Learn
Plain-English guides to vulnerability scoring and the CVE ecosystem — CVSS, EPSS, the CISA KEV catalog, CVEs, CNAs, CWEs, CAPEC, MITRE ATT&CK, and the weakness types attackers exploit. Each guide answers the question up front, then links to the tools and directories that put it to work.
71 guides across 8 topics
Browse by topic
- Security fundamentals (9 guides). Core concepts: what a vulnerability, exploit, and zero-day are, and how threat and risk differ.
- CVSS & severity scoring (8 guides). How vulnerability severity is measured: CVSS versions, metrics, vectors, and score ranges.
- Exploitation & prioritization (8 guides). EPSS, the CISA KEV catalog, and how to decide which vulnerabilities to fix first.
- The CVE ecosystem (13 guides). CVEs, CNAs, the NVD, and how a vulnerability gets identified and published.
- Weaknesses & attack patterns (7 guides). CWE weakness types, CAPEC attack patterns, and how they relate to CVEs.
- Vulnerability types (17 guides). Plain-English deep dives on common weakness types — SQL injection, XSS, buffer overflows, and more.
- Threat frameworks (3 guides). MITRE ATT&CK, the cyber kill chain, and how they compare to CAPEC for modeling adversary behavior.
- Security tools & databases (6 guides). SBOMs, GHSA, OSV, Exploit-DB, Metasploit, and SAST vs DAST — the tools and data sources behind vulnerability work.
71 guides
Security fundamentals (9 guides)
Core concepts: what a vulnerability, exploit, and zero-day are, and how threat and risk differ.
- What is a vulnerability in cybersecurity? A vulnerability is a weakness in software, hardware, or a process that an attacker can exploit to compromise a system. Learn what that means.
- What is an exploit in cybersecurity? An exploit is code or a technique that takes advantage of a vulnerability to make a system behave in a way the attacker wants. Learn how exploits work.
- What is a zero-day vulnerability? A zero-day is a vulnerability that is exploited or known before the vendor has a patch, leaving zero days to fix it before attacks. Learn what that means.
- What is a proof-of-concept (PoC) exploit? A proof-of-concept exploit is harmless code that demonstrates a vulnerability is real and exploitable, without causing damage. Learn what a PoC is.
- What is the attack surface? The attack surface is the sum of all points where an attacker could try to enter or extract data from a system. Learn how to find and reduce it.
- Vulnerability vs threat vs risk: what is the difference? A vulnerability is a weakness, a threat is who or what could exploit it, and risk is the likelihood and impact of that happening. See the difference.
- What is responsible disclosure? Responsible disclosure is reporting a vulnerability privately to the vendor and giving them time to patch before going public. Learn how it works.
- What is vulnerability management? Vulnerability management is the continuous cycle of discovering, assessing, prioritizing, remediating, and verifying security flaws across your systems.
- Zero-day vs N-day: what is the difference? A zero-day has no patch when exploited; an N-day is a known flaw with a patch available that is still exploited on unpatched systems. Learn the risk, timeline, and defenses.
CVSS & severity scoring (8 guides)
How vulnerability severity is measured: CVSS versions, metrics, vectors, and score ranges.
- What is CVSS? The Common Vulnerability Scoring System explained. CVSS (Common Vulnerability Scoring System) is the open standard for rating software vulnerability severity on a 0 to 10 scale. Learn how it works.
- CVSS severity levels: None, Low, Medium, High, and Critical. CVSS score ranges map numbers to ratings: None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0. See what each level means.
- How to read a CVSS vector string. A CVSS vector string encodes every metric behind a score. Learn to decode CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H step by step.
- CVSS metric groups: Base, Temporal, and Environmental. CVSS scores come from three metric groups: Base (intrinsic), Temporal/Threat (over time), and Environmental (your deployment). Learn what each does.
- CVSS 4.0 vs 3.1: what changed and why. CVSS 4.0 vs 3.1 compared: new Attack Requirements metric, split impact (VC/VI/VA + SC/SI/SA), expanded User Interaction, and a new scoring model.
- CVSS versions explained: 2.0, 3.0, 3.1, and 4.0. A history of CVSS versions: v2.0, v3.0 (2015), v3.1 (2019, used by most published scores), and v4.0 (2023). See what each release changed and why it matters.
- CVSS 3.0 vs 3.1: what actually changed. CVSS 3.0 vs 3.1: v3.1 (2019) is a clarification of v3.0 (2015), not a new formula. The metrics, scale, and severity bands are identical.
- How is a CVSS score calculated? A CVSS v3.x Base score combines an Exploitability sub-score and an Impact sub-score, adjusted by Scope, then rounded up to one decimal on a 0 to 10 scale.
Exploitation & prioritization (8 guides)
EPSS, the CISA KEV catalog, and how to decide which vulnerabilities to fix first.
- What is EPSS? EPSS (Exploit Prediction Scoring System) is a data-driven model from FIRST.org that estimates the probability a CVE will be exploited within 30 days.
