SSCV Framework
Contextual Vulnerability Risk Scoring

Transform CVSS scores into contextual risk assessments that reflect the actual threat to your specific systems

Launch Calculator Download Spec (PDF)

Example SSCV Vector

SSCV:1.0/OS:C/NE:E/AC:F/EP:A/DL:M/PS:C

The Problem with CVSS Alone

A CVSS 10.0 vulnerability might pose minimal risk to an air-gapped system, while a CVSS 6.0 could be critical on an internet-facing server with sensitive data.

Without Context

  • × All CVSS 9.0+ treated as equally critical
  • × Patch everything immediately or risk non-compliance
  • × Security teams overwhelmed by false priorities

With SSCV

  • Risk scores reflect your actual environment
  • Prioritize patches based on real risk
  • Defensible, documented risk decisions

Key Features

🎯

Contextual Scoring

Combines CVSS base scores with system-specific security context to calculate real-world risk

🛡️

Minimum Risk Threshold

Enforces 20% minimum risk, acknowledging that no system is ever completely secure from zero-days and supply chain attacks

📊

6 Security Components

Evaluates core security controls and exposure factors that every organization can assess immediately

6 Core Security Components

SSCV v1.0 focuses on essential security factors that every organization can assess, providing immediate value for vulnerability prioritization

Security Context

  • OS: Operating System Currency
  • AC: Access Controls
  • EP: Endpoint Protection
  • PS: Patch Status

Core security controls that reduce vulnerability risk

Exposure Factors

  • NE: Network Exposure
  • DL: Data Sensitivity Level

Amplify risk based on accessibility and data value

Simple & Practical:

SSCV v1.0 focuses on six components every security team can assess. Future versions will add specialized components for advanced use cases like industrial systems and critical infrastructure.

How SSCV Works

1

Start with CVSS Base Score

Use the standard CVSS score as your foundation

2

Assess System Context

Evaluate 6 essential security factors specific to your system

OS:C  - Current operating system
NE:I  - Internal network only
AC:F  - Full MFA + RBAC
EP:A  - Advanced EDR
DL:M  - Mixed (contains PII)
PS:C  - Current patches
3

Calculate Contextual Risk

SSCV formula adjusts risk based on your security posture

CRS = CVSS × Security_Avg × Exposure_Factor × Operational_Avg

With 20% minimum threshold to ensure no vulnerability is ignored

Real-World Examples

Internet-Facing Web Server

CVSS Score: 10.0

SSCV Vector:

SSCV:1.0/OS:C/NE:E/AC:F/EP:A/DL:C/PS:C

SSCV Result: 8.5 (High)

⚠ External exposure + critical data = high priority despite good controls

Legacy Manufacturing System

CVSS Score: 8.5

SSCV Vector:

SSCV:1.0/OS:L/NE:A/AC:N/EP:N/DL:I/PS:U

SSCV Result: 3.2 (Low)

✓ Air gap + physical security compensate for poor software security

Real-World Use Cases

See how organizations are using SSCV to transform their security operations, risk management, and business decisions

Enterprise Security Metrics

Track organizational security posture with aggregated SSCV scores. Create department scorecards, visualize risk heat maps, and measure improvement over time.

Org Average: 2.4 → 1.8 (25% improvement)

Cyber Insurance Applications

Calculate risk-adjusted premiums based on SSCV scores. Demonstrate due diligence, meet policy requirements, and qualify for better rates.

Premium Discount: up to 30% for SSCV < 1.5

Regulatory Compliance

Map SSCV components directly to compliance requirements. Automate evidence collection for PCI DSS, NIST CSF, SOC 2, and other frameworks.

PCI DSS 6.2 → PS:C (Patch Status: Current)

Smart Prioritization

Focus on what matters: a CVSS 6.0 on your payment server can be more critical than a CVSS 10.0 on an isolated dev system.

Priority = CVSS × SSCV × Exploit Weight

M&A Security Assessment

Standardize security due diligence. Quickly assess acquisition targets and estimate remediation costs based on SSCV profiles.

40% Legacy Systems: Est. $2.5M to remediate

Technical Integrations

Integrate SSCV with vulnerability scanners, SIEM platforms, and asset management systems via standardized APIs and data formats.

GET /api/v1/assets/{id}/sscv

Implementation Patterns

Gradual

Assess all 6 v1.0 components immediately. Future versions will add specialized components for advanced use cases.

Risk-First

Focus on highest CVSS vulnerabilities first. Calculate SSCV for critical systems.

Automated

Integrate with existing tools. Auto-detect components where possible.

Want to explore more implementation ideas and technical details?

Download Complete Implementation Guide

Ready to Get Started?

Calculate contextual risk scores for your vulnerabilities in seconds

Try the Calculator View on GitHub

Need Help Understanding SSCV?

Our AI assistant can help you understand the framework, calculate risk scores, and answer your security assessment questions.

Ask About:

  • How to calculate SSCV scores
  • Understanding security dimensions
  • Interpreting risk assessments

Get Help With:

  • Your specific vulnerabilities
  • Prioritization strategies
  • Implementation guidance
Chat with SSCV Assistant

Powered by ChatGPT • Available 24/7

Ask AI Assistant