Every score carries the factors that produced it - exposed, segmented, control present, in KEV. When leadership or an auditor asks why, you have an answer.
Stop patching by CVSS. Fix what actually moves risk.
Koopic includes Unified Vulnerability Management on every plan. As a CAASM platform it merges vulnerability findings onto your golden-record assets, deduplicated per asset and CVE, then ranks each one by real risk using a prioritization engine - exploit activity (EPSS, CISA KEV), CVSS, asset exposure and criticality, custom priority rules, and compensating controls - so your team fixes what actually matters first instead of triaging by raw CVSS.
Every finding, on the right asset, once
Vulnerability findings from your scanners and EDR are merged onto the same unified golden record that Koopic builds for every device. Findings are deduplicated per asset and CVE, so one bug on one machine is one finding - not five conflicting copies across five tools.
- Findings joined to the unified asset, not stranded per tool
- Deduplicated per asset and CVE
- Asset context (exposure, criticality, controls) travels with the finding
SRV-WEB-0117
Golden Record · Internet-facing
CVE-2026-20182
Reported by 3 sources
CVE-2026-0300
Reported by 2 sources
CVE-2026-31431
Reported by 1 source
3 findings · deduplicated from 6 raw source records
Priority breakdown · CVE-2026-20182
Severity is not risk
CVSS tells you how bad a vulnerability could be in theory. It does not tell you whether it is being exploited, whether the affected asset is exposed, or how much it matters to your business. Koopic combines base CVSS with exploit signals, asset exposure, criticality, and liveness to produce a priority that reflects your environment.
- Exploit signals: EPSS probability, CISA KEV, exploit evidence
- Environmental factors: exposure, criticality, liveness
- One ranked queue across every asset and source
When Koopic disagrees with the CVSS score
Two findings, same scanner, opposite verdicts. The score moves because Koopic knows the asset, its exposure, and its controls - and it shows you exactly why on the row. Illustrative example.
CVE-2026-3120
srv-lab-0042 · segmented VLAN · non-prod
A 9.8 you'd patch first by CVSS. It's segmented, non-production, and the exploit path is already blocked - so it waits.
CVE-2026-0481
srv-web-0117 · internet-facing · prod
A "high", not a "critical", by CVSS. It's internet-facing, known-exploited, and nothing covers it - so it jumps the queue.
Raw CVSS would tell you to patch the 9.8 before the 7.4. On your network, the order is reversed - and every score carries the per-factor breakdown that proves it.
Your defenses count too
A finding behind a WAF, on a segmented network, or on an encrypted, EDR-covered endpoint is genuinely lower risk. Koopic auto-detects controls from merged asset data and lets you declare your own. Controls apply as additive risk reductions, bounded per finding and per organization so a long control list can never zero out a real risk. Custom priority rules let you encode your own policy on top.
- Auto-detected controls (EDR, AV, MDM, encryption) plus declared controls
- Additive reductions, bounded per finding and per organization
- Drag-to-reorder custom priority rule editor
Declared Controls
Network segmentation
Applied to: DMZ asset group
WAF in front of service
Applied to: public web tier
Custom Priority Rule
If asset group is "Payment systems" and KEV listed
Org Weight Tuning
No black-box scores
Every priority comes with a per-factor breakdown showing exactly how it was reached, so an analyst can defend the patch order to an auditor or an executive. Weights are tunable per organization, and formal risk exceptions cap accepted-risk findings instead of hiding them.
- Per-factor waterfall breakdown on every finding
- Org-tunable weights for each scoring factor
- Formal risk-exception caps for accepted risk
One queue, four bands
Findings collapse into clear priority bands so the team always knows what to pick up next.
Fix now
Known-exploited, exposed, business-critical
This sprint
High exploit likelihood or high exposure
Scheduled
Real but mitigated or lower exposure
Backlog
Low likelihood, isolated, or accepted risk
Fresh intelligence behind every score
Koopic maintains a CVE catalog continuously enriched from NVD, MITRE, EPSS, and the CISA KEV catalog. As exploit probabilities move and CVEs are added to KEV, the priorities on your assets move with them - no manual feed wrangling.
- NVD severity and MITRE state
- EPSS exploit probability, refreshed continuously
- CISA KEV known-exploited status
CVE-2026-20182
KEVNVD severity
Critical 9.8
EPSS
High
MITRE state
Published
CISA KEV
Listed
Enriched from NVD · MITRE · EPSS · CISA KEV
Frequently Asked Questions
Is vulnerability management included on every plan?
How does Koopic decide which vulnerability to fix first?
What is a compensating control in Koopic?
Where does the vulnerability data come from?
Does this replace my vulnerability scanner?
Not a black box that tells you to "trust the number." Every verdict shows its work.
5 reasonsA compensating control that already neutralizes a finding lowers its priority - and shows the exact, bounded adjustment it made. Nothing happens silently.
We fold in exploit-prediction and known-exploited data.
No rip-and-replace. We score on top.
The list that actually moves risk.
See your real patch order on your own data
Bring your scanner output and asset data - we'll show you which findings actually matter on your network, with the reason on every row.