Key capabilities
CISA KEV
Flag findings tied to known-exploited vulnerabilities.
EPSS scoring
Exploit-probability percentage on every CVE.
Risk-ranked queue
Prioritized worklist across all clients.
Daily feed sync
1,600+ KEV CVEs kept current.
Every finding is enriched with CISA KEV listing status and EPSS exploit probability, so your techs fix what attackers are actually using first.
Flag findings tied to known-exploited vulnerabilities.
Exploit-probability percentage on every CVE.
Prioritized worklist across all clients.
1,600+ KEV CVEs kept current.
CVSS tells you how severe a flaw is in theory. KEV and EPSS tell you whether it’s being exploited right now — and SBCMSP lets real-world exploitation override the paper score. The worklist reorders itself around what actually gets clients breached.
The moment a matched CVE appears in CISA’s Known Exploited Vulnerabilities catalog, the finding is forced to critical — regardless of its CVSS score. Confirmed active exploitation always jumps to the front of the queue.
When a CVE’s EPSS exploit-probability crosses 50%, the finding is escalated to at least high — even if its base CVSS would have parked it lower. Techs fix what’s most likely to be hit next, not just what’s theoretically bad.
The same KEV / EPSS signal feeds score-severity weighting and the ranking of attack-path entry points — so a client’s security score and their most exploitable paths both reflect real-world exploitation, not just paper severity.
KEV listing status and EPSS probability ride on every CVE the platform finds — including the ones matched against the software actually installed on your clients’ machines.
Internet-facing vulnerabilities from every scheduled external scan, ranked the moment they map to a CVE.
Version-detected vulnerabilities from active EASM Deep Scans, sorted by whether they’re being exploited in the wild.
The apps actually installed on client machines — matched against live CVE data, so an outdated app on one endpoint surfaces before it’s ever exposed to the internet. This is the differentiator: risk ranked on what’s running, not just what’s reachable.
Exposed services on client public IPs, carrying the same KEV and EPSS signal as everything else in the queue.
Every entry in CISA’s Known Exploited Vulnerabilities catalog ships with a federal remediation deadline. SBCMSP stores that due date on the finding, so a KEV-listed vulnerability arrives with a fix-by date already attached — not just a severity label. Your techs and your client reports both see the clock CISA is running.
KEV / EPSS Intelligence is one piece of SBCMSP’s unified loop — every finding is prioritized by real-world risk, paired with AI remediation guidance, mapped to your frameworks and re-verified on the next scan.
A color-coded score trend plus a projection that says “fix these 5 findings and this score goes from…
Learn moreEach finding pairs with AI-written, step-by-step remediation guidance — implementation steps, verifi…
Learn moreSeverity-driven SLAs (critical 24h, high 72h, medium 14d, low 30d) start the clock the moment a find…
Learn moreSee a client’s real posture in minutes — then unlock all 1,658 checks.