Run a dependency scan on any real codebase and you get a wall of CVEs. Forty highs, a dozen criticals, and a creeping sense that the number is the problem. It is not. The problem is that CVSS alone cannot tell you what to fix first.
Three signals, not one
CVSS describes potential impact in a vacuum. It does not know whether anyone is exploiting the bug. Two extra signals fix that:
- KEV (CISA's Known Exploited Vulnerabilities catalog) is a binary "this is being exploited in the wild". A KEV match jumps the queue regardless of its CVSS.
- EPSS (Exploit Prediction Scoring System) is a probability that a CVE will be exploited in the next 30 days. It turns a flat list into a ranked one.
How NANOTESTING uses them
Dependency findings from the repository scan are enriched with KEV membership and EPSS probability. A medium-CVSS CVE that is on KEV with a high EPSS is more urgent than a critical that nobody has ever exploited and likely never will. The dashboard surfaces that ordering so your patch effort lands where the real-world risk is, not where the biggest number is.
The workflow
Patch every KEV match now. Then walk the EPSS ranking top-down until the probability drops into the noise. Everything below that is real but not this-week urgent, and pretending otherwise just burns your team out. The goal is not zero CVEs. The goal is zero EXPLOITABLE CVEs that you knew about and ignored.