Most security teams are still sorting their patch queues by CVSS scores, and according to Cisco Talos researcher Thorsten Rosendahl, that habit is quietly burning through operations capacity on vulnerabilities that may never be weaponized. In a post for the Talos Threat Source newsletter, Rosendahl lays out a more precise approach built around three complementary layers: CVSS, EPSS, and the emerging GCVE framework.
CVSS Answers the Wrong Question Alone
CVSS has served as the default severity benchmark for over a decade, but Rosendahl is clear about its limitation: it measures theoretical impact, not real-world likelihood. A CVSS 9.8 on a vulnerability with no active exploitation is a fundamentally different operational problem from a CVSS 7.2 that threat actors are actively leveraging. Sorting purely by CVSS means finite remediation resources flow toward hypotheticals.
Where EPSS Fits In
The Exploit Prediction Scoring System (EPSS) provides the probability dimension that CVSS omits. Updated daily and expressed as a value between 0 and 1, EPSS estimates the likelihood that a given CVE will be exploited within the next 30 days, drawing on real-world signals rather than theoretical impact analysis.
Used together, the two metrics create actionable triage tiers:
- High CVSS, high EPSS: Immediate priority, act now.
- High CVSS, low EPSS: Can be scheduled behind a medium-severity vulnerability with an EPSS score of 0.7 or higher.
Rosendahl argues this single change in triage logic can meaningfully shrink the active patch backlog without degrading overall security posture.
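As an added illustration (not code from the article or from Talos), the two tiers above in a Python triage function, alongside the CVSS-only sort it replaces; the 0.7 high-EPSS cut-off, the `exploited` flag standing in for KEV/GCVE-style exploitation evidence, and the sample queue are assumptions of this example.

```python
from dataclasses import dataclass
# "High EPSS" cut-off: reuses the 0.7 from the article's example (an assumption).
EPSS_HIGH = 0.7

def cvss_band(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0.0 else "none"

@dataclass
class Finding:
    vuln_id: str
    cvss: float
    epss: float  # EPSS probability of exploitation in the next 30 days, 0..1
    exploited: bool = False  # confirmed exploitation evidence (KEV/GCVE entry)

def triage_tier(f: Finding) -> int:
    """Return a queue tier; lower numbers are patched first."""
    band = cvss_band(f.cvss)
    if f.exploited:
        return 0  # confirmed exploitation beats any prediction
    if band in ("critical", "high") and f.epss >= EPSS_HIGH:
        return 1  # high CVSS, high EPSS: act now
    if band == "medium" and f.epss >= EPSS_HIGH:
        return 2  # likely-to-be-exploited medium goes ahead of ...
    if band in ("critical", "high"):
        return 3  # ... high CVSS with low EPSS, which is merely scheduled
    return 4  # everything else waits

def prioritise(findings: list[Finding]) -> list[Finding]:
    """Order by tier, then by EPSS and CVSS descending within a tier."""
    return sorted(findings, key=lambda f: (triage_tier(f), -f.epss, -f.cvss))

def cvss_only(findings: list[Finding]) -> list[Finding]:  # legacy ordering
    return sorted(findings, key=lambda f: -f.cvss)

# Constructed sample queue; identifiers and scores are made up for illustration.
SAMPLE = [
    Finding("EXAMPLE-A", 9.8, 0.02),
    Finding("EXAMPLE-B", 7.2, 0.91),
    Finding("EXAMPLE-C", 6.5, 0.75),
    Finding("EXAMPLE-D", 5.3, 0.01),
    Finding("EXAMPLE-E", 8.1, 0.10, exploited=True),
]
```

Run on the sample queue, `cvss_only` puts the CVSS 9.8 with a 2% exploitation probability first, while `prioritise` moves the confirmed-exploited and high-EPSS findings ahead of it.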
Expanding Exploitation Signal Beyond KEV
For exploitation evidence, most teams default to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Rosendahl acknowledges KEV’s value but notes its structural characteristics: it is centralized, conservative in its admission criteria, and primarily shaped by U.S. federal visibility. For practitioners outside the United States, that scope introduces blind spots.
The Global CVE (GCVE) initiative offers a decentralized alternative worth watching. Two properties make it relevant for the anticipated surge in vulnerability volume:
- Speed of enrichment: Because GCVE is decentralized, affected-product data and exploit indicators do not have to clear a single processing queue. Rosendahl notes the traditional NVD pipeline has struggled with visible backlog over the past two years.
- Broader exploitation signal: GCVE allows multiple sources of exploitation evidence to surface against the same identifier, giving defenders a more complete picture than any single authoritative list can provide.
EvidenceForge: Synthetic Logs for Detection Validation
On the tooling side, Cisco Talos released EvidenceForge, an open-source utility designed to generate realistic, causally consistent synthetic security logs across more than 20 log formats. The tool addresses a persistent shortage of high-quality labeled datasets for training threat hunters and validating detection pipelines.
Unlike generators that produce independent, context-free events, EvidenceForge uses a canonical event model and AI-assisted scenario authoring to maintain temporal and causal consistency, including realistic background noise and red herrings. Security teams can use the generated datasets to build SOC training programs, stress-test new SIEM deployments, and validate detection logic before it reaches production. The repository is available on GitHub.
Taken together, the CVSS-plus-EPSS-plus-GCVE triage stack and synthetic dataset tooling represent a shift from reactive, volume-driven patching toward precision-based vulnerability management, a posture Rosendahl considers worth establishing before the next wave of disclosure volume arrives.
