CAPEC attack patterns are used to document the tactics and techniques used by attackers to exploit systems. By studying them, security analysts, developers, and architects can understand the goals of an attack, its typical steps, and the vulnerabilities being exploited. This helps anticipate threats and design more effective countermeasures.
They are also useful for training, risk analysis, attack simulation (red teaming), and implementing defensive security controls. By linking CAPEC to CWE and CVE, one can build a complete chain from weakness to real-world exploitation, enriching threat modeling and security-by-design approaches.
#CAPEC #CWE #CVE

CVSS is divided into three sub-scores: the base score, the temporal score, and the environmental score.
By combining these three layers, the CVSS model becomes a more flexible tool for refining remediation priorities based on real-world conditions.
#CVE #CVSS

A CWE (Common Weakness Enumeration) is a standardized classification of weaknesses that can lead to vulnerabilities in software, firmware, or systems. Unlike CVEs, which refer to specific and documented vulnerabilities in a given product, CWEs describe types of design or programming flaws that can compromise a system’s security.
For example, a CWE might describe poor memory management, command injection, or insufficient input validation. These weaknesses can be found in multiple software products and may be linked to individual CVEs when exploited in real scenarios.
#CWE

Yes, more and more organizations use EPSS as a priority criterion to decide which vulnerabilities to fix first, especially when dealing with a large volume of issues. Fixing all CVEs with a high CVSS score can be costly and inefficient, especially if some are never exploited. EPSS helps focus resources on truly dangerous vulnerabilities.
Some security policies now include EPSS-based thresholds, such as: “fix any vulnerability with an EPSS score > 0.7 within 48 hours.” This pragmatic approach accelerates remediation where it is most useful, while limiting unnecessary interruptions.
#EPSS

The CWE classification helps standardize the understanding of security weaknesses in information systems. It helps developers, testers, and analysts identify common design or coding errors so they can be more easily avoided or corrected. Thanks to this taxonomy, security tools can produce coherent and actionable reports.
It is also very useful for training technical teams, evaluating detection tools, prioritizing risks, and complying with standards like ISO/IEC 27001. By integrating CWE into development processes, security can be significantly improved from the design phase onward.
#CWE

Yes, there is an official CVSS score calculator provided by the FIRST standards forum, which maintains the CVSS standard. It is available online at: https://www.first.org/cvss/calculator.
This calculator allows users to build a vector by selecting the relevant metrics, then automatically calculates the scores (base, temporal, environmental).
#CVE #CVSS

CWEs are integrated into many source code analysis tools, security audits, or vulnerability management systems to automatically identify potential weaknesses in software. By understanding which CWEs are present in a system, teams can assess the attack surface, anticipate future threats, and prioritize fixes before a weakness becomes an exploitable CVE.
They also help define risk profiles for projects or products based on the nature and number of identified weaknesses. This facilitates decision-making for CISOs, IT managers, or compliance officers, especially in DevSecOps approaches or evaluations aligned with frameworks like NIST or ISO 27002.
#CWE

EPSS stands for Exploit Prediction Scoring System. It is a probabilistic model that assigns each vulnerability (typically identified by a CVE) a likelihood of being exploited within 30 days of observation.
The purpose of EPSS is to complement other evaluation systems (such as CVSS) by adding a dynamic and contextual layer based on real-world exploitation data. This helps organizations better prioritize their remediation efforts according to actual risk.
#EPSS #CVSS

CVE identifiers are assigned by a U.S. non-profit organization called the MITRE Corporation, which manages the CVE program on behalf of the Cybersecurity and Infrastructure Security Agency (CISA). MITRE does not assign all identifiers itself: it relies on a network of partners known as CNAs (CVE Numbering Authorities).
A CNA can be a software vendor, a security provider, a CERT, or an organization specializing in vulnerabilities. Each CNA is authorized to assign CVE identifiers for vulnerabilities discovered in its own products or scope. This system speeds up the disclosure process while maintaining a centralized structure via MITRE.
#CVE #CISA #CNA #MITRE

CISA plays a central role in managing vulnerabilities on a large scale. It identifies, evaluates, and actively communicates about security flaws that could impact critical infrastructure, including government services, essential service operators, and large enterprises. It often collaborates with MITRE, software vendors, security researchers, and other international agencies.
Among its responsibilities, it publishes security bulletins, coordinates responses to major vulnerabilities, and sometimes mandates remediation deadlines for certain flaws in public entities through federal directives (BODs). Its goal is to reduce the time between the discovery of a vulnerability and its effective mitigation in the field.
#CISA

No, EPSS does not replace CVSS: the two systems are complementary. CVSS provides a structural measurement of severity, useful for understanding the potential impact of a vulnerability. EPSS, on the other hand, provides a behavioral and predictive measurement, focused on the actual likelihood of exploitation.
Together, these two scores allow for a more accurate risk assessment, both theoretical and operational. Many companies adopt a hybrid approach, for example by only addressing vulnerabilities that have both a CVSS ≥ 7 and an EPSS ≥ 0.5, or by using risk matrices enriched with both indicators.
#EPSS #CVSS

EPSS scores are updated daily, reflecting the dynamic nature of threats and vulnerability exploitation. At any time, changes in the threat landscape (exploit releases, forum discussions, honeypot detections) can alter the likelihood of a CVE being targeted.
This frequent updating makes EPSS a more responsive tool than CVSS, whose scores rarely change once published. To fully benefit from EPSS, it is recommended to integrate automated feeds or APIs to continuously track scores.
#EPSS

The CVSS (Common Vulnerability Scoring System) measures the severity of a vulnerability by assigning it a score from 0 to 10, where 10 represents an extremely critical flaw. It is designed to provide a standardized and objective evaluation of vulnerabilities so that organizations can compare and prioritize them accordingly.
This score takes into account several aspects: ease of exploitation, potential effects on confidentiality, integrity and availability, as well as the conditions required to carry out the attack. In summary, CVSS helps quantify the inherent danger level of a security flaw.
#CVE #CVSS

The KEV (Known Exploited Vulnerabilities) list published by CISA identifies vulnerabilities that are actively exploited in the wild, meaning they are already being used in real-world cyberattacks. The purpose of this list is to help organizations prioritize their remediation efforts by focusing on the flaws that present an immediate threat.
By publishing this list, CISA provides a very practical risk management tool: it highlights not only known flaws, but also the most critical and urgent ones. For U.S. federal agencies, remediation of these flaws is mandatory within strict deadlines. Beyond the U.S., the KEV list is widely consulted by cybersecurity professionals worldwide to guide their patch management strategies.
#CISA #KEV

A CVE is simply a public declaration that a flaw exists in a given product, whereas an exploited vulnerability means that an attacker is actively using that flaw to compromise systems. In other words, not all CVEs are exploited in real-world conditions—some may remain theoretical or technical.
Conversely, a vulnerability can be exploited without yet having received a CVE—this is known as a zero-day. To assess the real danger of a CVE, one should consult additional information such as CISA’s KEV data or the EPSS score, which indicate whether the flaw is actively used in cyberattacks. This information is available directly on our CVEFind website.
#CVE #CISA #KEV #Zero-day
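As an added example tying together the EPSS threshold policy, the hybrid CVSS/EPSS rule and the KEV check described in the entries above (not code from the page or from CVEFind), this Python orders a constructed set of findings by actual risk rather than by CVSS alone; the CVE identifiers are placeholders and the SLA hours are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Finding:
    cve: str        # CVE identifier (the sample values below are constructed placeholders)
    cvss: float     # CVSS base score, 0.0 to 10.0
    epss: float     # EPSS probability of exploitation within 30 days, 0.0 to 1.0
    in_kev: bool    # listed in CISA's KEV catalog


# Thresholds quoted in the FAQ above; the SLA values are assumptions for this example.
EPSS_URGENT = 0.7                    # "EPSS score > 0.7 within 48 hours"
HYBRID_CVSS, HYBRID_EPSS = 7.0, 0.5  # "both a CVSS >= 7 and an EPSS >= 0.5"
SLA_HOURS = {0: 48, 1: 48, 2: 24 * 14}  # assumed per-priority deadlines


def priority(f: Finding) -> int:
    """0 = KEV (confirmed exploitation), 1 = EPSS urgent, 2 = hybrid rule, 3 = defer."""
    if f.in_kev:
        return 0
    if f.epss > EPSS_URGENT:
        return 1
    if f.cvss >= HYBRID_CVSS and f.epss >= HYBRID_EPSS:
        return 2
    return 3


def triage(findings: list, now: Optional[datetime] = None) -> list:
    """Order findings by priority, then by EPSS (highest first), and attach a due date."""
    now = now or datetime.now(timezone.utc)
    ordered = sorted(findings, key=lambda f: (priority(f), -f.epss, -f.cvss))
    result = []
    for f in ordered:
        p = priority(f)
        due = now + timedelta(hours=SLA_HOURS[p]) if p in SLA_HOURS else None
        result.append((f.cve, p, due))
    return result


# Constructed sample inventory: the 9.8 CVSS entry lands last because nothing
# indicates it is being exploited, while the low-CVSS KEV entry comes first.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.04, False),
    Finding("CVE-0000-0002", 6.5, 0.91, False),
    Finding("CVE-0000-0003", 7.5, 0.55, False),
    Finding("CVE-0000-0004", 5.3, 0.30, True),
]
```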