diff --git a/docs/howto/using_epss/epss_percentiles.md b/docs/howto/using_epss/epss_percentiles.md index b85a0cd1..525a35b4 100644 --- a/docs/howto/using_epss/epss_percentiles.md +++ b/docs/howto/using_epss/epss_percentiles.md @@ -20,8 +20,10 @@ probability scores as one of a few different inputs to inform the SSVC [Exploitation](../../reference/decision_points/exploitation.md) decision point. This approach can be a useful approach to refine or augment the *input* to an existing SSVC decision model. -In this how-to, we'll explore a different approach that uses EPSS percentiles -as an amplifier to adjust the *output* of an existing SSVC decision model. +!!! question "What's in this How-To?" + + In this how-to, we'll explore a different approach that uses EPSS percentiles + as an amplifier to adjust the *output* of an existing SSVC decision model. ## Starting Out with the SSVC Deployer Decision Model @@ -147,6 +149,18 @@ And here is a JSON object representation of the decision table for programmatic Now you can use this decision table in your SSVC implementation to adjust the prioritization of vulnerabilities based on their EPSS percentiles. +!!! question "How can I sort work items within a given SSVC outcome category?" + + While we don't usually recommend sorting within a given SSVC outcome category, + we recognize that some organizations may want to do this. + + If you want to sort vulnerabilities within a given SSVC outcome (e.g., all vulnerabilities + that are classified as "Immediate"), you can use the raw EPSS probability score + as a secondary sorting key. + This way, even if multiple vulnerabilities fall into the same SSVC category, + you can still prioritize them based on their predicted likelihood of exploitation. + + ## Conclusion In this how-to, we've demonstrated how to use EPSS percentiles as an amplifier diff --git a/docs/howto/using_epss/epss_probability.md b/docs/howto/using_epss/epss_probability.md index 38935d4b..c14c1630 100644 --- a/docs/howto/using_epss/epss_probability.md +++ b/docs/howto/using_epss/epss_probability.md @@ -4,6 +4,12 @@ SSVC users might want to combine exploitation-related information from multiple sources into a single decision point for use downstream in a decision table such as the SSVC [Deployer Decision Model](../deployer_tree.md). +!!! question "What's in this How-To?" + + This How-To explores how to combine information from multiple sources + via SSVC Decision Points and Decision Tables to create a more nuanced view + of exploitation risk. + One such source is the [Exploit Prediction Scoring System](https://www.first.org/epss/) ([EPSS](https://www.first.org/epss)) probability score.