WORKFLOW / VULNERABILITY MANAGEMENT
AI vulnerability prioritisation in 2026: EPSS, VPR, and Agent Val
Why CVSS-only prioritisation is dead, what the 2026 AI-driven alternatives actually do, and a zero-cost OSS approach.
Last verified: April 2026 | Affiliate disclosure: Tenable and Rapid7 links may be affiliate links.
Why prioritisation matters in 2026
- 240k+ CVEs in NVD as of April 2026
- ~40k new CVEs published in 2025 alone
- ~2% of CVEs ever actually exploited in the wild
CVSS-only prioritisation is dead because CVSS measures severity in an ideal attacker scenario, not in your environment. A CVSS 9.8 critical with no public exploit, no active exploitation, and only affecting an isolated dev server is lower priority than a CVSS 6.5 moderate that is actively exploited (in CISA KEV), has EPSS above 0.85, and affects an internet-facing payment processing system.
Teams adopting EPSS-weighted prioritisation, with CISA KEV as the authoritative exploited-in-the-wild list, report a 60-80% reduction in weekly patch tickets. The 60-80% of tickets that disappear are CVEs that scored high on CVSS but have never been exploited in production. AI prioritisation layers asset context on top to produce the final actionable list. Unmanaged assets often carry the worst CVE posture without anyone realising it; see shadowitcost.com for the shadow IT exposure angle.
EPSS primer
EPSS (Exploit Prediction Scoring System) is maintained by FIRST.org. Version 3 (current) predicts exploitation probability over the next 30 days using a model trained on NVD metadata, PoC publication signals (Exploit-DB, GitHub), threat-intel feeds (scanning activity, underground chatter), and historical exploitation patterns.
Interpretation thresholds (from FIRST.org guidance, adapted to practical use):
| EPSS range | Interpretation | Recommended action |
|---|---|---|
| 0.70 - 1.00 | High probability of exploitation in next 30 days | Patch immediately; treat as P1 regardless of CVSS |
| 0.30 - 0.70 | Moderate probability; active scanning or PoC available | Patch within current patch cycle; escalate if asset is critical |
| 0.10 - 0.30 | Emerging risk; monitor for escalation | Schedule for next patch cycle; re-evaluate if EPSS increases |
| 0.00 - 0.10 | Low exploitation probability | Scheduled patch; deprioritise unless CVSS is 9.5+ or in KEV |
EPSS scores shift as new threat data arrives. A CVE at 0.05 today can move to 0.80 when a PoC is published. Automate EPSS score refresh against your CVE inventory daily via the FIRST.org EPSS API (free, rate-limited).
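The daily refresh described above, as an added example that is not code from the original page: it re-tiers a CVE inventory against the interpretation table and reports CVEs that climbed into a higher tier since the previous refresh (the 0.05 to 0.80 case). The two JSON bodies are constructed inline in the shape of the FIRST EPSS API response (`GET https://api.first.org/data/v1/epss?cve=...`), the CVE ids are placeholders, and the choice to treat a CVE absent from yesterday's snapshot as previously "low" is this example's assumption.

```python
"""Daily EPSS refresh: re-tier an inventory and flag upward tier moves.

Added example, not from the original page. YESTERDAY and TODAY are
constructed in the shape of the FIRST EPSS API JSON; CVE ids are placeholders.
"""
import json

# (inclusive lower bound, tier name) from the interpretation table, highest first.
TIERS = [(0.70, "high"), (0.30, "moderate"), (0.10, "emerging"), (0.00, "low")]
RANK = {name: i for i, (_, name) in enumerate(reversed(TIERS))}  # low=0 ... high=3

YESTERDAY = json.dumps({"status": "OK", "data": [
    {"cve": "CVE-2099-0001", "epss": "0.050000000", "percentile": "0.20", "date": "2026-04-01"},
    {"cve": "CVE-2099-0002", "epss": "0.420000000", "percentile": "0.92", "date": "2026-04-01"},
    {"cve": "CVE-2099-0003", "epss": "0.010000000", "percentile": "0.05", "date": "2026-04-01"},
]})
TODAY = json.dumps({"status": "OK", "data": [
    {"cve": "CVE-2099-0001", "epss": "0.800000000", "percentile": "0.98", "date": "2026-04-02"},  # PoC published overnight
    {"cve": "CVE-2099-0002", "epss": "0.330000000", "percentile": "0.89", "date": "2026-04-02"},  # still moderate
    {"cve": "CVE-2099-0003", "epss": "0.120000000", "percentile": "0.45", "date": "2026-04-02"},  # low -> emerging
]})


def parse_epss(raw):
    """Parse one EPSS API response body into {cve_id: probability}."""
    body = json.loads(raw)
    if body.get("status") != "OK":
        raise RuntimeError(f"EPSS API returned an error: {body}")
    scores = {}
    for row in body["data"]:
        score = float(row["epss"])
        if not 0.0 <= score <= 1.0:
            raise ValueError(f"{row['cve']}: EPSS must be a probability, got {score}")
        scores[row["cve"]] = score
    return scores


def tier(epss):
    """Map a probability to the table's tier name (lower bounds are inclusive)."""
    for lower, name in TIERS:
        if epss >= lower:
            return name
    raise ValueError(f"EPSS out of range: {epss}")


def escalations(previous, current):
    """CVEs whose tier rose since the last refresh, highest new score first.
    A CVE missing from the previous snapshot is assumed to have been 'low'."""
    out = []
    for cve, score in current.items():
        old = previous.get(cve)
        old_tier = tier(old) if old is not None else "low"  # assumption, see lead-in
        new_tier = tier(score)
        if RANK[new_tier] > RANK[old_tier]:
            out.append({"cve": cve, "from": old_tier, "to": new_tier, "old": old, "new": score})
    return sorted(out, key=lambda e: -e["new"])


def refresh():
    """Run the comparison over the constructed snapshots."""
    return escalations(parse_epss(YESTERDAY), parse_epss(TODAY))


if __name__ == "__main__":
    for e in refresh():
        print(f"{e['cve']}: {e['from']} -> {e['to']} ({e['old']} -> {e['new']})")
```

In production, `YESTERDAY` is the previous day's stored scores and `TODAY` comes from the rate-limited API (batch the `cve=` parameter rather than querying one id at a time); only the escalation list needs human attention, so the daily output stays short even for a large inventory.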
Tenable Vulnerability Priority Rating (VPR)
Tenable VPR ships in Tenable One and Tenable Vulnerability Management. It combines CVSS with EPSS scores, asset exposure paths (is the vulnerable service reachable from the internet?), business-context weighting (production vs dev environment), and real-time threat-intel feeds from Tenable Research.
AI augmentation in 2026: natural-language remediation guidance (the dashboard explains what to patch and how in plain English, not just a CVSS score), exposure-path reasoning (showing the attack chain from the vulnerability to a critical asset), and business-context weighting that can incorporate asset criticality tags the security team maintains.
Pricing: Tenable One starts at approximately $30k-$60k per year for small to medium teams. Tenable Vulnerability Management (the standalone product, previously Tenable.io) has lower entry pricing for teams not needing the full Tenable One suite. Tenable is available on the Impact affiliate programme; pricing confirmed via Tenable's partner programme (April 2026).
Honest verdict: strong for existing Tenable customers and teams wanting a combined scan-plus-prioritisation platform. Cold-start friction is real if you are not already using Nessus or Tenable scanners. The VPR score is genuinely more actionable than CVSS alone, and the natural-language remediation guidance saves analyst time.
Qualys Agent Val + TruLens (March 2026)
NEW: Announced March 2026
First non-vendor walkthrough of Qualys Agent Val and TruLens as of April 2026.
Qualys Agent Val is an agentic AI that validates exploitability at machine speed using TruLens threat context. The problem it solves: traditional vulnerability scanners detect all CVEs in the environment. Agent Val narrows that list to CVEs that are both (1) actually present and exploitable in your specific configuration and (2) actively weaponised based on current threat intelligence.
How it works: TruRisk score (Qualys' combined risk metric: CVSS, EPSS, CISA KEV, asset criticality) layers with TruLens (Qualys' threat-intel layer, incorporating exploitation signals from threat feeds) to produce a highly filtered remediation priority list. Agent Val then validates exploitability at machine speed against the asset's actual configuration, eliminating false positives from the scanner output before they reach the analyst.
Pricing: included in Qualys Total CyberRisk Management contract, which is custom-priced. Agent Val and TruLens are not available as standalone add-ons as of April 2026. Qualys' Total CyberRisk Management targets enterprise security teams with existing Qualys VMDR deployments.
Honest verdict: the most ambitious AI vulnerability-prioritisation product announced in Q1 2026. Early production in April 2026; enterprise deployments are limited. The approach of combining TruRisk scoring with agentic exploitability validation is sound. Watch for independent benchmarks on false-negative rates (CVEs Agent Val marks as low-priority that prove exploitable in practice) before committing a large contract.
Rapid7, Bitsight, Nucleus: the alternatives
Rapid7 InsightVM + Active Risk Score
InsightVM's Active Risk Score incorporates EPSS, exploit availability, asset criticality, and exposure scoring. The AI layer adds automated remediation suggestions. Rapid7 is available via the Impact affiliate programme. Pricing: InsightVM typically $15k-$50k/yr for mid-market. Verdict: solid alternative to Tenable for teams preferring Rapid7's UX and integration ecosystem.
Bitsight Vulnerability Management
External-facing vulnerability scoring with internal-scan integration. Strong for board-level risk reporting and external-exposure benchmarking against industry peers. Less strong on deep internal-scan prioritisation. Pricing: custom enterprise.
Nucleus Security
API-first vulnerability aggregation and prioritisation platform. Pulls from multiple scanners (Tenable, Qualys, Rapid7, Burp, others) and applies unified prioritisation. Strong for teams running multiple scan tools who need a consolidated risk view. Pricing: SMB to mid-market, a more accessible entry point than Tenable One or Qualys Total CyberRisk Management.
Zero-cost OSS pattern
Documented and working in April 2026 (source: Penligent April 2026 blog):
```
# Zero-cost AI vulnerability prioritisation

1. Scan: OpenVAS (free) or Nessus Essentials (free, 16 IPs) -> produces CVE list per asset
2. Enrich per CVE (free APIs):
   - NVD API: CVSS score, CPE, description
   - EPSS API (first.org): exploitation probability
   - CISA KEV JSON: known-exploited flag
3. LLM agent (Claude API or local Llama 4):
   Input:  CVE data + asset context (criticality tag, network exposure)
   Output: prioritised remediation list with rationale
   Prompt pattern: "Given this CVE list with CVSS, EPSS, KEV status, and asset
   criticality, produce a prioritised remediation list. For each CVE, state:
   priority (P1/P2/P3), one-sentence rationale, recommended action."
4. Output: structured list, human team reviews P1s daily

Cost: LLM API ~$20-$50/mo at typical SMB scan volumes
```
Limitation: no commercial threat-intel integration, no asset-graph exposure-path analysis, and no automated exploitability validation (unlike Qualys Agent Val). The OSS pattern works for teams with under 500 assets and no dedicated vulnerability engineer. Above that scale, commercial tooling's automation pays for itself. See open-source tools for the broader OSS security stack.
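Steps 2 to 4 of the pattern above, as an added example that is not Penligent's code or any vendor's: it joins scanner findings with NVD, EPSS and KEV data plus the team's asset tags, applies the combined-model thresholds the article states (KEV or high EPSS is P1; high CVSS with low EPSS, not in KEV, on an isolated box waits for the next cycle; the EPSS table's CVSS 9.5+ floor stops a low-EPSS critical from being deprioritised), and builds the step 3 prompt with the enriched rows attached so the model explains and orders rather than inventing thresholds. The three feed bodies are constructed inline in the shapes of the NVD API 2.0, FIRST EPSS and CISA KEV JSON; the CVE ids, asset names and the exact P1/P2/P3 cut-offs are this example's assumptions.

```python
"""Deterministic triage over scanner + NVD + EPSS + KEV + asset context.

Added example, not from the original page or from Penligent. All feeds below
are constructed samples with placeholder CVE ids; the rule cut-offs are this
example's reading of the thresholds in the text.
"""
import json

SCAN = [  # step 1 output: one row per (asset, CVE); constructed
    {"asset": "pay-api-01", "cve": "CVE-2099-0001"},
    {"asset": "pay-api-01", "cve": "CVE-2099-0002"},
    {"asset": "dev-box-07", "cve": "CVE-2099-0003"},
    {"asset": "dev-box-07", "cve": "CVE-2099-0004"},
]
ASSETS = {  # asset context the team maintains: criticality tag + network exposure
    "pay-api-01": {"criticality": "high", "exposure": "internet"},
    "dev-box-07": {"criticality": "low", "exposure": "isolated"},
}
NVD_JSON = json.dumps({"vulnerabilities": [  # shape of NVD API 2.0 /rest/json/cves/2.0
    {"cve": {"id": "CVE-2099-0001", "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 6.5}}]}}},
    {"cve": {"id": "CVE-2099-0002", "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5}}]}}},
    {"cve": {"id": "CVE-2099-0003", "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}}},
    {"cve": {"id": "CVE-2099-0004", "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 8.1}}]}}},
]})
EPSS_JSON = json.dumps({"status": "OK", "data": [  # shape of api.first.org/data/v1/epss
    {"cve": "CVE-2099-0001", "epss": "0.910000000"},
    {"cve": "CVE-2099-0002", "epss": "0.350000000"},
    {"cve": "CVE-2099-0003", "epss": "0.020000000"},
    {"cve": "CVE-2099-0004", "epss": "0.040000000"},
]})
KEV_JSON = json.dumps({"vulnerabilities": [{"cveID": "CVE-2099-0001"}]})  # shape of the CISA KEV feed


def cvss_from_nvd(body):
    """CVE id -> base score from an NVD 2.0 response; newest metric version wins."""
    out = {}
    for item in body["vulnerabilities"]:
        cve, metrics = item["cve"], item["cve"].get("metrics", {})
        for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
            if metrics.get(key):
                out[cve["id"]] = float(metrics[key][0]["cvssData"]["baseScore"])
                break
    return out


def epss_from_first(body):
    return {row["cve"]: float(row["epss"]) for row in body["data"]}


def kev_ids(body):
    return {row["cveID"] for row in body["vulnerabilities"]}


def triage(cvss, epss, in_kev, asset):
    """Return (priority, rationale, action) for one finding."""
    exposed = asset["exposure"] == "internet" or asset["criticality"] == "high"
    if in_kev:
        return "P1", "In CISA KEV: confirmed exploited in the wild", "Patch this week"
    if epss >= 0.70:
        return "P1", f"EPSS {epss:.2f}: high 30-day exploitation probability", "Patch this week"
    if epss >= 0.30:
        if exposed:
            return "P1", f"EPSS {epss:.2f} on a critical or internet-facing asset", "Patch this week"
        return "P2", f"EPSS {epss:.2f}, asset not exposed", "Patch in current cycle"
    if cvss >= 9.5:  # the EPSS table's floor: never deprioritise a 9.5+ on EPSS alone
        return "P2", f"CVSS {cvss} exceeds the 9.5 floor despite EPSS {epss:.2f}", "Patch in current cycle"
    if epss < 0.10 and not exposed:
        return "P3", f"CVSS {cvss} but EPSS {epss:.2f}, not in KEV, asset isolated", "Schedule for next patch cycle"
    return "P2", f"CVSS {cvss}, EPSS {epss:.2f}, exposed asset", "Patch in current cycle"


def prioritise(scan, assets, nvd_json, epss_json, kev_json):
    """Join the feeds per finding and return rows sorted P1 first, then by EPSS."""
    cvss = cvss_from_nvd(json.loads(nvd_json))
    epss = epss_from_first(json.loads(epss_json))
    kev = kev_ids(json.loads(kev_json))
    rows = []
    for f in scan:
        c, e, k = cvss.get(f["cve"], 0.0), epss.get(f["cve"], 0.0), f["cve"] in kev
        p, why, act = triage(c, e, k, assets[f["asset"]])
        rows.append({"asset": f["asset"], "cve": f["cve"], "cvss": c, "epss": e,
                     "kev": k, "priority": p, "rationale": why, "action": act})
    return sorted(rows, key=lambda r: (r["priority"], -r["epss"]))


def llm_prompt(rows):
    """Step 3 prompt from the pattern above, with the enriched rows as JSON lines."""
    header = ("Given this CVE list with CVSS, EPSS, KEV status, and asset criticality, "
              "produce a prioritised remediation list. For each CVE, state: priority "
              "(P1/P2/P3), one-sentence rationale, recommended action.\n")
    return header + "\n".join(json.dumps(r) for r in rows)


if __name__ == "__main__":
    print(llm_prompt(prioritise(SCAN, ASSETS, NVD_JSON, EPSS_JSON, KEV_JSON)))
```

Keeping the thresholds in code and handing the model pre-labelled rows is the safer split: the P1 list is reproducible day to day, and a model hallucinating a lower priority cannot silently drop a KEV entry, which is the false-negative class the Agent Val verdict above warns about.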
FAQ
What is EPSS and should I use it for patching?
EPSS (Exploit Prediction Scoring System) by FIRST.org predicts the probability that a given CVE will be exploited in the wild in the next 30 days. It is trained on exploitation history, PoC publication signals, dark-web chatter, and threat-intel feeds. Use EPSS as a filter on top of CVSS, not as a replacement: a CVE with CVSS 9.8 and EPSS 0.02 is mathematically dangerous but practically unlikely to be exploited against you today. A CVE with CVSS 5.5 and EPSS 0.85 needs immediate attention. Teams that adopt EPSS-weighted prioritisation report a 60-80% reduction in patching workload with no significant increase in breach risk.
What is Qualys Agent Val and TruLens?
Qualys Agent Val (announced March 2026) is an agentic AI that validates exploitability at machine speed using TruLens threat context. Unlike traditional vulnerability scanners that report all detected CVEs, Agent Val uses TruRisk scores (Qualys' risk weighting combining CVSS, EPSS, CISA KEV, and asset context) layered with TruLens threat intelligence to narrow focus to CVEs that are both vulnerable in your environment and actively weaponised. The output is a significantly smaller, higher-confidence remediation list. TruLens is Qualys' threat-intelligence layer that feeds TruRisk scoring with real-time exploitation signals.
Should I use EPSS or CVSS for vulnerability prioritisation?
Neither alone. The correct approach in 2026 is a combined model: CVSS for severity magnitude, EPSS for exploitation probability, CISA KEV for known-exploited confirmation, and asset context (what does this asset connect to? what data does it process?) for business-risk weighting. The Tenable VPR and Qualys TruRisk scores implement versions of this combined model. A CVE that scores high on all four dimensions needs immediate attention regardless of analyst bandwidth. A CVE that scores high on CVSS but low on EPSS, is not in KEV, and is on an isolated development server can be scheduled for the next patch cycle.
What is the difference between Tenable VPR and CVSS?
CVSS (Common Vulnerability Scoring System) is a universal severity score published by the vulnerability's discoverer and NVD. It measures intrinsic severity: how bad the vulnerability is in ideal conditions. It does not account for exploitation probability, asset context, or your specific environment. Tenable VPR (Vulnerability Priority Rating) combines CVSS with EPSS prediction scores, asset exposure paths (is the vulnerable service internet-facing?), business-context weighting (is this a production system?), and real-time threat-intel feeds. VPR produces a risk-weighted priority score specific to your environment. Teams migrating from CVSS-only to VPR-weighted typically eliminate 40-60% of their patch backlog on the first run.
How do I build a zero-cost AI vulnerability prioritisation stack?
The OSS approach: OpenVAS or Nessus Essentials (free) for scanning, NVD API (free) for CVE metadata, EPSS API from FIRST.org (free) for exploitation probability scores, CISA KEV JSON feed (free) as the known-exploited watchlist, and an LLM agent (Claude API or local Llama 4) that reads all three enrichment feeds and produces a prioritised remediation list. The LLM reasons over the triage: EPSS above 0.70 plus in KEV equals patch this week; CVSS above 8.0 but EPSS below 0.10 and not in KEV equals schedule for patch cycle. This pattern is documented in the Penligent blog (April 2026) and works in production for teams without a dedicated vulnerability-management tool.