SSVC Calculator

Stakeholder-Specific Vulnerability Categorization (SSVC) is a methodology developed by Carnegie Mellon SEI and CISA. Instead of a CVSS number, it delivers a concrete operational decision.

Data is processed locally - nothing is sent to the server
Step 1 of 4

Vulnerability exploitation status

Is there evidence of active exploitation of this vulnerability?

How to use

1. Exploitation status

Is the vulnerability being actively exploited? Check the CISA KEV catalogue and threat intelligence reports.

2. System exposure

How accessible is the vulnerable system? An isolated OT network has a different exposure level than a web server in the DMZ.

3. Automatability

Can an attacker automate exploitation and launch a mass attack? Unauthenticated protocols (e.g. Modbus TCP) are automatable.

4. Mission impact

What are the consequences of a successful attack? Compromising a Safety Instrumented System (SIS) protecting people is a "very high" impact.
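
The four steps above, combined into a single decision, as an added example that is not this calculator's code. The value sets, the rule table and the placeholder CVE id are assumptions constructed for illustration and are not the official CERT/CC or CISA decision tree; only the `cveID` field name follows the CISA KEV JSON feed.

```javascript
// Added example. Value sets and RULES are constructed for illustration;
// they are NOT the official CERT/CC or CISA decision tree.
const LEVELS = {
  exploitation: ["none", "poc", "active"],
  exposure: ["small", "controlled", "open"],
  automatable: ["no", "yes"],
  missionImpact: ["low", "medium", "high", "very high"],
};

// Constructed sample in the shape of the CISA KEV JSON feed (placeholder CVE id).
const SAMPLE_KEV = { vulnerabilities: [{ cveID: "CVE-0000-0001", dateAdded: "2024-01-01" }] };

// Step 1: a KEV listing means exploitation is "active"; otherwise fall back
// to whether a public proof of concept is known (supplied by the analyst).
function exploitationStatus(cveId, kev, hasPublicPoc = false) {
  if (kev.vulnerabilities.some((v) => v.cveID === cveId)) return "active";
  return hasPublicPoc ? "poc" : "none";
}

// First matching rule wins; an empty `when` is the catch-all.
const RULES = [
  { when: { exploitation: "active", missionImpact: "very high" }, decision: "immediate" },
  { when: { exploitation: "active", exposure: "open" }, decision: "immediate" },
  { when: { exploitation: "active" }, decision: "out-of-cycle" },
  { when: { exploitation: "poc", exposure: "open", automatable: "yes" }, decision: "out-of-cycle" },
  { when: { exposure: "open", missionImpact: "very high" }, decision: "out-of-cycle" },
  { when: { exploitation: "none", exposure: "small", missionImpact: "low" }, decision: "defer" },
  { when: {}, decision: "scheduled" },
];

// Steps 1-4 combined: validate every decision point, then return an action.
function decide(input) {
  for (const [point, allowed] of Object.entries(LEVELS)) {
    // Reject missing or misspelled values instead of silently defaulting.
    if (!allowed.includes(input[point])) {
      throw new RangeError(`${point}: invalid value "${input[point]}"`);
    }
  }
  const rule = RULES.find((r) => Object.entries(r.when).every(([k, v]) => input[k] === v));
  return rule.decision;
}

// Safety Instrumented System on an isolated OT network, CVE listed in KEV.
const sis = {
  exploitation: exploitationStatus("CVE-0000-0001", SAMPLE_KEV),
  exposure: "small", automatable: "yes", missionImpact: "very high",
};
console.log(decide(sis)); // immediate
```

The output is an action with a deadline class rather than a score, so two findings with the same CVSS number can land in different queues.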

Context

SSVC was created as a response to the limitations of CVSS Base Score - a system that gives a number (0.0-10.0) but does not answer the question "Do I need to patch, and when?"

Learn more about the differences between CVSS and SSVC, Threat and Environmental metrics, and the recommended prioritisation workflow in our article:

CVSS and SSVC - how to really prioritise vulnerabilities


All data is processed locally in the browser. Nothing is sent to the server.
