From a number nobody trusts to a tool that changes how you work. Base scores → Threat enrichment → Environmental context → Prioritized action.
Guide Contents
Every chapter is built around a real operational decision — not theory, not vendor marketing.
Why Base scores are wrong 95% of the time — and what CVSS v4.0 does to fix it.
Same CVEs, side-by-side. Log4Shell, PrintNightmare, local privesc — see exactly where scores differ and why.
Full anatomy of the CVSS v4.0 vector string. Every metric explained with practical decision rules.
CVSS-B (Base) → CVSS-BT (Base + Threat) → CVSS-BTE (Base + Threat + Environmental). How a score matures from the vendor's publication to your own environment.
KEV, EPSS, Metasploit, ExploitDB. Set the Exploit Maturity metric (E:U Unreported, E:P Proof-of-Concept, E:A Attacked) from evidence rather than guesswork. Override the Base view with your reality.
Log4Shell, Erlang/OTP CVE-2025-32433, 18-Critical firmware report, CitrixBleed, MOVEit, FortiOS.
Healthcare (HIPAA), Finance (PCI-DSS), OT/ICS (ISA/IEC 62443). Environmental profiles per sector.
When CVSS is the right tool and when SSVC gives a better answer. Decision framework for VM programs.
End-to-end: scanner output → CVSS-B → CVSS-BT → CVSS-BTE → SLA assignment → ticket.
Python CLI that pulls KEV, EPSS, NVD, Metasploit, and ExploitDB to auto-enrich CVSS scores.
5-Phase CVSS Maturity Model. Using CVSS-BTE as auditable evidence for NIS2, PCI-DSS, HIPAA, NERC CIP — not CVSS as a framework.
The 8 most common CVSS errors — and 6 interview questions that separate practitioners from readers.
Quick-reference cards, SLA tiers, all metric values, FIRST.org calculator, KEV API, EPSS API.
The complete CVSS v4.0 workflow — from scanner CSV to enriched, actionable findings.
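The maturation chain the contents above describe (CVSS-B → CVSS-BT → CVSS-BTE, with E chosen from KEV, Metasploit and ExploitDB evidence) as an added worked example. This is not code from the guide's CLI or from the FIRST.org calculator; it produces and validates v4.0 vector strings but does not compute the numeric score. The E decision rule, the threat-intel snapshot (KEV, METASPLOIT, EXPLOITDB, EPSS), the placeholder CVE-0000-000x identifiers, the Log4Shell Base vector and the environmental overrides are all assumptions made for illustration.

```python
"""Maturing a CVSS v4.0 vector: CVSS-B -> CVSS-BT -> CVSS-BTE.
Added example, not the guide's code. The E decision rule, the sample
threat-intel snapshot and the environment overrides are assumptions."""
from dataclasses import dataclass
from typing import Dict, Mapping, Set

# Metric groups in the order the v4.0 specification prints them.
BASE = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")
ENVIRONMENTAL = ("CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
                 "MVC", "MVI", "MVA", "MSC", "MSI", "MSA")
ORDER = BASE + ("E",) + ENVIRONMENTAL

# Legal single-letter values per metric; "X" (Not Defined) is dropped on output.
VALUES: Dict[str, str] = {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN",
    "E": "XAPU", "CR": "XHML", "IR": "XHML", "AR": "XHML",
    "MAV": "XNALP", "MAC": "XLH", "MAT": "XNP", "MPR": "XNLH", "MUI": "XNPA",
    "MVC": "XHLN", "MVI": "XHLN", "MVA": "XHLN", "MSC": "XHLN",
    "MSI": "XSHLN", "MSA": "XSHLN",
}


def parse_vector(vector: str) -> Dict[str, str]:
    """Parse 'CVSS:4.0/AV:N/...' into {metric: value}; reject unknown metrics,
    illegal values, duplicates and a vector missing any Base metric."""
    head, *parts = vector.strip().split("/")
    if head != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {vector!r}")
    metrics: Dict[str, str] = {}
    for part in parts:
        name, sep, value = part.partition(":")
        if not sep or name not in VALUES:
            raise ValueError(f"unknown metric in {part!r}")
        if len(value) != 1 or value not in VALUES[name]:
            raise ValueError(f"illegal value {value!r} for {name}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError(f"missing Base metrics: {missing}")
    return metrics


def format_vector(metrics: Mapping[str, str]) -> str:
    """Serialise in specification order, omitting Not Defined (X) metrics."""
    return "CVSS:4.0/" + "/".join(
        f"{m}:{metrics[m]}" for m in ORDER if metrics.get(m, "X") != "X")


@dataclass(frozen=True)
class ThreatEnrichment:
    e: str        # value for the Threat metric E
    reason: str   # evidence that set it, for the ticket and the audit trail
    epss: float   # carried along to rank findings that share the same E


def exploit_maturity(cve: str, kev: Set[str], metasploit: Set[str],
                     exploitdb: Set[str], epss: Mapping[str, float]) -> ThreatEnrichment:
    """Decision rule (assumption; strongest evidence wins): CISA KEV listing or
    a Metasploit module -> E:A (Attacked); ExploitDB entry -> E:P
    (Proof-of-Concept); nothing -> E:U (Unreported). EPSS does not set E here,
    it only ranks findings inside the same tier."""
    score = float(epss.get(cve, 0.0))
    if cve in kev:
        return ThreatEnrichment("A", "listed in CISA KEV", score)
    if cve in metasploit:
        return ThreatEnrichment("A", "Metasploit module available", score)
    if cve in exploitdb:
        return ThreatEnrichment("P", "public PoC on ExploitDB", score)
    return ThreatEnrichment("U", "no exploitation evidence found", score)


def to_bt(base_vector: str, e: str) -> str:
    """CVSS-B -> CVSS-BT: attach the Threat metric to a validated Base vector."""
    metrics = parse_vector(base_vector)
    if len(e) != 1 or e not in VALUES["E"]:
        raise ValueError(f"illegal E value {e!r}")
    metrics["E"] = e
    return format_vector(metrics)


def to_bte(bt_vector: str, environment: Mapping[str, str]) -> str:
    """CVSS-BT -> CVSS-BTE: apply Environmental overrides. Base metrics are
    never edited directly; the assessor's view goes into the M* metrics."""
    metrics = parse_vector(bt_vector)
    for name, value in environment.items():
        if name not in ENVIRONMENTAL:
            raise ValueError(f"{name} is not an Environmental metric")
        if len(value) != 1 or value not in VALUES[name]:
            raise ValueError(f"illegal value {value!r} for {name}")
        metrics[name] = value
    return format_vector(metrics)


# Constructed threat-intel snapshot (not a feed pull; EPSS numbers are made up).
KEV = {"CVE-2021-44228"}                          # Log4Shell
METASPLOIT = {"CVE-2021-44228"}
EXPLOITDB = {"CVE-2021-44228", "CVE-0000-0002"}   # CVE-0000-000x are placeholders
EPSS = {"CVE-2021-44228": 0.97, "CVE-0000-0002": 0.12, "CVE-0000-0003": 0.01}
# Assumed Base vector for the worked finding (illustrative, not NVD's record).
LOG4SHELL_B = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"


def worked_example() -> Dict[str, str]:
    """Carry the constructed Log4Shell finding through B -> BT -> BTE."""
    threat = exploit_maturity("CVE-2021-44228", KEV, METASPLOIT, EXPLOITDB, EPSS)
    bt = to_bt(LOG4SHELL_B, threat.e)
    # Assumed environment: host reachable only from an internal segment (MAV:A),
    # holding data whose confidentiality matters most (CR:H).
    bte = to_bte(bt, {"MAV": "A", "CR": "H"})
    return {"B": LOG4SHELL_B, "BT": bt, "BTE": bte, "E_reason": threat.reason}


if __name__ == "__main__":
    for stage, text in worked_example().items():
        print(f"{stage:9}{text}")
```

The reason string travels with the E value so the ticket can show why the Threat metric was set, which is the audit evidence the compliance chapter asks for; the Base metrics are left untouched and the environmental view lives only in the M* and CR/IR/AR metrics, so the vendor's vector stays reproducible.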