From 3,000 Vulnerability Alerts to Focused Action: Three Sources To Get You Started

Last week, our CPO shared a reddit post from a security professional 'losing their mind' over 3,000+ scanner alerts. They had no idea where to start."

This isn’t rare. Many security teams feel buried by endless findings, and it’s one of the main reasons burnout and turnover are so high.

In fact, 67% of security professionals wouldn’t recommend this career, and 50% of security leaders want to leave their job.

Alert fatigue and burnout are real. No one gets into cybersecurity to spend their days staring at endless lists, of which they have little control over.

What can you do about it?

First, let’s be clear: No two security teams are the same, and that's before you factor in environments, resources and processes. Some teams are far ahead in operationalising intelligence, while others are just starting their journey of risk-based vulnerability management.

In this post, I'll provide a quick overview of some of the early starting points I've seen teams implement, how they can help you prioritise your backlog, and some limitations to keep in mind.

It won't be perfect, but depending on your situation this might shine a light and help create some breathing space.

A Scaling Problem Needs a Scalable Solution (and why CVSS isn't it)

Traditional patch prioritization by CVSS severity ratings made sense when vulnerability volumes were manageable. While this approach can still work for some organizations, it often breaks down at enterprise scale.

With over 135,000 "High" and "Critical" CVEs in existence today, large companies face an impossible task - potentially millions of individual risks that demand immediate attention according to conventional wisdom, but simply can't all be addressed with finite resources.

In chats with security leaders, I keep hearing that prioritising by CVSS alone often leads to 55–70% of all their vulnerabilities being pushed into SLA queues. Tickets pile up, backlogs grow, and real threats get buried.

Interestingly, looking at vulnerability intelligence from Cytidel, the data showed nearly 25% of Threat Actor targeted CVEs are Low or Medium CVSS. So while teams focus on “high priority” tickets, real threats can slip by unnoticed.

In other words, a CVSS 9.8 might never get touched in the wild, while a CVSS 3.9 might be actively used by Threat Actors or Ransomware groups.

The Mindset Shift That Works

With teams breaking under the strain and real risks slipping through the cracks, I've seen successful teams adopt a more tactical approach. But more than that, it's a mindset shift. Instead of trying to fix everything, they focus on active, real-world risk. In other words, they "shoot the nearest crocodile."

The shift from "fix everything" to "fix what matters now" keeps coming up in conversations with security leaders. It's one change that really helps fight burnout while actually improving security outcomes.

Don't try to boil the ocean on day one. Build small wins and improve step by step.

Three Industry Tools Helping Teams Cut Through Their Backlog

CISA KEV

CISA KEV, or Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities, lists CVEs known to be actively exploited—providing one of the strongest "must patch" signals available.

It's where I find most teams start, and after countless conversations with security leaders drowning in vulnerability backlogs, this consistently emerges as the resource that actually moves the needle.

A CVE is listed only when:

• It has a CVE ID
• There’s proof it’s actively exploited ‘in the wild’
• A remedy (patch or workaround) exists 

The list is available as CSV or JSON feeds, helping you import it directly into security tools or workflow.

What makes it so effective is the balance it strikes. With nearly 1,400 CVEs representing just 0.5% of all vulnerabilities, you get high-impact intelligence in an incredibly manageable format.

It's backed by government research and approval, and from a change management perspective, it's hard to argue against patching vulnerabilities that federal agencies have confirmed are being exploited in the wild. The credibility alone makes resource conversations significantly easier.

Worth noting:"despite its name, CISA KEV isn't a complete catalog of all known exploited vulnerabilities. Whether it's the US-centric focus as part of the Department of Homeland Security, the emphasis on enterprise technology, or other factors, there are gaps.

Looking at our intelligence at Cytidel, nearly half of all threat actor-associated CVEs don't appear on the CISA KEV list.

I'm not discouraging anyone from using it. It remains an excellent starting point. But as your program matures, you'll likely need to incorporate additional intelligence sources to fill those gaps.

