arXiv: Compute-Budgeted Exploitability Evidence Graphs for Prospective Vulnerability Triage

This publication introduces a novel framework called Compute-Budgeted Exploitability Evidence Graphs, designed to improve how organizations prioritize software vulnerabilities based on their real-world exploitability. The authors propose a method that uses limited computational resources to generate evidence graphs, which map out the steps an attacker would need to take to exploit a given vulnerability. This approach aims to move beyond traditional severity scores like CVSS by factoring in the actual cost and likelihood of exploitation, enabling more efficient triage of security flaws.

The primary audience for this work includes cybersecurity teams, vulnerability management professionals, and compliance officers in sectors that handle critical infrastructure, financial services, healthcare, and large-scale software development. Organizations that rely on automated vulnerability scanning and risk-based prioritization will be most affected, as the framework offers a way to reduce false positives and focus remediation efforts on vulnerabilities that are most likely to be weaponized.

Compliance teams should review their current vulnerability management processes to assess whether they incorporate exploitability evidence beyond static severity scores. They should consider piloting this graph-based approach within their security operations to validate its effectiveness for their specific threat landscape. Additionally, teams should monitor for any future regulatory guidance that may reference this methodology, as it could influence upcoming standards for proactive vulnerability triage under frameworks like AI_SAFETY.