What is SSVC (Stakeholder-Specific Vulnerability Categorization)?
Last reviewed June 2, 2026
SSVC (Stakeholder-Specific Vulnerability Categorization) is a decision-tree framework, developed by Carnegie Mellon's SEI with CISA, for deciding how urgently to act on a vulnerability. Instead of a single number, it asks a small set of questions, such as whether the vulnerability is being exploited and what its technical and mission impact would be, and routes each vulnerability into one of four outcomes: Track, Track*, Attend, or Act. It turns prioritization into a repeatable, explainable decision.
SSVC in one sentence
SSVC, Stakeholder-Specific Vulnerability Categorization, is a methodology for prioritizing vulnerability remediation using a decision tree rather than a numeric score. It was created by the Software Engineering Institute (SEI) at Carnegie Mellon University in collaboration with CISA, which has published its own SSVC decision guide for the vulnerabilities it tracks.
The core idea is that prioritization is a decision, and decisions should be transparent and repeatable. SSVC makes the inputs explicit, so two analysts asking the same questions about the same vulnerability should reach the same outcome.
The decision points
CISA's SSVC decision tree evaluates a handful of decision points and combines them to produce an outcome. The exact questions vary by stakeholder, but the CISA coordinator tree centers on these.
- Exploitation: is there no evidence, a public proof of concept, or active exploitation? This maps neatly onto EPSS signals and the CISA KEV catalog.
- Automatable: can an attacker reliably automate exploitation across many targets?
- Technical Impact: how much control does a successful exploit grant, partial or total?
- Mission and well-being impact: how badly would exploitation affect the mission and public well-being?
The four outcomes: Track, Track*, Attend, Act
The decision points combine into one of four prioritization bands. They describe how much attention and how fast a response a vulnerability warrants, not a severity rating.
| Outcome | Meaning | Typical response |
|---|---|---|
| Track | No immediate action needed | Monitor; remediate within standard update timelines |
| Track* | Monitor closely; specific conditions could change priority | Watch for change; act within standard timelines for now |
| Attend | Higher priority than routine | Involve supervisors; remediate sooner than standard |
| Act | Highest priority | Act quickly; involve leadership and remediate as soon as possible |
How SSVC differs from CVSS
CVSS produces a severity number; SSVC produces an action. The difference matters because a CVSS 9.8 that nobody is exploiting may not warrant the same urgency as a CVSS 7.0 under active attack. SSVC bakes exploitation status and mission impact directly into the decision, so it reflects real-world urgency rather than intrinsic severity alone.
SSVC also makes stakeholder context first-class. A supplier, a deployer, and a coordinator each weigh the decision points differently, which is why it is called stakeholder-specific. In practice many teams feed CVSS, EPSS, and KEV signals into the SSVC decision points rather than treating the frameworks as competitors.
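To make the decision points and outcomes above concrete, here is an added Python example (not CISA's or SEI's code) that validates the four inputs, derives Exploitation from KEV and proof-of-concept signals as the text describes, and routes a finding to Track, Track*, Attend or Act. The leaf assignments in `decide` are this page's editor's reconstruction of how the points combine and the signal names are assumptions; check them against CISA's published decision guide before relying on them.

```python
# Allowed values per decision point, named as in the CISA coordinator tree.
EXPLOITATION = ("none", "poc", "active")
AUTOMATABLE = ("no", "yes")
TECHNICAL_IMPACT = ("partial", "total")
MISSION_WELLBEING = ("low", "medium", "high")
OUTCOMES = ("Track", "Track*", "Attend", "Act")  # least to most urgent


def exploitation_from_signals(in_kev: bool, public_poc: bool) -> str:
    """Derive Exploitation from confirmed-exploitation (KEV) and PoC signals.
    Signal names are assumptions; the precedence active > poc > none follows the text."""
    if in_kev:
        return "active"
    return "poc" if public_poc else "none"


def decide(exploitation: str, automatable: str,
           technical_impact: str, mission_wellbeing: str) -> str:
    """Route one vulnerability to Track, Track*, Attend or Act.

    The leaf assignments are a reconstruction of how the points combine,
    not a copy of CISA's published tree; verify against that document.
    """
    for value, allowed in ((exploitation, EXPLOITATION), (automatable, AUTOMATABLE),
                           (technical_impact, TECHNICAL_IMPACT),
                           (mission_wellbeing, MISSION_WELLBEING)):
        if value not in allowed:  # a typo must fail loudly, not silently land in "Track"
            raise ValueError(f"{value!r} is not one of {allowed}")
    e, a, t, m = exploitation, automatable, technical_impact, mission_wellbeing
    if e == "active":
        if (m == "high" and (a == "yes" or t == "total")) or \
           (m == "medium" and a == "yes" and t == "total"):
            return "Act"
        return "Track" if (m == "low" and a == "no") else "Attend"
    if m == "high":
        if a == "yes" or (e == "poc" and t == "total"):
            return "Attend"
        return "Track*" if (e == "poc" or t == "total") else "Track"
    if e == "poc" and t == "total" and m == "medium":
        return "Track*"
    return "Track"


def prioritize(findings: list) -> list:
    """Return (outcome, id) pairs, most urgent first; each finding is a dict of the four points."""
    scored = [(decide(f["exploitation"], f["automatable"], f["technical_impact"],
                      f["mission_wellbeing"]), f["id"]) for f in findings]
    return sorted(scored, key=lambda pair: -OUTCOMES.index(pair[0]))
```

Feeding it a constructed pair of findings, a CVSS 9.8 with no known exploitation and a CVSS 7.0 listed in KEV with high mission impact, ranks the 7.0 as Act and the 9.8 as Track, which is the ordering the comparison above argues for.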
Keep exploring
- How to prioritize vulnerabilities: where SSVC fits in a full prioritization workflow.
- Risk-based vulnerability management: the broader approach SSVC operationalizes.
- What is the CISA KEV? The confirmed-exploitation signal SSVC consumes.
- What is EPSS? The likelihood signal that feeds SSVC exploitation inputs.
- What is Vulnrichment? CISA's program that adds SSVC data to CVE records.
Frequently asked questions
- What does SSVC stand for?
- SSVC stands for Stakeholder-Specific Vulnerability Categorization, a decision-tree framework for prioritizing vulnerability remediation developed by the SEI at Carnegie Mellon with CISA.
- What are the four SSVC outcomes?
- In CISA's coordinator decision tree the outcomes are Track, Track*, Attend, and Act, ranging from no immediate action to highest-priority, act-quickly response.
- Is SSVC a replacement for CVSS?
- Not exactly. CVSS measures severity while SSVC produces a prioritization decision. SSVC often consumes CVSS, EPSS, and KEV signals as inputs to its decision points, so they are complementary.
- Who uses SSVC?
- CISA uses SSVC to triage the vulnerabilities it coordinates, and many organizations adopt or adapt the decision tree to make their own remediation prioritization explicit and repeatable.