White paper
18 quick insights to reduce remediation workflows with Predictive Prioritization
Key takeaways
- Drastically reduce your remediation workload by identifying the 1.6% of vulnerabilities threat actors are most likely to target.
- A Vulnerability Priority Rating (VPR) can score new CVEs before the NVD publishes the official CVSS score, a process that typically takes about 45 days after vulnerability publication.
- VPR supplements your existing processes with a dynamic, data-driven layer of threat intelligence on top of the CVSS framework.
What is Predictive Prioritization?
Tenable Predictive Prioritization is the process of re-prioritizing vulnerabilities based on the probability they will be leveraged in an attack.
Predictive Prioritization addresses a fundamental problem in cybersecurity: traditional scoring systems create an overwhelming and misleading picture of risk.
That’s because static vulnerability scores mark most vulnerabilities as critical or high. Without threat intelligence and other key data, your security teams have no idea which vulnerability might pose a real risk to your organization.
This is why you need Predictive Prioritization. It goes beyond a static score by using a machine learning-powered threat score that draws from more than 150 distinct features across multiple types of data sources, like exploit availability, dark web chatter, and active exploitation evidence.
Predictive Prioritization helps your security teams prioritize vulnerabilities based on the probability a threat actor may leverage them in an attack.
This vulnerability prioritization strategy helps your team focus on the 1.6% of vulnerabilities that pose the greatest risk to your business, so you can spend your limited resources on remediating the vulnerabilities that matter most.
With Predictive Prioritization, your teams can shift away from traditional vulnerability management approaches — like relying only on the Common Vulnerability Scoring System (CVSS) — that treat every vulnerability as equally critical.
How Predictive Prioritization works
Tenable Predictive Prioritization enhances traditional scoring with contextual vulnerability and exploit data for a more accurate, actionable view of cyber risk.
It’s a critical evolution that makes your vulnerability data more useful, so your organization can focus on the 1.6% of vulnerabilities attackers are the most likely to exploit.
Predictive Prioritization uses CVSS framework scope and impact metrics, but it replaces the static CVSS exploitability components with a dynamic threat score.
By combining this dynamic threat score with the vulnerability's impact, the process generates a Vulnerability Priority Rating (VPR).
A VPR is a vulnerability score from 0.1 to 10 that indicates remediation priority. It’s integrated into Tenable products like Tenable Vulnerability Management and the Tenable One Exposure Management platform to streamline your vulnerability management workflows.
Together, Predictive Prioritization and VPR help you identify the vulnerabilities that threat actors are most likely to exploit and that could cause significant business impact. They supplement, not replace, your existing CVSS-based prioritization.
Tenable recalculates the VPR score daily for every CVE. The VPR may or may not change, depending on the threat landscape.
The power behind the VPR
A VPR is dynamic and predictive because a threat score powers it. This score is the output of an algorithm that analyzes more than 150 features drawn from two main categories:
- Vulnerability data, for example, CVSS metrics, vulnerability age, and the specific vendor/software impacted.
- Threat intelligence, for example, exploit availability, National Vulnerability Database (NVD) disclosures, and active chatter from security forums and the dark web.
The algorithm analyzes these inputs to generate the threat score (the likelihood of an exploit). Predictive Prioritization combines this score with the vulnerability's impact to produce the final VPR.
Ultimately, Predictive Prioritization is the process that translates complex, real-time threat intelligence into clear, actionable priorities. It empowers your team to move beyond theoretical severity, cut through endless vulnerability lists, and focus remediation on the vulnerabilities that pose the greatest real-world risk.
Frequently asked questions
Find answers to common questions about Predictive Prioritization. This information can help you understand the key details.
What’s the difference between Predictive Prioritization and a VPR?
Predictive Prioritization evaluates vulnerabilities based on the probability a threat actor may exploit them in an attack. The Vulnerability Priority Rating (VPR) is the output of that process. It’s a score that indicates remediation priority.
How do VPR scores compare to CVSS?
While the cutoff scores for critical, high, medium, and low are the same, the distribution is different. VPR categorizes only about 1.6% of vulnerabilities as critical or high, compared to about 60% for CVSS.
Can a VPR score change?
Yes. Tenable recalculates VPRs for every CVE daily. The score may change depending on new threat intelligence, exploit availability, or chatter in the threat landscape.
What does a critical VPR score mean?
A critical VPR means the vulnerability has a high probability of exploitation, and if an attacker successfully exploits it, its impact would be significant. These are the vulnerabilities you should fix first.