Security Operations Tools

CVSS Prioritization Calculator

Enter CVSS score, EPSS probability, and context factors to compute remediation priority, SLA tier, and risk score.

Calculations run locally in your browser

Example — CVSS 7.8 · EPSS 0.045 · internet-facing · no KEV

• CVSS base score: 7.8 (High)

• EPSS probability: 4.5% (exploitation in 30 days)

• Priority tier: P1 — Patch within 7d

• Risk score: 10.6, computed as CVSS × (1 + EPSS) × exposure × KEV factor

The CVSS Prioritization Calculator combines CVSS base score, EPSS probability, exposure, and CISA KEV status into a remediation priority score and SLA tier.

• Prioritize a backlog of vulnerabilities by combined CVSS and EPSS score

• Determine SLA tier for a Critical CVE on an internet-facing system

• Calculate priority for a CVE that's in the CISA Known Exploited Vulnerabilities list

• Justify expedited patching for a high-EPSS medium-CVSS vulnerability

What affects the result most?
Priority ladder:

• KEV → P0

• Critical + internet OR High + EPSS ≥ 0.5 → P1 24h

• High + internet OR High + EPSS ≥ 0.1 → P1 7d

• High → P2 14d

• Medium + EPSS ≥ 0.1 → P2 14d

• Medium → P3 30d

• Low → P4

EPSS score: Exploit Prediction Scoring System — a 0–1 probability estimate of exploitation activity being observed in the next 30 days. Forecast, not proof of exploitation; see FIRST.org EPSS SIG.

Suggested SLAs combine CVSS, exposure, CISA KEV, and EPSS. KEV-listed CVEs are emergency; use EPSS to escalate likely-to-be-exploited non-KEV vulnerabilities.
How should I use the result?
The calculation is deterministic — the same inputs always produce the same output — so the most useful workflow is to vary one input at a time and see which factor moves the result most. That tells you where to focus your attention before committing to a decision.
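The priority ladder and the vary-one-input workflow described above, as an added JavaScript example (not the calculator's own code). It assumes the standard CVSS v3.x severity bands and that a rung naming High also covers Critical; `prioritize` and `sensitivity` are hypothetical names, and P0 and P4 carry no hour or day figure because the page gives none.

```javascript
// Added example, not the calculator's source. Severity bands are the
// standard CVSS v3.x qualitative ratings (7.8 -> High, as on the page).
function severity(cvss) {
  if (cvss >= 9.0) return "Critical";
  if (cvss >= 7.0) return "High";
  if (cvss >= 4.0) return "Medium";
  return "Low"; // assumption: a 0.0 ("None") score is treated like Low
}

// Rungs are checked top to bottom; the first match decides the tier.
// Assumption: a rung naming "High" also covers Critical, so a Critical
// finding never ranks below a High one with the same context.
function prioritize({ cvss, epss, internetFacing = false, kev = false }) {
  if (!(cvss >= 0 && cvss <= 10)) throw new RangeError("cvss must be 0-10");
  if (!(epss >= 0 && epss <= 1)) throw new RangeError("epss is a 0-1 probability, not a percent");
  const sev = severity(cvss);
  const high = sev === "High" || sev === "Critical";
  const out = (tier, sla) => ({ tier, sla, severity: sev });
  if (kev) return out("P0", "emergency"); // page gives no hour figure for P0
  if ((sev === "Critical" && internetFacing) || (high && epss >= 0.5)) return out("P1", "24h");
  if (high && (internetFacing || epss >= 0.1)) return out("P1", "7d");
  if (high) return out("P2", "14d");
  if (sev === "Medium") return out(epss >= 0.1 ? "P2" : "P3", epss >= 0.1 ? "14d" : "30d");
  return out("P4", null); // page gives no SLA for P4
}

// One-at-a-time sensitivity: apply each single change to the baseline and
// flag the ones that move the tier or SLA.
function sensitivity(baseline, changes) {
  const base = prioritize(baseline);
  return Object.entries(changes).map(([name, change]) => {
    const r = prioritize({ ...baseline, ...change });
    return { name, tier: r.tier, sla: r.sla, moved: r.tier !== base.tier || r.sla !== base.sla };
  });
}

// Baseline is the page's worked example; the variations are constructed.
const example = { cvss: 7.8, epss: 0.045, internetFacing: true, kev: false };
console.log(prioritize(example));
console.table(sensitivity(example, {
  "not internet-facing": { internetFacing: false },
  "EPSS 0.10": { epss: 0.1 },
  "EPSS 0.50": { epss: 0.5 },
  "KEV-listed": { kev: true },
  "CVSS 6.5": { cvss: 6.5 },
}));
```

For the page's example, raising EPSS to 0.10 leaves the tier unchanged because internet exposure already satisfies the same rung, while removing the exposure drops it to P2 14d.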