Vulnerability Management · Risk-based prioritization

Stop patching by CVSS. Fix what actually moves risk.

A CVSS 9.8 on a segmented lab box is not the same as 7.4 on your internet-facing web server. Koopic recalculates every CVE against the signals already in your asset inventory — exposure, criticality, EDR coverage, KEV, EPSS — and surfaces the work that actually reduces risk.

11+ environment signals factored per CVE · 87% fewer “critical” findings on first pass · <5m from CVE publish to scored verdict

Prioritization Engine · Live

CVE-2026-20182 · Apache HTTPD · unauthenticated remote code execution · CVSS base 9.8

Step 1 · Matched to asset: srv-web-0117.prod.koopic.io
  Web tier · internet-facing · public IP · 4 sources
Step 2 · Environment signals from inventory
  EPSS 0.94 (+18) · CISA KEV listed · Internet-facing (+12) · Crown-jewel (+15) · No WAF rule (+6) · Public exploit (+4)
Step 3 · Risk recalculation
  Base CVSS 9.8
  + Exploitability (EPSS + KEV)   +22
  + Exposure (internet-facing)    +12
  + Asset criticality             +15
  − Compensating controls          −0
  Effective score 98 → P0

Step 1 · Matched to asset: laptop-3471 · J. Smith
  User device · macOS 15.2 · EDR active · 3 sources
Step 2 · Environment signals from inventory
  EPSS 0.94 (+18) · CISA KEV listed · Behind VPN (−8) · EDR active (−10) · Std user device (+4) · No public exploit on macOS build (−6)
Step 3 · Risk recalculation
  Base CVSS 9.8
  + Exploitability (EPSS + KEV)   +22
  + Exposure (behind VPN)          +2
  + Asset criticality              +4
  − Compensating controls         −24
  Effective score 64 → P2

Step 1 · Matched to asset: srv-lab-0042.dev.koopic.io
  Lab tier · segmented VLAN · no inbound · 2 sources
Step 2 · Environment signals from inventory
  EPSS 0.94 (+18) · CISA KEV listed · Segmented VLAN (−16) · No inbound 80/443 (−10) · Non-prod tier (−12) · Auto-rebuild nightly (−4)
Step 3 · Risk recalculation
  Base CVSS 9.8
  + Exploitability (EPSS + KEV)   +22
  + Exposure (isolated)           −10
  + Asset criticality             −12
  − Compensating controls         −20
  Effective score 26 → P3

Step 4 · Effective priority · same CVE, different risk
  P0 · 90–100 · Fix now · pager / emergency change
  P1 · 70–89  · This sprint · 7-day SLA
  P2 · 40–69  · Scheduled · 30-day window
  P3 · 0–39   · Backlog · review quarterly

Same CVE · 3 assets · 3 verdicts

Koopic includes Unified Vulnerability Management on every plan. As a CAASM platform it merges vulnerability findings onto your golden-record assets, deduplicated per asset and CVE, then ranks each one by real risk using a prioritization engine - exploit activity (EPSS, CISA KEV), CVSS, asset exposure and criticality, custom priority rules, and compensating controls - so your team fixes what actually matters first instead of triaging by raw CVSS.

On the Golden Record

Every finding, on the right asset, once

Vulnerability findings from your scanners and EDR are merged onto the same unified golden record that Koopic builds for every device. Findings are deduplicated per asset and CVE, so one bug on one machine is one finding - not five conflicting copies across five tools.

  • Findings joined to the unified asset, not stranded per tool
  • Deduplicated per asset and CVE
  • Asset context (exposure, criticality, controls) travels with the finding
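
The merge step described above, as an added illustration (this is not Koopic's code): raw per-tool records are joined to a golden-record id and collapsed to one finding per (asset, CVE), with the reporting tools retained as lineage. The host-to-golden-record map, the record layout and the sample records are constructed assumptions; a real CAASM would derive the mapping from its merged asset data.

```python
"""Merge raw per-tool vulnerability records onto golden-record assets and
collapse them to one finding per (asset, CVE), keeping source lineage.

Added illustration of the merge step this page describes; it is not Koopic's
code. The host-to-golden-record map, the record layout and the sample records
below are all constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed: the labels each tool uses for the same machines, resolved to one
# golden-record id (keys are lower-cased; lookups normalise the same way).
GOLDEN_IDS = {
    "srv-web-0117.prod.koopic.io": "asset-0117",   # scanner FQDN
    "srv-web-0117": "asset-0117",                  # EDR short hostname
    "10.20.0.17": "asset-0117",                    # agentless scan by IP
    "laptop-3471": "asset-3471",
}


@dataclass
class Finding:
    asset_id: str
    cve: str
    sources: dict = field(default_factory=dict)  # tool -> date that tool last saw it
    first_seen: str = "9999-12-31"
    last_seen: str = "0000-01-01"
    max_cvss: float = 0.0

    @property
    def source_count(self) -> int:
        return len(self.sources)


def resolve_asset(host: str) -> Optional[str]:
    """Map a tool-specific host label to a golden-record id (None if unknown)."""
    return GOLDEN_IDS.get(host.strip().lower())


def merge_findings(raw_records):
    """Collapse raw records into {(asset_id, CVE): Finding}.

    Records whose host cannot be joined to a golden record are returned
    separately rather than dropped: a finding with no asset is still a finding.
    """
    merged = {}
    unresolved = []
    for rec in raw_records:
        asset_id = resolve_asset(rec["host"])
        if asset_id is None:
            unresolved.append(rec)
            continue
        cve = rec["cve"].strip().upper()          # CVE ids are case-insensitive
        key = (asset_id, cve)
        f = merged.setdefault(key, Finding(asset_id, cve))
        f.sources[rec["tool"]] = max(f.sources.get(rec["tool"], ""), rec["seen"])
        f.first_seen = min(f.first_seen, rec["seen"])   # ISO dates sort as strings
        f.last_seen = max(f.last_seen, rec["seen"])
        f.max_cvss = max(f.max_cvss, float(rec.get("cvss", 0.0)))
    return merged, unresolved


# Constructed sample: six records about one host from three tools, plus one
# record on a host that no inventory source knows.
RAW_FINDINGS = [
    {"tool": "scanner_a", "host": "srv-web-0117.prod.koopic.io", "cve": "CVE-2026-20182", "cvss": 9.8, "seen": "2026-03-02"},
    {"tool": "scanner_b", "host": "SRV-WEB-0117", "cve": "cve-2026-20182", "cvss": 9.8, "seen": "2026-03-03"},
    {"tool": "edr", "host": "10.20.0.17", "cve": "CVE-2026-20182", "cvss": 9.8, "seen": "2026-03-01"},
    {"tool": "scanner_a", "host": "srv-web-0117.prod.koopic.io", "cve": "CVE-2026-0300", "cvss": 7.4, "seen": "2026-02-20"},
    {"tool": "scanner_b", "host": "SRV-WEB-0117", "cve": "CVE-2026-0300", "cvss": 7.4, "seen": "2026-02-21"},
    {"tool": "scanner_a", "host": "srv-web-0117.prod.koopic.io", "cve": "CVE-2026-31431", "cvss": 5.3, "seen": "2026-03-04"},
    {"tool": "scanner_b", "host": "unknown-host-77", "cve": "CVE-2026-20182", "cvss": 9.8, "seen": "2026-03-03"},
]

if __name__ == "__main__":
    merged, unresolved = merge_findings(RAW_FINDINGS)
    print(f"{len(merged)} findings from {len(RAW_FINDINGS) - len(unresolved)} joined records; "
          f"{len(unresolved)} unresolved")
    for (asset_id, cve), f in merged.items():
        print(f"{asset_id} {cve} sources={sorted(f.sources)} first={f.first_seen} last={f.last_seen}")
```

Run stand-alone it reports three findings for asset-0117 (one seen by three tools, one by two, one by one) and parks the record it could not join. The unresolved list is the check worth keeping: a record that silently vanishes because a hostname did not match is a finding nobody will ever prioritize.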

SRV-WEB-0117 · Golden Record · Internet-facing · asset priority P0

  CVE-2026-20182   Reported by 3 sources   P0
  CVE-2026-0300    Reported by 2 sources   P1
  CVE-2026-31431   Reported by 1 source    P3

3 findings · deduplicated from 6 raw source records

Priority breakdown · CVE-2026-20182
  Base CVSS                 9.8
  EPSS exploit probability  high
  CISA KEV                  listed
  Asset exposure            internet-facing
  Asset criticality         high
  Compensating controls     −12
  Effective priority        P0

Risk-Based Scoring

Severity is not risk

CVSS tells you how bad a vulnerability could be in theory. It does not tell you whether it is being exploited, whether the affected asset is exposed, or how much it matters to your business. Koopic combines base CVSS with exploit signals, asset exposure, criticality, and liveness to produce a priority that reflects your environment.

  • Exploit signals: EPSS probability, CISA KEV, exploit evidence
  • Environmental factors: exposure, criticality, liveness
  • One ranked queue across every asset and source

Controls & Rules

Your defenses count too

A finding behind a WAF, on a segmented network, or on an encrypted, EDR-covered endpoint is genuinely lower risk. Koopic auto-detects controls from merged asset data and lets you declare your own. Controls apply as additive risk reductions, bounded per finding and per organization so a long control list can never zero out a real risk. Custom priority rules let you encode your own policy on top.

  • Auto-detected controls (EDR, AV, MDM, encryption) plus declared controls
  • Additive reductions, bounded per finding and per organization
  • Drag-to-reorder custom priority rule editor

Declared Controls
  Network segmentation · applied to: DMZ asset group · −10
  WAF in front of service · applied to: public web tier · −8

Custom Priority Rule
  Crown-jewel boost +15 · if asset group is "Payment systems" and KEV listed

Org Weight Tuning
  Exploit activity     1.4x
  Asset exposure       1.2x
  Asset criticality    1.1x
  Risk-exception cap   P2 max

Explainable & Tunable

No black-box scores

Every priority comes with a per-factor breakdown showing exactly how it was reached, so an analyst can defend the patch order to an auditor or an executive. Weights are tunable per organization, and formal risk exceptions cap accepted-risk findings instead of hiding them.

  • Per-factor waterfall breakdown on every finding
  • Org-tunable weights for each scoring factor
  • Formal risk-exception caps for accepted risk

One queue, four bands

Findings collapse into clear priority bands so the team always knows what to pick up next.

P0

Fix now

Known-exploited, exposed, business-critical

P1

This sprint

High exploit likelihood or high exposure

P2

Scheduled

Real but mitigated or lower exposure

P3

Backlog

Low likelihood, isolated, or accepted risk
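
The scoring mechanics laid out in the Risk-Based Scoring, Controls & Rules, Explainable & Tunable and priority-band sections above, as one added, runnable illustration. It is not Koopic's scoring formula: the base-score scaling, the per-signal points, the control bounds, the weights, the rule, the band edges and the sample CVE and asset values are all constructed assumptions, picked so that the three assets from the walkthrough at the top of the page land in the bands the page shows (P0, P2, P3). Each score carries its waterfall, a long control list is bounded rather than allowed to zero out the finding, a risk exception caps the band without hiding the score, and re-enriching a CVE after a KEV listing moves its verdict.

```python
"""Toy risk-based prioritization engine with an explainable per-factor waterfall.

Added illustration of the mechanics this page describes (base CVSS, EPSS/KEV,
exposure, criticality, bounded compensating controls, custom rules, org weights,
risk-exception caps, P0-P3 bands). It is not Koopic's scoring formula: every
weight, bound, threshold and sample value below is a constructed assumption.
"""
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Cve:
    id: str
    cvss: float     # NVD base score, 0-10
    epss: float     # EPSS probability, 0-1
    kev: bool       # listed in CISA KEV


@dataclass
class Asset:
    name: str
    exposure: str                   # "internet" | "vpn" | "isolated"
    criticality: str                # "crown_jewel" | "standard" | "non_prod"
    groups: frozenset = frozenset()
    controls: Dict[str, float] = field(default_factory=dict)  # name -> points removed
    risk_exception: bool = False    # formally accepted risk on this asset


# Assumed org tuning; the page shows 1.4x / 1.2x / 1.1x weights and a "P2 max" cap.
WEIGHTS = {"exploit": 1.4, "exposure": 1.2, "criticality": 1.1}
EXPOSURE_POINTS = {"internet": 12, "vpn": 2, "isolated": -10}
CRITICALITY_POINTS = {"crown_jewel": 15, "standard": 4, "non_prod": -12}
MAX_PER_CONTROL = 16              # bound per control
MAX_CONTROLS_PER_FINDING = 30     # bound for all controls on one finding
EXCEPTION_CAP = "P2"              # accepted risk is capped, not hidden
BANDS = (("P0", 90), ("P1", 70), ("P2", 40), ("P3", 0))   # band, lower edge

Rule = Tuple[str, Callable[[Cve, Asset], bool], float]
RULES: List[Rule] = [
    # Mirrors the page's example rule: +15 for payment systems once a CVE is in KEV.
    ("Crown-jewel boost", lambda c, a: "Payment systems" in a.groups and c.kev, 15),
]


def band_for(score: float) -> str:
    for name, lower in BANDS:
        if score >= lower:
            return name
    return BANDS[-1][0]


def exploit_points(cve: Cve) -> int:
    """EPSS scaled onto 0-20 plus a flat bump for KEV listing (assumed scale)."""
    return int(cve.epss * 20) + (4 if cve.kev else 0)


def bounded_control_reduction(controls: Dict[str, float]) -> float:
    """Sum declared/auto-detected controls, bounding each one and the total."""
    per_control = sum(min(v, MAX_PER_CONTROL) for v in controls.values())
    return min(per_control, MAX_CONTROLS_PER_FINDING)


def score_finding(cve: Cve, asset: Asset, rules: List[Rule] = RULES) -> dict:
    """Return effective score, priority band and the waterfall that produced them."""
    steps: List[Tuple[str, float]] = []

    def add(label: str, delta: float) -> None:
        steps.append((label, round(delta, 1)))

    add("Base CVSS (x5 onto a 0-100 scale)", cve.cvss * 5)   # assumed scaling
    add("Exploitability (EPSS + KEV)", exploit_points(cve) * WEIGHTS["exploit"])
    add(f"Exposure ({asset.exposure})", EXPOSURE_POINTS[asset.exposure] * WEIGHTS["exposure"])
    add(f"Asset criticality ({asset.criticality})",
        CRITICALITY_POINTS[asset.criticality] * WEIGHTS["criticality"])
    for name, applies, delta in rules:
        if applies(cve, asset):
            add(f"Rule: {name}", delta)
    add("Compensating controls (bounded)", -bounded_control_reduction(asset.controls))

    score = round(min(100.0, max(0.0, sum(d for _, d in steps))), 1)
    priority = band_for(score)
    capped = False
    if asset.risk_exception and priority < EXCEPTION_CAP:   # "P0" < "P2" lexically
        priority, capped = EXCEPTION_CAP, True
    return {"cve": cve.id, "asset": asset.name, "score": score,
            "priority": priority, "exception_capped": capped, "waterfall": steps}


def kev_listed(cve: Cve) -> Cve:
    """Re-enrichment event: the CVE just landed in CISA KEV."""
    return replace(cve, kev=True)


# Constructed sample: one CVE and the three assets from the page's walkthrough.
HTTPD_RCE = Cve("CVE-2026-20182", cvss=9.8, epss=0.94, kev=True)
WEB = Asset("srv-web-0117", "internet", "crown_jewel", frozenset({"Payment systems"}))
LAPTOP = Asset("laptop-3471", "vpn", "standard",
               controls={"EDR active": 10, "Behind VPN": 8, "No public exploit on build": 6})
LAB = Asset("srv-lab-0042", "isolated", "non_prod",
            controls={"Segmented VLAN": 16, "Auto-rebuild nightly": 4})

if __name__ == "__main__":
    for asset in (WEB, LAPTOP, LAB):
        r = score_finding(HTTPD_RCE, asset)
        print(f"\n{r['cve']} on {r['asset']}: {r['score']} -> {r['priority']}")
        for label, delta in r["waterfall"]:
            print(f"  {delta:+7.1f}  {label}")
```

Two design points carry over to any real engine. Controls are bounded twice (per control and per finding) so that stacking WAF, segmentation, EDR and encryption on an exposed crown jewel still leaves it in P0; and an accepted-risk exception changes only the band, so the waterfall still shows the auditor what the score would have been. The `kev_listed` step is the re-enrichment path: a 7.4 that was P1 on the web tier becomes P0 once the KEV flag flips, without anyone re-running a scan.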

Always-current CVE Catalog

Fresh intelligence behind every score

Koopic maintains a CVE catalog continuously enriched from NVD, MITRE, EPSS, and the CISA KEV catalog. As exploit probabilities move and CVEs are added to KEV, the priorities on your assets move with them - no manual feed wrangling.

  • NVD severity and MITRE state
  • EPSS exploit probability, refreshed continuously
  • CISA KEV known-exploited status

CVE-2026-20182 · KEV
  NVD severity   Critical 9.8
  EPSS           High
  MITRE state    Published
  CISA KEV       Listed
Enriched from NVD · MITRE · EPSS · CISA KEV

Frequently Asked Questions

Is vulnerability management included on every plan?
Yes. Koopic includes Unified Vulnerability Management on every paid plan and during the free trial. It is not a separate add-on, an upsell, or an Enterprise-only feature, and it is never priced per vulnerability. The only thing that differs between plans is the number of unified assets.
How does Koopic decide which vulnerability to fix first?
Koopic ranks each finding by real risk, not raw CVSS. The prioritization engine combines base CVSS with exploit signals (EPSS probability, CISA KEV, exploit evidence), asset exposure, asset criticality, and liveness, then applies your compensating controls, custom priority rules, and risk-exception caps. Every score has a per-factor breakdown so the order is explainable.
What is a compensating control in Koopic?
A compensating control is a safeguard that reduces a finding's effective risk without patching it - a WAF, network segmentation, EDR coverage, or disk encryption. Koopic auto-detects some from merged asset data and lets you declare others. Controls apply as additive risk reductions to the score, bounded per finding and per organization, so a long control list cannot zero out a real risk.
Where does the vulnerability data come from?
Koopic maintains a CVE catalog continuously enriched from NVD, MITRE, EPSS, and the CISA KEV catalog. Findings from your connected tools are merged onto the matching golden-record asset and deduplicated per asset and CVE, so one vulnerability on one device is one finding, not five copies across five tools.
Does this replace my vulnerability scanner?
No. Koopic complements your scanners. It ingests their findings, merges them onto unified golden-record assets from across your stack, and adds the asset context (exposure, criticality, controls) and exploit intelligence (EPSS, CISA KEV) needed to rank what to fix first. Koopic is the prioritization layer on top of the tools you already run.
WHY TEAMS CHOOSE KOOPIC

Five things you get on day one. No procurement gauntlet, no sales call.

5 proof points
P_01 · Inventory · 1 record per device
Unified · Asset inventory across every source

Defender, Intune, Azure, CMDB, CSVs, and on-prem agents, all collapsed into one golden record per device with full lineage retained.

  Defender · Intune · Azure · on-prem → 1 golden record

P_02 · Policy · your rules, your fields
Custom · Compliance rules written your way

Don't bend your policy to fit ours. Define rules on any field, run them continuously, and score every asset against the rules you actually own.

  $ rule os_patched ≤ 30d       required
  $ rule edr.active = true      required
  $ rule dept ∈ {fin, eng}      scoped

P_03 · Lineage
Full · Merge transparency

See which source won every field, why, and when.

  A · hostname · defender ✓
  B · os_ver   · defender ✓
  C · enrolled · intune ✓

P_04 · Access
Self-serve · No sales calls. No demos to sit through.

Sign up, connect, go.

  The usual route: step 1 "book demo" → step 2 discovery
  Koopic: step 1 sign up · go

P_05 · Trial · live
30 days · Free trial, no card required

Use everything. Decide later.

See your real patch order in minutes

Start a free 30-day trial. Full platform, including Unified Vulnerability Management. No credit card.