# Exploit Signals

> Understand how Backline calculates exploitability scores to help you prioritize vulnerabilities

## Overview

Not all vulnerabilities are equally dangerous. Some are theoretical—no one has figured out how to exploit them yet—while others are being actively used by attackers right now. The Exploit Signals system helps you answer one critical question:

<Note>
  **"How likely is this vulnerability to be exploited in the real world?"**
</Note>

Backline calculates exploitability scores (0-100) by combining multiple threat intelligence signals from public data sources. This score, alongside severity, helps security teams prioritize which vulnerabilities to fix first.

### Why Exploit Signals Matter

Traditional severity scores (Critical, High, Medium, Low) tell you how bad a vulnerability **could be** if exploited. Exploit signals tell you how likely it **is to be** exploited, based on:

* Active exploitation in the wild
* Availability of proof-of-concept (PoC) code
* Weaponized exploit tools
* Technical ease of exploitation

<Tip>
  Exploit signals complement severity ratings. A "Critical" severity vulnerability with low exploitability may present a different risk than a "High" severity vulnerability with active exploitation.
</Tip>

## How It Works

When vulnerability reports are uploaded to Backline, the system automatically:

1. **Gathers threat intelligence** from multiple public data sources
2. **Calculates scores** using a weighted formula
3. **Classifies exploitability** as YES, UNCERTAIN, NO, or N/A
4. **Displays signals** in your vulnerability dashboard

<Note>
  Calculation happens asynchronously after report upload. Vulnerabilities initially show a "CALCULATING" status, then update with final signals within minutes.
</Note>

## Understanding Exploitability Classifications

Backline classifies vulnerabilities into four exploitability categories:

<CardGroup cols={2}>
  <Card title="YES - Exploitable" icon="skull-crossbones" color="#ef4444">
    There's proof-of-concept code or active exploitation happening.

    * Score ≥ 60 with PoC or active exploitation
    * Confirmed exploitable in the wild
  </Card>

  <Card title="UNCERTAIN - Moderate Signals" icon="triangle-exclamation" color="#f59e0b">
    Some indicators exist, but exploitation isn't confirmed.

    * Score 40-59, or edge cases
    * Indicators present but not definitive
  </Card>

  <Card title="NO - Unlikely" icon="shield-check" color="#10b981">
    No evidence of exploitation yet.

    * Score \< 40 without PoC or active exploitation
    * Limited exploitability signals
  </Card>

  <Card title="N/A - Insufficient Data" icon="circle-info" color="#6b7280">
    No vulnerability intelligence available.

    * Very new or obscure vulnerabilities
    * Insufficient data to calculate score
  </Card>
</CardGroup>

## The Score Calculation

Exploitability scores are calculated using a weighted formula that combines multiple threat intelligence signals. Each signal contributes points to the final score (0-100):

### Signal Components

<AccordionGroup>
  <Accordion title="Active Exploitation (30 points)" icon="fire">
    **Weight: 30 points** (highest priority)

    Indicates if the vulnerability is actively being exploited in the wild.

    * **Source**: CISA Known Exploited Vulnerabilities (KEV) catalog
    * **Why it matters**: Active exploitation means attackers are using this vulnerability **right now**

    **Example**: Log4Shell (CVE-2021-44228) appears in KEV → +30 points
  </Accordion>

  <Accordion title="Proof-of-Concept Available (25 points)" icon="code">
    **Weight: 25 points**

    Indicates if working exploit code is publicly available.

    * **Sources**: Public exploit databases and repositories
    * **Why it matters**: Public exploit code dramatically lowers the barrier for attackers

    **Example**: If public exploit code or a PoC repository exists → +25 points
  </Accordion>

  <Accordion title="Weaponized Tooling (15 points)" icon="hammer">
    **Weight: 15 points**

    Indicates if easy-to-use exploit tools exist in penetration testing frameworks.

    * **Sources**: Exploitation frameworks and toolkits
    * **Why it matters**: Weaponized tools make exploitation trivial, even for low-skill attackers

    **Example**: If an exploit module exists in a public framework → +15 points
  </Accordion>

  <Accordion title="Security Research Available (15 points)" icon="microscope">
    **Weight: 15 points**

    Indicates if detailed security research or technical analysis exists.

    * **Sources**: Security advisories, technical publications, research papers
    * **Why it matters**: Deep technical analysis confirms exploitability and provides attack paths

    **Example**: If detailed vendor advisories or research papers exist → +15 points
  </Accordion>

  <Accordion title="Ease of Exploitation (15 points)" icon="gauge">
    **Weight: 15 points**

    Measures how technically difficult the vulnerability is to exploit, derived from CVSS vector components.

    * **Source**: CVSS vector from scanner reports
    * **Components considered**:
      * **Attack Vector**: Network, Adjacent, Local, or Physical
      * **Attack Complexity**: Low or High
      * **Privileges Required**: None, Low, or High
      * **User Interaction**: None or Required

    **Example**: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N` (network, low complexity, no privileges, no interaction) → +15 points

    **Example**: `CVSS:3.1/AV:L/AC:H/PR:H/UI:R` (local, high complexity, high privileges, interaction required) → +3.75 points
  </Accordion>
</AccordionGroup>

### EPSS Fallback

When no threat intelligence signals are found but EPSS data is available, Backline uses the EPSS probability as a fallback score.

**EPSS (Exploit Prediction Scoring System)** is a machine-learning-based estimate (0-100%) of the probability that a vulnerability will be exploited in the next 30 days.

**Example**: EPSS probability of 0.42 (42%) becomes a score of 42

<Warning>
  EPSS is used only as a fallback when no concrete evidence exists. Actual evidence (KEV listings, public exploits, weaponized tools) always takes precedence.
</Warning>

### Classification Logic

After computing the score, Backline applies classification rules:

<AccordionGroup>
  <Accordion title="YES - Exploitable" icon="skull-crossbones">
    Score ≥ 60 **AND** (Proof-of-Concept exists **OR** Active exploitation detected)
  </Accordion>

  <Accordion title="UNCERTAIN - Moderate Signals" icon="triangle-exclamation">
    Score between 40 and 59, or edge cases where indicators are mixed
  </Accordion>

  <Accordion title="NO - Unlikely" icon="shield-check">
    Score \< 40 **AND** No PoC **AND** No active exploitation
  </Accordion>

  <Accordion title="N/A - Insufficient Data" icon="circle-info">
    No data available from any threat intelligence source
  </Accordion>
</AccordionGroup>
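
The weights, EPSS fallback and classification rules above, written out as a Python sketch (an added example, not Backline's code). It assumes the ease-of-exploitation points are supplied by the caller, since the page does not give the CVSS-to-points mapping, that the EPSS fallback replaces the regular score as in Example 3, and that a finding with no inputs at all is N/A; `Signals`, `score` and `classify` are hypothetical names.

```python
from dataclasses import dataclass
from typing import Optional

# Point weights as listed under "Signal Components" on this page.
W_ACTIVE, W_POC, W_WEAPONIZED, W_RESEARCH = 30, 25, 15, 15

@dataclass
class Signals:
    active_exploitation: bool = False   # e.g. the CVE is listed in CISA KEV
    poc_available: bool = False
    weaponized_tooling: bool = False
    research_available: bool = False
    # 0-15 points, supplied by the caller: the page does not document how
    # CVSS vector components map to points, so no mapping is invented here.
    ease_points: Optional[float] = None
    epss: Optional[float] = None        # EPSS probability, 0.0-1.0

def evidence_points(s: Signals) -> int:
    """Sum of the four evidence-based signals (excludes ease of exploitation)."""
    return (W_ACTIVE * s.active_exploitation + W_POC * s.poc_available
            + W_WEAPONIZED * s.weaponized_tooling + W_RESEARCH * s.research_available)

def score(s: Signals) -> Optional[float]:
    """Return the 0-100 score, or None when there is nothing to score."""
    evidence = evidence_points(s)
    if evidence == 0 and s.epss is not None:
        # EPSS fallback: assumed to replace the regular score, as in Example 3.
        return round(s.epss * 100)
    if evidence == 0 and s.ease_points is None:
        return None  # assumption: no input from any source means N/A
    return min(100, evidence + (s.ease_points or 0))

def classify(s: Signals) -> str:
    sc = score(s)
    if sc is None:
        return "N/A"
    confirmed = s.poc_available or s.active_exploitation
    if sc >= 60 and confirmed:
        return "YES"
    if sc < 40 and not confirmed:
        return "NO"
    return "UNCERTAIN"  # 40-59, or mixed indicators (the page's "edge cases")

# Inputs constructed from the page's three Real-World Examples.
LOG4SHELL = Signals(True, True, True, True, ease_points=15)
LOCAL_PRIVESC = Signals(poc_available=True, research_available=True, ease_points=9)
EPSS_ONLY = Signals(ease_points=15, epss=0.78)
```

Note the two cases the thresholds alone do not decide: a score of 60 or more without a PoC or active exploitation, and a score below 40 with a PoC, both land in UNCERTAIN here.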

## Real-World Examples

### Example 1: Log4Shell (CVE-2021-44228) 🔥

**Context**: One of the most critical vulnerabilities in recent history

**Threat Intelligence Signals**:

* ✅ Active Exploitation: Listed in CISA KEV catalog
* ✅ Proof-of-Concept: Multiple PoCs available publicly
* ✅ Weaponized Tools: Exploit modules exist in public frameworks
* ✅ Research: Extensive security research and writeups
* CVSS Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N`

**Score Calculation**:

```
Active Exploitation: +30 points (in KEV)
PoC Available: +25 points
Weaponized Tools: +15 points
Security Research: +15 points
Ease of Exploitation: +15 points (network accessible, low complexity)

Total Score: 100

Classification: YES (score ≥ 60 AND PoC exists)
```

***

### Example 2: Local Privilege Escalation with PoC ⚠️

**Context**: A privilege escalation vulnerability with public exploit code but limited scope

**Threat Intelligence Signals**:

* ❌ Active Exploitation: Not in KEV
* ✅ Proof-of-Concept: Public PoC code available
* ❌ Weaponized Tools: No exploit modules yet
* ✅ Research: Technical blog post with analysis
* CVSS Vector: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N`

**Score Calculation**:

```
Active Exploitation: 0 points (not in KEV)
PoC Available: +25 points
Weaponized Tools: 0 points
Security Research: +15 points
Ease of Exploitation: +9 points (local access required, low privileges)

Total Score: 49

Classification: UNCERTAIN (score 40-59)
```

***

### Example 3: EPSS Fallback - No Evidence Yet 📈

**Context**: Recently disclosed, no exploits, but EPSS suggests rising risk

**Threat Intelligence Signals**:

* ❌ Active Exploitation: Not in KEV
* ❌ Proof-of-Concept: No PoCs found
* ❌ Weaponized Tools: No exploit modules
* ❌ Research: Only basic disclosure
* EPSS: 0.78 (78% probability)
* CVSS Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N`

**Score Calculation**:

```
Active Exploitation: 0 points (not in KEV)
PoC Available: 0 points
Weaponized Tools: 0 points
Security Research: 0 points
Ease of Exploitation: +15 points (network accessible, low complexity)

Regular Score: 15

EPSS Fallback applies (no concrete evidence):
Score: 78 (from EPSS probability 0.78)

Classification: UNCERTAIN (high score but no PoC or active exploitation)
```

## Related Documentation

<CardGroup cols={2}>
  <Card title="Vulnerabilities" icon="bug" href="/get-started/vulnerabilities">
    Learn about the vulnerability dashboard and filtering
  </Card>

  <Card title="Remediations" icon="wrench" href="/get-started/remediations">
    Understand how remediations work in Backline
  </Card>

  <Card title="SLA Settings" icon="clock" href="/settings/sla">
    Configure SLA policies for your organization
  </Card>

  <Card title="Dashboard" icon="chart-bar" href="/get-started/dashboard">
    View metrics and trends across your organization
  </Card>
</CardGroup>
