Pick a famous CVE or build your own scenario. TRIS v2 scores it across all 12 layers in real time. Watch the score diverge from CVSS as you add context. The part your scanner is missing.
Everything above this section is interactive. Everything below is the plain-English explanation of how the scoring engine works, what each of the twelve layers measures, and why we weighted them the way we did. Read it if you want the methodology. Skip it if you came for the tool.
TRIS v2 organizes its scoring into three tiers: foundational signals (Layers 1 through 3), contextual signals (Layers 4 through 7), and the five novel dimensions (Layers 8 through 12) that separate TRIS v2 from every competitor.
Layer 1. The foundational technical severity score from NVD. TRIS v2 uses it as a baseline but deliberately weights it lower than most scoring systems do, so that it does not dominate the composite. A CVSS 9.8 and a CVSS 7.5 can land within a few points of each other when the other eleven layers disagree.
Layer 2. FIRST.org's Exploit Prediction Scoring System estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. TRIS v2 weights this signal heavily because it reflects real-world attacker economics rather than theoretical severity.
Layer 3. CISA's Known Exploited Vulnerabilities catalog is the definitive "this is being used right now" signal. Any CVE on the KEV list triggers a hard override boost. CISA mandates that federal agencies patch KEV entries within 14 days.
Layer 4. TRIS v2 tracks 49+ named APT groups, their known toolkits, their TTPs, and the industries they target. When APT29 is known to use a specific CVE and your organization is in their target sector, this layer significantly boosts the score. Your threat landscape, not a generic one.
Layer 5. A vulnerability on a development laptop is not the same risk as the same vulnerability on a production database or domain controller. TRIS v2 auto-classifies assets by role and business criticality and applies a criticality coefficient. Crown-jewel assets receive maximum weight.
Layer 6. Internet-facing assets with exploitable services are categorically more urgent than internal-only assets with the same CVE. TRIS v2 factors in whether the affected asset is publicly reachable, which ports are exposed, and whether the vulnerable service is actually running on those ports.
Layer 7. TRIS v2 runs real attack simulations against your environment using 12,868 BASzy payloads and records whether the exploit actually works in your specific configuration. A theoretically critical CVE that your WAF or EDR blocks gets a reduction. A mid-severity CVE that BASzy proves is exploitable with no detection gets a major boost.
Layer 8. Graph-based lateral movement modeling. TRIS v2 models your network as a directed graph and quantifies how many assets a vulnerability can reach through lateral movement, how many distinct pivot paths exist to reach crown-jewel systems, and how close the affected asset sits to Tier 1 assets. No competitor offers this. Most treat all assets as topologically equivalent.
Layer 9. SBOM-aware transitive risk scoring. TRIS v2 ingests your software bill of materials and quantifies how deep a vulnerability sits in your dependency tree, how many applications are transitively affected, and whether a fixed version exists. Log4Shell, modeled correctly. Zero competitor coverage.
Layer 10. Continuous control validation, inverted. TRIS v2 maps exploitation chains to MITRE ATT&CK techniques and scores the percentage of those techniques covered by your organization's actual defenses, freshness-weighted by the age of the last BAS validation. It asks the question no other scoring system asks: how well defended are we against this specific attack sequence?
Layer 11. Forward-looking momentum forecast. TRIS v2 tracks week-over-week changes in exploit development, dark-web chatter, public PoC commit velocity, and fork activity on known exploit repositories, and identifies fast-movers accelerating from proof-of-concept to weaponized before they reach the KEV catalog.
Layer 12. FAIR-based dollar-value risk. TRIS v2 bridges security and finance by translating technical severity into expected monetary loss: primary loss (incident response, forensics, containment), secondary loss (regulatory fines under GDPR, HIPAA, PCI, notification costs, legal exposure), and productivity loss (downtime cost against your measured per-hour revenue).
The raw weighted sum of all twelve layers is passed through a diminishing-returns function before being normalized to a 0-100 score. This matters because linear scoring systems suffer from severity compression: half your catalog ends up clustered between 75 and 100 with no meaningful separation. TRIS v2 uses an exponential saturation curve that creates real separation between "critical" and "merely important" vulnerabilities. The practical ceiling is 94, which is only reachable with extreme signals across all twelve layers.
Five priority bands. ACT (90 to 100): immediate action, drop what you're doing, sub-24-hour SLA. ATTEND (75 to 89): same-week remediation, sprint commitment. TRACK (50 to 74): scheduled patching cycle, SLA-bounded. MONITOR (25 to 49): watch for trajectory change. INFORMATIONAL (0 to 24): document and move on. The cutoffs are deliberately asymmetric so ACT is rare, INFORMATIONAL is common, and everything meaningful lives in the middle three bands.
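As an added worked example (this is not CVEasy's code; the layer weights, the saturation constant, the two scenarios and the decision to fold the KEV hard-override rule into a plain weight are all assumptions made here), the following Python shows the pipeline the two paragraphs above describe: twelve 0-to-1 layer signals combined as a weighted sum, passed through an exponential saturation curve pinned so that a perfect raw score maps to the 94-point ceiling, then bucketed into the five priority bands. The two constructed scenarios show why CVSS-only triage and the composite can rank the same pair of findings in opposite orders.

```python
"""Toy reimplementation of a TRIS-style 12-layer composite score.

Illustrative only: the layer names follow the page, but the weights,
the saturation constant, the scenario values and the handling of KEV
are assumptions, not CVEasy's production parameters.
"""
import math

# Assumed weights (sum to 1.0). CVSS is deliberately the smallest
# foundational weight, as the page describes; EPSS and KEV dominate.
# The page's KEV "hard override boost" is approximated here by weight alone.
LAYER_WEIGHTS = {
    "cvss": 0.05,               # Layer 1: NVD base score scaled 0-10 -> 0-1
    "epss": 0.15,               # Layer 2: 30-day exploitation probability
    "kev": 0.15,                # Layer 3: on CISA KEV (0 or 1)
    "apt": 0.08,                # Layer 4: tracked APT uses the CVE against your sector
    "asset_criticality": 0.10,  # Layer 5: crown jewel = 1.0, dev laptop ~ 0.2
    "exposure": 0.10,           # Layer 6: internet-facing and service listening
    "bas_validated": 0.10,      # Layer 7: exploit confirmed to work in your config
    "blast_radius": 0.07,       # Layer 8: graph reach toward Tier 1 assets
    "sbom_depth": 0.05,         # Layer 9: transitive dependency exposure
    "control_gap": 0.05,        # Layer 10: 1 - fraction of ATT&CK techniques covered
    "momentum": 0.05,           # Layer 11: PoC-to-weaponized trajectory
    "financial": 0.05,          # Layer 12: FAIR expected loss normalised to 0-1
}

# Assumed saturation constant: chosen so a perfect raw signal of 1.0 maps to
# 94, the practical ceiling the page describes.
CEILING = 94.0
K = -math.log(1.0 - CEILING / 100.0)

# Priority bands from the page, highest cutoff first.
BANDS = [(90, "ACT"), (75, "ATTEND"), (50, "TRACK"), (25, "MONITOR"), (0, "INFORMATIONAL")]


def raw_score(signals):
    """Weighted sum of 0..1 layer signals, normalised to 0..1.

    Missing layers count as zero; out-of-range values are clamped;
    unknown layer names are rejected rather than silently ignored."""
    unknown = set(signals) - set(LAYER_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown layers: {sorted(unknown)}")
    total = sum(w * min(1.0, max(0.0, signals.get(name, 0.0)))
                for name, w in LAYER_WEIGHTS.items())
    return total / sum(LAYER_WEIGHTS.values())


def saturate(raw):
    """Exponential saturation: 0 -> 0, 1 -> CEILING, concave in between."""
    return 100.0 * (1.0 - math.exp(-K * raw))


def linear(raw):
    """The linear alternative the page contrasts against."""
    return 100.0 * raw


def band(score):
    for cutoff, name in BANDS:
        if score >= cutoff:
            return name
    return "INFORMATIONAL"


def tris_score(signals):
    """Return (score rounded to 0.1, priority band)."""
    score = saturate(raw_score(signals))
    return round(score, 1), band(score)


# Constructed scenarios (not real CVE data).
# CVSS 9.8 with no exploitation evidence, on an internal dev box, well covered.
QUIET_CRITICAL = {"cvss": 0.98, "epss": 0.02, "asset_criticality": 0.2,
                  "exposure": 0.0, "control_gap": 0.1}
# CVSS 7.5 on KEV, high EPSS, internet-facing crown jewel, BAS-confirmed.
NOISY_HIGH = {"cvss": 0.75, "epss": 0.9, "kev": 1.0, "apt": 0.7,
              "asset_criticality": 1.0, "exposure": 1.0, "bas_validated": 1.0,
              "blast_radius": 0.6, "sbom_depth": 0.5, "control_gap": 0.5,
              "momentum": 0.8, "financial": 0.6}

if __name__ == "__main__":
    for label, s in (("CVSS 9.8, quiet", QUIET_CRITICAL), ("CVSS 7.5, active", NOISY_HIGH)):
        r = raw_score(s)
        print(f"{label:18} raw={r:.3f} linear={linear(r):5.1f} TRIS={tris_score(s)}")
```

Run as a script it prints both scenarios; with these assumed weights the CVSS 9.8 finding lands in INFORMATIONAL while the CVSS 7.5 finding crosses into ACT, and the ACT cutoff of 90 on this curve is only reached once the raw weighted sum exceeds roughly 0.82, which is what keeps the top band rare.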
The free TRIS Lab above runs a simplified version of the scoring engine client-side in your browser. The production CVEasy AI platform runs the full engine against your actual data. Three critical capabilities are gated behind a demo request because they require your real environment: industry-specific threat modeling (sector multipliers), compliance-weighted scoring (HIPAA, PCI, SOC 2, FedRAMP), and your real network topology and SBOM for Layers 5, 8, and 9. If you want to see TRIS v2 running against your actual scan data, request a 30-minute demo. Your data stays entirely in your environment.