
Overview

The Prioritization module helps security teams focus on the vulnerabilities that matter most by combining rule-based normalization with context-aware risk scoring. It consists of two major capabilities:
  • Normalization Engine – Standardize and classify vulnerabilities using custom rules.
  • True Risk – Prioritize vulnerabilities using business context, exposure, exploitability, and environmental factors.
Together, these capabilities help reduce alert fatigue, improve remediation efficiency, and ensure resources are focused on the highest-impact risks.

Normalization Engine

The Normalization Engine allows you to automatically classify and standardize vulnerabilities using custom rules. Instead of manually triaging findings, you can:
  • Normalize inconsistent data from multiple sources
  • Apply severity or categorization rules
  • Reduce noise and false positives
  • Enforce consistent vulnerability handling

Rules Dashboard

What You See

  • List of normalization rules
  • Vulnerability count per rule
  • Current action applied
  • Rule status (Active / Inactive)

Create Normalization Rule

Rule Configuration

Each rule consists of:

Rule Details

  • Rule Name
  • Description

Conditions

Define when the rule should apply:
  • Field (e.g., Title, Severity, Source)
  • Operator (contains, equals, regex)
  • Value
Multiple conditions can be combined for precise matching.

Rule Matching & Output

What Happens

Once a rule is applied:
  • Matching vulnerabilities are automatically identified
  • Rules can standardize severity or classification
  • Findings from different tools can be normalized into a consistent format

Search & Rule Navigation

  • Quickly search existing rules
  • Navigate large rule sets
  • Locate specific normalization logic faster

Example Use Cases

  • Tag outdated software findings as High severity
  • Normalize scanner-specific naming differences
  • Reduce duplicate classifications
  • Automatically identify common risk patterns
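As an added illustration (not Snapsec's own code or rule syntax), the following Python model applies rules of the shape described above, a field, an operator (equals, contains, regex) and a value, to findings from two constructed scanners, and reports a per-rule match count like the one shown on the Rules Dashboard. The finding fields, the case-insensitive matching, the AND combination of multiple conditions, the action format and the severity vocabulary map are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed findings from two hypothetical scanners. Each scanner uses its
# own severity vocabulary and its own wording for the same issue.
FINDINGS = [
    {"id": "F-1", "source": "scannerA", "title": "Outdated OpenSSL version detected",
     "severity": "Medium", "category": ""},
    {"id": "F-2", "source": "scannerB", "title": "SSL/TLS: Obsolete OpenSSL package",
     "severity": "Moderate", "category": ""},
    {"id": "F-3", "source": "scannerB", "title": "Cross-Site Scripting (reflected)",
     "severity": "Important", "category": ""},
    {"id": "F-4", "source": "scannerA", "title": "Reflected XSS in search parameter",
     "severity": "High", "category": ""},
    {"id": "F-5", "source": "scannerB", "title": "Missing X-Frame-Options header",
     "severity": "Low", "category": ""},
    {"id": "F-6", "source": "scannerA", "title": "Missing HSTS header",
     "severity": "Low", "category": ""},
]

# The three operators named on the page. Matching is case-insensitive (assumption).
OPERATORS = {
    "equals": lambda actual, expected: actual.lower() == expected.lower(),
    "contains": lambda actual, expected: expected.lower() in actual.lower(),
    "regex": lambda actual, pattern: re.search(pattern, actual, re.IGNORECASE) is not None,
}

# Scanner-specific severity labels mapped onto one scale (assumed vocabulary).
SEVERITY_MAP = {"moderate": "Medium", "important": "High", "informational": "Info"}


@dataclass
class Condition:
    field: str       # finding field to inspect, e.g. "title", "severity", "source"
    operator: str    # one of OPERATORS
    value: str

    def matches(self, finding):
        actual = str(finding.get(self.field, ""))
        return OPERATORS[self.operator](actual, self.value)


@dataclass
class Rule:
    name: str
    conditions: list       # all must hold (AND); this combination is an assumption
    action: dict           # fields to overwrite on a match, e.g. {"severity": "High"}
    active: bool = True

    def matches(self, finding):
        return self.active and all(c.matches(finding) for c in self.conditions)


RULES = [
    Rule("Outdated software is High",
         [Condition("title", "regex", r"\b(outdated|obsolete|end[- ]of[- ]life)\b")],
         {"severity": "High", "category": "Outdated Software"}),
    Rule("Classify XSS",
         [Condition("title", "regex", r"\b(xss|cross-site scripting)\b")],
         {"category": "XSS"}),
    Rule("Scanner B header findings are informational",
         [Condition("source", "equals", "scannerB"),
          Condition("title", "contains", "header")],
         {"severity": "Info"}),
]


def normalize_severity(label):
    """Map a scanner's severity word onto the common scale."""
    return SEVERITY_MAP.get(label.lower(), label.title())


def apply_rules(findings, rules):
    """Return normalized copies of the findings plus a per-rule match count."""
    counts = {r.name: 0 for r in rules}
    normalized = []
    for finding in findings:
        out = dict(finding)                       # never mutate the raw finding
        out["severity"] = normalize_severity(out["severity"])
        for rule in rules:
            if rule.matches(out):
                counts[rule.name] += 1
                out.update(rule.action)           # later rules override earlier ones
        normalized.append(out)
    return normalized, counts


if __name__ == "__main__":
    results, counts = apply_rules(FINDINGS, RULES)
    for r in results:
        print(f'{r["id"]} {r["source"]:<8} {r["severity"]:<6} {r["category"] or "-":<18} {r["title"]}')
    print(counts)
```

Two things worth noticing when building real rules: the vocabulary map runs before the rules so a condition on `severity` sees the normalized label rather than each scanner's own word, and rule order matters because a later rule's action overwrites an earlier one, so a broad "set High" rule placed after a narrow "set Info" rule will silently undo it.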

True Risk

Traditional CVSS scoring only measures the technical severity of a vulnerability. True Risk extends vulnerability prioritization by incorporating environmental, business, and operational context to determine which vulnerabilities should be addressed first. This ensures that vulnerabilities with lower CVSS scores but higher business impact can still receive elevated priority.

Prioritization Strategy

The Prioritization Strategy tab allows you to choose the scoring framework used across the platform.

Available Methodologies

Standard CVSS v3.1

Uses industry-standard CVSS v3.1 base scoring. Prioritization is based entirely on the base metrics:
  • Exploitability metrics (attack vector, attack complexity, privileges required, user interaction)
  • Scope
  • Impact metrics (confidentiality, integrity, availability)
This provides a consistent and widely accepted severity model, but it carries no information about where the vulnerable asset sits, how important it is to the business, or whether the vulnerability is being exploited in the wild.

True Risk Framework

The True Risk Framework augments CVSS scoring with additional business and environmental intelligence. It considers factors such as:
  • Asset exposure
  • Business criticality
  • Exploitability likelihood
  • SLA impact
  • Known exploitation activity
This produces a more realistic remediation priority based on actual organizational risk.

True Risk Prioritization Model

When the True Risk Framework is selected, the platform dynamically adjusts vulnerability priority based on contextual factors.

Engine Parameters

The framework combines multiple inputs:
Factor                  Purpose
CVSS Base Metric        Technical severity
Threat Exploitability   Likelihood of exploitation
Business Criticality    Importance of affected assets
Network Exposure        External or internal accessibility

Prioritization Policy

True Risk can elevate vulnerabilities that:
  • Have low CVSS scores
  • Affect critical business assets
  • Are internet-facing
  • Have active exploitation indicators
This prevents teams from overlooking vulnerabilities that present significant operational risk.

Prioritization Preview

The preview section demonstrates how scores can change when contextual risk is applied. Examples include:
  • Public-facing systems receiving higher priority
  • Internal vulnerabilities receiving lower priority
  • Business-critical assets being elevated above standard CVSS rankings

True Risk Scoring

The True Risk Scoring tab provides full control over how risk is calculated.
Administrators can customize how much influence each scoring factor has on the final risk calculation. The total allocation must equal 100%.

Adjustable Risk Factors

Available Risk Components

CVSS Scoring System

Measures technical severity using CVSS.

Exposure Prioritization

Assigns risk based on accessibility. Examples:
  • Internet-facing assets
  • Internal-only assets

SLA Prioritization

Incorporates remediation deadlines into prioritization. Examples:
  • Breached SLA
  • At Risk
  • Within SLA
  • Compliant
  • No SLA

EPSS Scoring System

Uses Exploit Prediction Scoring System (EPSS) data published by FIRST, which estimates the probability that a given CVE will be exploited in the wild within the next 30 days.

Known Exploited Vulnerabilities (KEV)

Uses the CISA Known Exploited Vulnerabilities catalog to prioritize vulnerabilities for which there is evidence of active exploitation, regardless of their CVSS score.

Asset Type Prioritization

Assigns different risk values to asset categories. Examples:
  • Web Applications
  • Infrastructure Servers
  • API Endpoints
  • Cloud Storage
  • Source Code Repositories
  • SSL/TLS Certificates

Business Unit Risk

Allows organizations to prioritize vulnerabilities based on business importance. Examples:
  • Payment Systems
  • Customer Platforms
  • Production Services
  • Internal Business Applications
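As an added worked example (not Snapsec's scoring implementation), the Python below combines the seven components listed above as a weighted average, enforces the rule that the allocation must total 100%, and shows the effect described under Prioritization Policy: a medium-CVSS finding that is internet-facing, listed in KEV, past its SLA and on a payment system outranks a critical-CVSS finding on an internal server. The weights, the 0-10 sub-scores assigned to each category, and the two sample vulnerabilities are constructed assumptions, not recommended settings.

```python
from dataclasses import dataclass

# Weights, in percent, for the components listed above. They must total 100.
# These particular numbers are an assumption, not a recommended configuration.
WEIGHTS = {
    "cvss": 35, "exposure": 15, "sla": 10, "epss": 15,
    "kev": 10, "asset_type": 5, "business_unit": 10,
}
# Equivalent to the "Standard CVSS v3.1" strategy: every other factor weighs 0.
CVSS_ONLY = {"cvss": 100}

# Sub-scores on a 0-10 scale for the categorical factors (assumed values).
EXPOSURE = {"internet-facing": 10, "internal-only": 3}
SLA = {"Breached SLA": 10, "At Risk": 7, "Within SLA": 4, "Compliant": 2, "No SLA": 0}
ASSET_TYPE = {"Web Application": 8, "API Endpoint": 8, "Cloud Storage": 7,
              "Infrastructure Server": 6, "Source Code Repository": 6, "SSL/TLS Certificate": 4}
BUSINESS_UNIT = {"Payment Systems": 10, "Customer Platforms": 8,
                 "Production Services": 8, "Internal Business Applications": 4}

COMPONENTS = {"cvss", "exposure", "sla", "epss", "kev", "asset_type", "business_unit"}


@dataclass
class Vuln:
    id: str
    cvss: float          # CVSS v3.1 base score, 0-10
    exposure: str
    sla: str
    epss: float          # EPSS probability, 0-1
    kev: bool            # listed in CISA KEV
    asset_type: str
    business_unit: str


def validate_weights(weights):
    """Reject a configuration whose allocation does not total 100%."""
    unknown = set(weights) - COMPONENTS
    if unknown:
        raise ValueError(f"unknown components: {sorted(unknown)}")
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"weights must total 100, got {total}")


def component_scores(v):
    """Bring every factor onto a common 0-10 scale."""
    return {
        "cvss": v.cvss,
        "exposure": EXPOSURE[v.exposure],
        "sla": SLA[v.sla],
        "epss": v.epss * 10,
        "kev": 10 if v.kev else 0,
        "asset_type": ASSET_TYPE[v.asset_type],
        "business_unit": BUSINESS_UNIT[v.business_unit],
    }


def true_risk(v, weights=WEIGHTS):
    """Weighted average of the component scores, still on a 0-10 scale."""
    validate_weights(weights)
    parts = component_scores(v)
    return round(sum(parts[k] * w for k, w in weights.items()) / 100, 2)


def prioritize(vulns, weights=WEIGHTS):
    """Highest True Risk first."""
    return sorted(vulns, key=lambda v: true_risk(v, weights), reverse=True)


# Constructed sample: a critical CVSS finding on an internal box versus a
# medium CVSS finding that is internet-facing, actively exploited and on a
# payment system with a breached SLA.
SAMPLE = [
    Vuln("V-1", cvss=9.8, exposure="internal-only", sla="Within SLA", epss=0.02,
         kev=False, asset_type="Infrastructure Server",
         business_unit="Internal Business Applications"),
    Vuln("V-2", cvss=6.5, exposure="internet-facing", sla="Breached SLA", epss=0.85,
         kev=True, asset_type="Web Application", business_unit="Payment Systems"),
]

if __name__ == "__main__":
    for label, w in (("CVSS only", CVSS_ONLY), ("True Risk", WEIGHTS)):
        order = ", ".join(f"{v.id}={true_risk(v, w)}" for v in prioritize(SAMPLE, w))
        print(f"{label:<10}: {order}")
```

Under CVSS_ONLY the ranking is V-1 (9.8) then V-2 (6.5); under WEIGHTS it flips to V-2 (8.45) then V-1 (5.01). The flip comes almost entirely from the exposure, SLA, EPSS and KEV terms, which is the point of weighting them: if those four together carry little weight, the model degenerates back to a CVSS sort, so it is worth re-running a few known cases like these after every change to the allocation.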

Benefits of True Risk

Context-Aware Prioritization

Prioritize vulnerabilities based on business impact rather than technical severity alone.

Reduced Alert Fatigue

Focus remediation efforts on vulnerabilities that present meaningful organizational risk.

Custom Risk Model

Tailor scoring logic to match your organization’s environment and priorities.

Explore Live Demo

Explore VM Live — No Signup Needed

Experience how Snapsec combines normalization and True Risk scoring to help teams prioritize the vulnerabilities that matter most.