Intelligence · CRPS scoring

Severity is not priority.
CRPS is the difference.

The Composite Risk Priority Score combines published severity with real-world exploit pressure and your local context. Every score is deterministic, transparent, and challengeable. No black-box AI weighting.

Why this exists

A 9.8 in isolation is not a P0 in your environment.

CVSS publishes severity at the vulnerability level. EPSS publishes exploit probability at the population level. KEV publishes what is actually being exploited right now. Each is necessary; none, alone, tells you what to fix first.

The decision-relevant question is local: given my asset tier, my reachability, my blast radius — what is the actual priority of this finding right now? CRPS answers that with arithmetic, not vibes.

Formula

Four inputs. One transparent score.

The score is normalized to a 0–15 scale. Critical > 13, High 9–13, Medium 4–9, Low < 4. Every component is shown in the finding detail panel — challengeable, exportable, auditable.

CRPS = CVSS × EPSS + KEV bump × context
CVSS (0–10 scale) · Severity · source: NIST NVD, vendor advisories

Industry baseline severity. Published once, tied to the vulnerability itself. CRPS uses CVSS as the floor, not the answer.

EPSS (0.00–1.00) · Exploit probability · source: FIRST.org, daily refresh

A modeled probability that the vulnerability will be exploited in the wild over the next 30 days. Updated daily.

KEV (+ multiplier) · Known exploited · source: CISA Known Exploited Vulnerabilities, daily sync

Binary signal: is this vulnerability currently being exploited at scale? When yes, CRPS applies a hard multiplier — every finding with a KEV-listed CVE escalates.

Context (asset-aware) · Your local risk · inputs: asset tier, reachability, blast radius, owner SLA

The dimension only you can supply. Captured at scope time, applied at score time. A 9.8 on a tier-3 isolated test box is a 3.8; the same CVE on a tier-0 internet-facing payments path is a 14.6.
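An added, illustrative implementation of the formula above, not the product's own code. The KEV bump size, the per-tier context multipliers and the grouping (CVSS × EPSS + KEV bump) × context are assumptions; the 0–15 scale and the band thresholds are the ones stated on this page, and the CVE ids are placeholders.

```python
# Illustrative CRPS calculator (not the product's code). KEV_BUMP and the
# per-tier CONTEXT_MULTIPLIER values are assumptions; the formula is read
# as (CVSS x EPSS + KEV bump) x context, clamped to the page's 0-15 scale.
from dataclasses import dataclass

KEV_BUMP = 4.0                  # assumption: additive bump for KEV-listed CVEs
CONTEXT_MULTIPLIER = {          # assumption: context weight by asset tier
    0: 1.5,                     # tier-0, e.g. internet-facing payments path
    1: 1.25,
    2: 1.0,
    3: 0.5,                     # tier-3 isolated test box
}
SCALE_MAX = 15.0

@dataclass(frozen=True)
class Finding:
    cve: str        # placeholder ids in the demo/test, not real CVEs
    cvss: float     # 0-10, published severity
    epss: float     # 0.00-1.00, 30-day exploit probability
    kev: bool       # listed in CISA KEV?
    tier: int       # local asset tier, captured at scope time

def components(f: Finding) -> dict:
    """Every term of the score, so a reviewer can challenge it line by line."""
    if not (0.0 <= f.cvss <= 10.0 and 0.0 <= f.epss <= 1.0):
        raise ValueError(f"{f.cve}: CVSS must be 0-10 and EPSS 0-1")
    return {
        "cvss_x_epss": f.cvss * f.epss,
        "kev_bump": KEV_BUMP if f.kev else 0.0,
        "context": CONTEXT_MULTIPLIER[f.tier],
    }

def crps(f: Finding) -> float:
    """Deterministic score: same inputs, same number, no hidden weighting."""
    c = components(f)
    raw = (c["cvss_x_epss"] + c["kev_bump"]) * c["context"]
    return round(min(SCALE_MAX, max(0.0, raw)), 2)   # normalize to 0-15

def band(score: float) -> str:
    """Page thresholds: Critical > 13, High 9-13, Medium 4-9, Low < 4.
    Assumption: a score exactly on a boundary takes the higher band."""
    if score > 13: return "Critical"
    if score >= 9: return "High"
    if score >= 4: return "Medium"
    return "Low"

def prioritize(findings: list) -> list:
    """The queue, highest CRPS first; re-run whenever any input changes."""
    return sorted(findings, key=crps, reverse=True)
```

Re-running `prioritize` after an EPSS refresh or a KEV listing is the "risk decay" behaviour: the queue order follows the inputs rather than a score frozen at finding time.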

Attack-path correlation

The findings that are dangerous together.

Per-finding scoring misses the chains. The intelligence layer correlates findings across attack surfaces to expose toxic combinations — and re-scores them as a group, not as singletons.

  • Exposed subdomain + open admin port + KEV-listed CVE (P0 chain): three medium-severity findings the platforms see in isolation. Together: a viable breach path.
  • Leaked GitHub token + over-permissioned IAM role (P0 chain): token alone is a high; role alone is a high. Token-on-role is a complete privilege-escalation path.
  • Public S3 + Lambda trigger + write access to PII bucket (P1 chain): three cloud findings; together they form a data-exfiltration path that no single scanner flags.

Risk decay

Scores re-compute as the world changes.

EPSS refreshes daily. KEV gains entries weekly. Your asset tier can shift after a migration. CRPS doesn't lock in a score at finding-time — it re-computes when any input changes, and re-prioritizes the queue accordingly.

Tuning

Weights are yours to set.

Defaults work for most teams. For environments where the asset-tier dimension dominates (financial services, healthcare PHI), the context weight can be increased explicitly. Every change is audit-logged with a reason.

Score your real findings with the math shown.

We'll walk through CRPS on findings against an asset you own — every input visible.

Schedule a scoring walkthrough