Risk-based vulnerability prioritization

Stop patching by CVSS score.

Your scanner flags thousands of "critical" vulnerabilities. Most aren't reachable on your network - or they're already neutralized by a control you run. Koopic scores every finding against real exposure and the controls you already have, so your team fixes the handful that matter.

Works with CrowdStrike · Defender · Tenable · Qualys · Rapid7 · and more

koopic · prioritization (illustrative)

Scanner output: 4,900 "critical" findings
Koopic priority: 150 actionable

P0   CVE-2026-0481   Internet-exposed · in CISA KEV · no control
P0   CVE-2026-1937   Public-facing · active exploitation
-    CVE-2026-3120   Segmented · EDR blocks the exploit path
-    CVE-2026-2774   Needs local access · not internet-reachable
-    CVE-2026-4002   Compensating control present · contained

Legend: P0 = escalated · - = contained

A CVSS 9.8 your controls already neutralize is not your top priority.

THE TRIAGE QUEUE

Your scanner flags thousands of "criticals."
Most of them aren’t your problem.

CVSS scores a vulnerability in a vacuum - it can’t see that the host is segmented, the exploit isn’t reachable, or a control already neutralizes it. So teams burn sprints on findings that don’t move risk. Koopic was built to take each of these off the board.

Triage queue / the pattern every vuln-management team hits
6 ways CVSS misleads · 6 resolved by Koopic

PAIN-001 · VULN MGMT · 03:42 PT · P0 · Volume

The scanner says everything is critical.

4,900 findings tagged "Critical" by CVSS ≥ 9.0. The team can patch ~80 / week. At that rate the backlog never shrinks.

Koopic resolves: re-rank · live

Koopic rescores every finding against real exposure and the controls you already run. The list that actually moves risk this week collapses to ~150.

PAIN-002 · SECOPS · 09:17 PT · P0 · Exposure

A 9.8 on a box no attacker can reach.

CVSS scores the vulnerability in isolation. It doesn’t know the host is segmented, not internet-facing, or that the exploit needs local access nobody has.

Koopic resolves: exposure-aware

We factor in reachability and network exposure per asset. A critical with no path to it gets down-ranked, not patched in a panic.

PAIN-003 · SECOPS · 11:08 PT · P0 · Controls

We already neutralized half of these.

EDR blocks the exploit path. A WAF rule covers the rest. But the scanner re-flags the same CVE every week as if no control existed - so the team re-triages it every week.

Koopic resolves: control-aware

Koopic knows which assets already have a compensating control and down-ranks accordingly. Contained findings stop stealing attention from the exposed ones.

PAIN-004 · VULN MGMT · 14:31 PT · P0 · Exploitable

Which of these is actually being exploited?

A "medium" with active exploitation in the wild is a bigger problem than a quiet 9.8. CVSS severity says nothing about whether attackers are using it today.

Koopic resolves: EPSS · KEV

We fold in exploit-prediction (EPSS) and CISA KEV. A "medium" that’s internet-exposed, uncontrolled, and in KEV gets escalated to P0 - where it belongs.

PAIN-005 · CISO · 16:54 PT · P1 · Defensible

Why did we patch this and not that?

When leadership or an auditor asks why a finding was deprioritized, "the scanner ranked it lower" isn’t an answer anyone can defend.

Koopic resolves: explainable

Every score carries its reason on the row - exposed, segmented, control present, in KEV. The priority list is defensible, not a black box.

PAIN-006 · IT DIR · 10:20 PT · P1 · Effort

We’re burning sprints on the wrong CVEs.

Every hour spent on a contained 9.8 is an hour not spent on the exposed, exploitable finding that actually lets someone in. Effort goes where the number is loudest, not where the risk is.

Koopic resolves: focus

Patch the handful that genuinely matter. Effort follows real risk, so the same team closes more exposure with the capacity it already has.

Scores on 3 signals · not just CVSS
Every verdict explainable · reason on the row
Works with your existing scanners
The result: focus on what's truly exposed

HOW THE PRIORITY GETS PRODUCED

From a wall of "criticals" to
one explainable, ranked list.

Koopic doesn’t add another scanner. It connects the ones you have, scores every finding against real exposure and the controls you already run, and emits a short queue you can defend - line by line.

Scoring pipeline / re-ranks as exposure & controls change
3 stages · 3 signals scored

01 · STAGE_01 · UNIFY · continuous

Unify what you already have.

Pull from your scanners, EDR, MDM, cloud, and CMDB into one golden record per asset - so a finding is tied to a real machine with a known exposure and a known set of controls, not just a CVE ID.

  • Native connectors for Tenable, Qualys, Rapid7, Defender
  • Deduped to one record per asset, with full lineage
  • Each asset carries its exposure and its controls
sources.connected: 5 / 5 active
  Tenable · scanner · connected
  Microsoft Defender · EDR · connected
  CrowdStrike · EDR · syncing…
  Azure / Cloud · cloud · connected
  On-Prem Agent · agent · ready

02 · STAGE_02 · SCORE · on every change

Score against exposure, controls, and exploit signal.

For every finding, Koopic weighs real reachability, whether a compensating control already neutralizes it, and live exploit signal (EPSS + CISA KEV) - not CVSS in a vacuum.

  • Exposure: internet-facing vs segmented, reachable vs not
  • Controls: EDR / WAF / segmentation already in place
  • Exploit signal: EPSS probability + KEV membership
score-inputs: CVE-2026-1937
  Internet-exposed: yes
  Compensating control: EDR + segmentation
  EPSS probability: 0.91
  In CISA KEV: yes
  raw CVSS 8.1 → scored P0 · escalated

03 · STAGE_03 · RANK · live

Get an explainable, ranked list.

The output is a short, ordered queue with the reason on every row. Truly-exposed findings rise; ones your controls already contain drop - and you can defend every call.

  • Ranked queue, not thousands of equal "criticals"
  • Every score shows why it landed where it did
  • Re-ranks the moment exposure or controls change
priority.queue (explainable)
  P0   CVE-2026-1937   Public-facing · in KEV · no control
  P0   CVE-2026-0481   Internet-exposed · EPSS 0.91
  -    CVE-2026-3120   Segmented · EDR blocks exploit path
  -    CVE-2026-4002   Compensating control · contained

Sources: unified · one record per asset
Signals scored: 3 · exposure · controls · exploit
Every verdict: explainable · reason on the row
Cadence: live · re-ranks on change

WHY THE SCORE IS TRUSTWORTHY

Not a black box that tells you to "trust the number." Every verdict shows its work.

5 reasons

M_01 · EXPLAINABLE · reason on every row
Explainable: scoring you can defend, line by line

Every score carries the factors that produced it - exposed, segmented, control present, in KEV. When leadership or an auditor asks why, you have an answer.

  internet-exposed    + escalate
  in CISA KEV         + escalate
  EDR blocks path     − contain

M_02 · CONTROLS · transparent deltas
Control-aware: adjustments you can see and tune

A compensating control that already neutralizes a finding lowers its priority - and shows the exact, bounded adjustment it made. Nothing happens silently.

  segmentation        −15
  EDR exploit-block   −10
  net adjustment      −25

M_03 · EXPLOIT · EPSS + KEV
Real exploit signal, not just CVSS

We fold in exploit-prediction and known-exploited data.

  EPSS       0.91
  CISA KEV   listed ✓

M_04 · COMPATIBLE · your stack
Works with the scanners you already run

No rip-and-replace. We score on top.

  Tenable · Qualys · Rapid7 · Defender · + more

M_05 · FOCUS · illustrative
~150 actionable, out of thousands flagged

The list that actually moves risk.

4,900 "critical" → ~150 actionable
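Scoring logic of the kind the three-stage pipeline and the bounded control adjustments above describe, written here as an added Python illustration rather than Koopic's own code: the Finding fields, the weights for exposure/KEV/EPSS and the P0/P1 thresholds are assumptions, while the two control deltas (segmentation −15, EDR exploit-block −10), the −25 bound, and the escalate/contain rules follow the page.

```python
from dataclasses import dataclass, field

# Assumed, bounded control deltas; the page's two example values are kept.
CONTROL_DELTAS = {"segmentation": -15, "edr_exploit_block": -10, "waf": -10}
CONTROL_FLOOR = -25  # controls can lower a score by at most this much

@dataclass
class Finding:
    cve: str
    cvss: float
    internet_exposed: bool
    in_kev: bool
    epss: float
    controls: list = field(default_factory=list)

def score(f: Finding):
    """Return (score 0..100, priority, reasons); weights are assumed."""
    s, reasons = f.cvss * 10, [f"CVSS {f.cvss}"]
    if f.internet_exposed:
        s += 20; reasons.append("internet-exposed (+20)")
    else:
        s -= 20; reasons.append("not internet-reachable (-20)")
    if f.in_kev:
        s += 25; reasons.append("in CISA KEV (+25)")
    epss_bonus = round(f.epss * 20)
    s += epss_bonus; reasons.append(f"EPSS {f.epss:.2f} (+{epss_bonus})")
    delta = max(sum(CONTROL_DELTAS.get(c, 0) for c in f.controls), CONTROL_FLOOR)  # bounded
    if delta:
        s += delta; reasons.append(f"controls {'+'.join(f.controls)} ({delta})")
    s = round(max(0.0, min(100.0, s)))
    if f.internet_exposed and f.in_kev and not f.controls:
        prio = "P0"; reasons.append("escalated: exposed, exploited, no control")
    elif f.controls and s < 70:
        prio = "-"; reasons.append("contained")
    else:
        prio = "P0" if s >= 90 else "P1" if s >= 70 else "P2"
    return s, prio, reasons

def rank(findings):
    """Queue ordered by score; every row keeps the reasons that produced it."""
    return sorted(((f.cve, *score(f)) for f in findings), key=lambda r: -r[1])

# Constructed sample modelled on the page's illustrative queue (not real data).
SAMPLE = [
    Finding("CVE-2026-0481", 9.8, True, True, 0.91),
    Finding("CVE-2026-1937", 8.1, True, True, 0.91),
    Finding("CVE-2026-3120", 9.8, False, False, 0.05, ["segmentation", "edr_exploit_block"]),
    Finding("CVE-2026-2774", 9.8, False, False, 0.02),
]
```

Calling `rank(SAMPLE)` yields the two exposed, KEV-listed findings at P0 with their reasons, the unreachable 9.8 at P1, and the segmented host behind EDR marked contained.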

Frequently Asked Questions

How is this different from prioritizing by CVSS?
Raw CVSS describes a vulnerability in the abstract - it doesn't know whether the affected asset is reachable, internet-exposed, or already protected by a control you run. Koopic scores each finding in the context of your environment: exposure, asset criticality, exploit signal (EPSS, CISA KEV), and the compensating controls actually present. The result is a short, ranked list of what's genuinely reachable and uncontrolled - not a wall of undifferentiated 9.8s.

How does Koopic know which vulnerabilities are actually reachable?
Koopic builds a unified inventory from the tools you already run, so it knows what each asset is, how exposed it is (internet-facing vs. segmented), and which controls protect it. That context feeds the score: a critical CVE on a segmented box behind an EDR that blocks its exploit path is down-ranked; a lower-CVSS flaw on an internet-facing asset with no control and active exploitation is escalated.

Do I have to replace my scanner?
No. Koopic sits on top of the scanners and security tools you already use - Tenable, Qualys, Rapid7, Microsoft Defender, and others. It ingests their findings and re-scores them with environmental and control context. You keep your existing stack; Koopic turns its output into a prioritized work list.

How do compensating controls affect the score?
Controls apply as transparent, bounded adjustments to a finding's score - and the reasoning is shown on every row. If an EDR neutralizes an exploit path, or network segmentation removes reachability, that finding drops in priority with the rationale attached. Nothing is a black box: you can see exactly why each vulnerability ranks where it does.

Does it work for on-premises environments?
Yes. A lightweight on-prem agent collects from internal tools and sources and pushes data to Koopic over end-to-end encryption, so segmented and on-prem assets are scored with the same exposure-and-control context as everything else.

How do we get started?
We connect a sample of your data, score it against your real exposure and controls, and show you the priority list it produces - so you can judge the model on your own findings before committing to anything.

See it on your data.

Bring your scanner output and asset data - we'll show you which findings actually matter on your network, with the reason on every row.