Security · February 11, 2026 · 8 min read

Why CVSS Scores Fail Platform Teams and What Runtime Reachability Fixes

A CVE with a 9.8 score that never executes in your environment is less dangerous than a 5.3 that runs on every request. We built a scoring model around this idea.

Abdullah Kucukoduk

Senior Platform Engineer

CVSS remains useful for severity context, but it does not answer the question engineering teams care about first: can this vulnerability execute in our environment right now?

Where CVSS Alone Breaks Down

A high CVSS score can still map to dead code paths in production, while a medium score can be tied to hot request flows. Without runtime context, triage queues overweight theory and underweight exploitability.

This mismatch creates patch churn, delayed releases, and alert fatigue because teams repeatedly investigate findings that never become practical attack paths.

Reachability Scoring Inputs

Our model combines runtime execution evidence with deployment context: function-level invocation, service lineage, exposed ingress paths, and environment criticality.

The output is not a replacement for CVSS. It is a prioritization layer that reframes severity as business-relevant remediation order.

  • Execution confidence: has the vulnerable path been observed?
  • Propagation context: what downstream services are reachable?
  • Operational urgency: how quickly can remediation be landed safely?

Rollout Pattern That Works in Practice

Teams succeed when they introduce reachability scoring into existing remediation workflows rather than replacing everything at once. Start by ranking the current backlog, then enforce runtime-aware gates in CI for new findings.
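The scoring inputs listed above and the two-step rollout (rank the existing backlog, then gate new findings in CI) can be made concrete in a few dozen lines. The following is an added illustration, not the author's production model: the field names, the weighting factors, the placeholder CVE identifiers and the gate threshold are all constructed assumptions chosen so that the post's headline case, a 9.8 that never executes versus a 5.3 on a hot request path, falls out of the arithmetic.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    """One scanner finding enriched with runtime and deployment context.

    All fields beyond cve_id/cvss are the reachability inputs the post names;
    the representation here is an assumption for illustration.
    """
    cve_id: str
    cvss: float                # CVSS base score, 0.0-10.0 (severity context only)
    observed_executing: bool   # execution confidence: vulnerable path seen at runtime
    internet_exposed: bool     # exposed ingress path reaches the vulnerable service
    downstream_services: int   # propagation context: services reachable from it
    env_criticality: float     # 0.0-1.0 (e.g. production 1.0, staging 0.5)
    fix_available: bool        # operational urgency: can a safe fix land now?


def reachability_score(f: Finding) -> float:
    """Hypothetical prioritization score on a 0-10 scale.

    CVSS stays the starting point, but it is scaled down hard when no runtime
    evidence exists and scaled up by exposure, blast radius and environment.
    The factor values are constructed, not derived from any published model.
    """
    exec_factor = 1.0 if f.observed_executing else 0.15
    ingress_factor = 1.0 if f.internet_exposed else 0.6
    propagation = min(1.0 + 0.1 * f.downstream_services, 2.0)
    env_factor = 0.5 + 0.5 * f.env_criticality
    score = f.cvss * exec_factor * ingress_factor * propagation * env_factor
    return round(min(score, 10.0), 2)


def rank_backlog(findings: List[Finding]) -> List[Finding]:
    """Remediation order: highest reachability first; among equals, findings
    with a safe fix ready come first, then raw CVSS as the final tie-break."""
    return sorted(
        findings,
        key=lambda f: (-reachability_score(f), not f.fix_available, -f.cvss),
    )


def ci_gate(new_findings: List[Finding], threshold: float = 6.0) -> List[str]:
    """Runtime-aware CI gate: return the ids that should block a release.

    Only findings whose reachability score meets the threshold block; a high
    CVSS with no execution evidence is recorded but does not stop the build.
    """
    return [f.cve_id for f in new_findings if reachability_score(f) >= threshold]


# Constructed sample backlog (placeholder CVE ids, not real vulnerabilities).
SAMPLE_BACKLOG = [
    # Critical by CVSS, but the vulnerable function was never observed executing.
    Finding("CVE-EXAMPLE-0001", cvss=9.8, observed_executing=False,
            internet_exposed=True, downstream_services=0,
            env_criticality=1.0, fix_available=True),
    # Medium by CVSS, executes on every request at the edge, fans out to 3 services.
    Finding("CVE-EXAMPLE-0002", cvss=5.3, observed_executing=True,
            internet_exposed=True, downstream_services=3,
            env_criticality=1.0, fix_available=True),
    # High by CVSS, executing, but internal-only in a staging environment.
    Finding("CVE-EXAMPLE-0003", cvss=7.5, observed_executing=True,
            internet_exposed=False, downstream_services=0,
            env_criticality=0.5, fix_available=False),
]

if __name__ == "__main__":
    for f in rank_backlog(SAMPLE_BACKLOG):
        print(f"{f.cve_id}: cvss={f.cvss} reachability={reachability_score(f)}")
    print("CI would block:", ci_gate(SAMPLE_BACKLOG))
```

With these weights the 5.3 hot-path finding scores 6.89 and lands at the top of the queue, while the unreachable 9.8 drops to 1.47 and is tracked rather than blocking the pipeline. The point of the exercise is not the specific numbers but the shape: CVSS enters once as severity context, and every other term is evidence about whether and where the code actually runs.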

Over two to three sprints, queues become smaller, response quality increases, and security conversations move from raw CVE volume to measurable risk reduction.

Key Takeaways

  • CVSS should inform severity, not final remediation order.
  • Runtime evidence closes the gap between scanner output and exploit risk.
  • Incremental rollout beats wholesale process replacement.