← Cybersecurity Alphabet Soup

SSVC

Stakeholder-Specific Vulnerability Categorization

operationshard

SSVC is a decision-tree framework, developed by Carnegie Mellon's SEI with CISA, that helps organizations decide what to do about a vulnerability rather than just scoring its severity. It walks through questions like whether exploitation is active, how automatable an attack is, and what the impact would be, ending in a concrete action such as track, attend, or act now. It matters because a raw CVSS number does not tell a specific organization whether to patch tonight or next quarter.

Sources

More in operations