Vulnerability Scoring

Security teams are often overwhelmed by vulnerability lists filled with raw scores that don’t clearly indicate what action to take. Manifest simplifies this by providing a human-readable action—a clear "so what"—for each vulnerability. Our approach considers multiple factors beyond just a CVSS score, ensuring that risk assessment is practical, actionable, and aligned with real-world threats.


Based on CISA’s SSVC Framework

Our methodology aligns with the Stakeholder-Specific Vulnerability Categorization (SSVC) framework developed by CISA. SSVC goes beyond traditional severity scores by incorporating exploitability, impact, and urgency, making it a more effective way to prioritize vulnerabilities.


Manifest’s Three-Tier Vulnerability Scoring

Manifest classifies vulnerabilities into three categories to help users quickly understand the necessary response:

Mitigate 🔴 – Take action immediately. The vulnerability is either actively exploited or poses a significant risk to your environment. These should be prioritized for patching or remediation as soon as possible.

Monitor 🟠 – Keep an eye on it. The vulnerability may be serious, but there is currently no active exploitation, or mitigating factors reduce its urgency. Regularly reassess it as new intelligence emerges.

Accept 🟢 – No immediate action required. The vulnerability has a low likelihood of exploitation or minimal impact in your environment. Document the risk and revisit it if circumstances change.

These scores/actions are determined by factors including:

  • whether the vulnerability is in CISA's Known Exploited Vulnerabilities (KEV) catalog
  • the vulnerability's EPSS score
  • the CVSS score
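
The sketch below is an added example, not Manifest's scoring logic: it shows how the three inputs listed above could be combined into the three actions. The page publishes no thresholds, so every cut-off, the Finding type, the function names and the CVE ids are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed cut-offs for illustration only; the page does not state any.
EPSS_HIGH, EPSS_LOW = 0.10, 0.01   # EPSS is a probability in [0, 1]
CVSS_HIGH = 7.0                    # CVSS base score in [0, 10]
RANK = {"Mitigate": 0, "Monitor": 1, "Accept": 2}

@dataclass
class Finding:
    cve_id: str
    in_kev: bool            # listed in CISA's KEV catalog
    epss: Optional[float]   # None when no EPSS score is published yet
    cvss: Optional[float]   # None when the CVE has not been scored

def triage(f: Finding) -> str:
    """Map one finding to Mitigate / Monitor / Accept."""
    if f.epss is not None and not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"{f.cve_id}: EPSS out of range")
    if f.cvss is not None and not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.cve_id}: CVSS out of range")
    if f.in_kev:                          # known exploitation outranks any score
        return "Mitigate"
    if f.epss is None or f.cvss is None:  # unknown risk is never silently accepted
        return "Monitor"
    if f.epss >= EPSS_HIGH and f.cvss >= CVSS_HIGH:
        return "Mitigate"
    if f.epss >= EPSS_LOW or f.cvss >= CVSS_HIGH:
        return "Monitor"
    return "Accept"

def prioritize(findings):
    """Order by action, then KEV membership, then EPSS and CVSS descending."""
    def key(f):
        return (RANK[triage(f)], not f.in_kev, -(f.epss or 0.0), -(f.cvss or 0.0))
    return [(f.cve_id, triage(f)) for f in sorted(findings, key=key)]

# Constructed sample data; the ids are placeholders, not real CVEs.
SAMPLE = [
    Finding("CVE-0000-0001", False, 0.002, 9.8),  # critical CVSS, low EPSS
    Finding("CVE-0000-0002", True, 0.03, 5.3),    # medium CVSS, but in KEV
    Finding("CVE-0000-0003", False, 0.004, 4.3),
    Finding("CVE-0000-0004", False, 0.45, 8.1),
    Finding("CVE-0000-0005", False, None, 6.5),   # EPSS not yet published
]

if __name__ == "__main__":
    for cve_id, action in prioritize(SAMPLE):
        print(f"{action:<9}{cve_id}")
```

With these assumed cut-offs, the KEV-listed finding with a medium CVSS score lands above the unexploited 9.8, which is the difference from sorting by CVSS alone.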

Coming Soon: Customize Your Own Scoring

We are tracking feature requests to allow our customers to customize their own Vulnerability Scoring, including by ingesting other scores and data from internal sources. Stay tuned for updates, or message our support team to let us know if you're interested.