Predicting CVE Threats Beyond Conventional Scores


runZero's Tod Beardsley Outlines Flaws in Conventional Vulnerability Scoring Systems

Mathew J. Schwartz (euroinfosec) • June 13, 2025

In 2024, the cybersecurity industry tracked over 40,000 CVEs - a deluge of disclosed flaws that forces defenders to make hard choices. Patching all of them is difficult, making the ability to identify which vulnerabilities are most likely to be exploited a top priority. Tod Beardsley, vice president of security research at runZero, said not all CVEs are created equal and blindly relying on volume charts or basic scores leads to misprioritization.

The critical task is deciding which vulnerabilities deserve attention. Beardsley said conventional scoring systems, such as the Common Vulnerability Scoring System, don't help defenders prioritize in real time. Instead, he suggests building a predictive model that incorporates evolving signals and behaviors, not just raw numbers.

"The ...


Copyright of this story solely belongs to bankinfosecurity.