Range Scenario · crucible · 30 min
Vulnerability Prioritization: EPSS Plus AI Context
This training scenario simulates a working incident. Forty-seven CVEs hit your asset inventory this week. CVSS, EPSS, and an AI context model each rank them. Reconcile the rankings, pick the top 5 to remediate first, and defend the call.
Scenario briefing
You are the vulnerability management lead at a 4,000-employee fintech. Forty-seven CVEs landed in your scanner this week. Each has a CVSS v3.1 base score, an EPSS score, and an AI context model rank that pulls in CISA KEV listing, public exploit availability, and your asset criticality.
The three rankings disagree. The CVSS top-1 is a 9.8 in a test environment that is never internet-facing. The EPSS top-1 is a CVSS 5.4 with a high probability of exploitation in the next 30 days, on a customer-facing server. The AI top-1 is a CVSS 7.5 already on KEV with active exploitation reported.
This scenario tests vulnerability triage in the post-CVSS-only era and the discipline of pairing automated rank with environmental context. Sources: FIRST EPSS v3 (2024), CISA KEV catalog, NIST SP 800-30 Risk Assessment.
What you will practice
- Read CVSS, EPSS, and KEV signals together
- Use AI context output without abdicating triage judgment
- Defend a prioritization call to leadership in plain language
- Recognize the limits of CVSS alone for prioritization
How this scenario is scored
The scenario has 6 ordered steps. Most steps are exact-match (a MITRE ATT&CK technique ID, a tool name, or a yes/no decision) or multiple choice. Free-text steps queue for manual review and do not affect the auto-final-score in the MVP.
Each step has a maximum score of 100 points. Hints cost points, and the cost is listed before you reveal each one. Your final score is the sum across steps. Range Elo updates on completion based on scenario difficulty (Intermediate) and your final score percentage.
Frequently asked questions
What is EPSS and how does it differ from CVSS?
CVSS rates intrinsic severity (how bad if exploited). EPSS, run by FIRST.org, models the probability of exploitation in the next 30 days using historical exploit-in-the-wild data. A CVE can have CVSS 9.8 and EPSS 0.01 (severe but unlikely to be exploited) or CVSS 5.5 and EPSS 0.92 (moderate but actively used). Both signals matter.
What is CISA KEV?
CISA KEV (Known Exploited Vulnerabilities) is a public catalog of CVEs with confirmed in-the-wild exploitation. KEV listing comes with federal due dates for civilian agencies but is widely used in the private sector as a top-priority signal. Combining KEV listing with EPSS and asset criticality gives the right triage triangle.
How should the AI context model be used?
The AI context model joins CVE data to your asset inventory, exploit availability, and exposure. It is a starting rank, not a verdict. Verify by spot-checking that the asset criticality is correct, the exposure is real, and the exploit reference is verifiable. Wrong asset tagging is the most common AI context failure.
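The three FAQ answers above describe one triage loop: read CVSS, EPSS, and KEV together, weight them by asset context, then spot-check the context the model assumed. The script below is an added example written for this page, not code from the scenario or any vendor's model. The weighting formula, the CVE identifiers (zero-padded placeholders, not real CVEs), the sample findings and the inventory records are all constructed; the findings mirror the briefing's three disagreeing "top-1" results so the CVSS-only order and the context-aware order can be compared side by side.

```python
"""Constructed vulnerability triage example.

Combines CVSS base score, EPSS probability, CISA KEV membership and local
asset context into one ordering, then checks the model's asset assumptions
against the inventory of record. The weights are an illustrative heuristic,
not FIRST's, CISA's or any product's methodology.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder identifier, not a real CVE
    cvss: float              # CVSS v3.1 base score, 0.0 .. 10.0
    epss: float              # EPSS probability of exploitation in 30 days, 0.0 .. 1.0
    kev: bool                # listed in CISA KEV (confirmed in-the-wild exploitation)
    internet_facing: bool    # exposure as tagged by the context model
    asset_criticality: int   # 1 = isolated test/dev .. 3 = customer-facing production


# Constructed sample: the briefing's three "top-1" findings plus one filler.
SAMPLE: List[Finding] = [
    Finding("CVE-0000-0001", 9.8, 0.01, False, False, 1),  # CVSS top-1: critical, isolated test env
    Finding("CVE-0000-0002", 5.4, 0.75, False, True, 3),   # EPSS top-1: moderate, likely exploited, customer-facing
    Finding("CVE-0000-0003", 7.5, 0.40, True, True, 3),    # AI top-1: on KEV, active exploitation
    Finding("CVE-0000-0004", 8.1, 0.02, False, False, 2),  # high CVSS, low likelihood, internal
]


def context_score(f: Finding) -> float:
    """Heuristic priority = likelihood x impact x exposure (constructed weights).

    KEV membership floors likelihood at 0.9 because it is confirmed, not
    predicted, exploitation. Impact scales CVSS by asset criticality, and
    non-internet-facing assets are discounted rather than ignored.
    """
    likelihood = max(f.epss, 0.9 if f.kev else 0.0)
    impact = (f.cvss / 10.0) * f.asset_criticality
    exposure = 1.0 if f.internet_facing else 0.3
    return round(likelihood * impact * exposure, 3)


def rank(findings: List[Finding], key: Callable[[Finding], float]) -> List[str]:
    """Return CVE ids ordered from highest to lowest priority under `key`."""
    return [f.cve for f in sorted(findings, key=key, reverse=True)]


def rank_by_cvss(findings: List[Finding] = SAMPLE) -> List[str]:
    """The CVSS-only order the page warns against using on its own."""
    return rank(findings, lambda f: f.cvss)


def rank_by_context(findings: List[Finding] = SAMPLE) -> List[str]:
    """The combined CVSS + EPSS + KEV + asset-context order."""
    return rank(findings, context_score)


# Constructed inventory of record, keyed by CVE id, used to spot-check the
# model's assumptions. exploit_reference is a placeholder URL, not a real one.
INVENTORY: Dict[str, Dict] = {
    "CVE-0000-0002": {"asset_criticality": 2, "internet_facing": True},
    "CVE-0000-0003": {"asset_criticality": 3, "internet_facing": True,
                      "exploit_reference": "https://advisory.example.invalid/placeholder"},
}


def spot_check(f: Finding, inventory: Dict[str, Dict] = INVENTORY) -> List[str]:
    """Verify the three things the FAQ says to check before trusting a rank.

    Returns a list of discrepancies; an empty list means the model's context
    matches the inventory. Asset tagging is checked first because the page
    names it as the most common context-model failure.
    """
    rec = inventory.get(f.cve)
    if rec is None:
        return ["no inventory record: asset criticality and exposure cannot be confirmed"]
    problems: List[str] = []
    if rec["asset_criticality"] != f.asset_criticality:
        problems.append(f"criticality tagged {f.asset_criticality}, inventory says {rec['asset_criticality']}")
    if rec["internet_facing"] != f.internet_facing:
        problems.append("exposure tag disagrees with inventory")
    if f.kev and not rec.get("exploit_reference"):
        problems.append("KEV/exploit claim has no verifiable reference on file")
    return problems


if __name__ == "__main__":
    print("CVSS-only order:   ", rank_by_cvss())
    print("Context-aware order:", rank_by_context())
    for f in SAMPLE:
        print(f.cve, context_score(f), spot_check(f) or "context verified")
```

Run as-is, the CVSS-only order puts the isolated 9.8 first, while the context-aware order puts the KEV-listed 7.5 first and the customer-facing 5.4 second, which is the reconciliation the scenario asks for. The spot check then flags that the 5.4's asset was tagged criticality 3 but the inventory says 2, so its rank should be recomputed before it is defended to leadership; the 9.8 and 8.1 have no inventory record at all, which is itself a finding.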