The Question
A mid-sized enterprise running Tenable or Qualys at scale typically has between 80,000 and 200,000 open vulnerability findings at any given time. The security operations team can close, through patching, configuration remediation, and compensating controls, somewhere between 2,000 and 8,000 per month. The math does not work: the backlog grows faster than it is resolved.
This is not primarily a resourcing problem. Adding headcount or patching capacity without changing the prioritization model increases throughput on the same queue — and a queue that is ordered by CVSS score contains hundreds of hours of remediation work on vulnerabilities that an attacker is unlikely to use, interleaved with the handful of exposures that represent the most direct paths to the organization's most valuable systems.
The CTEM reframe: the goal is not to minimize the number of open vulnerabilities. The goal is to minimize the probability of a successful attack reaching a business-critical target. These are not the same objective, and optimizing for the first does not optimize for the second. An organization that closes 5,000 CVSS 7.0+ vulnerabilities in systems that have no connection to its crown jewels has improved its vulnerability count metric while leaving its actual risk profile largely unchanged.
Vulnerability prioritization based on CVSS score alone is not a security program — it is a list management exercise that systematically deprioritizes exploitable low-CVSS vulnerabilities in favor of theoretical high-CVSS vulnerabilities that may be unexploitable in your environment.
Why This Matters Now
In October 2023, Cisco disclosed CVE-2023-20198, a critical authentication bypass vulnerability in Cisco IOS XE software's web UI feature — CVSS score 10.0, the maximum. CISA added it to the KEV catalog within 24 hours. Within days, researchers observed tens of thousands of compromised Cisco devices with attacker-installed implants. The devices affected were, in most cases, network infrastructure: routers and switches that, once compromised, gave attackers privileged visibility into network traffic and lateral movement paths across the organization.
The Cisco IOS XE incident illustrates both sides of the prioritization problem. Organizations that had this vulnerability in their environment and had the asset in their active monitoring scope and had CISA KEV as a prioritization trigger responded quickly and contained exposure. Organizations that had the asset buried in a backlog of 150,000 open findings, prioritized below a stack of CVSS 9.8 findings on internal systems with no exploitation activity, did not.
The 2025 Verizon DBIR reinforced the broader pattern: what gets exploited is not, as a rule, what is most technically severe. The vulnerabilities attackers actually use are the ones that are internet-facing, have working exploits, and are in active use in campaigns. The EPSS model, trained on observed exploitation telemetry, scores the typical CVE at a fraction of a percent probability of exploitation activity in any given 30-day window, yet the top one percent of CVEs by EPSS score account for the vast majority of observed exploitation events.
Concentrating remediation effort on that top one percent — filtered by environment context — is the operationally correct response. It is not the response that CVSS-based prioritization produces.
What the CURVE™ Data Shows
The 2026 Stackcurve CTEM CURVE™ Report evaluated vulnerability prioritization capabilities across platforms, with specific attention to the operational impact of layered prioritization models on remediation backlog and breach outcome rates.
Tenable One with Lumin is the most widely adopted platform for context-aware prioritization in the enterprise segment. Lumin's exposure score combines asset criticality (business context layer), CVSS and EPSS (technical severity and exploitability probability), threat intelligence (active campaign data), and exposure context (internet-facing, authentication requirement) into a single prioritized score that is directly actionable by remediation teams. Organizations with Lumin activated show statistically significantly smaller critical exposure windows than those running Tenable.io without Lumin.
Qualys TruRisk Platform takes a comparable approach with its Business Risk Score, mapping vulnerabilities to business asset hierarchies and weighting by revenue-generating criticality. TruRisk is particularly well-integrated with Qualys VMDR and Qualys Patch Management, enabling a closed-loop workflow from prioritization to deployment.
Rapid7 InsightVM's Real Risk Score incorporates CVSS, threat intelligence, and asset criticality, with Metasploit integration providing exploitability validation data as a direct input to scoring. For organizations with active red team or penetration testing programs, the Metasploit integration makes InsightVM's prioritization model uniquely calibrated to actual exploit tooling.
Tenable, Qualys, and Rapid7 all deliver this capability natively, but the CURVE™ data shows that fewer than 40 percent of enterprise deployments have activated and operationalized the context-aware prioritization modules. The platforms have the capability; the programs do not.
The full vendor rankings are in the 2026 Stackcurve CTEM CURVE™ Report — free to download.
The Gap Most Buyers Miss
Layer 1 — Exploitability: CISA KEV Is the Non-Negotiable First Filter
The CISA Known Exploited Vulnerabilities catalog is the federal government's continuously maintained list of CVEs with confirmed active exploitation in the wild. As of early 2026, it contains more than 1,200 entries. Under Binding Operational Directive 22-01, CISA attaches a remediation due date to every entry (the directive set two weeks for CVEs assigned in 2021 or later and six months for older ones; entries added since then carry a due date a few weeks out), requires federal agencies to remediate by that date, and treats KEV compliance as a minimum security baseline. The due dates are not tiered by exposure: an internal system carrying a KEV entry is on the same clock as an internet-facing one.
For non-federal enterprises, KEV provides the same value: it is the highest-confidence signal that a vulnerability is being actively used by real attackers. A vulnerability in CISA KEV should be automatically elevated to the top of the remediation queue, regardless of its CVSS score. Organizations that do not have an automated workflow triggered by new KEV entries are making prioritization decisions without the most operationally validated external signal available.
The secondary exploitability filter is EPSS. A CVE with an EPSS score above 0.5, meaning at least a 50 percent probability of exploitation activity in the next 30 days based on historical exploitation patterns, should be treated as high priority even if its CVSS score is below the organization's normal threshold. Two practical notes: a 0.5 cutoff admits only a small set of CVEs at any moment, so most programs pair the absolute score with the EPSS percentile (for instance, anything in the top few percent of all scored CVEs); and EPSS scores are republished daily, so the filter has to be re-evaluated on a schedule rather than applied once at import.
Layer 2 — Asset Criticality: Not All Systems Are Equal
The same CVE on two different systems carries different business risk based on what those systems do and who depends on them. Asset criticality classification — ranking systems by their importance to business operations — is the input that enables the security team to answer: "If this system is compromised, what is the impact to the business?"
Asset criticality classification does not need to be complex to be useful. A three-tier model — critical (revenue-generating, compliance-regulated, or crown jewel data systems), important (business-operational but not directly revenue-generating), and standard (internal tools, development systems, non-critical workloads) — applied consistently across the asset inventory provides sufficient differentiation to materially change prioritization outcomes.
The practical resistance: asset criticality classification requires collaboration between security and business owners, who are often not aligned on what "critical" means. Security teams that cannot get business owners to classify assets default to technical proxies — privileged access, compliance scope, data classification — which are imperfect but better than no criticality weighting.
Layer 3 — Exposure Context: Internet-Facing Changes Everything
A vulnerability on an internet-facing system is categorically different from the same vulnerability on an internal system with no route to the internet. Internet-facing systems are accessible to any attacker, anywhere, without the need for lateral movement. They are the first layer of the attack surface that threat actors enumerate. A CVSS 6.0 vulnerability on an internet-facing authentication gateway should outrank a CVSS 9.0 vulnerability on an air-gapped internal system.
Exposure context also includes authentication requirements (does exploitation require credentials, or is it pre-authentication?), adjacent system relationships (what can an attacker reach after exploitation?), and active exploitation detection (is there evidence of this CVE being scanned or exploited in threat intelligence feeds?).
Layer 4 — Attack Path Context: Where the CVE Sits in the Kill Chain
The highest-value prioritization input — and the hardest to operationalize — is attack path context: does this vulnerability represent a node in a viable attack path from an attacker's initial access point to a crown jewel target? A privilege escalation vulnerability on a system adjacent to the domain controller is more urgent than the same vulnerability on an isolated workstation, because the first represents a lateral movement opportunity in an active attack chain and the second does not.
Attack path context requires a graph model of the environment — network topology, identity relationships, trust boundaries, service dependencies — that most organizations do not maintain in a form that is queryable for security purposes. XM Cyber's attack path management platform and Microsoft Security Exposure Management build and maintain this graph model continuously, enabling automatic identification of which vulnerabilities sit in viable attack paths.
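What the four layers look like as a single ranking rule, as an added example rather than any vendor's scoring logic: the block below orders a constructed set of findings with KEV membership as an absolute first band, EPSS at or above 0.5 as a second band, and a composite of CVSS, asset tier, exposure and attack-path position within each band. The asset table, reachability graph, tier weights, multipliers and every EPSS value are assumptions made for this example; the CVE identifiers other than CVE-2023-20198 are placeholders, not real vulnerabilities.

```python
"""Four-layer exposure ranking over a constructed inventory.

Added example; not code from Tenable, Qualys, Rapid7 or any other platform.
KEV membership and EPSS values are constructed literals here; a real run would
load them from the CISA KEV JSON feed and the FIRST EPSS CSV. Weights and
multipliers are assumptions chosen to illustrate the ordering, not calibrated.
"""
from collections import deque
from dataclasses import dataclass

# Layer 2: three-tier asset criticality with an assumed weight per tier.
TIER_WEIGHT = {"critical": 3.0, "important": 2.0, "standard": 1.0}

# Constructed asset table: name -> (criticality tier, internet-facing?).
ASSETS = {
    "edge-rtr01": ("critical", True),    # border router exposing a management web UI
    "app01":      ("critical", True),    # customer-facing application server
    "jump01":     ("important", False),  # admin jump host
    "db01":       ("critical", False),
    "dc01":       ("critical", False),   # domain controller: the crown jewel
    "dev-ws":     ("standard", False),
    "build01":    ("standard", False),
}
CROWN_JEWELS = {"dc01"}

# Layer 4: constructed reachability graph. An edge a -> b means an attacker who
# controls a has both a network route and a usable trust relationship to b.
REACH = {
    "edge-rtr01": ["app01", "jump01"],
    "app01": ["db01", "jump01"],
    "jump01": ["dc01"],
    "dev-ws": ["build01"],
}

# Layer 1 inputs (constructed). Only CVE-2023-20198 is a real identifier;
# the CVE-0000-* entries are placeholders.
KEV = {"CVE-2023-20198"}
EPSS = {"CVE-2023-20198": 0.96, "CVE-0000-0001": 0.02, "CVE-0000-0002": 0.12,
        "CVE-0000-0003": 0.62, "CVE-0000-0004": 0.01}


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float
    pre_auth: bool  # exploitable without credentials (Layer 3 exposure detail)


def reachable(start, graph):
    """Breadth-first set of nodes reachable from start, including start itself."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def on_attack_path(asset, graph, entry_points, crown_jewels):
    """Layer 4: True if asset lies on some path from an entry point to a crown jewel."""
    if not (reachable(asset, graph) & crown_jewels):
        return False
    return any(asset in reachable(entry, graph) for entry in entry_points)


def priority_key(f):
    """Sort key; lower tuples rank first. Band 0 = KEV, band 1 = EPSS >= 0.5, band 2 = rest."""
    epss = EPSS.get(f.cve, 0.0)
    band = 0 if f.cve in KEV else (1 if epss >= 0.5 else 2)
    tier, internet_facing = ASSETS[f.asset]
    # Layer 3: exposure multipliers (assumed values).
    exposure = (2.0 if internet_facing else 1.0) * (1.5 if f.pre_auth else 1.0)
    entry_points = {a for a, (_, exposed) in ASSETS.items() if exposed}
    path = 2.0 if on_attack_path(f.asset, REACH, entry_points, CROWN_JEWELS) else 1.0
    composite = (f.cvss / 10.0) * TIER_WEIGHT[tier] * exposure * path * (0.5 + epss)
    return (band, -composite)


def rank(findings):
    """Return (cve, asset) pairs from most to least urgent."""
    return [(f.cve, f.asset) for f in sorted(findings, key=priority_key)]


FINDINGS = [  # constructed open findings
    Finding("CVE-0000-0001", "dev-ws", 9.8, True),        # high CVSS, isolated, no exploitation
    Finding("CVE-0000-0004", "build01", 9.0, False),
    Finding("CVE-0000-0002", "app01", 6.5, True),         # modest CVSS, exposed, on a path to dc01
    Finding("CVE-0000-0003", "jump01", 7.5, False),       # EPSS above 0.5
    Finding("CVE-2023-20198", "edge-rtr01", 10.0, True),  # in KEV
]

if __name__ == "__main__":
    for i, (cve, asset) in enumerate(rank(FINDINGS), 1):
        print(f"{i}. {cve} on {asset}")
```

The ordering that falls out is the one the four layers argue for: the KEV entry first, the EPSS-hot jump host second, then the CVSS 6.5 finding on the exposed application server that can reach the domain controller, and only then the two CVSS 9+ findings on isolated development hosts. Swapping the band rule for a pure CVSS sort would put those last two at the top.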
Questions Your Buying Team Should Be Asking
1. Does your vulnerability management platform's prioritization output incorporate all four layers — exploitability, asset criticality, exposure context, and attack path context — or does it rely primarily on CVSS score?
This question has a direct answer: pull the prioritization methodology from your current VM platform's documentation or vendor account team and map it against these four layers. A platform that ranks by CVSS with optional criticality weighting is delivering one of the four (asset criticality); the CVSS base score is a severity measure, not a statement about exploitation activity, exposure in your environment, or position in an attack path. The gap is exploitability integration (CISA KEV, EPSS), exposure context, and attack path context.
2. What is the average age of CVEs currently in your CISA KEV remediation backlog across internet-facing systems?
CISA KEV entries in the remediation backlog for internet-facing systems represent the organization's highest-confidence, most urgently exploitable exposures. If the average age exceeds 30 days, which is already longer than the due date CISA attaches to most new entries, the organization has a defined gap in its most important prioritization tier. If the organization cannot answer this question, CISA KEV integration is not operationally active.
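Producing the figure this question asks for is a join between the KEV feed and the open-findings export, as in the added example below (not vendor code). The catalog fragment uses the field names of the published CISA KEV JSON feed (cveID, dateAdded, dueDate) but is constructed for this example, as are the asset exposure table, the findings and the reporting date; the CVE-0000-* identifiers are placeholders. Age is counted from the later of the KEV dateAdded and the date the scanner first reported the finding, so a finding that opened after the catalog entry is not credited with age it never had.

```python
"""KEV backlog age for internet-facing findings.

Added example; not code from any scanning platform. The catalog fragment below
mirrors the field names of the CISA KEV JSON feed but is constructed, as are the
findings, the exposure table and the "today" date. CVE-0000-* are placeholders.
"""
from datetime import date

KEV_CATALOG = {  # constructed fragment in the shape of the CISA feed
    "vulnerabilities": [
        {"cveID": "CVE-2023-20198", "vendorProject": "Cisco", "product": "IOS XE Web UI",
         "dateAdded": "2023-10-16", "dueDate": "2023-10-20"},
        {"cveID": "CVE-0000-0001", "vendorProject": "Example", "product": "Example",
         "dateAdded": "2026-01-05", "dueDate": "2026-01-26"},
    ]
}

# Constructed asset exposure table: asset -> internet-facing?
INTERNET_FACING = {"edge-rtr01": True, "app01": True, "build01": False}

# Constructed open findings: (cve, asset, date the scanner first reported it).
OPEN_FINDINGS = [
    ("CVE-2023-20198", "edge-rtr01", "2023-10-17"),
    ("CVE-0000-0001", "app01", "2026-01-10"),
    ("CVE-0000-0001", "build01", "2026-01-10"),
    ("CVE-0000-0009", "app01", "2025-12-01"),  # not in KEV; must be excluded
]


def kev_index(catalog):
    """Map cveID -> (dateAdded, dueDate) from a feed-shaped catalog."""
    return {v["cveID"]: (date.fromisoformat(v["dateAdded"]), date.fromisoformat(v["dueDate"]))
            for v in catalog["vulnerabilities"]}


def kev_backlog_report(catalog, findings, exposure, today, internet_facing_only=True):
    """Age and overdue statistics for open findings that match a KEV entry.

    today may be a date or an ISO string. Findings whose CVE is not in the
    catalog are ignored; with internet_facing_only, so are findings on assets
    the exposure table does not mark as internet-facing.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    index = kev_index(catalog)
    rows = []
    for cve, asset, first_seen in findings:
        if cve not in index:
            continue
        if internet_facing_only and not exposure.get(asset, False):
            continue
        added, due = index[cve]
        start = max(added, date.fromisoformat(first_seen))
        rows.append({"cve": cve, "asset": asset,
                     "age_days": (today - start).days, "overdue": today > due})
    if not rows:
        return {"count": 0, "overdue": 0, "mean_age_days": 0.0, "oldest": None}
    oldest = max(rows, key=lambda r: r["age_days"])
    return {
        "count": len(rows),
        "overdue": sum(r["overdue"] for r in rows),
        "mean_age_days": sum(r["age_days"] for r in rows) / len(rows),
        "oldest": (oldest["cve"], oldest["asset"], oldest["age_days"]),
    }


if __name__ == "__main__":
    print(kev_backlog_report(KEV_CATALOG, OPEN_FINDINGS, INTERNET_FACING, "2026-02-01"))
```

In a real run the catalog is the JSON published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and the findings come from the scanner's export; the "overdue" count, which compares today against each entry's CISA dueDate, is the number to put in front of the buying team alongside the average age.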
3. How does your team handle the "won't-fix" and "risk-accepted" classifications in your vulnerability backlog, and what is the approval and review process for those classifications?
Mature prioritization programs do not only close vulnerabilities — they explicitly classify and document vulnerabilities that will not be patched and the rationale for that decision. A large "risk-accepted" category without review processes is an accountability gap. The question tests whether the organization's deprioritization decisions are deliberate and auditable or whether they are default inaction.
4. What is the organizational relationship between the team that owns vulnerability prioritization and the team that owns patch deployment, and what SLAs govern the handoff?
This question consistently reveals the operationalization gap in enterprise vulnerability management programs. Security owns the finding; IT operations owns the patch; the handoff is informal. Without a defined SLA — with an escalation path when SLAs are missed — prioritization decisions made by the security team do not translate to remediation outcomes. The answer to this question determines whether the CTEM program produces closed exposures or informed decisions that never get implemented.
5. Has your organization conducted a retrospective analysis of the last three security incidents or near-misses to identify whether the initial access vector was a vulnerability that was in your open backlog at the time of the incident?
This question tests whether the organization learns from its own data. If a breach occurred through an exploited CVE that was in the open backlog, the prioritization model failed — the right CVE was present but not elevated appropriately. Retrospective analysis of this pattern is the most direct feedback loop available for improving prioritization model calibration.
The Stackcurve Take
Prioritization is the highest-leverage activity in the vulnerability management workflow because it determines where human remediation effort goes. Improving prioritization without increasing the remediation team's capacity can produce materially better security outcomes — because the same effort, directed at higher-risk exposures, closes more actual attack surface than the same effort directed at a CVSS-ranked queue.
The investment case for context-aware prioritization is straightforward: most enterprises already have the scanning platform capable of delivering it. Tenable Lumin, Qualys TruRisk, and Rapid7's Real Risk Score are not separate product purchases; they are module activations and configuration work on platforms already deployed. The operational change is adding asset criticality data, connecting CISA KEV integration, and enabling EPSS weighting. The result is a prioritized remediation queue that a smaller team can work through with better outcomes than a larger team working through a CVSS-sorted backlog.
The caveat: prioritization without validation still operates on assumptions about exploitability. Organizations that invest in breach and attack simulation — Pentera, Cymulate, AttackIQ — get the additional confidence that their top-priority findings have been confirmed as exploitable in their specific environment. This is the Level 4 capability that builds on the Level 3 prioritization foundation.
The 2026 Stackcurve CTEM CURVE™ Report covers vulnerability prioritization platforms in detail, including scored comparisons of Tenable Lumin, Qualys TruRisk, Rapid7 InsightVM, and specialized prioritization layers like Nucleus Security and Flashpoint's VulnDB. Download it free →
Stackcurve Advisory Briefs are independent research. No vendor pays for placement, tier assignment, or editorial influence. The CURVE™ methodology is disclosed in full at stackcurve.net/research/methodology.