📊 PART 1: EXPLOITABILITY ASSESSMENT

Determine the likelihood of attack and target accessibility

Expert Guidance for Smarter Remediation
Based on work by Jonathan "Jono" Spring (DHS/CISA)

STEP 1: THREAT PROFILE

Adversary Capability Assessment

1. Is the attack Automatable?
   (e.g., wormable, scriptable without human interaction)
2. Is there active exploitation?
   (e.g., listed in CISA KEV or reputable intel)

Q1   Q2   THREAT SCORE
NO   NO   LOW        Manual + Theoretical
YES  NO   MEDIUM     Automatable + Theoretical
NO   YES  HIGH       Manual + Active
YES  YES  CRITICAL   Automatable + Active

STEP 2: EXPOSURE PROFILE

Target Accessibility Assessment

3. Is the Value Density concentrated?
   (e.g., "Crown Jewel," critical infrastructure, heavily relied upon)
4. Is the attack vector Network/Remote?
   (i.e., no physical or local access required)

Q3   Q4   EXPOSURE SCORE
NO   NO   LOW        Diffuse Value + Local Access
YES  NO   MEDIUM     High Value + Local Access
NO   YES  HIGH       Diffuse Value + Remote Access
YES  YES  CRITICAL   High Value + Remote Access

🔄 STEP 3: CALCULATE FINAL EXPLOITABILITY

Map your Threat Score (Step 1) and Exposure Score (Step 2) below

                  THREAT →
EXPOSURE ↓        LOW         MEDIUM      HIGH        CRITICAL
LOW               LOW         LOW         MEDIUM      MEDIUM
MEDIUM            MEDIUM      MEDIUM      HIGH        HIGH
HIGH              HIGH        HIGH        HIGH        HIGH
CRITICAL          VERY HIGH   VERY HIGH   VERY HIGH   VERY HIGH

EXPLOITABILITY SCORE (Step 3 Result)

The cell where the Exposure row and the Threat column intersect is the Exploitability Score; carry it into Step 5. Both Step 1 and Step 2 must be answered before it can be read off.

🎯 PART 2: IMPACT ASSESSMENT

Determine the technical impact if the exploit is successful


STEP 4: IMPACT SEVERITY

Consequences Assessment

5. Does the attack result in Total Control?
   (Total loss of Confidentiality, Integrity, or Availability)
6. Does impact extend to subsequent systems?
   (Can the attacker pivot/move laterally?)

Q5   Q6   IMPACT SCORE
NO   NO   LOW            Partial Control, Contained
YES  NO   MEDIUM         Total Control, Contained
NO   YES  HIGH           Partial Control, Scope Expansion
YES  YES  CATASTROPHIC   Total Control, Scope Expansion

✅ STEP 5: FINAL SEVERITY DETERMINATION

Combine Exploitability (from Step 3) with Impact Score (Step 4)

                  EXPLOITABILITY →
IMPACT ↓          LOW                    MEDIUM                 HIGH                   VERY HIGH
LOW               OBSERVE (0.1-3.9)      OBSERVE (0.1-3.9)      SCHEDULE (4.0-6.9)     SCHEDULE (4.0-6.9)
MEDIUM            SCHEDULE (4.0-6.9)     SCHEDULE (4.0-6.9)     EXPEDITE (7.0-8.9)     EXPEDITE (7.0-8.9)
HIGH              EXPEDITE (7.0-8.9)     EXPEDITE (7.0-8.9)     IMMEDIATE (9.0-10.0)   IMMEDIATE (9.0-10.0)
CATASTROPHIC      IMMEDIATE (9.0-10.0)   IMMEDIATE (9.0-10.0)   IMMEDIATE (9.0-10.0)   IMMEDIATE (9.0-10.0)

Each cell shows the action level followed by the approximate CVSS score range it corresponds to.

FINAL ACTION LEVEL (Step 5 Result)

The cell where the Impact row and the Exploitability column intersect is the Final Action Level. All six questions must be answered before it can be read off.

📊 Action Level Guide

OBSERVE

Low Priority • Monitor but no immediate action required

SCHEDULE

Standard Patch Cycle • Address in next regular maintenance

EXPEDITE

Next Maintenance Window • Prioritize for upcoming window

IMMEDIATE

Emergency Patch • Deploy fix immediately
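The five steps above are a fixed decision tree, so they can be encoded directly and replayed against any set of answers. The following Python is an added example written for this page, not code from the tool itself; the tables are copied from the cards above, while the function and field names (Answers, assess, parse_answer) are this example's own choices. Unanswered questions (the tool's TBD button) are carried as None, so partial answers yield partial scores the way the tool's real-time feedback does, and the final action stays empty until every question is answered.

```python
"""SSVC-style binary work cards (Steps 1-5 of the page) as a decision tree."""
from dataclasses import dataclass, fields
from typing import Optional

# Step 1: (automatable, active_exploitation) -> Threat Score
THREAT = {
    (False, False): "LOW",       # Manual + Theoretical
    (True,  False): "MEDIUM",    # Automatable + Theoretical
    (False, True):  "HIGH",      # Manual + Active
    (True,  True):  "CRITICAL",  # Automatable + Active
}
# Step 2: (value_concentrated, remote_vector) -> Exposure Score
EXPOSURE = {
    (False, False): "LOW",       # Diffuse Value + Local Access
    (True,  False): "MEDIUM",    # High Value + Local Access
    (False, True):  "HIGH",      # Diffuse Value + Remote Access
    (True,  True):  "CRITICAL",  # High Value + Remote Access
}
# Step 3: EXPLOITABILITY[exposure][threat]
EXPLOITABILITY = {
    "LOW":      {"LOW": "LOW",       "MEDIUM": "LOW",       "HIGH": "MEDIUM",    "CRITICAL": "MEDIUM"},
    "MEDIUM":   {"LOW": "MEDIUM",    "MEDIUM": "MEDIUM",    "HIGH": "HIGH",      "CRITICAL": "HIGH"},
    "HIGH":     {"LOW": "HIGH",      "MEDIUM": "HIGH",      "HIGH": "HIGH",      "CRITICAL": "HIGH"},
    "CRITICAL": {"LOW": "VERY HIGH", "MEDIUM": "VERY HIGH", "HIGH": "VERY HIGH", "CRITICAL": "VERY HIGH"},
}
# Step 4: (total_control, scope_expansion) -> Impact Score
IMPACT = {
    (False, False): "LOW",           # Partial Control, Contained
    (True,  False): "MEDIUM",        # Total Control, Contained
    (False, True):  "HIGH",          # Partial Control, Scope Expansion
    (True,  True):  "CATASTROPHIC",  # Total Control, Scope Expansion
}
# Step 5: ACTION[impact][exploitability]
ACTION = {
    "LOW":          {"LOW": "OBSERVE",   "MEDIUM": "OBSERVE",   "HIGH": "SCHEDULE",  "VERY HIGH": "SCHEDULE"},
    "MEDIUM":       {"LOW": "SCHEDULE",  "MEDIUM": "SCHEDULE",  "HIGH": "EXPEDITE",  "VERY HIGH": "EXPEDITE"},
    "HIGH":         {"LOW": "EXPEDITE",  "MEDIUM": "EXPEDITE",  "HIGH": "IMMEDIATE", "VERY HIGH": "IMMEDIATE"},
    "CATASTROPHIC": {"LOW": "IMMEDIATE", "MEDIUM": "IMMEDIATE", "HIGH": "IMMEDIATE", "VERY HIGH": "IMMEDIATE"},
}
# Approximate CVSS ranges the page attaches to each action level (reference only)
CVSS_RANGE = {"OBSERVE": "0.1-3.9", "SCHEDULE": "4.0-6.9", "EXPEDITE": "7.0-8.9", "IMMEDIATE": "9.0-10.0"}


@dataclass
class Answers:
    """The six YES/NO questions; None means TBD (not yet answered)."""
    automatable: Optional[bool] = None          # Q1
    active_exploitation: Optional[bool] = None  # Q2
    value_concentrated: Optional[bool] = None   # Q3
    remote_vector: Optional[bool] = None        # Q4
    total_control: Optional[bool] = None        # Q5
    scope_expansion: Optional[bool] = None      # Q6


def parse_answer(text: str) -> Optional[bool]:
    """Map a button label (YES/NO/TBD, any case) to True/False/None."""
    t = text.strip().upper()
    if t == "YES":
        return True
    if t == "NO":
        return False
    if t == "TBD":
        return None
    raise ValueError(f"unrecognised answer: {text!r}")


def _pair(table: dict, x: Optional[bool], y: Optional[bool]) -> Optional[str]:
    """Look up a two-question card; stays None until both questions are answered."""
    return None if x is None or y is None else table[(x, y)]


def assess(a: Answers) -> dict:
    """Run Steps 1-5; every score that cannot be derived yet is None."""
    threat = _pair(THREAT, a.automatable, a.active_exploitation)
    exposure = _pair(EXPOSURE, a.value_concentrated, a.remote_vector)
    exploitability = EXPLOITABILITY[exposure][threat] if threat and exposure else None
    impact = _pair(IMPACT, a.total_control, a.scope_expansion)
    action = ACTION[impact][exploitability] if impact and exploitability else None
    return {
        "threat": threat,
        "exposure": exposure,
        "exploitability": exploitability,
        "impact": impact,
        "action": action,
        "cvss_range": CVSS_RANGE[action] if action else None,
        "missing": [f.name for f in fields(a) if getattr(a, f.name) is None],
    }


if __name__ == "__main__":
    # Constructed sample: wormable, in KEV, crown-jewel host, remote, total control, lateral movement
    worst = Answers(True, True, True, True, True, True)
    print(assess(worst))  # action IMMEDIATE, CVSS 9.0-10.0
    partial = Answers(automatable=True, active_exploitation=True)
    print(assess(partial))  # threat CRITICAL, action None, four questions missing
```

Because the cards are just lookups, the same tables can be unit-tested against the page: a "NO/YES" threat profile with a diffuse, local target and contained partial control lands on OBSERVE, while an automatable-but-theoretical attack on a remote crown-jewel system with total control lands on EXPEDITE.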

📖 Methodology & Score Ranges

Action Levels: The four action levels (OBSERVE, SCHEDULE, EXPEDITE, IMMEDIATE) represent practical remediation timeframes based on the combination of exploitability and impact. This approach simplifies decision-making by focusing on when to act rather than debating numerical scores.

CVSS Score Ranges: The score ranges shown (0.1-3.9, 4.0-6.9, 7.0-8.9, 9.0-10.0) are approximate mappings to CVSS v3.x/v4.0 severity ratings and are provided for reference:

  • Low (0.1-3.9): Corresponds to CVSS "Low" severity
  • Medium (4.0-6.9): Corresponds to CVSS "Medium" severity
  • High (7.0-8.9): Corresponds to CVSS "High" severity
  • Critical (9.0-10.0): Corresponds to CVSS "Critical" severity

Binary Assessment Approach: This tool uses simple YES/NO questions about key vulnerability characteristics (Automatability, Active Exploitation, Value Density, Attack Vector, Total Control, and Scope) to prevent "score gaming" and focus assessors on objective facts rather than numerical manipulation.

Framework Origin: This binary assessment framework is based on research and practical guidance from CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) framework, which emphasizes decision trees over numerical scoring. The work card format was inspired by Binary Risk Analysis by Ben Sapiro, which pioneered the use of simple binary decision cards for security risk assessment.

For more information about CVSS and vulnerability assessment best practices, visit cvss-associates.com

💡 About This Tool

  • Interactive Assessment: Click YES/NO/TBD buttons to answer each question
  • Real-time Feedback: Tables and matrices highlight matching rows and cells as you answer
  • Auto-calculation: Results update automatically based on your selections
  • Expert Design: Based on CISA SSVC research and CVSS expertise
  • Binary Card Format: Inspired by Binary Risk Analysis by Ben Sapiro
  • Reset Function: Use the "Reset All Answers" button to start over