Published January 29, 2026 | Version v1
Journal article Open

Beyond CVSS: Context-Aware Vulnerability Prioritization in Large Enterprises

Description

Abstract

The Common Vulnerability Scoring System (CVSS) remains central to traditional vulnerability management in large enterprises. It captures technical severity but largely ignores deployment context and business impact. As a result, organizations often over-prioritize low-impact findings while overlooking high-risk exposures that carry only moderate CVSS scores. This misalignment causes remediation fatigue, wasted resources, and longer exposure windows for the weaknesses that matter most. This paper introduces a context-aware vulnerability prioritization framework that goes beyond CVSS by combining environmental and business indicators into a single risk score. The framework computes five components for each vulnerability: CVSS severity, deployment exposure, business criticality, exploit signal, and blast radius. These components are derived from scanner output, asset and CMDB data, software bills of materials (SBOMs), and unstructured documentation, with large language model (LLM) extraction used to improve the results. A weighted scoring function combines the signals into one priority score, which is then mapped onto four operational tiers (P1–P4) with automatically generated natural-language explanations. We evaluate the framework in a large corporate setting using real-world enterprise datasets and simulated remediation scenarios. The results show better alignment with incident data, faster remediation, and a shorter time to fix the most important vulnerabilities compared with CVSS-only and simple risk-based baselines. We also discuss deployment considerations, limitations, and future research directions for context-aware scoring in large enterprises.
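The abstract names five inputs, a weighted combination and a P1–P4 tiering with generated explanations, but not the weights or cut-offs. The following is an added illustration, not the paper's code: the weights, tier cut-offs, field names and the two sample findings are all assumptions, chosen so that a medium-CVSS finding on an exposed, exploited, business-critical asset outranks a critical-CVSS finding on an isolated one.

```python
from dataclasses import dataclass

# Assumed weights for the paper's five components (the paper's own weights are not on the page).
WEIGHTS = {"cvss": 0.25, "exposure": 0.20, "criticality": 0.20,
           "exploit": 0.20, "blast_radius": 0.15}
# Assumed cut-offs mapping the 0-100 priority score onto the four operational tiers.
TIER_CUTOFFS = [(80.0, "P1"), (60.0, "P2"), (40.0, "P3"), (0.0, "P4")]


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    cvss: float          # CVSS base score, 0-10, from the scanner
    exposure: float      # deployment exposure: 1.0 internet-facing, ~0.1 isolated internal
    criticality: float   # business criticality of the hosting asset, 0-1, from the CMDB
    exploit: float       # exploit signal: 1.0 known exploited / public PoC, 0.0 none observed
    blast_radius: float  # share of dependent systems reachable from the asset (SBOM / topology)


def contributions(v: Vuln) -> dict[str, float]:
    """Weighted contribution of each signal; CVSS is rescaled from 0-10 to 0-1 first."""
    signals = {"cvss": v.cvss / 10.0, "exposure": v.exposure,
               "criticality": v.criticality, "exploit": v.exploit,
               "blast_radius": v.blast_radius}
    return {k: WEIGHTS[k] * signals[k] for k in WEIGHTS}


def priority_score(v: Vuln) -> float:
    """Single 0-100 priority score: the weighted sum of the five normalised signals."""
    return 100.0 * sum(contributions(v).values())


def tier(score: float) -> str:
    """Map a score onto P1-P4 using the first cut-off it meets."""
    return next(label for cutoff, label in TIER_CUTOFFS if score >= cutoff)


def explain(v: Vuln) -> str:
    """Plain-language rationale naming the tier and the two largest score drivers."""
    score = priority_score(v)
    top = sorted(contributions(v).items(), key=lambda kv: kv[1], reverse=True)[:2]
    drivers = " and ".join(f"{name} (+{100 * c:.0f})" for name, c in top)
    return f"{v.vuln_id}: {tier(score)} (score {score:.1f}); driven mainly by {drivers}."


# Constructed sample: a critical-CVSS finding on an isolated dev box versus a medium-CVSS
# finding on an internet-facing, actively exploited payment service.
DEV_BOX = Vuln("VULN-A", cvss=9.8, exposure=0.1, criticality=0.2, exploit=0.0, blast_radius=0.1)
PAYMENTS = Vuln("VULN-B", cvss=6.5, exposure=1.0, criticality=0.9, exploit=1.0, blast_radius=0.7)

if __name__ == "__main__":
    for v in sorted((DEV_BOX, PAYMENTS), key=priority_score, reverse=True):
        print(explain(v))
```

Under these assumed weights the CVSS 9.8 finding lands in P4 while the CVSS 6.5 finding lands in P1, which is the inversion the abstract argues CVSS-only ranking misses.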

Keywords

vulnerability prioritization, CVSS, risk-based vulnerability management, business context, SBOM, LLM, enterprise security

Files

Beyond CVSS Context-Aware Vulnerability Prioritization in Large Enterprises.pdf