Prioritising vulnerabilities for the board
You have a thousand findings and a board on Friday. A severity score is not a defensible answer. Here is how to make AI rank by the real attack paths in your estate, not by the number you already had.
A security leader prioritising vulnerabilities for the board does not need AI to re-sort a CVSS list. They need a top-ten that reflects what an attacker could actually reach, and that survives a director asking why this one and not that one. The Havruta Methodology (formerly the Think Partner Methodology) installs the discipline that makes AI take the attacker's seat and request your real environment before it concludes: what is internet-facing, what holds regulated data, what you already compensate for. This is not a scanner. It is how the leader reasons with AI on the call they have to defend.
The situation
Twelve hundred open findings. A quarterly risk committee on Friday. A scanner that rates the meeting-room printer the same critical as the payments gateway, because it grades theoretical severity, not what matters in your estate. The CVSS list in front of you is the number you already had. What the board is paying you for is a ranking you can defend, and that is a different task entirely.
The meeting-room printer: CVSS 9.8 · critical
The payments gateway: CVSS 9.8 · critical
What commodity AI does with it
Ask an assistant to "prioritise these CVEs" and it re-sorts them by CVSS, then writes the result in confident prose. It cannot see which asset is reachable from the internet, which holds regulated data, or what controls already sit in front of the high-severity items. So it hands back a ranking that is fluent, generic, and indefensible the moment someone asks the obvious question. You are back where you started, with better grammar.
The Flip: put the machine in the attacker's seat
The move that changes the task is to stop asking the machine to grade severity and start making it think like the adversary. An attacker does not read your scanner output top to bottom. They look for the path: which of these, on which assets, could be chained to reach something that matters. When the machine takes that seat, the question shifts from "score the list" to "find the path", which is the question the board actually asked.
What the machine must ask before it ranks
This is the part that proves it is reasoning about your estate and not a plausible average. Before it ranks anything, it has to request what the scanner cannot know:
- Which of these assets are internet-facing, and which sit behind segmentation?
- Which hold regulated or revenue-critical data, and which are isolated or low-value?
- What compensating controls already sit on the high-severity items: a WAF rule, EDR, MFA, network isolation?
- Are any of these on the CISA Known Exploited Vulnerabilities catalogue, or carrying a high EPSS exploit-probability score?
- What is your remediation SLA and your stated risk appetite, and what did the board flag last quarter?
Without those answers, a ranking is a guess. With them, the same CVE lands in a different place on a different asset, which is the whole point. That request is Ground Truth, the methodology's discipline of anchoring AI in your verified environment rather than its generic knowledge.
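The questions above are the inputs the scanner cannot supply. The following is an added example written for this page, not code from the Havruta Methodology or any product, showing how those answers change a ranking once they are fused with the CVSS number: a finding cannot be ranked while any of the context is still unanswered, each ranked item carries the reasons that put it there, and a "why this and not that" comparison lists only the factors that differ between two items. The weights, thresholds, field names and sample estate are constructed assumptions; the CVSS, EPSS and KEV values are made up and the finding identifiers are placeholders, not real CVEs.

```python
"""Context-aware ranking of scanner findings (added illustration, not the
methodology's own code). Weights, thresholds and sample data are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

HIGH_EPSS = 0.5  # assumed threshold for "high exploit probability"
CONTEXT_FIELDS = ("internet_facing", "regulated_data", "on_kev", "epss", "controls")


@dataclass
class Finding:
    asset: str
    finding_id: str                        # placeholder identifier, not a real CVE
    cvss: float                            # the number you already had, 0-10
    # Ground truth the scanner cannot know. None means "not yet answered".
    internet_facing: Optional[bool] = None
    regulated_data: Optional[bool] = None
    on_kev: Optional[bool] = None          # on the CISA Known Exploited Vulnerabilities catalogue
    epss: Optional[float] = None           # exploit-probability score, 0-1
    controls: Optional[List[str]] = None   # compensating controls in front of it; [] means none


def missing_context(findings: List[Finding]) -> List[str]:
    """The questions still unanswered. Nothing is ranked until this list is empty."""
    return [f"{f.asset}: {name}" for f in findings
            for name in CONTEXT_FIELDS if getattr(f, name) is None]


def assess(f: Finding) -> Dict:
    """Fuse exposure, exploitability, business value and mitigation into a score plus reasons."""
    score, reasons = f.cvss, []
    if f.internet_facing:
        score += 3.0
        reasons.append("internet-facing")
    else:
        score -= 3.0
        reasons.append("segmented")
    if f.on_kev:
        score += 4.0
        reasons.append("on CISA KEV")
    elif f.epss >= HIGH_EPSS:
        score += 2.0
        reasons.append(f"EPSS {f.epss:.2f}")
    if f.regulated_data:
        score += 2.0
        reasons.append("regulated data")
    if f.controls:  # an existing control drops the item to verification, with the control noted
        score -= 4.0
        reasons.append("control noted: " + ", ".join(f.controls))
        disposition = "Watch and verify"
    else:
        reasons.append("no compensating control")
        if f.internet_facing and (f.on_kev or f.epss >= HIGH_EPSS):
            disposition = "Scheduled"
        elif f.regulated_data:
            disposition = "Watch and verify"
        else:
            disposition = "Backlog"
    return {"asset": f.asset, "finding_id": f.finding_id, "cvss": f.cvss,
            "score": round(score, 1), "disposition": disposition, "reasons": reasons}


def rank(findings: List[Finding], top_n: int = 10) -> List[Dict]:
    """The board list, highest fused score first. Refuses to conclude without ground truth."""
    gaps = missing_context(findings)
    if gaps:
        raise ValueError("cannot rank yet, still need: " + "; ".join(gaps))
    return sorted((assess(f) for f in findings), key=lambda r: r["score"], reverse=True)[:top_n]


def why_this_not_that(ranked: List[Dict], this: str, that: str) -> str:
    """Answer the director's question with only the factors that differ between two items."""
    by_asset = {r["asset"]: r for r in ranked}
    a, b = by_asset[this], by_asset[that]
    only_a = [x for x in a["reasons"] if x not in b["reasons"]]
    only_b = [x for x in b["reasons"] if x not in a["reasons"]]
    return (f"{this} ({a['score']}) over {that} ({b['score']}): "
            f"only {this} is {', '.join(only_a)}; only {that} is {', '.join(only_b)}")


# Constructed sample estate mirroring the page's scenario; every value is made up.
SAMPLE = [
    Finding("payments gateway", "FINDING-1", 9.8, True, True, True, 0.90, []),
    Finding("meeting-room printer", "FINDING-2", 9.8, False, False, False, 0.02, []),
    Finding("customer portal", "FINDING-3", 9.8, True, False, True, 0.70, ["WAF virtual patch"]),
    Finding("cardholder data store", "FINDING-4", 7.5, False, True, False, 0.10, ["network isolation"]),
    Finding("marketing site", "FINDING-5", 6.1, True, False, False, 0.60, []),
]

if __name__ == "__main__":
    ranked = rank(SAMPLE)
    for i, r in enumerate(ranked, 1):
        print(f"{i}. {r['asset']} (CVSS {r['cvss']}, fused {r['score']}) -> "
              f"{r['disposition']}: " + "; ".join(r["reasons"]))
    print(why_this_not_that(ranked, "payments gateway", "meeting-room printer"))
```

On the constructed sample, the two findings that share a CVSS 9.8 separate immediately: the unmitigated KEV item on the internet-facing gateway leads the list as Scheduled, the same score on the segmented printer falls to the backlog, and the KEV item behind the WAF rule becomes Watch and verify with the control recorded in its reasons. The weights are deliberately simple; the point is that each is a question the leader answered, so the ranking can be defended line by line.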
The working assumption: the list as the scanner ranks it, severity in order, the real exposure unexamined.
The Flip takes the attacker's seat: the machine stops grading the list and hunts the path, which items, on which assets, chain to something that matters.
The blind spot, surfaced: the unmitigated, internet-facing item the severity sort buried, found in private, before the adversary.
A hardened decision: a ranking that has already survived the question "why this and not that".
Leader: Here are 1,200 findings from this week's scan. Prioritise them for Friday's board.
Machine: Before I rank anything, I need exposure, not just severity. Which of these are reachable from the internet, and which are segmented?
Leader: About forty are external. The rest internal, and the cardholder environment is isolated.
Machine: Of the forty, any on the CISA KEV catalogue or a high EPSS score? And do any already have a compensating control, a WAF rule or virtual patch?
Leader: Two are on KEV. One of those is already behind a WAF rule we shipped last month.
Machine: Then the unmitigated KEV item on an internet-facing asset is your number one, and I can show the path that justifies it. The WAF-covered one drops to watch-and-verify, with the control noted so the board sees why. Let me build the ten with the reasoning attached.
What you walk away with
A top-ten where every item carries the reasoning that put it there: exposure, exploitability, business value, and the compensating control or its absence. It survives the CFO asking "why this and not that", and it gives the auditor the risk-based rationale that a raw CVSS sort no longer satisfies. Faster to a decision you can defend, which is the only speed that counts here.
- Number one: the KEV item on an internet-facing asset. Internet-facing · On CISA KEV · No compensating control. Scheduled.
- The regulated data store, internal. Regulated data · Segmented. Watch and verify.
- The critical score behind the WAF rule. Internet-facing · On CISA KEV · Control noted.
The 4-Lines you can run yourself
- Act as an adversary planning an intrusion against my estate, then as my remediation lead. Hold both seats.
- Goal: a board-defensible top-ten remediation list that reflects the real attack paths in my environment, not raw CVSS severity.
- Ask me detailed questions and for supporting data before you rank anything: exposure, asset value, compensating controls, KEV/EPSS status, my SLA and risk appetite. Do not conclude until you have what you need.
- Ask one question at a time, step by step.
Frequently asked questions
How should a CISO prioritise vulnerabilities with AI?
Not by asking it to re-sort by CVSS. The value is a machine that takes the attacker's seat and, before it ranks anything, requests your real environment: what is internet-facing, what holds regulated data, what compensating controls exist, what is on the CISA KEV catalogue. The output is a board-defensible top-ten where each item carries its reasoning, not a re-ordered severity score.
Is this a vulnerability scanner or exposure-management tool?
No. It does not scan, patch, or sit in your stack. It changes how you, the leader, reason with AI on the prioritisation decision you have to defend to the board and the auditor.
Why isn't CVSS enough to prioritise?
CVSS rates theoretical severity, not whether a vulnerability is reachable in your estate, exploited in the wild, or already mitigated by a control you have. Most findings rated high or critical are never exploited; some that are actively exploited score modestly. A defensible ranking fuses exposure, exploitability, and business context, which is judgement the score alone cannot encode.
Can AI be trusted to rank vulnerabilities?
Only if it is made to reason from your verified environment rather than guess. An assistant that ranks from generic knowledge is worse than the scanner. One made to request your asset criticality, exposure, and controls before concluding, and to show its reasoning, can be a genuine aid to a decision you still own.
Where do we start?
With the Eye-Opener Workshop, a half-day where your security leadership sees the shift on its own real work. A Strategic Briefing maps the right entry point.