Table of Contents
Fetching ...

RiskBridge: Turning CVEs into Business-Aligned Patch Priorities

Yelena Mujibur Sheikh, Awez Akhtar Khatik, Luoxi Tang, Yuqiao Meng, Zhaohan Xi

TL;DR

RiskBridge addresses the gap between static vulnerability scoring and practical enterprise remediation by unifying multi-source threat intelligence (CVSS v4, EPSS, KEV) within an explainable, policy-aware pipeline. The framework combines a Zero-Day Exposure Simulation (ZDES) to forecast near-term exploit likelihood, a Policy-as-Code engine to automate regulatory SLA generation, and an ROI-driven optimization to minimize patch effort while maximizing risk reduction. Experimental results on live CVE datasets report substantial improvements in risk reduction, SLA compliance, and remediation efficiency over static CVSS, EPSS-only, KEV, and commercial baselines, with ablation studies confirming the value of BII and ZDES. The work demonstrates practical, auditable decision intelligence for enterprise vulnerability management, offering a path toward automated, compliant, and business-centric risk reduction in complex environments.

Abstract

Enterprises are confronted with an unprece- dented escalation in cybersecurity vulnerabil- ities, with thousands of new CVEs disclosed each month. Conventional prioritization frame- works such as CVSS offer static severity met- rics that fail to account for exploit probabil- ity, compliance urgency, and operational im- pact, resulting in inefficient and delayed re- mediation. This paper introduces RiskBridge, an explainable and compliance-aware vulner- ability management framework that integrates multi-source intelligence from CVSS v4, EPSS, and CISA KEV to produce dynamic, business- aligned patch priorities. RiskBridge employs a probabilistic Zero-Day Exposure Simulation (ZDES) model to fore- cast near-term exploit likelihood, a Policy-as- Code Engine to translate regulatory mandates (e.g., PCI DSS, NIST SP 800-53) into auto- mated SLA logic, and an ROI-driven Opti- mizer to maximize cumulative risk reduction per remediation effort. Experimental evalua- tions using live CVE datasets demonstrate an 88% reduction in residual risk, an 18-day improvement in SLA compliance, and a 35% increase in remediation efficiency compared to state-of-the-art commercial baselines. These findings validate RiskBridge as a prac- tical and auditable decision-intelligence sys- tem that unifies probabilistic modeling, com- pliance reasoning, and optimization analytics. The framework represents a step toward auto- mated, explainable, and business-centric vul- nerability management in modern enterprise environments

RiskBridge: Turning CVEs into Business-Aligned Patch Priorities

TL;DR

RiskBridge addresses the gap between static vulnerability scoring and practical enterprise remediation by unifying multi-source threat intelligence (CVSS v4, EPSS, KEV) within an explainable, policy-aware pipeline. The framework combines a Zero-Day Exposure Simulation (ZDES) to forecast near-term exploit likelihood, a Policy-as-Code engine to automate regulatory SLA generation, and an ROI-driven optimization to minimize patch effort while maximizing risk reduction. Experimental results on live CVE datasets report substantial improvements in risk reduction, SLA compliance, and remediation efficiency over static CVSS, EPSS-only, KEV, and commercial baselines, with ablation studies confirming the value of BII and ZDES. The work demonstrates practical, auditable decision intelligence for enterprise vulnerability management, offering a path toward automated, compliant, and business-centric risk reduction in complex environments.

Abstract

Enterprises are confronted with an unprece- dented escalation in cybersecurity vulnerabil- ities, with thousands of new CVEs disclosed each month. Conventional prioritization frame- works such as CVSS offer static severity met- rics that fail to account for exploit probabil- ity, compliance urgency, and operational im- pact, resulting in inefficient and delayed re- mediation. This paper introduces RiskBridge, an explainable and compliance-aware vulner- ability management framework that integrates multi-source intelligence from CVSS v4, EPSS, and CISA KEV to produce dynamic, business- aligned patch priorities. RiskBridge employs a probabilistic Zero-Day Exposure Simulation (ZDES) model to fore- cast near-term exploit likelihood, a Policy-as- Code Engine to translate regulatory mandates (e.g., PCI DSS, NIST SP 800-53) into auto- mated SLA logic, and an ROI-driven Opti- mizer to maximize cumulative risk reduction per remediation effort. Experimental evalua- tions using live CVE datasets demonstrate an 88% reduction in residual risk, an 18-day improvement in SLA compliance, and a 35% increase in remediation efficiency compared to state-of-the-art commercial baselines. These findings validate RiskBridge as a prac- tical and auditable decision-intelligence sys- tem that unifies probabilistic modeling, com- pliance reasoning, and optimization analytics. The framework represents a step toward auto- mated, explainable, and business-centric vul- nerability management in modern enterprise environments
Paper Structure (27 sections, 3 equations, 4 figures, 6 tables)

This paper contains 27 sections, 3 equations, 4 figures, 6 tables.

Figures (4)

  • Figure 1: Architecture of the RiskBridge Framework. The pipeline integrates external intelligence sources (NVD, EPSS, KEV) with four modules: (1) Zero-Day Exposure Simulation (ZDES), (2) Enrichment and Business Impact Index (BII), (3) Policy-as-Code Compliance, and (4) ROI Optimization. Dashed arrows denote feedback from business impact and LLM reasoning for contextual and explainable prioritization.
  • Figure 2: RiskBridge Methodology Overview. The framework integrates multi-source threat intelligence (NVD, EPSS, KEV) through four core components: (1) Business Impact Index (BII) for asset-driven risk quantification, (2) Zero-Day Exposure Simulation (ZDES) for exploit likelihood forecasting, (3) Compliance-Aware Scheduling for policy-aligned prioritization, and (4) ROI Optimization for maximizing remediation efficiency. Outputs provide explainable, auditable, and business-aligned vulnerability rankings.
  • Figure 3: Comparison of RiskBridge and Tenable VPR across key metrics. Curves indicate multi-dimensional performance improvement.
  • Figure 4: ROI vs Compliance Gain Across CVEs. CVSS severity is indicated by the color scale.