
Why every NANOTESTING report carries a CISA KEV and EPSS priority score

2 min read · kev · epss · prioritization · cvss · vulnerability management

CVSS has done a tour of duty since 2005 and it still has the same problem: a 9.8 base score does not tell you whether the bug is being exploited today. Your engineering team has finite time. They need to know which findings to fix first, not which ones could theoretically matter. NANOTESTING adds two signals to every scan that change the answer.

CISA KEV: is anyone exploiting this right now?

The CISA Known Exploited Vulnerabilities catalog is the US government's list of CVEs that are confirmed under active exploitation. Bugs land on the KEV list within days of public exploitation. When a scan finds a CVE on the KEV list, NANOTESTING flags it with a red KEV badge on the dashboard and bumps its priority score above any non-KEV finding of the same severity. We refresh the KEV feed daily via a cron so the dataset is never more than 24 hours stale.

FIRST.org EPSS: what is the 30-day exploit probability?

EPSS is the FIRST.org Exploit Prediction Scoring System: a daily model that estimates the probability that a CVE will be exploited in the next 30 days. EPSS is intentionally probabilistic. A CVSS 9.8 bug with an EPSS score of 0.001 is unlikely to ever be exploited; a CVSS 6.5 bug with an EPSS score of 0.95 is almost guaranteed to be hit. The priority column in our reports multiplies CVSS by the EPSS percentile so the "fix these first" list reflects real-world exploit pressure, not paper severity.

The composite priority score

We combine CVSS severity, CISA KEV membership (a hard multiplier), EPSS percentile, and detector confidence into a single 0-100 priority score. Every report sorts by this column by default. Customers tell us this single change cuts the "fix the right thing first" debate from a half-day meeting to a five-minute review.
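As an added illustration (not NANOTESTING's own code; the post does not publish its weights), here is one way such a composite can be built so that KEV acts as a hard override and a KEV finding always outranks a non-KEV finding of equal severity. The KEV weight, the EPSS cap, the confidence factor and the sample findings are all assumptions.

```python
from dataclasses import dataclass

# Illustrative weights (assumptions, not NANOTESTING's actual formula).
KEV_EXPLOIT_WEIGHT = 1.0   # confirmed exploitation: treat exploit pressure as certain
EPSS_CAP = 0.8             # non-KEV findings never exceed this exploit weight,
                           # so a KEV finding outranks any non-KEV one of equal severity


@dataclass(frozen=True)
class Finding:
    finding_id: str         # constructed placeholder, not a real CVE id
    cvss: float             # CVSS base score, 0-10
    epss_percentile: float  # FIRST.org EPSS percentile, 0-1
    kev: bool               # listed in the CISA KEV catalog
    confidence: float       # detector confidence, 0-1


def exploit_weight(f: Finding) -> float:
    """KEV membership is a hard override; otherwise use EPSS percentile, capped below KEV."""
    if f.kev:
        return KEV_EXPLOIT_WEIGHT
    return EPSS_CAP * f.epss_percentile


def priority_score(f: Finding) -> float:
    """Composite 0-100 score: paper severity x exploit pressure x detector confidence."""
    if not (0 <= f.cvss <= 10 and 0 <= f.epss_percentile <= 1 and 0 <= f.confidence <= 1):
        raise ValueError(f"out-of-range input for {f.finding_id}")
    raw = f.cvss * 10.0 * exploit_weight(f) * f.confidence
    return round(max(0.0, min(100.0, raw)), 1)


def rank(findings):
    """Highest priority first; ties broken by CVSS so the order is deterministic."""
    return sorted(findings, key=lambda f: (priority_score(f), f.cvss), reverse=True)


# Constructed sample findings: the post's two contrasting cases plus a KEV/non-KEV pair
# of identical severity and confidence.
SAMPLE = [
    Finding("SAMPLE-A", cvss=9.8, epss_percentile=0.05, kev=False, confidence=1.0),
    Finding("SAMPLE-B", cvss=6.5, epss_percentile=0.95, kev=False, confidence=1.0),
    Finding("SAMPLE-C", cvss=7.5, epss_percentile=0.60, kev=True, confidence=0.9),
    Finding("SAMPLE-D", cvss=7.5, epss_percentile=0.99, kev=False, confidence=0.9),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{f.finding_id:9} cvss={f.cvss:4} kev={str(f.kev):5} "
              f"epss_pct={f.epss_percentile:.2f} -> priority {priority_score(f):5.1f}")
```

Run as-is, the CVSS 9.8 finding with low exploit pressure drops to the bottom, while the KEV finding beats a non-KEV finding of the same CVSS even though the latter has a higher EPSS percentile.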

The honest part

KEV + EPSS do not replace context you have that we do not. A bug behind a WAF on a non-prod target is less urgent than the same bug on prod. We surface every priority input on every finding so your team can override the ranking with full visibility into where the number came from.

Try the prioritisation against a real target on the scan dashboard.