Understanding Risk Level vs. Exploitability in CYRISMA
When reviewing vulnerability data in CYRISMA, two important indicators often raise questions: Risk Level and Exploitability. While both contribute to prioritizing remediation, they serve distinct purposes in evaluating exposure.
📊 What is Risk Level?
Risk Level describes the severity of a vulnerability, derived from metrics such as CVSS scores, vendor assessments, and the impact on the affected system. It is categorized as:
- Critical
- High
- Medium
- Low
A Critical or High risk level means the vulnerability could cause significant harm if exploited—but does not necessarily mean it’s being actively exploited in the wild.
🧨 What is Exploitability?
Exploitability describes how likely it is that a vulnerability will actually be exploited in the real world. It is based on active threat intelligence data, the availability of known exploit code, and how easily an attacker could take advantage of the flaw. It is categorized as:
- Low: Difficult or rare to exploit; no meaningful exploitation activity observed
- Medium: Some level of active exploitation observed
- High: Widespread and actively exploited in the wild
🔍 Tip: A Critical vulnerability with Low Exploitability means it's dangerous in theory—but unlikely to be exploited today.
🎯 How to Prioritize
While the Risk Level helps you understand potential impact, the Exploitability rating helps you decide how urgent the remediation is.
| Example | Risk Level | Exploitability | Priority |
|---|---|---|---|
| Vulnerability A | High | High | 🚨 Immediate action |
| Vulnerability B | Critical | Low | ⚠️ Monitor and schedule patching |
| Vulnerability C | Medium | Medium | 🔧 Patch in normal cycle |
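The table above can be turned into a small triage routine that sorts findings by Exploitability first and Risk Level second, then assigns each one a remediation bucket. The script below is an added example for this article, not CYRISMA's own code or data model: the record fields (`name`, `risk_level`, `exploitability`) and the sample rows are constructed, and the three table cells the article names are taken as given while the remaining combinations are filled in by this example's own rule (exploitability drives urgency; a Critical flaw with some observed exploitation is treated as immediate). Map the fields onto whatever columns your export or API response actually carries.

```python
"""Triage vulnerabilities by Exploitability first, then Risk Level.

Added example for this article, not CYRISMA's own code or data model.
The record fields and the SAMPLE rows below are constructed; map them
onto the columns your CYRISMA export or API response actually exposes.
"""
from collections import Counter
from dataclasses import dataclass

# Ordinal scales for the two indicators. Exploitability is the primary
# sort key because it answers "how urgent"; Risk Level answers "how bad".
RISK_ORDER = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}
EXPLOIT_ORDER = {"High": 2, "Medium": 1, "Low": 0}

IMMEDIATE = "Immediate action"
SCHEDULE = "Monitor and schedule patching"
NORMAL = "Patch in normal cycle"


def _normalize(value: str, scale: dict, label: str) -> str:
    """Accept 'critical', ' HIGH ' etc. from an export; reject anything off the scale."""
    key = value.strip().capitalize()
    if key not in scale:
        raise ValueError(f"unknown {label}: {value!r} (expected one of {sorted(scale)})")
    return key


@dataclass(frozen=True)
class Vulnerability:
    name: str
    risk_level: str      # Critical / High / Medium / Low
    exploitability: str  # High / Medium / Low

    def __post_init__(self):
        # Frozen dataclass, so store the normalized values via object.__setattr__.
        object.__setattr__(self, "risk_level", _normalize(self.risk_level, RISK_ORDER, "risk level"))
        object.__setattr__(self, "exploitability", _normalize(self.exploitability, EXPLOIT_ORDER, "exploitability"))


def priority(v: Vulnerability) -> str:
    """Bucket a finding. High/High, Critical/Low and Medium/Medium follow the
    article's table; the other nine cells are this example's assumption."""
    e, r = EXPLOIT_ORDER[v.exploitability], RISK_ORDER[v.risk_level]
    if (e == 2 and r >= 1) or (e == 1 and r == 3):
        return IMMEDIATE   # exploited in the wild and worth something to an attacker
    if e == 0 and r >= 2:
        return SCHEDULE    # dangerous in theory, rarely exploited today
    return NORMAL


def triage(vulns):
    """Return (vulnerability, priority) pairs, most exploit-ready first."""
    ranked = sorted(
        vulns,
        key=lambda v: (-EXPLOIT_ORDER[v.exploitability], -RISK_ORDER[v.risk_level], v.name),
    )
    return [(v, priority(v)) for v in ranked]


def bucket_counts(vulns) -> Counter:
    """How many findings land in each remediation bucket."""
    return Counter(p for _, p in triage(vulns))


# Constructed sample rows (not real CYRISMA output). D uses the lowercase
# spelling an export might emit, to show the normalization path.
SAMPLE = [
    Vulnerability("Vulnerability A", "High", "High"),
    Vulnerability("Vulnerability B", "Critical", "Low"),
    Vulnerability("Vulnerability C", "Medium", "Medium"),
    Vulnerability("Vulnerability D", "low", "high"),
]

if __name__ == "__main__":
    for v, p in triage(SAMPLE):
        print(f"{v.name:16} {v.risk_level:9} {v.exploitability:7} -> {p}")
    print(dict(bucket_counts(SAMPLE)))
```

Running it lists A (High/High) first and B (Critical/Low) last even though B has the higher Risk Level, which is the point of the table: severity says how bad, exploitability says how soon. A value outside either scale raises a `ValueError` rather than silently sorting to the bottom.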

📉 Why Your Grade Might Not Be an A
Your CYRISMA grade is a dynamic metric that reflects:
- The number of vulnerabilities found
- The severity of those vulnerabilities
- How many have been remediated
- New threats discovered
Due to the constant evolution of threats and scanning cycles, maintaining an A grade is extremely rare. Instead, use the grade as a barometer—focus on:
- Ensuring all agents check in and scan regularly
- Prioritizing vulnerabilities with high exploitability
- Re-scanning after patching, so remediated findings are reflected in the grade
✅ Final Thoughts
Don’t rely solely on the letter grade. Instead:
- Regularly review scan history
- Filter vulnerabilities by Risk Level + Exploitability
- Tackle the most exploit-ready risks first
This balanced approach will help your team stay ahead of emerging threats without getting overwhelmed by less urgent noise.