
Overview

Not all vulnerabilities are equally dangerous. Some are theoretical—no one has figured out how to exploit them yet—while others are being actively used by attackers right now. The Exploit Signals system helps you answer one critical question:
“How likely is this vulnerability to be exploited in the real world?”
Backline calculates exploitability scores (0-100) by combining multiple threat intelligence signals from public data sources. This score, alongside severity, helps security teams prioritize which vulnerabilities to fix first.

Why Exploit Signals Matter

Traditional severity scores (Critical, High, Medium, Low) tell you how bad a vulnerability could be if exploited. Exploit signals tell you how likely it is to be exploited, based on:
  • Active exploitation in the wild
  • Availability of proof-of-concept (PoC) code
  • Weaponized exploit tools
  • Technical ease of exploitation
Exploit signals complement severity ratings. A “Critical” severity vulnerability with low exploitability may present a different risk than a “High” severity vulnerability with active exploitation.

How It Works

When vulnerability reports are uploaded to Backline, the system automatically:
  1. Gathers threat intelligence from multiple public data sources
  2. Calculates scores using a weighted formula
  3. Classifies exploitability as YES, UNCERTAIN, NO, or N/A
  4. Displays signals in your vulnerability dashboard
Calculation happens asynchronously after report upload. Vulnerabilities show “CALCULATING” status initially, then update with final signals within minutes.

Understanding Exploitability Classifications

Backline classifies vulnerabilities into four exploitability categories:

YES - Exploitable

There’s proof-of-concept code or active exploitation happening.
  • Score ≥ 60 with PoC or active exploitation
  • Confirmed exploitable in the wild

UNCERTAIN - Moderate Signals

Some indicators exist, but exploitation isn’t confirmed.
  • Score 40-59, or edge cases
  • Indicators present but not definitive

NO - Unlikely

No evidence of exploitation yet.
  • Score < 40 without PoC or active exploitation
  • Limited exploitability signals

N/A - Insufficient Data

No vulnerability intelligence available.
  • Very new or obscure vulnerabilities
  • Insufficient data to calculate score

The Score Calculation

Exploitability scores are calculated using a weighted formula that combines multiple threat intelligence signals. Each signal contributes points to the final score (0-100):

Signal Components

Active Exploitation
Weight: 30 points (highest priority)
Indicates if the vulnerability is actively being exploited in the wild.
  • Source: CISA Known Exploited Vulnerabilities (KEV) catalog
  • Why it matters: Active exploitation means attackers are using this vulnerability right now
Example: Log4Shell (CVE-2021-44228) appears in KEV → +30 points

PoC Available
Weight: 25 points
Indicates if working exploit code is publicly available.
  • Sources: Public exploit databases and repositories
  • Why it matters: Public exploit code dramatically lowers the barrier for attackers
Example: If public exploit code or PoC repository exists → +25 points

Weaponized Tools
Weight: 15 points
Indicates if easy-to-use exploit tools exist in penetration testing frameworks.
  • Sources: Exploitation frameworks and toolkits
  • Why it matters: Weaponized tools make exploitation trivial, even for low-skill attackers
Example: If an exploit module exists in a public framework → +15 points

Security Research
Weight: 15 points
Indicates if detailed security research or technical analysis exists.
  • Sources: Security advisories, technical publications, research papers
  • Why it matters: Deep technical analysis confirms exploitability and provides attack paths
Example: If detailed vendor advisories or research papers exist → +15 points

Ease of Exploitation
Weight: 15 points
Measures how technically difficult the vulnerability is to exploit, derived from CVSS vector components.
  • Source: CVSS vector from scanner reports
  • Components considered:
    • Attack Vector: Network, Adjacent, Local, or Physical
    • Attack Complexity: Low or High
    • Privileges Required: None, Low, or High
    • User Interaction: None or Required
Example: CVSS:3.1/AV:N/AC:L/PR:N/UI:N (network, low complexity, no privileges, no interaction) → +15 points
Example: CVSS:3.1/AV:L/AC:H/PR:H/UI:R (local, high complexity, high privileges, interaction required) → +3.75 points

EPSS Fallback

When no threat intelligence signals are found but EPSS data is available, Backline uses the EPSS probability as a fallback score. EPSS (Exploit Prediction Scoring System) is a machine learning-based probability (0-100%) that predicts the likelihood of exploitation in the next 30 days.
Example: EPSS probability of 0.42 (42%) becomes a score of 42
EPSS is used only as a fallback when no concrete evidence exists. Actual evidence (KEV listings, public exploits, weaponized tools) always takes precedence.

Classification Logic

After computing the score, Backline applies classification rules:
  • YES: Score ≥ 60 AND (Proof-of-Concept exists OR Active exploitation detected)
  • UNCERTAIN: Score between 40-59, or edge cases where indicators are mixed
  • NO: Score < 40 AND No PoC AND No active exploitation
  • N/A: No data available from any threat intelligence source

Real-World Examples

Example 1: Log4Shell (CVE-2021-44228) 🔥

Context: One of the most critical vulnerabilities in recent history
Threat Intelligence Signals:
  • ✅ Active Exploitation: Listed in CISA KEV catalog
  • ✅ Proof-of-Concept: Multiple PoCs available publicly
  • ✅ Weaponized Tools: Exploit modules exist in public frameworks
  • ✅ Research: Extensive security research and writeups
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N
Score Calculation:
Active Exploitation: +30 points (in KEV)
PoC Available: +25 points
Weaponized Tools: +15 points
Security Research: +15 points
Ease of Exploitation: +15 points (network accessible, low complexity)

Total Score: 100

Classification: YES (score ≥ 60 AND PoC exists)

Example 2: Local Privilege Escalation with PoC ⚠️

Context: A privilege escalation vulnerability with public exploit code but limited scope
Threat Intelligence Signals:
  • ❌ Active Exploitation: Not in KEV
  • ✅ Proof-of-Concept: Public PoC code available
  • ❌ Weaponized Tools: No exploit modules yet
  • ✅ Research: Technical blog post with analysis
  • CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N
Score Calculation:
Active Exploitation: 0 points (not in KEV)
PoC Available: +25 points
Weaponized Tools: 0 points
Security Research: +15 points
Ease of Exploitation: +9 points (local access required, low privileges)

Total Score: 49

Classification: UNCERTAIN (score 40-59)

Example 3: EPSS Fallback - No Evidence Yet 📈

Context: Recently disclosed, no exploits, but EPSS suggests rising risk
Threat Intelligence Signals:
  • ❌ Active Exploitation: Not in KEV
  • ❌ Proof-of-Concept: No PoCs found
  • ❌ Weaponized Tools: No exploit modules
  • ❌ Research: Only basic disclosure
  • EPSS: 0.78 (78% probability)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N
Score Calculation:
Active Exploitation: 0 points (not in KEV)
PoC Available: 0 points
Weaponized Tools: 0 points
Security Research: 0 points
Ease of Exploitation: +15 points (network accessible, low complexity)

Regular Score: 15

EPSS Fallback applies (no concrete evidence):
Score: 78 (from EPSS probability 0.78)

Classification: UNCERTAIN (high score but no PoC or active exploitation)
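
The weighted formula, EPSS fallback and classification rules described on this page, written out as an added Python example (not Backline's own code) that reproduces the three worked examples. The names `Signals`, `score` and `classify` are hypothetical. Assumptions: the CVSS-derived ease points are passed in already computed because the page does not give that mapping, the fallback applies when none of the four intelligence signals is present, and N/A means there is also no EPSS value and no CVSS vector.

```python
from dataclasses import dataclass
from typing import Optional

# Weights of the four threat-intelligence signals, as listed on this page.
WEIGHTS = {"kev": 30, "poc": 25, "weaponized": 15, "research": 15}
EASE_MAX = 15.0  # ease of exploitation contributes up to 15 points


@dataclass
class Signals:  # hypothetical container, not a Backline type
    kev: bool = False         # listed in the CISA KEV catalog
    poc: bool = False         # public PoC or exploit code exists
    weaponized: bool = False  # module exists in an exploitation framework
    research: bool = False    # detailed advisory or technical analysis exists
    ease: Optional[float] = None  # 0-15 points from the CVSS vector, None if no vector
    epss: Optional[float] = None  # EPSS probability 0.0-1.0, None if unavailable


def score(s: Signals) -> Optional[float]:
    """Return the 0-100 exploitability score, or None when nothing can be scored."""
    if s.ease is not None and not 0.0 <= s.ease <= EASE_MAX:
        raise ValueError("ease points must be within 0-15")
    if s.epss is not None and not 0.0 <= s.epss <= 1.0:
        raise ValueError("EPSS must be a probability within 0-1")
    found = [name for name in WEIGHTS if getattr(s, name)]
    if not found:
        # Assumption: "no signals found" means none of the four above; the
        # CVSS-derived ease points alone do not block the EPSS fallback.
        if s.epss is not None:
            return round(s.epss * 100, 2)
        if s.ease is None:
            return None  # no intelligence, no EPSS, no CVSS vector
    return sum(WEIGHTS[name] for name in found) + (s.ease or 0.0)


def classify(s: Signals) -> str:
    """Apply the page's classification rules to the computed score."""
    value = score(s)
    if value is None:
        return "N/A"
    confirmed = s.poc or s.kev  # PoC exists or active exploitation detected
    if value >= 60 and confirmed:
        return "YES"
    if value < 40 and not confirmed:
        return "NO"
    return "UNCERTAIN"  # 40-59, plus mixed cases such as a high score without PoC
```

A finding with a PoC but a score under 40 also lands in UNCERTAIN under these rules, since it meets neither the YES nor the NO condition.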