TECHNICAL WHITE PAPER
TRIS Scoring Methodology
TrueRisk Intelligence Score - the proprietary 7-layer methodology that replaces CVSS for vulnerability prioritization.
Published: March 2026 | Author: CVEasy AI Research | Version: 1.0
Executive Summary
CVSS was designed to measure the technical severity of a vulnerability. It was never designed to tell you what to fix first. A CVSS 9.8 that has no public exploit, no active exploitation, and affects a test server is less urgent than a CVSS 7.5 that APT29 is actively exploiting against your industry on an internet-facing production database.
TRIS (TrueRisk Intelligence Score) solves this by combining seven independent intelligence signals into a single actionable priority score. It tells security teams not just how bad a vulnerability is, but how urgently they need to fix it in their specific environment.
"Organizations using CTEM will be 3x less likely to suffer a breach by 2026." - Gartner, July 2025
The Problem with CVSS-Only Prioritization
Today, the average enterprise has 15,000+ open vulnerabilities. Of those:
- 73% of critical CVSS scores (9.0+) have no known exploit in the wild
- Only 2-5% of all CVEs are ever actively exploited
- 60% of breaches exploit vulnerabilities rated High or Medium, not Critical
- CVSS scores never change after initial publication, even as the threat landscape evolves
Security teams using CVSS alone are fighting the wrong battles. They patch theoretical Critical vulnerabilities while actively exploited High vulnerabilities go unaddressed.
The TRIS 7-Layer Model
TRIS combines seven distinct intelligence layers, each contributing a weighted signal to the final score. The result is a dynamic, context-aware priority score from 0-100 that updates as conditions change.
TRIS = w1(CVSS) + w2(EPSS) + w3(KEV) + w4(ThreatActor) + w5(AssetCrit) + w6(Exposure) + w7(BASzy)
Layer 1: CVSS Base Score (Weight: 15%)
The foundational technical severity score from NVD. TRIS uses this as a baseline but reduces its weight significantly compared to CVSS-only approaches. A CVSS 9.8 and a CVSS 7.5 may receive similar TRIS scores depending on other factors.
Layer 2: EPSS Weaponization Probability (Weight: 20%)
The Exploit Prediction Scoring System from FIRST.org predicts the probability that a vulnerability will be exploited in the wild within 30 days. TRIS heavily weights this signal because it reflects real-world attacker behavior, not theoretical severity. A CVE with EPSS > 0.5 (50% chance of exploitation) receives a major TRIS boost regardless of CVSS.
Layer 3: CISA KEV Active Exploitation (Weight: 20%)
CISA's Known Exploited Vulnerabilities catalog is the definitive list of CVEs actively being used in attacks right now. Any CVE on the KEV list receives maximum weight in this layer. This is binary - either it's being exploited (maximum score) or it isn't (zero). CISA mandates federal agencies patch KEV entries within 14 days.
Layer 4: Threat Actor Targeting (Weight: 15%)
TRIS tracks 49 APT groups and their known toolkits, TTPs, and targeted industries. If APT29 (Cozy Bear) is known to exploit a specific CVE and your organization is in their target industry (government, defense, energy), this layer significantly boosts the TRIS score. This contextualizes the vulnerability to your specific threat landscape.
Layer 5: Asset Criticality (Weight: 10%)
Not all assets are equal. A vulnerability on a development laptop is less urgent than the same vulnerability on a production database server or domain controller. TRIS automatically classifies assets by role (web server, database, DC, workstation) and business criticality. Crown jewel assets receive maximum weight.
Layer 6: Public Exposure (Weight: 10%)
Internet-facing assets with exploitable vulnerabilities are far more urgent than internal-only assets carrying the same CVE. TRIS factors in whether the affected asset is publicly accessible, on which ports, and whether those ports are running the vulnerable service.
Layer 7: BASzy Exploit Validation (Weight: 10%)
This is what makes TRIS unique. BASzy runs real attack simulations against your environment and proves whether a vulnerability is actually exploitable in your specific configuration. A CVE that's theoretically critical but blocked by your WAF, EDR, or network segmentation receives a TRIS reduction. A CVE that BASzy proves is exploitable with no detection receives a major boost. This is the "validate" stage of CTEM that no other scoring system includes.
TRIS vs. Competitor Scoring
| Capability | TRIS | Tenable VPR | Qualys TruRisk | CVSS |
|---|---|---|---|---|
| Technical severity | Yes | Yes | Yes | Yes |
| Exploit prediction (EPSS) | Yes | Yes | Yes | No |
| Active exploitation (KEV) | Yes | Yes | Yes | No |
| Threat actor context | Yes (49 APTs) | Limited | No | No |
| Asset criticality | Yes (auto-classified) | Manual | Manual | No |
| Public exposure | Yes (auto-detected) | No | No | No |
| Exploit validation (BAS) | Yes (BASzy built-in) | No | No | No |
| Score updates dynamically | Yes (real-time) | Daily | Daily | Never |
| Runs locally / air-gapped | Yes | No (cloud) | No (cloud) | N/A |
How TRIS Changes Prioritization
Example: Two vulnerabilities, one choice
| Signal | CVE-2024-AAAA | CVE-2024-BBBB |
|---|---|---|
| CVSS | 9.8 (Critical) | 7.5 (High) |
| EPSS | 0.02 (2%) | 0.87 (87%) |
| KEV | No | Yes |
| Threat actors | None known | APT29, FIN7 |
| Asset | Dev laptop | Production DB |
| Public facing | No | Yes (port 5432) |
| BASzy validated | Blocked by EDR | Exploitable, undetected |
| CVSS priority | Fix first (9.8) | Fix second (7.5) |
| TRIS priority | Fix second (TRIS: 28) | Fix first (TRIS: 94) |
CVSS says fix the 9.8 first. TRIS says fix the 7.5 first because it's actively being exploited by known threat actors, on a public-facing production database, and BASzy proved it's exploitable with no detection. The 9.8 is theoretical. The 7.5 is an active threat.
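The seven-layer weighting and the two-CVE comparison above, worked in Python as an added illustration (this is not CVEasy AI's code). The layer weights are the paper's; the mapping of each layer onto a 0..1 signal, the asset-role and BASzy lookup tables, and the Finding fields are assumptions of this example, so it reproduces the paper's ordering (fix the 7.5 first) rather than its exact 28 and 94.

```python
from dataclasses import dataclass

# Layer weights from the TRIS white paper; they sum to 100, so the score is 0..100.
WEIGHTS = {"cvss": 15, "epss": 20, "kev": 20, "actor": 15,
           "asset": 10, "exposure": 10, "bas": 10}

# ASSUMED per-layer normalizations (not CVEasy AI's proprietary ones).
ASSET_CRIT = {"workstation": 0.2, "web": 0.7, "db": 0.9, "dc": 1.0}
BAS_SIGNAL = {"exploitable_undetected": 1.0, "unvalidated": 0.5, "blocked": 0.0}


@dataclass
class Finding:
    cve: str
    cvss: float            # NVD base score, 0..10
    epss: float            # FIRST.org 30-day exploitation probability, 0..1
    in_kev: bool           # listed in the CISA KEV catalog
    actors: int            # tracked APT groups exploiting it that target our industry
    asset_role: str        # key of ASSET_CRIT
    internet_facing: bool
    bas_result: str        # key of BAS_SIGNAL


def layer_signals(f: Finding) -> dict:
    """Map each intelligence layer onto a 0..1 signal (assumed scaling)."""
    return {
        "cvss": f.cvss / 10.0,
        "epss": f.epss,
        "kev": 1.0 if f.in_kev else 0.0,          # binary, as the paper states
        "actor": min(f.actors, 2) / 2.0,          # assumed: saturates at two groups
        "asset": ASSET_CRIT[f.asset_role],
        "exposure": 1.0 if f.internet_facing else 0.0,
        "bas": BAS_SIGNAL[f.bas_result],          # blocked by WAF/EDR lowers, proven raises
    }


def tris(f: Finding) -> int:
    """Weighted sum of the seven layer signals, rounded to an integer 0..100."""
    s = layer_signals(f)
    return round(sum(WEIGHTS[k] * s[k] for k in WEIGHTS))


def prioritize(findings):
    """Remediation queue: highest TRIS first, returned as CVE ids."""
    return [f.cve for f in sorted(findings, key=tris, reverse=True)]


# Constructed inputs mirroring the paper's two-CVE table.
AAAA = Finding("CVE-2024-AAAA", 9.8, 0.02, False, 0, "workstation", False, "blocked")
BBBB = Finding("CVE-2024-BBBB", 7.5, 0.87, True, 2, "db", True, "exploitable_undetected")

if __name__ == "__main__":
    for f in (AAAA, BBBB):
        print(f.cve, "CVSS", f.cvss, "TRIS", tris(f))
    print("fix order:", prioritize([AAAA, BBBB]))
```

Re-scoring a Finding with `in_kev=True` raises its TRIS by exactly the KEV layer's 20 points, which is the dynamic-update behaviour the Implementation section describes.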
Implementation
TRIS is built into CVEasy AI and runs automatically. There is no configuration required. As soon as scan data is imported (from Nessus, Qualys, Rapid7, OpenVAS, Nuclei, Burp, ZAP, Trivy, or CSV), TRIS scores are calculated for every CVE on every asset.
Scores update dynamically as:
- EPSS scores change (synced from FIRST.org)
- New CVEs are added to the CISA KEV catalog
- Threat actor intelligence is updated
- BASzy runs new attack simulations
- Asset criticality or exposure changes
- Remediation is applied and verified
Conclusion
CVSS answers one question: "How severe is this vulnerability?"
TRIS answers the question that actually matters: "How urgently do I need to fix this vulnerability, on this asset, in my environment, right now?"
By combining seven independent intelligence layers, including real-world exploit validation through BASzy, TRIS eliminates the noise that causes security teams to spend the majority of their patching effort on vulnerabilities that will never be exploited, while leaving actively targeted exposures unaddressed.
TRIS is available exclusively in CVEasy AI, the first local-first CTEM platform. Every score runs on your hardware. Your vulnerability data never leaves your building.