RiskBridge: Turning CVEs into Business-Aligned Patch Priorities
Yelena Mujibur Sheikh, Awez Akhtar Khatik, Luoxi Tang, Yuqiao Meng, Zhaohan Xi
TL;DR
RiskBridge addresses the gap between static vulnerability scoring and practical enterprise remediation by unifying multi-source threat intelligence (CVSS v4, EPSS, KEV) within an explainable, policy-aware pipeline. The framework combines a Zero-Day Exposure Simulation (ZDES) to forecast near-term exploit likelihood, a Policy-as-Code engine to automate regulatory SLA generation, and an ROI-driven optimization to minimize patch effort while maximizing risk reduction. Experimental results on live CVE datasets report substantial improvements in risk reduction, SLA compliance, and remediation efficiency over static CVSS, EPSS-only, KEV, and commercial baselines, with ablation studies confirming the value of BII and ZDES. The work demonstrates practical, auditable decision intelligence for enterprise vulnerability management, offering a path toward automated, compliant, and business-centric risk reduction in complex environments.
Abstract
Enterprises are confronted with an unprece- dented escalation in cybersecurity vulnerabil- ities, with thousands of new CVEs disclosed each month. Conventional prioritization frame- works such as CVSS offer static severity met- rics that fail to account for exploit probabil- ity, compliance urgency, and operational im- pact, resulting in inefficient and delayed re- mediation. This paper introduces RiskBridge, an explainable and compliance-aware vulner- ability management framework that integrates multi-source intelligence from CVSS v4, EPSS, and CISA KEV to produce dynamic, business- aligned patch priorities. RiskBridge employs a probabilistic Zero-Day Exposure Simulation (ZDES) model to fore- cast near-term exploit likelihood, a Policy-as- Code Engine to translate regulatory mandates (e.g., PCI DSS, NIST SP 800-53) into auto- mated SLA logic, and an ROI-driven Opti- mizer to maximize cumulative risk reduction per remediation effort. Experimental evalua- tions using live CVE datasets demonstrate an 88% reduction in residual risk, an 18-day improvement in SLA compliance, and a 35% increase in remediation efficiency compared to state-of-the-art commercial baselines. These findings validate RiskBridge as a prac- tical and auditable decision-intelligence sys- tem that unifies probabilistic modeling, com- pliance reasoning, and optimization analytics. The framework represents a step toward auto- mated, explainable, and business-centric vul- nerability management in modern enterprise environments
