TIRESIS/Methodology

SMB Attack Probability Score™

How we score every CVE for small business risk — and why CVSS alone is not enough.

Why not CVSS?

CVSS measures theoretical severity in a controlled lab environment. It does not know whether WordPress is running on 40% of SMB web servers, or that the average small business takes 60+ days to patch a firewall. Our score weights each CVE against the actual software stack of small businesses — not enterprise infrastructure — and factors in real exploitation activity, not just attack vector taxonomy.

Score Components

Each CVE receives a composite score from 0 to 100. Components are additive with caps to prevent single-factor dominance.

EPSS Score (30d): max 35 pts

FIRST.org exploit prediction score. Best real-world proxy for exploitation likelihood. Log-scaled to handle the heavy tail.

CISA KEV Membership: max 25 pts

Active exploitation confirmed by CISA. Binary bonus — KEV status is the single strongest signal of imminent SMB risk.

SMB Exposure Score: max 20 pts

Prevalence of affected product in SMB environments × patch lag × internet-facing flag. Proprietary dataset of 27 tracked products.

Exploit Maturity: max 10 pts

Public PoC or functional exploit available. Sources: ExploitDB, GitHub, NVD references. HIGH = 10 pts, FUNCTIONAL = 8 pts, PoC = 5 pts.

Attack Vector + Complexity: max 10 pts

NETWORK vector +6 pts, LOW complexity +3 pts, NO privileges required +1 pt. Rewards wormable and automated exploitation patterns.
Ransomware Bonus

If the CVE appears in confirmed ransomware incidents in our database, +10 points are added to the final score (capped at 100). Ransomware correlation is the single strongest predictor of financial impact for SMBs.

Risk Thresholds

CRITICAL: 70-100

Active exploitation highly probable within 14 days. Immediate patch or mitigation required.

HIGH: 45-69

Significant risk to unpatched SMB environments. Patch within current cycle.

MEDIUM: 20-44

Monitor closely. Relevant if product is in your stack.

LOW: 0-19

No immediate action required. Patch in regular maintenance window.
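As an added illustration of how the components and thresholds above combine (this is not TIRESIS code), the following Python puts the stated weights, caps and bands into one function. The page does not specify the exact EPSS log curve, the patch-lag normalisation or how the internet-facing flag is weighted, so those three are assumptions marked in the comments; the sample CVE facts are constructed.

```python
import math
from dataclasses import dataclass

MATURITY_POINTS = {"HIGH": 10, "FUNCTIONAL": 8, "POC": 5}   # from the page
THRESHOLDS = ((70, "CRITICAL"), (45, "HIGH"), (20, "MEDIUM"), (0, "LOW"))

@dataclass
class CveFacts:
    epss: float                     # FIRST EPSS 30-day probability, 0.0-1.0
    in_kev: bool                    # present in the CISA KEV catalog
    prevalence: float               # share of SMBs running the product, 0.0-1.0
    patch_lag_days: int             # observed median days to apply the update
    internet_facing: bool
    exploit_maturity: str           # "HIGH", "FUNCTIONAL", "POC" or "" for none
    attack_vector: str              # CVSS AV, e.g. "NETWORK"
    complexity: str                 # CVSS AC, "LOW" or "HIGH"
    privileges_required: str        # CVSS PR, "NONE", "LOW" or "HIGH"
    in_ransomware_incidents: bool   # seen in confirmed ransomware incidents

def epss_points(epss: float) -> float:
    # Assumed log scale (the page only says "log-scaled"): 0 -> 0, 1 -> 35,
    # rising steeply across the small probabilities where most CVEs sit.
    return 35.0 * math.log10(1.0 + 9.0 * epss)

def exposure_points(prevalence: float, patch_lag_days: int, internet_facing: bool) -> float:
    # Assumed normalisation: lag saturates at 90 days; a product that is not
    # internet-facing keeps half the weight rather than dropping to zero.
    lag = min(patch_lag_days / 90.0, 1.0)
    return 20.0 * prevalence * lag * (1.0 if internet_facing else 0.5)

def vector_points(av: str, ac: str, pr: str) -> int:
    # NETWORK +6, LOW complexity +3, no privileges required +1 (max 10)
    return (6 if av == "NETWORK" else 0) + (3 if ac == "LOW" else 0) + (1 if pr == "NONE" else 0)

def score(f: CveFacts) -> int:
    total = epss_points(f.epss)
    total += 25 if f.in_kev else 0
    total += exposure_points(f.prevalence, f.patch_lag_days, f.internet_facing)
    total += MATURITY_POINTS.get(f.exploit_maturity.upper(), 0)
    total += vector_points(f.attack_vector, f.complexity, f.privileges_required)
    if f.in_ransomware_incidents:
        total += 10                 # ransomware bonus, then cap at 100
    return min(100, round(total))

def risk_band(s: int) -> str:
    return next(band for floor, band in THRESHOLDS if s >= floor)

# Constructed sample: a KEV-listed firewall bug with a functional public exploit.
SAMPLE = CveFacts(0.5, True, 0.30, 60, True, "FUNCTIONAL", "NETWORK", "LOW", "NONE", True)
```

With the assumed curves, SAMPLE lands in CRITICAL even though no single component is maxed, which is the additive-with-caps behaviour the methodology describes.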

SMB Software Stack Coverage

27 products across 8 categories. Prevalence % represents estimated share of SMBs running each product. Patch lag is the observed median days to apply updates in SMB environments.

Operating Systems
Windows 10 (85%)
Windows 11 (45%)
Windows Server (40%)
Remote Access
RDP (70%)
TeamViewer (45%)
FortiClient VPN (20%)
Network & Firewall
FortiGate (30%)
SonicWall (25%)
Email & Collab
Outlook (80%)
Microsoft 365 (65%)
Exchange Server (25%)
Web & CMS
WordPress (40%)
Apache HTTP (35%)
Database
SQL Server (40%)
Backup & Recovery
Veeam Backup (30%)
ERP & Accounting
SAP Business One (15%)

Data Sources

NIST NVD API 2.0

CVE metadata, CVSS scores, affected CPEs. Fetched daily.

FIRST EPSS API

Exploit Prediction Scoring System. 30-day exploitation probability per CVE.

CISA KEV Catalog

1,500+ known exploited vulnerabilities. Updated daily. Binary KEV flag.

TIRESIS Incident DB

SMB breach incidents with CVE correlation, ransomware group, financial impact.

Update frequency: CVE scores are recomputed daily. EPSS scores update every 24h from FIRST.org. CISA KEV membership is checked at each pipeline run. SMB Stack prevalence data is reviewed quarterly. SMB Attack Probability Score™ is proprietary to TIRESIS.