Vulnerability Management · Risk-based prioritization

Stop patching by CVSS. Fix what actually moves risk.

A CVSS 9.8 on a segmented lab box is not the same as 7.4 on your internet-facing web server. Koopic recalculates every CVE against the signals already in your asset inventory - exposure, criticality, EDR coverage, KEV, EPSS - and surfaces the work that actually reduces risk.

EPSS + KEV

live exploit signal on every CVE

exposure

reachability & asset criticality

controls

down-rank what you already neutralize

Prioritization Engine · Live
CVE-2026-20182
Apache HTTPD · unauthenticated remote code execution
9.8
CVSS · base
1Matched to asset
srv-web-0117.prod.koopic.io
Web tier · internet-facing · public IP · 4 sources
2Environment signals from inventory
EPSS 0.94 +18 CISA KEV listed Internet-facing +12 Crown-jewel +15 No WAF rule +6 Public exploit +4
3Risk recalculation
Base CVSS 9.8
+ Exploitability (EPSS + KEV) +22
+ Exposure (internet-facing) +12
+ Asset criticality +15
− Compensating controls −0
Effective score 98
1Matched to asset
laptop-3471 · J. Smith
User device · macOS 15.2 · EDR active · 3 sources
2Environment signals from inventory
EPSS 0.94 +18 CISA KEV listed Behind VPN −8 EDR active −10 Std user device +4 No public exploit on macOS build −6
3Risk recalculation
Base CVSS 9.8
+ Exploitability (EPSS + KEV) +22
+ Exposure (behind VPN) +2
+ Asset criticality +4
− Compensating controls −24
Effective score 64
1Matched to asset
srv-lab-0042.dev.koopic.io
Lab tier · segmented VLAN · no inbound · 2 sources
2Environment signals from inventory
EPSS 0.94 +18 CISA KEV listed Segmented VLAN −16 No inbound 80/443 −10 Non-prod tier −12 Auto-rebuild nightly −4
3Risk recalculation
Base CVSS 9.8
+ Exploitability (EPSS + KEV) +22
+ Exposure (isolated) −10
+ Asset criticality −12
− Compensating controls −20
Effective score 26
4Effective Priority Same CVE · different risk
P0
Fix now · pager / emergency change
90-100
P1
This sprint · 7-day SLA
70-89
P2
Scheduled · 30-day window
40-69
P3
Backlog · review quarterly
0-39

Same CVE · 3 assets · 3 verdicts

Koopic includes Unified Vulnerability Management on every plan. As a CAASM platform it merges vulnerability findings onto your golden-record assets, deduplicated per asset and CVE, then ranks each one by real risk using a prioritization engine - exploit activity (EPSS, CISA KEV), CVSS, asset exposure and criticality, custom priority rules, and compensating controls - so your team fixes what actually matters first instead of triaging by raw CVSS.

On the Golden Record

Every finding, on the right asset, once

Vulnerability findings from your scanners and EDR are merged onto the same unified golden record that Koopic builds for every device. Findings are deduplicated per asset and CVE, so one bug on one machine is one finding - not five conflicting copies across five tools.

  • Findings joined to the unified asset, not stranded per tool
  • Deduplicated per asset and CVE
  • Asset context (exposure, criticality, controls) travels with the finding

SRV-WEB-0117

Golden Record · Internet-facing

P0

CVE-2026-20182

Reported by 3 sources

P0

CVE-2026-0300

Reported by 2 sources

P1

CVE-2026-31431

Reported by 1 source

P3

3 findings · deduplicated from 6 raw source records

Priority breakdown · CVE-2026-20182

Base CVSS 9.8
EPSS exploit probability high
CISA KEV listed
Asset exposure internet-facing
Asset criticality high
Compensating controls -12
Effective priority P0
Risk-Based Scoring

Severity is not risk

CVSS tells you how bad a vulnerability could be in theory. It does not tell you whether it is being exploited, whether the affected asset is exposed, or how much it matters to your business. Koopic combines base CVSS with exploit signals, asset exposure, criticality, and liveness to produce a priority that reflects your environment.

  • Exploit signals: EPSS probability, CISA KEV, exploit evidence
  • Environmental factors: exposure, criticality, liveness
  • One ranked queue across every asset and source
Proof of logic

When Koopic disagrees with the CVSS score

Two findings, same scanner, opposite verdicts. The score moves because Koopic knows the asset, its exposure, and its controls - and it shows you exactly why on the row. Illustrative example.

koopic · breakdown
down-ranked

CVE-2026-3120

srv-lab-0042 · segmented VLAN · non-prod

9.8
CVSS base
Exploit signal (EPSS · KEV)elevated
Asset exposuresegmented · no inbound
Asset criticalitynon-prod lab
Compensating controlEDR blocks exploit path
Effective priority P3 · backlog

A 9.8 you'd patch first by CVSS. It's segmented, non-production, and the exploit path is already blocked - so it waits.

koopic · breakdown
escalated

CVE-2026-0481

srv-web-0117 · internet-facing · prod

7.4
CVSS base
Exploit signal (EPSS · KEV)in CISA KEV · active
Asset exposurepublic IP · reachable
Asset criticalitycrown-jewel
Compensating controlnone on this path
Effective priority P0 · fix now

A "high", not a "critical", by CVSS. It's internet-facing, known-exploited, and nothing covers it - so it jumps the queue.

