What it measures, in order of weight
The Senserva CVE Ranking blends the signals below, highest impact first. It is deliberately weighted toward proof of real-world attack over theoretical severity, because a Critical CVSS score that no one is exploiting is a lower priority than a High that ransomware crews are using today.
-
1
Confirmed exploitation (CISA KEV)
The strongest signal by far. A vulnerability in CISA's Known Exploited Vulnerabilities catalog is confirmed in active use by attackers, so it dominates the score.
-
2
Known ransomware use
CISA flags the CVEs tied to ransomware campaigns. These jump the queue, because ransomware operators automate exploitation of exactly these vulnerabilities, and unpatched systems are the entry point in most incidents.
-
3
EPSS exploit probability
FIRST.org EPSS models how likely a CVE is to be exploited in the wild over the next 30 days, updated daily. It separates the genuinely risky from the merely severe before exploitation is confirmed.
-
4
CVSS severity
The base technical severity, used as a tiebreaker once the exploitation signals are in. It answers "how bad if exploited," which matters, but only after "is it being exploited."
-
5
Recency
A trailing boost for what started moving in the last days, so the ranking reflects current heat and cools as an item ages, rather than carrying old news forever.
The Senserva CVE Ranking also incorporates proprietary demand and telemetry signals that sharpen the order beyond the public data above. The exact weightings are proprietary; full methodology details are available upon request. Contact info@senserva.com.
The Senserva CVE Score, 0 to 100
The ranking puts vulnerabilities in order. The Senserva CVE Score turns that into a single number from 0 to 100 so you can read urgency at a glance on any CVE, patch, or card. It is built from the public signals above, confirmed exploitation, ransomware use, EPSS, CVSS, and recency, on a fixed scale, so the same vulnerability scores the same for everyone and the number does not move just because a page is more or less popular. A confirmed-exploited item that ransomware is using and that turned hot in the last two weeks sits in the 90s; an actively exploited but older CVE lands in the 50s to 80s; a severe CVE that no one is exploiting scores well below that. The same score applies to a Microsoft update (KB), built from the CVEs it fixes.
The Score reflects public signal only, so it is fully explainable. The proprietary demand and telemetry signals refine the ranking order, not this number.
Why a ranking beats a severity score alone
Microsoft discloses 1,000 to 2,000 CVEs a year. Most are never exploited; a handful are used in real attacks this week. CVSS alone cannot tell those apart: it rates how bad a vulnerability would be if exploited, not whether anyone is exploiting it. The Senserva CVE Ranking folds the exploitation signals (CISA KEV, ransomware, EPSS) on top of severity, so the list you see is a fix-first order, not a wall of Critical.
Because it refreshes several times a day, the ranking rises and falls with real events: a CVE added to CISA KEV or picked up by a ransomware crew climbs immediately, and quietly cools as attention moves on. That is the difference between a static score and a live measure of what to patch now.
Where you see the Senserva CVE Ranking
Frequently asked
It is a proprietary score that ranks vulnerabilities by how much real-world risk they carry right now, blending confirmed exploitation (CISA KEV), known ransomware use, EPSS exploit probability, CVSS severity, and recency, plus proprietary demand and telemetry signals. It is refreshed several times a day so it reflects current attacker activity, not a static severity number.
CVSS rates how severe a vulnerability would be if exploited. The Senserva CVE Ranking adds whether it is actually being exploited (CISA KEV and ransomware), how likely it is to be (EPSS), and how recently it started moving. CVSS is one input to the ranking, used as a tiebreaker, not the headline.
The signals and their priority order are published above. The exact weightings, and the proprietary demand and telemetry signals, are proprietary; full methodology details are available upon request at info@senserva.com. Every ranked item still shows the public signals behind its position, so the ranking is explainable even where the precise math is not disclosed.
Several times a day. Each refresh pulls Microsoft MSRC, CISA KEV, FIRST.org EPSS, and NVD or CIRCL, re-ranks everything, and republishes the trackers, the feeds and API, and every CVE and KB page.
Yes. The same ranking applies to every vulnerability in the CISA KEV catalog across all vendors, shown on the CISA KEV tracker, and to Microsoft CVEs and the updates that fix them.