You are the cybersecurity vulnerability management lead at a 4,000-employee fintech. Forty-seven CVEs landed in your scanner this week. Each has CVSS v3.1 base, EPSS score, and an AI context model rank that pulls in CISA KEV listing, public exploit availability, and your asset criticality.
Three rankings disagree. CVSS top-1 is a 9.8 in a never-internet-facing test environment. EPSS top-1 is a 5.4 with a high probability of exploitation in the next 30 days, on a customer-facing server. AI top-1 is a 7.5 already on KEV with active exploitation reported.
This scenario tests vulnerability triage in the post-CVSS-only era and the discipline of pairing automated rank with environmental context. Sources: FIRST EPSS v3 (2024), CISA KEV catalog, NIST SP 800-30 Risk Assessment.
One ordered pass through every step. No clock. Each answer scores against the canonical solution.
Hints reduce the points you can earn for that step. Free-text steps queue for manual review.