Published May 14, 2026 · 4 min read

CVSS Explained: Versions, Calculators and What the Score Really Tells You

Tags: CVSS · EPSS · Vulnerability Scoring · Prioritization

CVSS is the number everyone quotes when they talk about how "bad" a vulnerability is — the 9.8 on the security advisory, the "Critical" tag in your scanner. But what is it actually measuring, how do the calculators work, and which version should you be using? Here's a practical explainer, plus our honest opinion on where CVSS helps and where it leads teams astray.

What is CVSS?

The Common Vulnerability Scoring System (CVSS) is an open, vendor-neutral framework — maintained by FIRST (the Forum of Incident Response and Security Teams) — for rating the severity of a vulnerability on a scale from 0.0 to 10.0. Its value is standardization: a CVSS vector means the same thing whether it comes from a vendor advisory, the NVD or your own analysis.

The three metric groups

CVSS scores are built from up to three groups of metrics:

  • Base — the intrinsic, unchanging characteristics of the flaw: how it is reached (attack vector), how hard it is to exploit, what privileges and user interaction are needed, and the impact on confidentiality, integrity and availability. This is the score almost everyone quotes.
  • Temporal (v3.1) / Threat (v4.0) — factors that change over time. In v3.1 these are Exploit Code Maturity, Remediation Level and Report Confidence; v4.0 keeps only Exploit Maturity (is there a proof of concept, and is it being used in attacks?).
  • Environmental — adjustments for your specific environment, including how critical the affected asset is to you.

The catch: most organizations only ever use the Base score and ignore the other two, even though FIRST's own CVSS user guide says the Base score by itself is not a measure of risk and should be adjusted with Temporal/Threat and Environmental metrics before it is used to prioritize.

Severity ratings

The 0–10 score maps to qualitative bands: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9) and Critical (9.0–10.0).

Current versions: v3.1 and v4.0

  • CVSS v3.1 (2019) is still the most widely used in practice. It is what the NVD and most scanners report today.
  • CVSS v4.0 (released by FIRST in November 2023) is the latest version. It adds meaningful granularity: it splits impact into the Vulnerable System and Subsequent System, adds an Attack Requirements metric, replaces "Temporal" with Threat metrics, and introduces Supplemental metrics (Safety, Automatable, Recovery, Value Density, Vulnerability Response Effort and Provider Urgency) that carry extra context but do not change the numeric score. It also formalizes nomenclature like CVSS-B, CVSS-BT and CVSS-BTE depending on which groups you score. The goal is to reduce the v3.x tendency to rate almost everything "Critical."

Adoption of v4.0 is gradual, so you will see both versions side by side for a while.

The calculators

The reference tool is the official FIRST calculator (at first.org, with separate pages for v3.1 and v4.0). You select each metric and it produces two things: a numeric score and a vector string.

That vector string — for example CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — encodes every choice you made. Anyone can paste it back into the calculator to reproduce the exact score, which makes scores reproducible and auditable. The NVD attaches CVSS scores to published CVEs, and most vendors publish their own vectors in advisories.

How to read a CVSS vector quickly

Each pair is metric:value. In the example above: AV:N = reachable over the network, AC:L = low attack complexity, PR:N = no privileges required, UI:N = no user interaction, S:U = scope unchanged (the impact stays within the vulnerable component), and C/I/A:H = high impact to confidentiality, integrity and availability. That combination scores 9.8; the only thing keeping it off 10.0 is the unchanged scope, since the same vector with S:C scores 10.0.

Our opinion: useful, but routinely misused

Here's our honest take. CVSS is essential as a common language for severity, and v4.0 is a genuine improvement — more nuance, less score inflation. But CVSS is also the single most misused metric in vulnerability management:

  • Base severity is not risk. A CVSS Base score measures how reachable the flaw is and how bad a successful exploit would be, not whether anyone is actually exploiting it or whether it matters on your assets. Most teams rank their backlog purely by Base score, which is precisely what FIRST tells you not to do.
  • "Fix all the criticals" doesn't scale. Because so many CVEs land at High/Critical, severity-only prioritization produces an impossible backlog while the genuinely dangerous, actively exploited issues wait in the same pile.
  • The Threat and Environmental groups are the cure CVSS ships with — and almost nobody uses them. In practice, EPSS (likelihood) and the CISA KEV catalog (confirmed exploitation) often do that job better and with less manual effort.

Our recommendation: use CVSS for what it is good at — describing impact — and combine it with exploitability, active exploitation and business context. That combination is the basis of risk-based vulnerability management, and the practical recipe is in our prioritization framework.

How priorIQ.ai uses CVSS

priorIQ.ai treats CVSS as the impact dimension and combines it automatically with EPSS, CISA KEV, business exposure and toxic-combination analysis — so a high CVSS never floats to the top on severity alone. Request a demo.

Frequently asked questions

Should I use CVSS v3.1 or v4.0? Use whatever your sources provide, and prefer v4.0 where available — but do not change how you prioritize: severity is one input, not the ranking.

Is a CVSS 9.8 always urgent? No. A 9.8 that is not being exploited and sits on an isolated asset can be less urgent than a 6.5 that is in CISA KEV.

Where do I calculate a CVSS score? The official FIRST calculator (v3.1 and v4.0) generates the score and the reproducible vector string.