TRIS v2 scores every vulnerability across 12 layers of contextual intelligence, including five dimensions no competitor has. Know exactly what to patch first.
When everything is "critical," nothing is. Your analysts are drowning in noise while real threats hide in the backlog.
Based on CVSS alone, nearly 30% are "Critical"
CVSS was designed to measure technical severity, not business risk. It tells you HOW BAD a bug could be, not whether anyone is actually exploiting it or if it even affects your environment.
The result? Security teams burn weeks patching theoretical "Critical" vulnerabilities while actively exploited, moderate-scoring bugs slip through.
Every vulnerability is evaluated across twelve intelligence dimensions. Seven originated in TRIS v1 and remain core to the model. Five are brand new in TRIS v2, and no other scoring system combines them.
Confirmed active exploitation from the CISA Known Exploited Vulnerabilities catalog. If attackers are using it in the wild right now, it moves to the top of your queue.
Technical severity straight from NVD. The starting point, but never the final answer. Attack vector, complexity, privileges required, and impact are all factored in.
Machine learning-based exploitation probability from FIRST.org. Predicts the likelihood a vulnerability will be exploited in the next 30 days using real-world threat data.
Asset criticality combined with sector-specific targeting intelligence. A vuln in your payment processing server matters more than the same vuln on a dev sandbox.
Combined attacker score from active campaigns, exploit kit availability, proof-of-concept code, dark web chatter, and threat actor interest. Real-time signal, not static data.
Your actual scanner data mapped against affected assets. Internet-facing, DMZ, internal-only, air-gapped. A network-exploitable vuln on an internet-facing host is radically different from the same CVE on an isolated system.
How long the vuln has existed, exploit maturity trajectory, patch availability, wormability indicators, and velocity of exploit development. Fresh zero-days score differently than 5-year-old bugs.
TRIS v2 adds five entirely novel scoring layers. No other vulnerability scoring system (CVSS, EPSS, SSVC, Tenable VPR, Qualys TruRisk, or Picus PXS) combines any of these five dimensions, let alone all of them.
Graph-based lateral movement modeling. TRIS v2 models your network as a directed graph and quantifies how many assets a vulnerability can reach, how many pivot paths exist to crown-jewel systems, and topological proximity to Tier 1 assets. No competitor models attack paths at all.
SBOM-aware transitive risk. TRIS v2 ingests your software bill of materials and quantifies how deep a vulnerability sits in your dependency tree, how many applications are transitively affected, and whether a fixed version exists. Log4Shell-class events, modeled properly. Zero competitor coverage.
MITRE ATT&CK technique coverage mapping. TRIS v2 maps each CVE's exploitation chain to ATT&CK techniques and scores the percentage your defenses actually cover, freshness-weighted by BAS validation age. Answers the question no other scoring system asks: how well defended are we against this specific chain?
Forward-looking momentum modeling. Where EPSS predicts probability, TRIS v2 predicts acceleration. Tracks week-over-week changes in exploit development, dark-web chatter, public PoC commit velocity, and fork activity. Identifies fast-movers before they hit the KEV catalog.
FAIR-based dollar-value risk quantification. TRIS v2 translates technical severity into expected monetary loss: primary loss (IR, forensics, containment), secondary loss (GDPR/HIPAA/PCI fines, notification, legal), and productivity loss (downtime against measured per-hour revenue). Finally, a number the board understands.
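An added illustration of the three graph metrics named in the lateral-movement layer above: reachable assets, pivot paths to crown-jewel systems, and hop proximity to Tier 1. It is not TRIS code or the vendor's algorithm; the topology, asset names and Tier 1 set are constructed, and breadth-first search plus simple-path counting is one assumed way to compute these figures.

```python
from collections import deque

# Constructed sample topology: edge A -> B means a foothold on A can reach B.
EDGES = {
    "web-dmz": ["app-01", "jump-01"],
    "app-01": ["db-pay", "cache-01"],
    "jump-01": ["app-01", "ad-dc"],
    "cache-01": [],
    "db-pay": [],
    "ad-dc": ["db-pay"],
    "dev-sandbox": ["cache-01"],
}
TIER1 = {"db-pay", "ad-dc"}  # hypothetical crown-jewel assets


def hop_distances(graph, start):
    """BFS: minimum number of hops from start to every reachable asset."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def count_pivot_paths(graph, node, targets, seen=frozenset()):
    """Count simple (cycle-free) paths from node that end on a target.

    Exhaustive enumeration: fine for a small graph, exponential in general.
    """
    seen = seen | {node}
    total = 0
    for nxt in graph.get(node, []):
        if nxt in seen:
            continue
        if nxt in targets:
            total += 1
        total += count_pivot_paths(graph, nxt, targets, seen)
    return total


def blast_radius(graph, vulnerable, tier1):
    """Summarise what a compromise of `vulnerable` can reach."""
    dist = hop_distances(graph, vulnerable)
    tier1_hops = [d for n, d in dist.items() if n in tier1 and n != vulnerable]
    return {
        "reachable_assets": len(dist) - 1,  # exclude the starting asset
        "pivot_paths_to_tier1": count_pivot_paths(graph, vulnerable, tier1),
        "min_hops_to_tier1": min(tier1_hops) if tier1_hops else None,
    }
```

The same CVE yields very different figures on `web-dmz` and on `dev-sandbox`, which is the distinction a severity-only score cannot express.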
See how TRIS transforms a panic-inducing CVSS score into an actionable, contextualized priority.
Windows TCP/IP Remote Code Execution. CVSS says: drop everything and patch immediately across your entire fleet.
TRIS v2 evaluated 12 layers and determined: this is not an emergency for YOUR environment right now.
This is one example. Every organization gets different TRIS scores based on their unique asset exposure, business context, and threat landscape.
TRIS maps every vulnerability into actionable SLA bands so your team always knows the timeline.
SLA windows are defaults. Fully configurable per organization, asset group, or compliance framework.
Each scoring system was designed with a different purpose. TRIS combines the best of both and adds five more dimensions.
| Capability | TRIS™ | CVSS v3.1/4.0 | EPSS |
|---|---|---|---|
| Technical severity | ✓ | ✓ | ✗ |
| Exploitation probability | ✓ | ✗ | ✓ |
| Active exploitation (KEV) | ✓ | ✗ | ✗ |
| Business context | ✓ | ✗ | ✗ |
| Your asset exposure | ✓ | ✗ | ✗ |
| Threat campaign data | ✓ | ✗ | Partial |
| Temporal / exploit maturity | ✓ | Optional metric | ✗ |
| Actionable SLA bands | 5 bands with timelines | 4 static labels | Raw percentage |
| Environment-specific | Unique per org | Same for everyone | Same for everyone |
| Auto-remediation guidance | ✓ AI-generated | ✗ | ✗ |
CVSS and EPSS are valuable inputs. TRIS v2 uses both as part of its 12-layer scoring. The difference is that TRIS v2 also adds your environment, your business, real-time threat data, attack-path analysis, supply-chain propagation, defense efficacy, predictive trajectory, and FAIR-based financial impact.
Once TRIS tells you what to patch first, CVEasy AI generates the exact fix commands for your operating systems.
TRIS scoring does not stop at prioritization. For every vulnerability that needs action, CVEasy AI's local LLM generates step-by-step remediation tailored to your actual environment.
See how TRIS v2 scoring transforms your vulnerability management program. 12 layers of intelligence. One clear answer.