Vulnerability vs threat vs risk: what is the difference?
Last reviewed June 2, 2026
These three terms describe different things. A vulnerability is a weakness in a system. A threat is the actor or event that could exploit that weakness. Risk is the combination of likelihood and impact: the chance that a threat exploits a vulnerability, weighed against the damage it would cause. Risk only exists when a threat, an exploitable vulnerability, and something worth protecting meet.
Three distinct concepts
People often use vulnerability, threat, and risk interchangeably, but they mean different things and confusing them leads to poor decisions. The clearest way to separate them is to ask: what is wrong, who could abuse it, and how much should we worry?
- Vulnerability: a weakness or flaw that could be exploited.
- Threat: a person, group, or event with the potential to exploit a vulnerability.
- Risk: the likelihood that a threat exploits a vulnerability, combined with the resulting impact.
Side-by-side comparison
| Concept | What it is | Example |
|---|---|---|
| Vulnerability | A weakness in a system | An unpatched flaw in a web server |
| Threat | The actor or event that could exploit it | An attacker scanning for that flaw |
| Risk | Likelihood x impact of exploitation | High chance of breach exposing customer data |
The risk relationship
A common way to express the relationship is that risk is a function of threat, vulnerability, and impact. If any one of those is effectively zero, the risk drops sharply. A severe vulnerability with no threat targeting it, or no meaningful impact if exploited, carries low risk. Conversely, a modest vulnerability under active attack on a critical asset can be very high risk.
This is why severity alone is not risk. A CVSS base score measures the intrinsic severity of a vulnerability (how hard it is to exploit and how bad exploitation is for the affected component), but it says nothing about whether anyone is actually exploiting it or what the affected system is worth to you. Real risk also depends on whether a threat is active (signals like EPSS, which estimates the probability of exploitation in the wild, and the CISA KEV catalog, which lists vulnerabilities known to be exploited) and on how much the affected asset matters to you.
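The following is an added example, not part of the original article, that turns the threat x vulnerability x impact relationship above into a scoring function and runs it over a handful of constructed findings. The `Finding` fields, the weights, and the rule that a KEV entry floors likelihood at 0.9 are illustrative assumptions, not a published standard; the point is that a high CVSS score on an unreachable or unimportant asset can rank below a medium-severity flaw under active exploitation on a critical one.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One vulnerability instance on one asset (field names are assumptions)."""
    name: str
    cvss: float              # intrinsic severity, 0-10 (base score)
    epss: float              # estimated probability of exploitation, 0-1
    in_kev: bool             # listed in the CISA KEV catalog
    exposed: bool            # reachable by a threat at all
    asset_criticality: int   # business value of the asset, 1 (low) to 5 (crown jewel)


def likelihood(f: Finding) -> float:
    """Threat component: how likely is a real adversary to exploit this?"""
    if not f.exposed:
        # No threat can reach it, so the threat term is effectively zero.
        return 0.0
    # Illustrative rule: confirmed in-the-wild exploitation floors the
    # likelihood at 0.9 regardless of the EPSS estimate.
    return max(f.epss, 0.9) if f.in_kev else f.epss


def impact(f: Finding) -> float:
    """Impact component: how bad is exploitation for us?

    Scales asset criticality to 0.2-1.0 and weights it by CVSS severity,
    so a critical flaw on a throwaway host still scores low impact.
    """
    return (f.asset_criticality / 5) * (f.cvss / 10)


def risk(f: Finding) -> float:
    """Risk = likelihood x impact, rounded for readability."""
    return round(likelihood(f) * impact(f), 3)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Risk-based ordering: highest risk first, not highest CVSS first."""
    return sorted(findings, key=risk, reverse=True)


# Constructed sample findings; the names are descriptive labels, not real CVE IDs.
SAMPLE_FINDINGS = [
    Finding("rce-on-isolated-build-host", cvss=9.8, epss=0.02, in_kev=False,
            exposed=False, asset_criticality=2),
    Finding("authz-bypass-on-customer-db", cvss=6.5, epss=0.30, in_kev=True,
            exposed=True, asset_criticality=5),
    Finding("rce-on-dev-sandbox", cvss=9.8, epss=0.05, in_kev=False,
            exposed=True, asset_criticality=1),
    Finding("ssrf-on-payments-api", cvss=7.5, epss=0.60, in_kev=False,
            exposed=True, asset_criticality=4),
]


if __name__ == "__main__":
    print(f"{'finding':32} {'cvss':>5} {'risk':>6}")
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.name:32} {f.cvss:>5} {risk(f):>6}")
```

Run as a script, the two CVSS 9.8 findings land at the bottom of the list: one is unreachable, the other sits on a low-value asset with little exploitation activity. The CVSS 6.5 flaw in the KEV catalog on the customer database comes first. Whatever weights a team actually chooses, the structure is the same: a near-zero threat or impact term pulls risk toward zero no matter how high the severity score is.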
Why the distinction matters
Treating every vulnerability as equal risk wastes effort. By separating the weakness from the threat and the potential impact, teams can focus on the flaws that a real adversary is likely to exploit on assets that matter. That is the foundation of risk-based vulnerability management and effective prioritization.
Frequently asked questions
- What is the difference between a threat and a vulnerability?
- A vulnerability is a weakness in a system. A threat is the actor or event that could exploit that weakness. The vulnerability is internal to your system; the threat usually comes from outside it.
- How is risk calculated?
- Risk combines likelihood and impact. Conceptually, risk rises when a credible threat can exploit a real vulnerability on a valuable asset. If threat, vulnerability, or impact is near zero, risk is low.
- Can you have a vulnerability with no risk?
- Effectively yes. A vulnerability that no threat can reach or that would cause no meaningful impact carries very little risk, even if its severity score looks high.
- Is CVSS a measure of risk?
- No. CVSS measures the intrinsic severity of a vulnerability. Risk also depends on active threats and the value of the affected asset, which is why teams add exploitation signals like EPSS and the KEV catalog.