EPSS

EPSS (Exploit Prediction Scoring System) predicts the likelihood a vulnerability will be exploited in the next 30 days, scoring them between 0 and 100%. An interesting concept that I'm seeing more teams investigate as they look to move beyond theoretical risk assessments.

The approach has clear practical appeal: a CVSS 9.8 with an EPSS score of 0.2% might not warrant immediate action, while a CVSS 7.5 with 95% EPSS should jump to the top of your priority list.

The dataset is available via API or can be downloaded via CSV, which is updated daily.

The numbers work in your favor too. Just over 1,200 CVEs currently have an EPSS score of 90% or higher. That's roughly 0.4% of all vulnerabilities. For teams wanting to transition toward genuine risk-based prioritization, this creates another focused, high-impact starting point.

Worth noting: EPSS operates without knowledge of your specific environment or controls, but the bigger issue I've observed is timing. The model can lag significantly behind real-world exploitation patterns.

CVE-2023-2868, the Barracuda ESG RCE, is a perfect example. Despite widespread reports of active exploitation and urgent vendor advisories to remove devices immediately, EPSS maintained a low score for 18 months before climbing above 10%.

EPSS has refined their model since then, so hopefully extreme scenarios like this are better accounted for. But delays of days or weeks remain common, which means you're still flying somewhat blind during those critical early exploitation windows.

MSRC

MSRC is Microsoft Security Response Center. For teams with heavy Microsoft footprints, MSRC’s exploitability tags and patch guidance are really helpful.

One big benefit is that it ties closely to Microsoft's patching cycles and provides a clear view of which vulnerabilities will likely be addressed in upcoming updates. This helps teams plan and avoid scrambling last minute.

MSRC offers an “Exploited tag” and "Exploitability Assessment", the latter of which aims to help teams understand how likely it is that a given vulnerability will be used in an attack. This can support smarter decisions around timing and urgency for patching.

You can access MSRC data via API or the update guide, where you can download CSVs or filter by products, severity and exploit status.

Worth noting: Beware of false negatives. It's tempting to see MSRC's exploited status as gospel, but we commonly see greater than 10% false negative exploitation tags when comparing scans and intelligence.

The PrintNightmare vulnerability, for example, (CVE-2021-1675) isn't tagged as exploited in MSRC. This despite being widely abused. To give an idea of how "widely", it was in the top 15 most exploited vulnerabilities of 2021.

Context is King: The Questions That Matter

From my conversations with security leaders, a pattern stands out. Teams who feel more confident and less buried ask better questions:

• Is this being exploited right now?
• Can it be reached from outside?
• Does it hit critical systems or data?

These teams combine intelligence signals with their own context: which systems are critical, where data lives, and who relies on them.

The successful programmes start small. Focus on one high-value environment first, show progress, then expand.

The goal is to build something sustainable, and scalable. Don't kill your programme by taking on too much too soon.

Bonus Challenge: Getting Started This Week

Pick one source and implement it:

• CISA KEV for confirmed active exploitation signals
• EPSS if you want to experiment with predictive scoring
• MSRC if you're Microsoft-heavy and want vendor-specific guidance

Start with your most critical environment:

• Identify 5-10 of your most important systems
• Apply your chosen intelligence source to vulnerabilities in that environment
• Focus on quick wins to build momentum

Ask better questions:

• Stop asking "what's the CVSS score?"
• Start asking "is this being exploited?" and "does this affect our critical systems?"

You don't need to fix every alert. The shift from "fix everything" to "fix what matters now" is the mindset change that helps teams move from paralysis to progress.

What's Next

These three sources are starting points, not the complete answer. As your program matures, you'll want to layer in additional intelligence signals and automate more of the analysis.

But for teams feeling overwhelmed today, picking one of these sources and applying it to your most critical assets can create the breathing room you need to build something better.

Upcoming Threat and Vulnerability Management Workshops

At Cytidel, we're planning a series of workshops to explore the next level: automations, AI-powered prioritization, and incorporating social media and news signals for early threat warnings.

Follow the Cytidel page or myself to get notified when the session details are ready.