Explainable Risk-Based Vulnerability Prioritization in Hybrid Cloud: Integrating CVSS, EPSS, and CISA KEV with Asset Criticality Signals
Kelvin Gyimah Agyei·Munashe Naphtali Mupa·Claude Anesu Samushonga·Tendai Nemure·Salvation Gwangwava·Hilton Hatitye Chisora·Marlon Bryce Monjoma
The paper describes an explainable, risk-based vulnerability prioritization scheme for hybrid cloud environments. It combines CVSS (severity), EPSS (probability of exploitation), CISA KEV (evidence of active exploitation), and asset criticality indicators (criticality tier, exposure, compensating controls) to make optimal remediation decisions. Hybrid clouds, which consist of on-premises, public (AWS, Azure, Google Cloud), and private environments, generate dynamic and fragmented
