Threat intelligence integration
How does Invicti AppSec calculate the risk rating?
When the CISA KEV + EPSS integration is enabled, Invicti AppSec can automatically adjust the severity of vulnerabilities based on a risk rating calculated from the EPSS probability and the EPSS percentile. This automatic adjustment is configured when you activate the CISA KEV + EPSS integration.
EPSS probability and percentile are updated daily based on the latest EPSS model available.
When computing the risk rating, the EPSS percentile takes precedence over the EPSS probability: if the percentile is above the 70th, Invicti AppSec derives the risk rating from the percentile alone, without considering the EPSS probability.
Risk rating calculation based on EPSS percentile
| EPSS Percentile | Risk Rating | Severity |
|---|---|---|
| Below 70th | Calculated based on EPSS probability | Depends on EPSS probability |
| Between 70th and 90th | 3 | High |
| Above 90th | 4 | Critical |
Risk rating calculation when EPSS percentile is below 70th
If the EPSS percentile is below the 70th, the risk rating is derived from the EPSS probability as follows:
| EPSS Probability | Risk Rating | Severity |
|---|---|---|
| Between 0% and 10% | 0 | Low |
| Between 10% and 30% | 1 | Low |
| Between 30% and 70% | 2 | Medium |
| Between 70% and 90% | 3 | High |
| Between 90% and 100% | 4 | Critical |
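The two tables above, as an added worked example (not Invicti's own code): it reproduces the percentile-first rule, joins scanner findings against a feed excerpt in the `cve,epss,percentile` CSV layout that FIRST publishes, and returns the adjusted rating and severity. How a value that sits exactly on a band edge is treated is not stated on the page and is an assumption here; the CVE ids and scores are constructed placeholders.

```python
import csv
import io

SEVERITY_BY_RATING = {0: "Low", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

def rating_from_probability(probability: float) -> int:
    """Rating 0-4 from the EPSS probability (0.0-1.0); used below the 70th percentile."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"EPSS probability out of range: {probability}")
    for upper, rating in ((0.10, 0), (0.30, 1), (0.70, 2), (0.90, 3)):
        if probability <= upper:  # assumption: a value on a band edge takes the lower band
            return rating
    return 4

def risk_rating(percentile: float, probability: float) -> int:
    """Percentile supersedes probability: from the 70th upward it decides alone."""
    if not 0.0 <= percentile <= 1.0:
        raise ValueError(f"EPSS percentile out of range: {percentile}")
    if percentile > 0.90:
        return 4
    if percentile >= 0.70:  # assumption: 70th starts the High band, 90th still belongs to it
        return 3
    return rating_from_probability(probability)

def adjust_severity(epss_csv: str, findings: dict) -> dict:
    """Join findings {cve: scanner_severity} against an EPSS feed in FIRST's
    'cve,epss,percentile' CSV layout; return {cve: (rating, severity)}.
    CVEs absent from the feed keep the scanner's severity with rating None."""
    scores = {row["cve"]: (float(row["percentile"]), float(row["epss"]))
              for row in csv.DictReader(io.StringIO(epss_csv))}
    adjusted = {}
    for cve, scanner_severity in findings.items():
        if cve in scores:
            rating = risk_rating(*scores[cve])
            adjusted[cve] = (rating, SEVERITY_BY_RATING[rating])
        else:
            adjusted[cve] = (None, scanner_severity)
    return adjusted

# Constructed feed excerpt and findings: placeholder CVE ids, invented scores.
SAMPLE_FEED = """cve,epss,percentile
CVE-0000-0001,0.05,0.50
CVE-0000-0002,0.02,0.75
CVE-0000-0003,0.97,0.99
CVE-0000-0004,0.45,0.60
"""
SAMPLE_FINDINGS = {"CVE-0000-0001": "High", "CVE-0000-0002": "Low",
                   "CVE-0000-0003": "Medium", "CVE-0000-0004": "Low",
                   "CVE-0000-0005": "Medium"}
```

Note that CVE-0000-0002 lands on High purely because of its percentile, even though its probability alone would rate it 0; that is the precedence rule the page describes.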