Penetration Testing

How do penetration testers prioritise findings based on real-world exploitability rather than theoretical risk?

> sort --key exploitability --reverse findings.csv | head -10

Hedgehog Security 22 December 2023 16 min read
risk-prioritisation exploitability cvss vulnerability-management business-impact

Why severity scores alone are misleading

CVSS scores provide a standardised way to rate vulnerability severity, but they measure theoretical worst-case impact in a generic environment. They don't account for your specific network architecture, compensating controls, or whether an attacker can actually reach the vulnerable system.

A CVSS 9.8 vulnerability on an air-gapped system with no network exposure is far less urgent than a CVSS 6.5 finding on an internet-facing application that handles customer payment data. Experienced testers understand this distinction and prioritise accordingly.

Organisations that remediate purely by CVSS score often exhaust resources on low-risk issues while leaving genuinely dangerous attack paths unaddressed. Context-driven prioritisation is what separates a useful penetration test from a glorified vulnerability scan.


Factors that change exploitability in practice

Experienced testers consider multiple factors when assessing real-world exploitability: Is the vulnerability reachable from the attacker's position? Are there compensating controls like WAFs, network segmentation, or monitoring that would detect or prevent exploitation? Is a reliable exploit publicly available, or does exploitation require significant skill and custom tooling?

They also consider chainability — whether a medium-severity finding can be combined with other weaknesses to achieve a critical impact. A single misconfiguration might be harmless alone, but devastating when combined with a default password and a missing access control.

Business context matters too. A vulnerability that exposes personally identifiable information carries different weight than one affecting a development sandbox. Testers who understand your business can prioritise findings in terms of actual organisational risk.


How this translates to actionable recommendations

The best penetration test reports rank findings not just by technical severity but by exploitability and business impact. They answer the question every CISO wants answered: 'If I can only fix five things this quarter, which five will reduce our risk the most?'

This requires testers to move beyond automated tool output and apply human judgement. It means understanding your environment, your threat landscape, and your risk appetite — and translating technical findings into business language that drives action.

Organisations that work with testers who prioritise this way see faster remediation, better resource allocation, and measurably reduced risk over time.
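The factors above (reachability, exploit maturity, compensating controls, chainability and data sensitivity) and the "which five things" ranking can be made concrete in a small scoring model. The following is an added example, not Hedgehog Security's own methodology: the weightings, finding identifiers and the 9.8 chain outcome are constructed assumptions chosen to reproduce the article's air-gapped 9.8 versus internet-facing 6.5 comparison.

```python
from dataclasses import dataclass

# Weightings are constructed for illustration, not a published standard.
EXPOSURE = {"internet": 1.0, "internal": 0.6, "air_gapped": 0.1}      # reachability
EXPLOIT = {"public": 1.0, "custom": 0.6, "theoretical": 0.3}          # exploit maturity
DATA = {"payment": 1.0, "pii": 0.9, "internal": 0.5, "sandbox": 0.2}  # business impact

@dataclass
class Finding:
    fid: str
    cvss: float
    exposure: str
    exploit: str
    data: str
    controls: int = 0  # compensating controls in front of it (WAF, segmentation, monitoring)

def control_factor(controls: int) -> float:
    """Each compensating control discounts the score by 20%, floored at 20%."""
    return max(0.2, 1.0 - 0.2 * controls)

def contextual_score(f: Finding) -> float:
    """CVSS base score scaled by reachability, exploit maturity, data sensitivity and controls."""
    return round(f.cvss * EXPOSURE[f.exposure] * EXPLOIT[f.exploit] * DATA[f.data]
                 * control_factor(f.controls), 2)

def chain_score(chain: list[Finding], outcome_cvss: float) -> float:
    """Attack path: reachable only via its entry link, gated by its weakest exploit, every control
    on the path applies, and impact is the tester-assessed outcome of the whole chain."""
    effort = min(EXPLOIT[f.exploit] for f in chain)
    controls = sum(f.controls for f in chain)
    return round(outcome_cvss * EXPOSURE[chain[0].exposure] * effort * DATA[chain[-1].data]
                 * control_factor(controls), 2)

def rank(scored: dict[str, float], top: int = 5) -> list[str]:
    """The CISO's question: which few items reduce risk the most."""
    return [k for k, _ in sorted(scored.items(), key=lambda kv: kv[1], reverse=True)[:top]]

# Constructed findings mirroring the article's examples (identifiers are made up).
FINDINGS = [
    Finding("F1-rce-airgapped", 9.8, "air_gapped", "public", "internal"),
    Finding("F2-idor-payments", 6.5, "internet", "public", "payment"),
    Finding("F3-misconfig", 5.3, "internet", "public", "sandbox"),
    Finding("F4-default-password", 6.5, "internal", "public", "pii", controls=1),
    Finding("F5-missing-authz", 5.9, "internal", "custom", "payment"),
]

def prioritise() -> dict[str, float]:
    scored = {f.fid: contextual_score(f) for f in FINDINGS}
    # F3 -> F4 -> F5 chained: three mediums that together reach payment data (outcome rated 9.8).
    scored["CHAIN-F3-F4-F5"] = chain_score(FINDINGS[2:5], outcome_cvss=9.8)
    return scored
```

With these weightings the CVSS 9.8 air-gapped finding drops out of the top five entirely, while the chained mediums rank second behind the internet-facing payment flaw.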


Context transforms data into intelligence

Prioritising findings by real-world exploitability rather than theoretical severity ensures that remediation efforts target the vulnerabilities that genuinely threaten your organisation. It's the difference between managing a list and managing actual risk.


Find out where your blind spots are.

Every engagement starts with a free, no-obligation scoping call. We'll listen, advise honestly, and only recommend what you actually need.