All posts

Kusari Score now includes active vulnerability exploits

Kusari Score prioritizes vulnerabilities based on your specific software environment. Now with active exploit intelligence built in.

Kusari Score now includes active vulnerability exploits

When you have one vulnerability, prioritizing which vulnerability to fix is easy — there’s a list of one. But what happens when you have tens, hundreds, or even thousands of vulnerabilities across your application portfolio? Analysis paralysis can lead to nothing getting fixed. Or you invest time and resources into fixing a vulnerability that doesn’t matter while attackers are exploiting a different vulnerability. Customers have always relied on the Kusari Score to provide an environment-specific, transparent prioritization ranking build for modern software risk management. We just rolled out new refinements that make it even better.

The technical severity of a vulnerability is an important signal, but it was never enough. The original version of the Kusari Score combined both a vulnerability’s severity and its prevalence in your software portfolio. All other things being equal, a vulnerability that exists in 20 applications presents a greater risk than a vulnerability that’s only in one application. While we’ve made minor changes to the mechanism since introducing the Kusari Score, the most recent change represents a significant improvement by adding signals for exploitability. A vulnerability that’s actively being exploited needs to jump to the front of the line.

The new Kusari Score calculation continues to combine the technical severity — using the industry standard Common Vulnerability Scoring System (CVSS) — with the breadth across your portfolio. The Kusari Score algorithm then checks CISA’s Known Exploited Vulnerabilities (KEV) catalog to see if the vulnerability is actively being exploited. If it is, the score is set no lower than 9 (out of 10). These are the vulnerabilities that you need to address immediately.

For vulnerabilities that are not known to have active exploits, Kusari Score considers the vulnerability’s likelihood of exploit using the Exploit Prediction Scoring System (EPSS). The higher the likelihood of being exploited within the next 30 days, as measured by EPSS, the higher the score. EPSS is also used to set a floor for Kusari Score. An EPSS above 0.10 sets the minimum score to 7.0, and EPSS above 0.50 results in a minimum Kusari Score of 8.0.

When the Kusari Reachability Analysis agent or your provided Vulnerability Exploitability eXchange (VEX) document determines that a particular vulnerability is not reachable in a given application, Kusari Score excludes that application from the calculation. This gives you a sharper ranking so you fix what matters and skip what doesn't.

For security leaders, this means walking into any executive conversation with the answer already in hand. When leadership asks "are we exposed?" Kusari Score already knows. The Kusari Score is transparent by design and defensible for any CISO to stand on in the next Board meeting or audit. For a deeper explanation of the Kusari Score methodology, see the docs. Ready to see it live? Book a session with our team.