Raw CVSS would tell you to patch the 9.8 before the 7.4. On your network, the order is reversed - and every score carries the per-factor breakdown that proves it.

Controls & Rules

Your defenses count too

A finding behind a WAF, on a segmented network, or on an encrypted, EDR-covered endpoint is genuinely lower risk. Koopic auto-detects controls from merged asset data and lets you declare your own. Controls apply as additive risk reductions, bounded per finding and per organization so a long control list can never zero out a real risk. Custom priority rules let you encode your own policy on top.

  • Auto-detected controls (EDR, AV, MDM, encryption) plus declared controls
  • Additive reductions, bounded per finding and per organization
  • Drag-to-reorder custom priority rule editor

Declared Controls

Network segmentation

Applied to: DMZ asset group

-10

WAF in front of service

Applied to: public web tier

-8

Custom Priority Rule

Crown-jewel boost +15

If asset group is "Payment systems" and KEV listed

Org Weight Tuning

Exploit activity1.4x
Asset exposure1.2x
Asset criticality1.1x
Risk-exception cap P2 max
Explainable & Tunable

No black-box scores

Every priority comes with a per-factor breakdown showing exactly how it was reached, so an analyst can defend the patch order to an auditor or an executive. Weights are tunable per organization, and formal risk exceptions cap accepted-risk findings instead of hiding them.

  • Per-factor waterfall breakdown on every finding
  • Org-tunable weights for each scoring factor
  • Formal risk-exception caps for accepted risk

One queue, four bands

Findings collapse into clear priority bands so the team always knows what to pick up next.

P0

Fix now

Known-exploited, exposed, business-critical

P1

This sprint

High exploit likelihood or high exposure

P2

Scheduled

Real but mitigated or lower exposure

P3

Backlog

Low likelihood, isolated, or accepted risk

Always-current CVE Catalog

Fresh intelligence behind every score

Koopic maintains a CVE catalog continuously enriched from NVD, MITRE, EPSS, and the CISA KEV catalog. As exploit probabilities move and CVEs are added to KEV, the priorities on your assets move with them - no manual feed wrangling.

  • NVD severity and MITRE state
  • EPSS exploit probability, refreshed continuously
  • CISA KEV known-exploited status
See the full platform

CVE-2026-20182

KEV

NVD severity

Critical 9.8

EPSS

High

MITRE state

Published

CISA KEV

Listed

Enriched from NVD · MITRE · EPSS · CISA KEV

Frequently Asked Questions

Is vulnerability management included on every plan?
Yes. Unified Vulnerability Management is part of the core platform, not a separate add-on, an upsell, or an Enterprise-only feature, and it is never priced per vulnerability. The only thing that differs between plans is the number of unified assets.
How does Koopic decide which vulnerability to fix first?
Koopic ranks each finding by real risk, not raw CVSS. The prioritization engine combines base CVSS with exploit signals (EPSS probability, CISA KEV, exploit evidence), asset exposure, asset criticality, and liveness, then applies your compensating controls, custom priority rules, and risk-exception caps. Every score has a per-factor breakdown so the order is explainable.
What is a compensating control in Koopic?
A compensating control is a safeguard that reduces a finding's effective risk without patching it - a WAF, network segmentation, EDR coverage, or disk encryption. Koopic auto-detects some from merged asset data and lets you declare others. Controls apply as additive risk reductions to the score, bounded per finding and per organization, so a long control list cannot zero out a real risk.
Where does the vulnerability data come from?
Koopic maintains a CVE catalog continuously enriched from NVD, MITRE, EPSS, and the CISA KEV catalog. Findings from your connected tools are merged onto the matching golden-record asset and deduplicated per asset and CVE, so one vulnerability on one device is one finding, not five copies across five tools.
Does this replace my vulnerability scanner?
No. Koopic complements your scanners. It ingests their findings, merges them onto unified golden-record assets from across your stack, and adds the asset context (exposure, criticality, controls) and exploit intelligence (EPSS, CISA KEV) needed to rank what to fix first. Koopic is the prioritization layer on top of the tools you already run.
WHY THE SCORE IS TRUSTWORTHY

Not a black box that tells you to "trust the number." Every verdict shows its work.

5 reasons
M_01 · EXPLAINABLE reason on every row
Explainable
Scoring you can defend, line by line

Every score carries the factors that produced it - exposed, segmented, control present, in KEV. When leadership or an auditor asks why, you have an answer.

internet-exposed+ escalate
in CISA KEV+ escalate
EDR blocks path− contain
M_02 · CONTROLS transparent deltas
Control‑aware
Adjustments you can see and tune

A compensating control that already neutralizes a finding lowers its priority - and shows the exact, bounded adjustment it made. Nothing happens silently.

segmentation−15
EDR exploit-block−10
net adjustment−25
M_03 · EXPLOIT
EPSS + KEV
Real exploit signal, not just CVSS

We fold in exploit-prediction and known-exploited data.

EEPSS0.91
KCISA KEVlisted ✓
M_04 · COMPATIBLE
Your stack
Works with the scanners you already run

No rip-and-replace. We score on top.

Tenable Qualys Rapid7 Defender + more
M_05 · FOCUS illustrative
~150
Actionable, out of thousands flagged

The list that actually moves risk.

4,900 "critical" ~150 actionable

See your real patch order on your own data

Bring your scanner output and asset data - we'll show you which findings actually matter on your network, with the reason on every row.