What is CVSS?
The Common Vulnerability Scoring System (CVSS) is an open standard for rating the severity of a software vulnerability on a 0.0 to 10.0 scale, based on measurable technical characteristics like how the vulnerability is reached, how complex it is to exploit, and what impact successful exploitation has on confidentiality, integrity, and availability.
Definition
- CVSS
- The Common Vulnerability Scoring System (CVSS) is an open standard for rating the severity of a software vulnerability on a 0.0 to 10.0 scale, based on measurable technical characteristics like how the vulnerability is reached, how complex it is to exploit, and what impact successful exploitation has on confidentiality, integrity, and availability.
How CVSS Works
CVSS scores are built from metric groups, and understanding the Base metrics is what lets an analyst read past the single number to what actually makes a vulnerability dangerous. Attack Vector describes how the attacker reaches the flaw, network, adjacent network, local, or physical, with network-reachable vulnerabilities scoring higher since they need no local access at all. Attack Complexity captures whether exploitation requires specific conditions to align (low complexity means a reliable, repeatable exploit; high means the attacker needs favorable timing or configuration). Privileges Required and User Interaction describe whether the attacker needs an existing account or needs a victim to click something, and Scope captures whether a successful exploit can affect resources beyond the vulnerable component itself, for example a container escape reaching the host. The Impact metrics then score confidentiality, integrity, and availability separately, since a flaw that only lets an attacker crash a service (availability) is fundamentally different from one that lets them read arbitrary files (confidentiality) or modify data undetected (integrity).
Version 3.1, still the most widely deployed, defines severity bands from these Base scores: 0.1 to 3.9 is Low, 4.0 to 6.9 is Medium, 7.0 to 8.9 is High, and 9.0 to 10.0 is Critical. CVSS 4.0, released to address known gaps in 3.1, splits the framework further into Base, Threat (does an exploit actually exist in the wild), Environmental (does this organization's specific configuration change the impact), and Supplemental metrics, explicitly separating theoretical severity from real-world exploitability and organizational context, since a 9.8 Critical CVSS score on a system that's air-gapped and never internet-facing carries very different real risk than the same score on an internet-facing production server.
The practical failure mode security teams run into is patching purely by CVSS number without adjusting for actual exposure and exploitability, which is exactly what the Environmental and Threat metric groups, and separately CISA's Known Exploited Vulnerabilities catalog, exist to correct. A Medium-scored CVE with active in-the-wild exploitation against your specific software version deserves faster remediation than a Critical-scored one with no known exploit code and mitigating network controls already in place.
CVSS in SOC Operations
CVSS scores drive the triage queue for vulnerability management and shape how you prioritize patching across hundreds or thousands of assets, but reading only the top-line number without the underlying vector string is a common mistake worth avoiding. Two vulnerabilities can both score 9.8 Critical for entirely different reasons, one because it's a trivially exploitable, unauthenticated remote code execution flaw, another because of how the Impact metrics combined, and only the vector string (the AV:N/AC:L/PR:N/... string every CVSS score carries) tells you which one is which. Pulling the vector string apart is a fast way to decide whether a critical finding needs an emergency change window tonight or can go through the normal patch cycle next week. During incident response, matching an observed exploitation technique against the CVSS Attack Vector and Privileges Required metrics helps you sanity-check whether what you're seeing in logs is consistent with the vulnerability being claimed, since a supposedly network-exploitable, unauthenticated flaw showing up only after an attacker already had valid credentials on the box is a signal something else is going on, maybe a different technique entirely, or credentials that were already compromised through another path. Analysts also use CVSS environmental scoring, adjusted for their organization's actual network exposure and compensating controls, when writing the risk justification in a vulnerability report, since a raw NVD score without that context tends to either over-alarm leadership on low-exposure findings or under-prioritize genuinely dangerous ones.
Practice CVSS in a Real SOC
SOCSimulator provides hands-on training with realistic SIEM, XDR, and Firewall interfaces. Build real analyst skills investigating cvss scenarios with zero consequences, free.
Related Terms
A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a publicly disclosed...
A zero-day is a software vulnerability that is unknown to the vendor at the time attackers begin exp...
Vulnerability management is the continuous process of discovering, assessing, prioritizing, remediat...
Patch management is the systematic process of acquiring, testing, approving, and deploying software ...
More Frameworks Terms
Related SOC Training Resources
SOC Manager Career Guide: Salary & Skills
SOC Managers run the operation. You own staffing, playbook development, tool selection, performance metrics, and executi…
Read more Career PathDetection Engineer Career Guide: Salary & Skills
Detection Engineers build the rules, analytics, and automated workflows that determine what the SOC can see. You transla…
Read more Career PathSecurity Engineer Career Guide: Salary & Skills
Security Engineers build and maintain the infrastructure that SOC analysts depend on. You deploy SIEMs, configure firewa…
Read more ComparisonSOCSimulator vs CyberDefenders: Comparison
SOCSimulator trains the operational workflow: alert triage, correlation, and response under pressure. CyberDefenders tra…
Read more ComparisonSOCSimulator vs Security Blue Team: Comparison
SOCSimulator provides continuous operational training that keeps your skills sharp between shifts. Security Blue Team pr…
Read more ToolSIEM Training Console: SOCSimulator
The SIEM console in SOCSimulator replicates the workflow of enterprise platforms like Splunk Enterprise Security, Micros…
Read more ToolXDR Training Console: SOCSimulator
The XDR console in SOCSimulator replicates the investigation workflow of platforms like CrowdStrike Falcon, Microsoft De…
Read more TechniqueMITRE ATT&CK® Techniques: Detection Training Library
Browse all MITRE ATT&CK® techniques with detection strategies and example alerts.
Read more Career PathCybersecurity Career Paths: 2026 Guide
Explore SOC analyst career paths with salary data, required skills, and certification roadmaps.
Read more PlaybookSOC Investigation Playbooks: Step-by-Step Guides
Practitioner investigation playbooks with decision trees and real SIEM queries.
Read more FeatureShift Mode: Real-Time SOC Simulation
Practice alert triage under realistic time pressure with SLA timers and noise injection.
Read more FeatureOperations: Guided Training Operations
Structured CTF-style investigation operations covering real-world attack scenarios.
Read more