Vulnerability Management: Assessing the Risks with CVSS, CISA KEV, EPSS, and SSVC
1h 11mIntermediate2025-07-14
Authors

Lora Vaughn
Cybersecurity Executive in Financial Services
Course details
Vulnerability management is a critical part of an effective information security program, but determining which vulnerabilities to address first is a daunting challenge. In this course, learn how to differentiate between vulnerability severity and vulnerability risk. Discover what elements can be combined to determine vulnerability severity, techniques you can use to determine the risk a vulnerability poses to your specific environment, and things to consider when building a vulnerability management program.
Learning objectives
Analyze vulnerability characteristics to accurately assess the severity of identified vulnerabilities in information systems.
Evaluate the interplay between exploitability, severity, and business criticality to determine the risk level of specific vulnerabilities in your organization's environment.
Differentiate between vulnerability severity and vulnerability risk in the context of an effective vulnerability management program.
Synthesize various elements to construct a comprehensive method for determining vulnerability severity in diverse information systems.
Design a structured vulnerability management program that prioritizes addressing critical vulnerabilities based on both severity and organizational risk factors.
Learning objectives
Analyze vulnerability characteristics to accurately assess the severity of identified vulnerabilities in information systems.
Evaluate the interplay between exploitability, severity, and business criticality to determine the risk level of specific vulnerabilities in your organization's environment.
Differentiate between vulnerability severity and vulnerability risk in the context of an effective vulnerability management program.
Synthesize various elements to construct a comprehensive method for determining vulnerability severity in diverse information systems.
Design a structured vulnerability management program that prioritizes addressing critical vulnerabilities based on both severity and organizational risk factors.
Skills covered
Vulnerability ManagementCybersecurityOne-Off
Concepts
Vulnerability Basics
- 01 - Vulnerability risk assessment
- 02 - Vulnerability types and their causes
- 03 - Methods for addressing vulnerabilities
1. Vulnerability Severity Conversations
- 04 - Intro to determining severity with CVSS
- 05 - Making sense of the CVSS Vector String
- 06 - Attack method or vector when determining severity
- 07 - How attack complexity impacts severity
- 08 - How access or privileges required affects severity
- 09 - How user interaction affects severity
- 10 - Security Scope in CVSS v 3.1
- 11 - How impacts affect severity
2. Severity vs. Risk
- 12 - Severity and risk are not the same
- 13 - Challenges with CVSS and severity scores
- 14 - Vendor-specific severity scoring methodologies
- 15 - Other vulnerability scoring methodologies - KEV and EPSS
- 16 - Solution - Comparing vulnerabilty severity scores
3. Moving from Severity to Risk
- 17 - Why severity scores alone aren't enough
- 18 - Risk assessment basics
- 19 - Exploit availability
- 20 - Asset categorization
- 21 - Combining severity and risk to drive action
- 22 - Solution - Prioritize vulnerabilities for remediation
4. Stakeholder-Specific Vulnerability Categorization
- 23 - Intro to SSVC
- 24 - SSVC - Exploitation
- 25 - SSVC - Automatable
- 26 - SSVC - Technical impact
- 27 - SSVC - Mission prevalence and public well-being
- 28 - Using SSVC
- 29 - Solution - Using SSVC to prioritize vulnerabilities
5. Building a RIsk-Based Vulnerability Management Program
- 30 - Core components to a program
- 31 - Detect vulnerabilities
- 32 - Assess the risk
- 33 - Assign vulnerablities for remediation
- 34 - Remediate and confirm vulnerabilities
- 35 - Outliers - Handling celebrity vulnerabilities
Conclusion
- 36 - Just the beginning
Related courses
- Vulnerability Management: Assessing the Risks with CVSS v3.1
- Implementing Zero Trust for 5G and Open RAN
- CompTIA CySA+ (CS0-002) Cert Prep: 1 Threat Management
- OWASP Top 10: #5 Security Misconfiguration and #6 Vulnerable and Outdated Components
- Vulnerability Management in Cybersecurity: The Basics
- Vulnerability Management with Nessus
- Security Testing: Vulnerability Management with Nessus
- Implementing a Vulnerability Management Lifecycle
Related learn paths
- Become an Ethical Hacker
- Prepare for the CompTIA Cybersecurity Analyst + (CySA+) (CS0-002) Certification Exam
- Working with Data: Collecting, Processing, and Storing Data for AI
- Prepare for the CompTIA Cybersecurity Analyst (CySA+) (CS0-003) Certification
- Become an IT Security Specialist
- Prepare for the CompTIA Security+ (SY0-701) Certification
- Leverage AI as a Cybersecurity Analyst
- Communication Skills for Senior Managers