- CVSS vs EPSS. CVSS vs EPSS: CVSS measures how severe a vulnerability is, while EPSS estimates how likely it is to be exploited. Compare the two and learn when to use each.
- What is the CISA KEV catalog? The CISA KEV is the Known Exploited Vulnerabilities catalog: CVEs with reliable evidence of active exploitation that US federal agencies must remediate by a deadline.
- EPSS vs KEV. EPSS vs KEV: EPSS predicts the probability a CVE will be exploited, while the CISA KEV lists CVEs with confirmed active exploitation. Compare and combine them.
- How to prioritize vulnerabilities. Learn how to prioritize vulnerabilities by combining CVSS severity, EPSS likelihood, and the CISA KEV catalog into a repeatable, risk-based workflow.
- What is SSVC (Stakeholder-Specific Vulnerability Categorization)? SSVC is a decision-tree framework from CISA and Carnegie Mellon SEI that sorts vulnerabilities into Track, Track*, Attend, or Act outcomes.
- What is risk-based vulnerability management (RBVM)? Risk-based vulnerability management prioritizes remediation by real-world risk, combining exploitation evidence, exploit likelihood, severity, and asset exposure.
- What is Vulnrichment? Vulnrichment is CISA's Authorized Data Publisher program that enriches CVE records with SSVC decision points, CVSS scores, CWE mappings, and CPE data.
The CVE ecosystem (13 guides)
CVEs, CNAs, the NVD, and how a vulnerability gets identified and published.
- What is a CVE (Common Vulnerabilities and Exposures)? A CVE is a unique public identifier for a known security vulnerability, run by the CVE Program operated by MITRE and sponsored by CISA.
- CVE ID Format: What CVE-YYYY-NNNN Means. A CVE ID looks like CVE-2021-44228: the CVE prefix, a four-digit year, and a sequence number of four or more digits with no fixed length.
- What is a CNA (CVE Numbering Authority)? A CNA is an organization authorized by the CVE Program to assign CVE IDs and publish CVE records for vulnerabilities within its defined scope.
- CNA vs Root vs ADP: CVE Program Roles Compared. CNAs assign CVE IDs, Roots manage groups of CNAs and allocate ID blocks, and ADPs enrich existing CVE records without assigning new IDs.
- What is the NVD (National Vulnerability Database)? The NVD is the U.S. National Vulnerability Database, run by NIST. It consumes CVEs and enriches them with CVSS scores, CWE mappings, and CPE data.
- The CVE Lifecycle: Reserved, Published, Modified. A CVE moves through states: Reserved when an ID is allocated, Published when details are disclosed, and Modified as the record is updated.
- What is a CPE (Common Platform Enumeration)? A CPE is a structured naming scheme for products and platforms, written as cpe:2.3:..., used to express exactly which products a CVE affects.
- What is MITRE? MITRE is a US non-profit that operates the CVE Program and maintains the CWE, CAPEC, and ATT&CK knowledge bases used across vulnerability management.
- What is a security advisory? A security advisory is an official notice from a vendor or coordinator describing a vulnerability, its affected products, severity, and remediation steps.
- What is coordinated vulnerability disclosure (CVD)? Coordinated vulnerability disclosure (CVD) is the process where a finder reports a flaw privately and the vendor fixes it before public disclosure.
- What is VEX (Vulnerability Exploitability eXchange)? VEX (Vulnerability Exploitability eXchange) is a machine-readable statement that says whether a specific product is actually affected by a given CVE.
- CVE vs CVSS: what is the difference? CVE is the unique identifier for a specific vulnerability; CVSS is the 0.0 to 10.0 system that scores its severity. Learn how they differ and connect.
- NVD vs CVE: what is the difference? The CVE List names vulnerabilities; the NVD enriches those records with CVSS scores, CWE, and CPE data. Learn how the two sources differ and relate.
Weaknesses & attack patterns (7 guides)
CWE weakness types, CAPEC attack patterns, and how they relate to CVEs.
- What is a CWE (Common Weakness Enumeration)? A CWE (Common Weakness Enumeration) is a MITRE catalog of software and hardware weakness types, like CWE-79 XSS or CWE-89 SQL Injection.
- What is CAPEC (Common Attack Pattern Enumeration and Classification)? CAPEC is a MITRE catalog of attack patterns: the methods adversaries use to exploit weaknesses, like CAPEC-66 SQL Injection. Each maps to CWEs.
- CVE vs CWE: What is the Difference? CVE vs CWE: a CVE is a specific vulnerability instance in a product; a CWE is the weakness type behind it. A CVE is usually mapped to a primary CWE.
- CVE vs CWE vs CAPEC: What is the Difference? CVE vs CWE vs CAPEC: a CVE is a vulnerability instance, a CWE is the weakness type behind it, and a CAPEC is the attack pattern that exploits it.
- What is the CWE Top 25 Most Dangerous Software Weaknesses? The CWE Top 25 is MITRE's annual, data-driven list of the 25 most dangerous and common software weaknesses, derived from CVE, NVD, and KEV data.
- What is the OWASP Top 10? The OWASP Top 10 is a periodically updated list of the most critical web application security risks, such as Broken Access Control and Injection.
