Burp, ZAP, Trivy, or CSV), TRIS scores are calculated for every CVE on every asset.
Scores update dynamically as:
CVSS answers one question: "How severe is this vulnerability?"
TRIS answers the question that actually matters: "How urgently do I need to fix this vulnerability, on this asset, in my environment, right now?"
By combining seven independent intelligence layers, including real-world exploit validation through BASzy, TRIS eliminates the noise that causes security teams to spend the majority of their patching effort on vulnerabilities that will never be exploited, while leaving actively targeted exposures unaddressed.
TRIS is available exclusively in CVEasy AI, the first local-first CTEM platform on Apple hardware. Every score runs on your hardware. Your vulnerability data never leaves your building.
Request a demo and see how TRIS prioritizes your actual vulnerability data.
Request a Demo