Phase 4: Policy & Risk Context Configuration

Shift focus from static severity scoring, such as the Common Vulnerability Scoring System (CVSS), to Tenable's dynamic, data science-driven risk scores: Vulnerability Priority Rating (VPR) and, with the Advanced tier of Tenable One, Asset Criticality Rating (ACR).

Expected Outcomes

During this phase, you transition from traditional severity scoring to dynamic, business-context-driven risk prioritization. This includes:

  • Tuning default scan policies to prioritize remediation efforts using VPR. For more information, see Vulnerability Priority Rating (VPR).

  • Creating custom filters or saved searches to quickly identify high-priority vulnerabilities (Critical Risk, VPR 9.0+). For more information, see Saved Searches and Tenable Queries.

  • Using Vulnerability Intelligence to identify trending Common Vulnerabilities and Exposures (CVEs) that attackers actively exploit.

  • (Tenable One Advanced tier only) Editing Asset Criticality Ratings (ACRs) on business-critical systems to add business context to risk. For more information, see Asset Criticality Rating (ACR).

Why This Is Important

Traditional CVSS is static. VPR evolves daily based on the threat landscape, helping your team focus on the small percentage of vulnerabilities that pose the greatest risk. If you use Tenable Vulnerability Management within Tenable One, integrating ACR ensures that you prioritize risk based on the threat and the business importance of the affected asset.

Verification

Verify the success of this phase by confirming the following:

  • Your remediation lists sort by VPR, rather than solely by CVSS severity.
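The shift described above (a "Critical Risk, VPR 9.0+" saved search, sorting remediation work by VPR with ACR as business context, and the check that lists are ordered by VPR rather than CVSS severity) can be illustrated with a small prioritization script. This is an added example, not Tenable's code or API: the findings, plugin ids and CVE-style identifiers are constructed placeholders, the 9.0+ Critical boundary comes from the page while the other VPR bands are assumed, and using ACR as a tiebreaker is an illustrative rule, not Tenable's exposure-score calculation.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset (constructed field set)."""
    asset: str
    plugin_id: int             # hypothetical plugin id, constructed
    cve: str                   # placeholder identifier, not a real CVE
    cvss_score: float          # static CVSS base score
    cvss_severity: str         # severity bucket derived from CVSS
    vpr: float                 # Vulnerability Priority Rating, 0.1-10.0
    acr: Optional[int] = None  # Asset Criticality Rating 1-10, if licensed


# Constructed sample data: every number here is invented for illustration.
# db-prod-01 is CVSS-critical but has a low VPR; web-dmz-02 is the reverse.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("db-prod-01", 100001, "CVE-0000-0001", 9.8, "Critical", 5.9, 9),
    Finding("web-dmz-02", 100002, "CVE-0000-0002", 7.5, "High", 9.2, 7),
    Finding("kiosk-lobby", 100003, "CVE-0000-0003", 9.1, "Critical", 9.4, 2),
    Finding("dev-lab-07", 100004, "CVE-0000-0004", 5.3, "Medium", 3.1, 1),
    Finding("erp-app-01", 100005, "CVE-0000-0005", 8.8, "High", 9.4, 10),
]

CRITICAL_VPR = 9.0  # "Critical Risk, VPR 9.0+" as stated on the page


def vpr_band(vpr: float) -> str:
    """Map a VPR to a risk band. Only the 9.0+ boundary is from the page;
    the High/Medium/Low cut-offs below are assumed for the example."""
    if vpr >= CRITICAL_VPR:
        return "Critical"
    if vpr >= 7.0:
        return "High"
    if vpr >= 4.0:
        return "Medium"
    return "Low"


def critical_risk(findings: List[Finding]) -> List[Finding]:
    """Equivalent of the saved search: everything at VPR 9.0 or above."""
    return [f for f in findings if f.vpr >= CRITICAL_VPR]


def by_cvss(findings: List[Finding]) -> List[Finding]:
    """The traditional ordering: static CVSS base score, highest first."""
    return sorted(findings, key=lambda f: f.cvss_score, reverse=True)


def by_vpr(findings: List[Finding]) -> List[Finding]:
    """VPR first, then ACR (assumed tiebreaker, 0 when unlicensed), then CVSS."""
    return sorted(
        findings,
        key=lambda f: (f.vpr, f.acr or 0, f.cvss_score),
        reverse=True,
    )


def is_sorted_by_vpr(findings: List[Finding]) -> bool:
    """Verification check: is this remediation list in non-increasing VPR order?"""
    return all(a.vpr >= b.vpr for a, b in zip(findings, findings[1:]))


if __name__ == "__main__":
    print("CVSS order :", [f.asset for f in by_cvss(SAMPLE_FINDINGS)])
    print("VPR order  :", [f.asset for f in by_vpr(SAMPLE_FINDINGS)])
    print("VPR 9.0+   :", [f.asset for f in critical_risk(SAMPLE_FINDINGS)])
    print("CVSS list passes VPR check:", is_sorted_by_vpr(by_cvss(SAMPLE_FINDINGS)))
    print("VPR list passes VPR check :", is_sorted_by_vpr(by_vpr(SAMPLE_FINDINGS)))
```

Run against the constructed data, the CVSS ordering puts db-prod-01 first on the strength of its 9.8 base score even though its VPR is only 5.9, while the VPR ordering moves the three 9.0+ findings to the top and breaks the tie between the two 9.4 findings in favour of the higher-ACR asset; `is_sorted_by_vpr` is the kind of check a team can run over an exported remediation list to confirm the phase outcome.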

What to do next:

Integrate this prioritized data into your IT ticketing systems in Phase 5: Workflow & Integration Enablement.