Skip to main content
FrameworksSIEMXDR

What is CVSS?

The Common Vulnerability Scoring System (CVSS) is an open standard for rating the severity of a software vulnerability on a 0.0 to 10.0 scale, based on measurable technical characteristics like how the vulnerability is reached, how complex it is to exploit, and what impact successful exploitation has on confidentiality, integrity, and availability.

Definition

CVSS
The Common Vulnerability Scoring System (CVSS) is an open standard for rating the severity of a software vulnerability on a 0.0 to 10.0 scale, based on measurable technical characteristics like how the vulnerability is reached, how complex it is to exploit, and what impact successful exploitation has on confidentiality, integrity, and availability.

How CVSS Works

CVSS scores are built from metric groups, and understanding the Base metrics is what lets an analyst read past the single number to what actually makes a vulnerability dangerous. Attack Vector describes how the attacker reaches the flaw, network, adjacent network, local, or physical, with network-reachable vulnerabilities scoring higher since they need no local access at all. Attack Complexity captures whether exploitation requires specific conditions to align (low complexity means a reliable, repeatable exploit; high means the attacker needs favorable timing or configuration). Privileges Required and User Interaction describe whether the attacker needs an existing account or needs a victim to click something, and Scope captures whether a successful exploit can affect resources beyond the vulnerable component itself, for example a container escape reaching the host. The Impact metrics then score confidentiality, integrity, and availability separately, since a flaw that only lets an attacker crash a service (availability) is fundamentally different from one that lets them read arbitrary files (confidentiality) or modify data undetected (integrity).

Version 3.1, still the most widely deployed, defines severity bands from these Base scores: 0.1 to 3.9 is Low, 4.0 to 6.9 is Medium, 7.0 to 8.9 is High, and 9.0 to 10.0 is Critical. CVSS 4.0, released to address known gaps in 3.1, splits the framework further into Base, Threat (does an exploit actually exist in the wild), Environmental (does this organization's specific configuration change the impact), and Supplemental metrics, explicitly separating theoretical severity from real-world exploitability and organizational context, since a 9.8 Critical CVSS score on a system that's air-gapped and never internet-facing carries very different real risk than the same score on an internet-facing production server.

The practical failure mode security teams run into is patching purely by CVSS number without adjusting for actual exposure and exploitability, which is exactly what the Environmental and Threat metric groups, and separately CISA's Known Exploited Vulnerabilities catalog, exist to correct. A Medium-scored CVE with active in-the-wild exploitation against your specific software version deserves faster remediation than a Critical-scored one with no known exploit code and mitigating network controls already in place.

CVSS in SOC Operations

CVSS scores drive the triage queue for vulnerability management and shape how you prioritize patching across hundreds or thousands of assets, but reading only the top-line number without the underlying vector string is a common mistake worth avoiding. Two vulnerabilities can both score 9.8 Critical for entirely different reasons, one because it's a trivially exploitable, unauthenticated remote code execution flaw, another because of how the Impact metrics combined, and only the vector string (the AV:N/AC:L/PR:N/... string every CVSS score carries) tells you which one is which. Pulling the vector string apart is a fast way to decide whether a critical finding needs an emergency change window tonight or can go through the normal patch cycle next week. During incident response, matching an observed exploitation technique against the CVSS Attack Vector and Privileges Required metrics helps you sanity-check whether what you're seeing in logs is consistent with the vulnerability being claimed, since a supposedly network-exploitable, unauthenticated flaw showing up only after an attacker already had valid credentials on the box is a signal something else is going on, maybe a different technique entirely, or credentials that were already compromised through another path. Analysts also use CVSS environmental scoring, adjusted for their organization's actual network exposure and compensating controls, when writing the risk justification in a vulnerability report, since a raw NVD score without that context tends to either over-alarm leadership on low-exposure findings or under-prioritize genuinely dangerous ones.

Free

Practice CVSS in a Real SOC

SOCSimulator provides hands-on training with realistic SIEM, XDR, and Firewall interfaces. Build real analyst skills investigating cvss scenarios with zero consequences, free.

More Frameworks Terms

Career Path

SOC Manager Career Guide: Salary & Skills

SOC Managers run the operation. You own staffing, playbook development, tool selection, performance metrics, and executi…

Read more
Career Path

Detection Engineer Career Guide: Salary & Skills

Detection Engineers build the rules, analytics, and automated workflows that determine what the SOC can see. You transla…

Read more
Career Path

Security Engineer Career Guide: Salary & Skills

Security Engineers build and maintain the infrastructure that SOC analysts depend on. You deploy SIEMs, configure firewa…

Read more
Comparison

SOCSimulator vs CyberDefenders: Comparison

SOCSimulator trains the operational workflow: alert triage, correlation, and response under pressure. CyberDefenders tra…

Read more
Comparison

SOCSimulator vs Security Blue Team: Comparison

SOCSimulator provides continuous operational training that keeps your skills sharp between shifts. Security Blue Team pr…

Read more
Tool

SIEM Training Console: SOCSimulator

The SIEM console in SOCSimulator replicates the workflow of enterprise platforms like Splunk Enterprise Security, Micros…

Read more
Tool

XDR Training Console: SOCSimulator

The XDR console in SOCSimulator replicates the investigation workflow of platforms like CrowdStrike Falcon, Microsoft De…

Read more
Technique

MITRE ATT&CK® Techniques: Detection Training Library

Browse all MITRE ATT&CK® techniques with detection strategies and example alerts.

Read more
Career Path

Cybersecurity Career Paths: 2026 Guide

Explore SOC analyst career paths with salary data, required skills, and certification roadmaps.

Read more
Playbook

SOC Investigation Playbooks: Step-by-Step Guides

Practitioner investigation playbooks with decision trees and real SIEM queries.

Read more
Feature

Shift Mode: Real-Time SOC Simulation

Practice alert triage under realistic time pressure with SLA timers and noise injection.

Read more
Feature

Operations: Guided Training Operations

Structured CTF-style investigation operations covering real-world attack scenarios.

Read more