Prioritizing the 1%: How to Focus on the Vulnerabilities That Actually Get Exploited

Senior Solutions Engineer, ThreatConnect

Most CVEs won't hurt you, but the few that do can be devastating. This talk focuses on how to identify and act on the vulnerabilities that actually get exploited, with examples pulled from recent ransomware and APT campaigns. Learn how to prioritize based on threat actor behavior, not just CVSS.

With over 20,000 CVEs published annually, most organizations struggle to separate signal from noise. Yet only a tiny fraction, less than 2%, are ever exploited in the wild. Today we'll cut through the volume to show how federal and enterprise teams can prioritize vulnerabilities based on adversary behavior, exploit availability, and real-world threat intelligence. We'll explore how public and commercial data sources can be operationalized to focus on high-impact threats and walk through recent examples of CVEs leveraged by ransomware groups and APTs.

The goal: fewer false positives, better resource allocation, and stronger defenses where they matter most.

Key Takeaways:

  • Understand why most CVEs are never exploited and how to spot the ones that will be
  • Learn how to use CISA KEV, Exploit Prediction Scoring System (EPSS), and threat intel feeds for prioritization
  • Get a practical framework for integrating exploitability risk into your vulnerability management process
  • See case studies of recent high-impact CVEs that bypassed traditional prioritization models
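One way to encode the "threat actor behavior, not just CVSS" ordering from the takeaways above, as an added example that is not from the talk or from ThreatConnect: KEV listing outranks threat-intel reporting, which outranks EPSS, which outranks raw CVSS. The findings, the placeholder CVE identifiers, the tier rules and the EPSS threshold are all constructed assumptions for illustration.

```python
# Added example (not part of the talk): rank findings by exploitability
# evidence (CISA KEV listing, threat-intel reporting, EPSS probability)
# ahead of raw CVSS. All findings below are constructed sample data;
# the CVE identifiers are placeholders, not real CVEs.
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str
    cvss: float          # CVSS base score, 0-10
    epss: float          # EPSS probability of exploitation in 30 days, 0-1
    in_kev: bool         # listed in the CISA Known Exploited Vulnerabilities catalog
    intel_reports: int   # count of threat-intel reports tying the CVE to campaigns
    exposed: bool        # affected asset is reachable from the internet

EPSS_THRESHOLD = 0.10    # assumed tuning value, not a figure from the talk

def priority_tier(f: Finding) -> int:
    """Lower tier number means patch first. Order: KEV > intel + exposure > EPSS > CVSS."""
    if f.in_kev:
        return 1
    if f.intel_reports > 0 and f.exposed:
        return 2
    if f.epss >= EPSS_THRESHOLD:
        return 3
    if f.cvss >= 9.0:
        return 4
    return 5

def rank(findings):
    """Sort by tier, then EPSS descending, then CVSS descending as a tie-breaker."""
    return sorted(findings, key=lambda f: (priority_tier(f), -f.epss, -f.cvss))

SAMPLE = [  # constructed findings; a pure-CVSS ranking would put A first
    Finding("EXAMPLE-CVE-A", cvss=9.8, epss=0.004, in_kev=False, intel_reports=0, exposed=False),
    Finding("EXAMPLE-CVE-B", cvss=7.2, epss=0.020, in_kev=True,  intel_reports=3, exposed=True),
    Finding("EXAMPLE-CVE-C", cvss=6.5, epss=0.450, in_kev=False, intel_reports=0, exposed=True),
    Finding("EXAMPLE-CVE-D", cvss=8.1, epss=0.030, in_kev=False, intel_reports=2, exposed=True),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"tier {priority_tier(f)}  {f.cve}  cvss={f.cvss}  epss={f.epss}")
```

Note that the 9.8-scored placeholder lands last: with no KEV entry, no reporting and a negligible EPSS, it is exactly the kind of noise a CVSS-only queue would put at the top.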