Dynamic risk scoring

Cyber risk is not a static calculation. Yet many organizations still assess it as if it were: point-in-time audits, annual reports, or quarterly risk reviews that quickly become outdated. In practice, the threat landscape, asset exposure, and defensive posture change continuously. A CVE ignored today may become critical tomorrow once it enters CISA’s Known Exploited Vulnerabilities catalog or appears in a widely available exploit kit.

Traditional scoring methods are limited in this regard. A CVSS base score rates a vulnerability's intrinsic severity, detached from adversary behavior, business context, or live exploit activity, and it is the base score, not the optional temporal or threat metrics, that most scanners and dashboards surface. As a result, defenders face a paradox: an overwhelming volume of "critical" vulnerabilities without clarity on which ones actually matter most at any given moment.

Attestor.ai addresses this challenge by calculating weighted, dynamic risk scores for both vulnerabilities (CVEs) and adversary techniques (MITRE ATT&CK). The Attestor.ai GPT weighs several factors:

  • Threat activity: Is the CVE actively exploited in the wild, listed in KEV, or used in current campaigns?
  • Technique relevance: Which ATT&CK techniques does it enable, and how frequently are those techniques leveraged by real adversaries?
  • Asset criticality: Is the vulnerable system part of a production OT network, a public-facing application, or a lower-value test environment?
  • Control coverage: Are the relevant NIST SP 800-53 controls or MITRE D3FEND countermeasures implemented and verified, or do gaps remain?

Together, these dimensions create a living score — one that changes as threats evolve, assets shift, and defenses improve.

Consider the case of a financial services firm:

  • CVE-2021-26855 (the ProxyLogon server-side request forgery in Microsoft Exchange Server) may at first appear as just another critical vulnerability.
  • Attestor.ai highlights that it maps to T1190 (Exploit Public-Facing Application), is actively exploited by multiple threat groups, and directly impacts the firm’s customer-facing email infrastructure.
  • The dynamic risk score spikes accordingly, signaling an urgent need for remediation.
  • Months later, once patched and compensating controls are verified, the residual risk score drops — and leadership gains confidence that the exposure is truly under control.
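
The following is an added illustration of how the four dimensions above and the Exchange scenario combine into a score that moves over time. It is example code written for this page, not Attestor.ai's scoring model: the weights, the 0..1 factor scales, the technique-prevalence table, the control IDs and the asset names are all assumptions constructed here. It scores the same CVE before its KEV listing, after it, and after the patch and compensating controls are verified, and it ranks the customer-facing mail server against a lab copy of Exchange so the asset-criticality effect is visible.

```python
"""Illustrative dynamic risk scorer for CVE/ATT&CK exposures.

Added example, not Attestor.ai's scoring model: weights, factor scales,
the prevalence table and every sample input are assumptions constructed
for this page. Inputs mirror the four dimensions in the text: threat
activity, technique relevance, asset criticality and control coverage.
"""
from dataclasses import dataclass, field, replace

# Assumed weights for the inherent (pre-mitigation) score; they sum to 1.0.
W_THREAT, W_TECHNIQUE, W_ASSET = 0.45, 0.25, 0.30

# Assumed prevalence of ATT&CK techniques in observed intrusions, 0..1.
TECHNIQUE_PREVALENCE = {
    "T1190": 0.9,      # Exploit Public-Facing Application
    "T1505.003": 0.6,  # Server Software Component: Web Shell
}

# Assumed criticality per asset tier, 0..1.
ASSET_CRITICALITY = {"test": 0.2, "internal": 0.5,
                     "public-facing": 0.9, "production-ot": 1.0}


@dataclass
class Exposure:
    """One vulnerable asset plus the live context that drives its score."""
    cve: str
    asset: str
    asset_tier: str
    techniques: list[str]
    in_kev: bool = False           # listed in CISA's KEV catalog
    public_exploit: bool = False   # exploit code widely available
    active_campaigns: int = 0      # campaigns currently using the CVE
    patched: bool = False          # patch applied and verified
    controls_required: list[str] = field(default_factory=list)  # assumed 800-53 IDs
    controls_verified: list[str] = field(default_factory=list)


def threat_activity(e: Exposure) -> float:
    """KEV listing dominates; public exploit and campaigns add, capped at 1.0."""
    score = 0.5 if e.in_kev else 0.0
    score += 0.3 if e.public_exploit else 0.0
    score += min(0.2, 0.1 * e.active_campaigns)
    return min(score, 1.0)


def technique_relevance(e: Exposure) -> float:
    """Prevalence of the most common technique the CVE enables (0 if none)."""
    return max((TECHNIQUE_PREVALENCE.get(t, 0.0) for t in e.techniques), default=0.0)


def control_coverage(e: Exposure) -> float:
    """Fraction of required controls that are verified; 1.0 if none are required."""
    if not e.controls_required:
        return 1.0
    verified = set(e.controls_required) & set(e.controls_verified)
    return len(verified) / len(e.controls_required)


def inherent_score(e: Exposure) -> float:
    """0..100 score before any mitigation is credited."""
    return 100.0 * (W_THREAT * threat_activity(e)
                    + W_TECHNIQUE * technique_relevance(e)
                    + W_ASSET * ASSET_CRITICALITY[e.asset_tier])


def residual_score(e: Exposure) -> float:
    """Inherent score discounted by a verified patch (0.7) and control coverage (up to 0.2).

    Total mitigation is capped at 0.9 by construction, so a patched and
    fully-controlled asset keeps a small residual instead of vanishing
    from the prioritized view.
    """
    mitigation = (0.7 if e.patched else 0.0) + 0.2 * control_coverage(e)
    return inherent_score(e) * (1.0 - mitigation)


def prioritize(exposures: list[Exposure]) -> list[tuple[str, str, float]]:
    """Rank exposures by residual score, highest first."""
    ranked = sorted(exposures, key=residual_score, reverse=True)
    return [(e.cve, e.asset, residual_score(e)) for e in ranked]


# Constructed scenario: the same Exchange CVE on two assets of a financial firm.
MAIL = Exposure("CVE-2021-26855", "mail.example", "public-facing", ["T1190"],
                controls_required=["SI-2", "SC-7"])
LAB = Exposure("CVE-2021-26855", "exchange-lab", "test", ["T1190"])
KEV_CONTEXT = dict(in_kev=True, public_exploit=True, active_campaigns=3)


def exchange_timeline() -> dict[str, float]:
    """Residual score of the customer-facing mail server at three points in time."""
    listed = replace(MAIL, **KEV_CONTEXT)
    fixed = replace(listed, patched=True, controls_verified=["SI-2", "SC-7"])
    return {"pre-kev": residual_score(MAIL),
            "kev-listed": residual_score(listed),
            "patched-and-verified": residual_score(fixed)}


def prioritize_snapshot() -> list[tuple[str, str, float]]:
    """Ranking once the CVE is KEV-listed: mail server outranks the lab box."""
    return prioritize([replace(MAIL, **KEV_CONTEXT), replace(LAB, **KEV_CONTEXT)])


if __name__ == "__main__":
    for stage, score in exchange_timeline().items():
        print(f"{stage:>22}: {score:5.1f}")
    for cve, asset, score in prioritize_snapshot():
        print(f"{cve} on {asset}: {score:5.1f}")
```

Two design choices are worth noting when adapting this. Threat activity is deliberately the heaviest weight so that a KEV listing alone roughly doubles the score, which is the "spike" the text describes; and mitigation is applied as a multiplier on the inherent score rather than as a fourth additive term, so that a verified patch cannot be offset by an unrelated factor and the number reported to leadership is a true residual.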

This capability delivers distinct value:

  • For analysts and blue teams: a prioritized, evolving view of where to allocate scarce time and resources.
  • For CISOs: a defensible, data-driven way to communicate residual risk to executives and regulators.
  • For the business: assurance that cyber risk is not only monitored but continuously recalculated as conditions change.

Dynamic risk scoring transforms risk management from a static compliance exercise into an operational discipline. By continuously weighting vulnerabilities and adversary techniques against real-world conditions, Attestor.ai provides defenders with the clarity and accountability they need to stay ahead of threats — and to prove it.