not_exploitableFalse positive or unreachable. De-prioritized.
Severity alone never told you what to fix. CybeDefend scores every finding and ranks every project by real, exploitable risk, so your team spends its time where it counts.
A transparent 0 to 100 number that blends four honest signals, so a low-severity bug on an exposed, actively-exploited path outranks a critical one buried in dead code.
CVSS 4.0 environmental score, EPSS exploitation probability, exploitability and business context, weighted into a single number.
Every finding gets a verdict on whether it is realistically reachable, from static analysis, AI review or a manual call. That is what stops your team drowning in noise.
not_exploitableFalse positive or unreachable. De-prioritized.
theoreticalPossible, not yet confirmed reachable.
provenConfirmed exploitable in your real data flow.
actively_exploitedKnown exploitation in the wild. Drop everything.
Priority scoring tells you what to fix inside a project. The CybeRisk score answers a bigger question across your whole portfolio: which of your hundred projects to look at first. One number per project, summed from every active finding.
CVSS-weighted and unbounded, so a genuinely risky project scores in the hundreds and the worst offenders stand out.
Both scores start from CVSS 4.0. The same CVE scores higher on an internet-facing, mission-critical service than on an isolated internal tool.
The intrinsic severity of the vulnerability, stored for full auditability.
Reshaped by your Security Context, and recomputed automatically when it changes.
The priority score ranks individual findings inside a project so you know what to fix first. The CybeRisk score ranks whole projects across your portfolio so you know which project to look at first. One is finding-level, the other project-level.
It blends four normalized signals: CVSS 4.0 environmental score, EPSS exploitation probability, exploitability and business context. The weighted result is a transparent 0 to 100, and every finding can be decomposed into its exact contributions.
It is a verdict on whether a finding is realistically reachable, from not_exploitable to actively_exploited, sourced from static analysis, AI assessment or a manual override. It is the single biggest driver of false-positive suppression.
Because it sums point contributions from every active finding rather than a percentage. A project with many critical vulnerabilities can legitimately score in the hundreds, which keeps the worst offenders clearly separated.
Yes. Authorized users can pin a priority, which freezes recalculation until it is cleared. Overridden findings are flagged so it is always clear a human set the score.
One command wires every coding agent on your machine to CybeDefend: your business rules, your compliance frameworks, and guards that block destructive calls before they fire.
npx -y @cybedefend/vibedefend@latest install