
Context Is the Missing Variable in Vulnerability Prioritization


By Nagomi Security

Introducing the Nagomi Score

Security teams don’t lack vulnerability data. They lack prioritization context.

Most organizations already ingest CVSS scores, EPSS rankings, CISA KEV data, and scanner findings from multiple tools. Despite this, remediation teams still spend hours manually validating which vulnerabilities represent meaningful operational risk.

The issue is structural. CVSS measures theoretical severity under generalized conditions. It can’t account for whether an asset is internet-facing, business-critical, or protected by compensating controls.

As a result, two organizations can inherit the same CVE but face completely different levels of operational risk.

Treating the same CVE identically across environments with different controls, business criticality, and exposure profiles is a fundamental prioritization mistake.

Without that context, remediation teams fall back on manual, potentially misaligned severity firefighting.

The Nagomi Score changes this paradigm.

How the Nagomi Vulnerability Score Works: A Context-Aware Scoring Model

The Nagomi Vulnerability Score is a context-aware scoring model that produces a proprietary 0-to-10 score for every vulnerability in a customer’s environment. Rather than replacing CVSS or EPSS, it builds on them, adding the environment-specific context that a sound remediation decision requires.

How it works

The Nagomi Score combines four components: CVSS base severity; EPSS probability of exploitation within the next 30 days; active exploitation signals (CISA KEV catalog membership, ExploitDB presence, and source-tool flags); and Nagomi-proprietary asset and control multipliers. Those multipliers reflect the customer’s specific environment and capture whether:

  • The affected asset belongs to a “High Priority” business group
  • The asset is internet-facing
  • Compensating controls are deployed and working

The result is a score calibrated to the user’s environment, not a theoretical average.

The most important aspect of the Nagomi Score

The same vulnerability in different customer environments receives a different score.

Why? Because no two environments are exactly alike. An endpoint without configured EDR coverage carries a fundamentally different level of urgency than an endpoint with fully functioning controls. The Nagomi score reflects that distinction.

What Exposure Context Means for CVE Risk

Effective exposure management depends on accurate exposure assessment. Accurate exposure assessment requires more than a CVE’s conceptual severity rating. It requires knowing:

  • Is this asset reachable from the internet?
  • Is it covered by deployed security controls?
  • Does it belong to a business-critical group?
  • Is this CVE being actively exploited?

The answers to these questions determine whether a vulnerability represents a material risk to a specific organization or if it belongs lower in the triage queue.

The following table shows how the Nagomi Score changes a vulnerability’s severity level based on context in the customer’s environment.

CVE | CVSS | Nagomi Score | What it demonstrates
CVE-2026-40372 | 9.1 (Critical) | 3.8 (Low) | De-prioritized. CVSS rates it Critical, but there is no exploitation activity, no internet-facing exposure, and EDR is deployed and working correctly. The Nagomi Score lowers it by more than 5 points, to Low.
CVE-2013-3893 / CVE-2020-6418 | 8.8 (High) | 8.5 (High) | Confirmed correct for this context. Actively exploited, but on lower-criticality assets; the threat layer holds them at High, with no context elevation.
CVE-2026-21533 | 7.8 (High) | 10.0 (Critical) | Elevated (all signals). Raised to Critical because the asset is High Priority, internet-facing, and missing EDR, and the CVE is actively exploited and listed in CISA KEV.
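As an added illustration (this is not Nagomi’s code: the formula, weights, thresholds, and the severity floor below are assumptions, since the real multipliers are proprietary), here is a small Python model of the same layering. A threat layer is built from CVSS, EPSS, and active-exploitation signals, then an asset and control layer adjusts the score for one specific environment, so the same CVE scores differently on a hardened internal host and on an exposed, unprotected one. The sample findings are constructed to mirror the three rows of the table above; their EPSS values and the exact context of the lower-criticality assets are assumed.

```python
from dataclasses import dataclass
from typing import List, Tuple


def severity_band(score: float) -> str:
    """Qualitative bands, following the CVSS v3.x rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass(frozen=True)
class ThreatSignals:
    """Per-CVE signals that are identical in every environment."""
    cve: str
    cvss: float               # CVSS base score, 0.0-10.0
    epss: float               # EPSS: probability of exploitation in the next 30 days
    kev: bool = False         # listed in the CISA Known Exploited Vulnerabilities catalog
    exploitdb: bool = False   # public exploit present in ExploitDB
    tool_flag: bool = False   # source scanner flags active exploitation

    @property
    def actively_exploited(self) -> bool:
        return self.kev or self.exploitdb or self.tool_flag


@dataclass(frozen=True)
class AssetContext:
    """Per-asset context taken from the inventory and control-coverage map."""
    high_priority: bool       # member of a "High Priority" business group
    internet_facing: bool
    control_state: str        # "effective", "missing", or "unknown"


# Illustrative weights: assumed for this example, not Nagomi's proprietary values.
ACTIVE_EXPLOIT_BONUS = 1.0
LOW_EPSS_THRESHOLD = 0.05
LOW_EPSS_DISCOUNT = 2.5
HIGH_PRIORITY_BONUS = 1.0
INTERNET_FACING_BONUS = 1.0
EFFECTIVE_CONTROL_DISCOUNT = 3.0
MISSING_CONTROL_PENALTY = 1.0
ACTIVE_EXPLOIT_FLOOR = 7.0    # an actively exploited CVE never drops below High


def context_score(v: ThreatSignals, ctx: AssetContext) -> float:
    s = v.cvss
    # Threat layer: environment-independent exploitation evidence.
    if v.actively_exploited:
        s += ACTIVE_EXPLOIT_BONUS
    elif v.epss < LOW_EPSS_THRESHOLD:
        s -= LOW_EPSS_DISCOUNT
    # Context layer: asset and control state of this environment.
    if ctx.high_priority:
        s += HIGH_PRIORITY_BONUS
    if ctx.internet_facing:
        s += INTERNET_FACING_BONUS
    if ctx.control_state == "effective":
        s -= EFFECTIVE_CONTROL_DISCOUNT
    elif ctx.control_state == "missing":
        s += MISSING_CONTROL_PENALTY
    # A working compensating control lowers urgency, but it does not turn a
    # CVE that is being exploited in the wild into a "Low": keep a floor.
    if v.actively_exploited:
        s = max(s, ACTIVE_EXPLOIT_FLOOR)
    return round(min(max(s, 0.0), 10.0), 1)


def triage(findings: List[Tuple[ThreatSignals, AssetContext]]):
    """Rank (vuln, context) pairs by context score, most urgent first."""
    ranked = []
    for v, ctx in findings:
        s = context_score(v, ctx)
        ranked.append((v.cve, s, severity_band(s)))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed sample findings mirroring the three table rows (EPSS values
# and the lower-criticality assets' context are assumptions).
SAMPLE = [
    (ThreatSignals("CVE-2026-40372", cvss=9.1, epss=0.01),
     AssetContext(high_priority=False, internet_facing=False, control_state="effective")),
    (ThreatSignals("CVE-2013-3893", cvss=8.8, epss=0.90, kev=True),
     AssetContext(high_priority=False, internet_facing=False, control_state="effective")),
    (ThreatSignals("CVE-2026-21533", cvss=7.8, epss=0.80, kev=True, exploitdb=True),
     AssetContext(high_priority=True, internet_facing=True, control_state="missing")),
]

if __name__ == "__main__":
    for cve, s, band in triage(SAMPLE):
        print(f"{cve:16} {s:5.1f} {band}")
    # Same CVE, hardened internal asset: the score changes with the context.
    hardened = AssetContext(high_priority=False, internet_facing=False, control_state="effective")
    print("CVE-2026-21533 on a hardened internal host:", context_score(SAMPLE[2][0], hardened))
```

Under these assumed weights the three sample rows land at 3.6 (Low), 7.0 (High), and 10.0 (Critical), matching the direction of each table row, and CVE-2026-21533 drops to 7.0 on an internal host with effective EDR. The floor is the design choice worth arguing about: it encodes the position that a control can lower the urgency of an actively exploited CVE but never make it a Low.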

For security teams using traditional vulnerability assessment tools, answering those questions (and validating or adjusting the score) means manually cross-referencing CVSS data, EPSS feeds, CISA KEV, the asset inventory, a control coverage map, and scanner outputs, for every CVE in scope. That is a lot of work and a lot of time, both of which are scarce among SecOps analysts.

With the Nagomi Score, that manual cross-referencing is no longer necessary, as the table above illustrates.

For teams managing tens of thousands of vulnerabilities across complex, distributed environments, this is the difference between a triage process that takes hours and one that takes minutes.

Benefit: How VM Engineers and SecOps Analysts Can Cut Triage Time

For engineers and analysts who live in their companies’ vulnerability inventories, the Nagomi Score appreciably improves workflows.

Triage no longer starts with a (seemingly endless) CVSS-descending sort followed by manual validation of each finding’s applicability to the organization’s environment. The platform has already evaluated those conditions and adjusted the output based on:

  • Potential impact
  • The asset’s business criticality
  • Compensating controls and their operational state, which govern exploitability and reachability

In other words, the highest Nagomi scores reflect the environment’s current risk state as confirmed by assessed data, not a generic severity label assigned without knowledge of the infrastructure.

The main benefit: Vulnerability management teams no longer have to cross-reference multiple consoles and data sources to build a defensible prioritization list. Nagomi autonomously does that work and generates a ranked list that reflects real remediation urgency.

Benefit: How Vulnerability Managers Can Track Remediation Progress with Environment-Aware Scoring

One of the more meaningful shifts in Nagomi’s control-first model is how remediation is evaluated.

Vulnerability managers responsible for backlog reduction, SLA performance, MTTR, and remediation reporting often struggle to separate meaningful risk from scanner noise. The Nagomi Score provides an environment-aware view of exposure directly inside the platform, helping teams prioritize remediation based on actual business impact rather than static severity.

Traditional CVSS counts show how many vulnerabilities exceed a generic threshold. Nagomi Score highlights which CVEs represent elevated risk in the organization’s actual environment, based on exploit activity, asset criticality, internet exposure, and control coverage.

When remediation workflows are prioritized by Nagomi Score, vulnerability management teams can focus effort on the fixes most likely to reduce operational risk and improve measurable program outcomes, including:

  • Improved prioritization: Teams spend less time addressing low-risk findings and more time remediating exposures that materially affect the environment.
  • Better operational alignment: Tickets include environmental and business context, helping IT and security teams align on urgency and ownership.
  • More meaningful reporting: Remediation progress can be measured against actual risk reduction rather than raw vulnerability counts.
  • Stronger program maturity: Context-aware remediation supports more consistent, defensible exposure management over time.

Results: Quantitative Security Metrics You Can Use

The Bottom Line

The difference between vulnerability management and exposure management is context. The Nagomi Vulnerability Score gives security teams that context, automatically, for every vulnerability. The result is a remediation process aligned to actual exposure, business impact, and verified control coverage.

See Nagomi in action at nagomisecurity.com