- OWASP Top 10 vs CWE Top 25: what is the difference? OWASP Top 10 vs CWE Top 25: OWASP lists consensus web-app risk categories; the CWE Top 25 is a data-driven ranking of weakness types across all software.
Vulnerability types (17 guides)
Plain-English deep dives on common weakness types — SQL injection, XSS, buffer overflows, and more.
- What is SQL injection? The database attack explained. SQL injection (SQLi) lets attackers tamper with database queries by injecting malicious input. Learn how it works and how parameterized queries stop it.
- What is cross-site scripting (XSS)? Cross-site scripting (XSS) injects malicious scripts into web pages that run in victims' browsers. Learn the types, impact, and how output encoding and CSP stop it.
- What is CSRF (cross-site request forgery)? CSRF tricks a logged-in user's browser into sending a forged request to a trusted site. Learn how it works and how anti-CSRF tokens and SameSite cookies stop it.
- What is SSRF (server-side request forgery)? SSRF tricks a server into making requests to attacker-chosen targets, often internal services or cloud metadata. Learn how it works and how to prevent it.
- What is remote code execution (RCE)? Remote code execution (RCE) lets an attacker run arbitrary code on a target system over a network. Learn the common causes, impact, and how to prevent it.
- What is a buffer overflow? A buffer overflow writes more data than a buffer can hold, corrupting adjacent memory. Learn how the classic stack overflow works and how to prevent it.
- What is an out-of-bounds write? An out-of-bounds write stores data past the end (or before the start) of a buffer, corrupting memory. Learn how it works, its impact, and how to prevent it.
- What is use after free? Use after free occurs when a program keeps using memory it already freed, leading to crashes or code execution. Learn how it works and how to prevent it.
- What is path traversal (directory traversal)? Path traversal lets attackers use sequences like ../ to read or write files outside the intended directory. Learn how it works and how to prevent it.
- What is insecure deserialization? Insecure deserialization processes untrusted serialized data, which can lead to remote code execution. Learn how it works and how to prevent it.
- What is privilege escalation? Privilege escalation lets an attacker gain higher permissions than they were granted. Learn the vertical and horizontal types and how to prevent it.
- What is an IDOR (insecure direct object reference)? An IDOR lets a user access objects they should not by changing an identifier in a request. Learn how it works and how proper authorization checks prevent it.
- What is command injection (OS command injection)? Command injection (CWE-78) lets attackers run OS commands through unsanitized input. Learn how it works, its impact, and how to prevent it.
- What is XXE (XML External Entity injection)? XXE (CWE-611) abuses XML external entities to read files, reach internal systems, and cause denial of service. Learn how it works and how to prevent it.
- What is broken access control? Broken access control (OWASP A01:2021) lets users act outside their permissions. Learn horizontal and vertical escalation and how to prevent it.
- What is clickjacking? Clickjacking (CWE-1021) tricks users into clicking hidden UI through an invisible iframe. Learn how it works and how to prevent it with framing controls.
- What is an open redirect? An open redirect (CWE-601) lets attackers send users to arbitrary sites via an unvalidated parameter. Learn the phishing risk and how to prevent it.
Threat frameworks (3 guides)
MITRE ATT&CK, the cyber kill chain, and how they compare to CAPEC for modeling adversary behavior.
- What is MITRE ATT&CK? MITRE ATT&CK is a curated knowledge base of real-world adversary tactics, techniques, and procedures used for detection and threat modeling.
- MITRE ATT&CK vs CAPEC: what is the difference? MITRE ATT&CK catalogs real-world adversary behavior while CAPEC catalogs abstract attack patterns mapped to CWE weaknesses. Compare both.
- What is the cyber kill chain? The cyber kill chain is a Lockheed Martin model describing the seven stages of a targeted intrusion, from reconnaissance to actions on objectives.
Security tools & databases (6 guides)
SBOMs, GHSA, OSV, Exploit-DB, Metasploit, and SAST vs DAST — the tools and data sources behind vulnerability work.
- What is an SBOM (Software Bill of Materials)? An SBOM is a formal, machine-readable inventory of every component and dependency in a piece of software, used to track supply-chain risk.
- What is a GHSA (GitHub Security Advisory)? A GHSA is a GitHub Security Advisory and its identifier, used in the GitHub Advisory Database to power Dependabot and dependency alerts.
- What is OSV (Open Source Vulnerabilities)? OSV is an open, distributed vulnerability database and schema for open-source software, hosted at osv.dev and aggregating sources like GHSA and PyPA.
- What is Exploit-DB (the Exploit Database)? Exploit-DB is the Offensive Security archive of public exploits and proof-of-concept code, cross-referenced to CVE IDs for defenders and researchers.
- What is Metasploit? Metasploit is the Rapid7 penetration-testing framework of exploit, payload, and auxiliary modules used for authorized security testing and defense.
- SAST vs DAST: what is the difference? SAST analyzes source or binary code without running it, while DAST tests a running application from the outside. Learn how the two approaches compare.