Beyond CVSS: Context-Aware Vulnerability Prioritization in Large Enterprises | IJCT Volume 13 – Issue 1 | IJCT-V13I1P11

International Journal of Computer Techniques
ISSN 2394-2231
Volume 13, Issue 1  |  Published: January – February 2026

Author

Ruban Prabhu Selvaraj

Abstract

The Common Vulnerability Scoring System (CVSS) remains central to traditional vulnerability management in large enterprises. It captures technical severity but largely ignores deployment context and business impact. As a result, organizations often over-prioritize low-impact findings while missing high-risk exposures that carry only moderate CVSS scores. This misalignment causes remediation fatigue, wasted resources, and longer exposure windows for the weaknesses that matter most. This paper introduces a context-aware vulnerability prioritization framework that goes beyond CVSS by combining environmental and business indicators into a single risk score. For each vulnerability the framework computes five components: CVSS severity, deployment exposure, business criticality, exploit signal, and blast radius. These components are derived from scanner output, asset and CMDB data, software bills of materials (SBOMs), and unstructured documentation, with large language model (LLM) extraction used to improve the results. A weighted scoring function combines the signals into one priority score, which is then mapped to four operational tiers (P1–P4) with automatically generated natural-language explanations. We evaluate the framework in a large corporate setting using real-world enterprise datasets and simulated remediation scenarios. The results show better alignment with incident data, faster remediation, and reduced time-to-fix for the most important vulnerabilities compared to CVSS-only and simple risk-based baselines. We also discuss deployment considerations, limitations, and future research directions for context-aware scoring in large enterprises.
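As an added illustration (not the paper's own code), the weighted scoring and P1–P4 tiering described above: the weights, signal scales, tier cut-offs and sample findings are all assumptions made for this example, since the page does not give the paper's actual values.

```python
from dataclasses import dataclass

# Assumed weights over the five signals (sum to 1.0); the paper's values are not on this page.
WEIGHTS = {"cvss": 0.30, "exposure": 0.20, "criticality": 0.20,
           "exploit": 0.15, "blast_radius": 0.15}
# Assumed tier cut-offs on a 0-100 score, checked from highest to lowest.
TIERS = [(80.0, "P1"), (60.0, "P2"), (40.0, "P3"), (0.0, "P4")]

@dataclass(frozen=True)
class Finding:
    vuln_id: str
    asset: str
    cvss: float           # CVSS base score, 0-10
    exposure: float       # 0-1: 1.0 internet-facing, ~0.1 isolated internal
    criticality: float    # 0-1: business criticality of the asset (CMDB)
    exploit: float        # 0-1: exploit signal (public PoC, active exploitation)
    blast_radius: float   # 0-1: share of dependent systems reachable (SBOM/topology)

def contributions(f: Finding) -> dict:
    """Weighted contribution of each signal after normalising to 0-1."""
    signals = {"cvss": f.cvss / 10.0, "exposure": f.exposure, "criticality": f.criticality,
               "exploit": f.exploit, "blast_radius": f.blast_radius}
    return {k: WEIGHTS[k] * v for k, v in signals.items()}

def priority_score(f: Finding) -> float:
    """Single 0-100 priority score: weighted sum of the five signals."""
    return round(100.0 * sum(contributions(f).values()), 1)

def tier(score: float) -> str:
    return next(name for cutoff, name in TIERS if score >= cutoff)

def explain(f: Finding) -> str:
    """Plain-language rationale: tier, score and the two strongest drivers."""
    c = contributions(f)
    top = sorted(c, key=c.get, reverse=True)[:2]
    s = priority_score(f)
    return f"{f.vuln_id} on {f.asset}: {tier(s)} ({s}/100), driven by {top[0]} and {top[1]}"

def prioritize(findings):
    """Remediation order under the context-aware score, highest first."""
    return sorted(findings, key=priority_score, reverse=True)

# Constructed sample findings: a critical CVSS on an isolated dev host versus a
# medium CVSS on an exposed, business-critical service with an active exploit.
DEV_BOX = Finding("VULN-A", "dev-build-01", cvss=9.8, exposure=0.1, criticality=0.2, exploit=0.1, blast_radius=0.1)
PAYMENT = Finding("VULN-B", "payments-gw", cvss=6.5, exposure=1.0, criticality=0.9, exploit=0.9, blast_radius=0.7)

if __name__ == "__main__":
    for f in prioritize([DEV_BOX, PAYMENT]):  # CVSS-only order would put VULN-A first
        print(explain(f))
```

Under CVSS alone VULN-A (9.8) would be fixed first; with context the exposed payment service lands in P1 while the isolated dev host drops to P4.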

Keywords

vulnerability prioritization, CVSS, risk-based vulnerability management, business context, SBOM, LLM, enterprise security

Conclusion

This paper presented a context-aware vulnerability prioritization framework that extends CVSS with four additional dimensions (deployment exposure, business criticality, exploit signal, and blast radius) to generate a single, tunable priority score for each vulnerability in large enterprises. By leveraging structured enterprise data and LLM-based extraction from unstructured artifacts, the framework aligns remediation work more closely with actual business risk while preserving transparency through simple weighting and natural language explanations.

Experimental evaluation in a large-enterprise setting indicates improved alignment with incident data, reduced time-to-fix for critical vulnerabilities, and higher analyst satisfaction compared to CVSS-only and simple risk-based baselines. At the same time, the work underscores the importance of high-quality asset data and careful governance of AI-driven components.


How to Cite This Paper

Ruban Prabhu Selvaraj (2025). Beyond CVSS: Context-Aware Vulnerability Prioritization in Large Enterprises. International Journal of Computer Techniques, 12(6). ISSN: 2394-2231.

© 2025 International Journal of Computer Techniques (IJCT). All rights reserved.
