TRIS v2 is the first vulnerability scoring system that answers not just "how bad is this?" but also "can we actually defend against it?", "how much will this cost us?", and "is it getting more dangerous right now?"
TRIS v1 combined seven signals into a single vulnerability risk score: CVSS, EPSS, CISA KEV, threat actor targeting, asset criticality, exposure, and BAS (breach and attack simulation) exploit validation. It shipped 30 days ago. It worked. It beat CVSS-only prioritization by a wide margin from the first week. But after 30 days of production feedback across healthcare, finance, federal systems integrators, and critical infrastructure, the same five gaps kept surfacing independently from five different practitioner cohorts. We did not wait for a Q4 release cycle to close them. TRIS v2 shipped 30 days after v1.
Seven layers told you whether a vulnerability was dangerous in theory and active in the wild. They didn't tell you whether your controls could actually stop it. They didn't tell you how deep it sat in your software supply chain. They didn't tell you whether it was accelerating or decaying on the exploitation curve. And they didn't translate technical severity into the one language every board understands: money.
TRIS v2 adds five new intelligence layers that no other vulnerability scoring system combines: attack-path blast radius, supply-chain dependency propagation, defense efficacy coefficient, predictive threat trajectory, and FAIR-based financial impact quantification.
The result is a 0-100 score that correlates with actual breach probability and actual business impact for your specific organization. It runs entirely on your hardware. Your data never leaves your network.
One number. Twelve signals. Your reality, not a generic worst-case. TRIS v2 is the only scoring engine that combines static severity, exploitation probability, active exploitation, organizational context, network topology, threat actor targeting, and BAS validation with five novel dimensions: attack paths, supply chains, defense efficacy, predictive trajectory, and financial impact.
Every scoring system in the market today answers a subset of the questions security teams actually need answered. CVSS, EPSS, SSVC, Tenable VPR, Qualys TruRisk, Picus PXS, TRIS v1, every one of them misses something critical. That's not an exaggeration. It's the conclusion of a twelve-month audit of the vulnerability scoring landscape.
Here's what every existing system misses:
TRIS v2 closes every one of these gaps.
TRIS v2 organizes its scoring into three tiers: foundational signals (Layers 1-3), contextual signals (Layers 4-7), and the five novel dimensions (Layers 8-12) that separate TRIS v2 from every competitor.
TRIS v2 outputs a 0-100 score and a priority band. The bands map directly to SLA obligations and team workflows:
Score separation is meaningful. Because TRIS v2 uses a diminishing returns function across its twelve layers, a vulnerability scoring 94 is materially different from one scoring 76. Compare this to CVSS, where 57% of all CVEs score 7.0 or higher and only 2.3% are ever actually exploited, a compression problem TRIS v2 was designed to eliminate.
| Capability | TRIS v2 | CVSS | EPSS | SSVC | VPR (Tenable) | TruRisk (Qualys) | PXS (Picus) | TRIS v1 |
|---|---|---|---|---|---|---|---|---|
| Technical severity | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Exploit prediction | ✓ | ✗ | ✓ | partial | ✓ | ✓ | ✓ | ✓ |
| Active exploitation (KEV) | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ |
| Threat actor targeting | ✓ | ✗ | ✗ | ✗ | limited | ✗ | limited | ✓ |
| Asset criticality (auto) | ✓ | ✗ | ✗ | manual | manual | manual | ✗ | ✓ |
| BAS exploit validation | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ |
| Attack path blast radius | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Supply chain (SBOM) | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Defense efficacy (ATT&CK) | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | partial | ✗ |
| Predictive trajectory | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Financial quantification | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Runs locally / air-gapped | ✓ | n/a | ✗ | n/a | cloud | cloud | cloud | ✓ |
TRIS v2 is the only scoring system with a checkmark in every row.
To see what TRIS v2 changes in practice, consider how it handles two vulnerabilities that CVSS and TRIS v1 would score similarly.
CVE-A · CVSS: 9.8 Critical · EPSS: 0.04 · KEV: No
L8 Attack Path: Asset is 4 hops from crown-jewel via network segmentation. Limited blast radius.
L9 Supply Chain: Direct dependency only. Single application affected. Patch available.
L10 Defense Efficacy: Mapped ATT&CK techniques 92% covered by your EDR; BAS validation 12 days old.
L11 Trajectory: Decaying. No new exploit activity in the last 30 days.
L12 Financial: $38K expected loss (primarily productivity).
CVSS says: Fix first. TRIS v2 says: Band 03 · TRACK (score: 52).
CVE-B · CVSS: 7.5 High · EPSS: 0.91 · KEV: Yes
L8 Attack Path: Asset is directly adjacent to the identity provider. 47 downstream systems reachable.
L9 Supply Chain: Transitive dependency, 3 hops deep. Affects 12 production applications. No coordinated patch yet.
L10 Defense Efficacy: Mapped ATT&CK techniques 31% covered. BAS validation failed last run.
L11 Trajectory: Accelerating. Exploit forks tripled week-over-week. Two named APT groups adopting.
L12 Financial: $1.94M expected loss (primary + regulatory under SOC 2 + productivity).
CVSS says: Fix second. TRIS v2 says: Band 01 · ACT (score: 94).
The CVSS ordering is backwards. Every hour spent patching CVE-A while CVE-B is live and accelerating is an hour burned on the wrong problem. TRIS v2 surfaces this inversion on day one, not after the incident.
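The L8 and L9 facts in the two cases above (hops to a crown jewel, downstream systems reachable, transitive dependency depth, applications affected) are the outputs of two graph walks. The example below is an added illustration, not CVEasy AI or TRIS code (whose formulas this paper keeps proprietary): it computes those four quantities with breadth-first search over a constructed network adjacency and a constructed SBOM dependency graph. Hostnames, package names, the topology, and the `CROWN_JEWELS` set are all made up for the example.

```python
"""Illustrative Layer 8 / Layer 9 graph computations.
Constructed example for this page; not TRIS or CVEasy AI code.
"""
from collections import deque

# Constructed network topology: host -> hosts reachable via permitted flows
# (directed edges; segmentation is modelled simply by which edges exist).
NETWORK = {
    "web-01": ["app-01"],
    "app-01": ["db-01"],
    "db-01": ["jump-01"],
    "jump-01": ["idp-01"],
    "hr-portal": ["idp-01"],                               # directly adjacent to the IdP
    "idp-01": [f"svc-{i:02d}" for i in range(1, 11)],      # ten systems trust the IdP
}
CROWN_JEWELS = {"idp-01"}  # assumption: the identity provider is the crown jewel

# Constructed SBOM: application or package -> direct dependencies.
APPS = ["billing-api", "portal-web", "batch-etl"]
SBOM = {
    "billing-api": ["http-client", "orm"],
    "portal-web": ["http-client", "template-engine"],
    "batch-etl": ["csv-parser"],
    "http-client": ["tls-lib"],
    "tls-lib": ["compress-lib"],
    "template-engine": ["compress-lib"],
    "orm": ["db-driver"],
}


def shortest_hops(graph, start, targets):
    """BFS: minimum edge count from start to any node in targets; None if unreachable."""
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        node, dist = queue.popleft()
        if node in targets:
            return dist
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def downstream(graph, start):
    """Every node reachable from start by following edges (start itself excluded)."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(graph, asset, crown_jewels):
    """Layer 8 style summary: distance to nearest crown jewel and downstream reach."""
    return {
        "hops_to_crown_jewel": shortest_hops(graph, asset, crown_jewels),
        "downstream_count": len(downstream(graph, asset)),
    }


def dependency_depth(sbom, app, package):
    """Layer 9 style depth: 1 = direct dependency, 2+ = transitive; None if unused."""
    return shortest_hops(sbom, app, {package})


def affected_applications(sbom, apps, package):
    """Map each application that (transitively) pulls in package to its depth."""
    result = {}
    for app in apps:
        depth = dependency_depth(sbom, app, package)
        if depth is not None:
            result[app] = depth
    return result


if __name__ == "__main__":
    for host in ("web-01", "hr-portal"):
        print(host, blast_radius(NETWORK, host, CROWN_JEWELS))
    for pkg in ("compress-lib", "orm"):
        print(pkg, affected_applications(SBOM, APPS, pkg))
```

In this toy topology `web-01` sits four hops from the identity provider, the same shape as CVE-A's "4 hops from crown jewel", while `hr-portal` is adjacent to it and inherits its entire downstream reach, the shape of CVE-B. A real deployment would build `NETWORK` from firewall and routing data and `SBOM` from CycloneDX or SPDX documents; the walks themselves do not change.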
TRIS v2 operates entirely on your hardware. There is no SaaS telemetry bus, no cloud scoring service, no vendor-side database storing your asset inventory. Every layer computes locally against the data CVEasy AI already has in its SQLite database.
This is a deliberate architectural choice. Three of TRIS v2's twelve layers (L5 Asset Criticality, L8 Attack Path Blast Radius, and L9 Supply Chain Propagation) require deep knowledge of your internal network topology, your asset inventory, and your SBOM. Sending that information to a cloud scoring service isn't just a compliance problem for air-gapped environments and regulated industries. It's a competitive intelligence leak. TRIS v2 refuses to make that tradeoff.
Your data never leaves your network. Your scoring never depends on someone else's cloud being up. Your patent-pending intelligence engine runs on the same hardware that hosts your CVE database. That's not a marketing position. It's the architecture.
TRIS v2 is built into CVEasy AI and runs automatically. There is no configuration required. As soon as vulnerability data is imported (from Nessus, Qualys, Rapid7, OpenVAS, Nuclei, Burp, ZAP, Trivy, or CSV), TRIS v2 scores are calculated for every CVE on every asset.
Scores update dynamically when:
TRIS v2 is protected by patent claims covering its novel scoring dimensions and their composition. The five novel layers (attack path blast radius, supply chain dependency propagation, defense efficacy coefficient, predictive threat trajectory, and financial impact quantification) are protected both individually and as a composite scoring system.
Specific formulas, multipliers, diminishing-returns parameters, and threshold values are proprietary and not disclosed in this paper. CVEasy AI customers receive access to the full specification under mutual NDA as part of enterprise deployments.
CVSS answers: how severe is this?
EPSS answers: how likely is this to be exploited?
KEV answers: is this being exploited right now?
TRIS v2 answers: how urgently do I need to fix this, on this asset, in my environment, given my defenses, given my dependencies, given where the threat is heading, and given what it will cost if I'm wrong?
Twelve independent intelligence layers. Five of them brand new. Zero cloud dependency. One actionable score.
Your scoring engine should answer to practitioners, not to someone else's cloud.
Request a demo and see how TRIS v2 prioritizes your actual vulnerability data across all twelve layers.
Request a Demo →