Explainable Risk-Based Vulnerability Prioritization in Hybrid Cloud: Integrating CVSS, EPSS, and CISA KEV with Asset Criticality Signals

The paper describes a risk-based, explainable vulnerability prioritization scheme that is specific to a hybrid cloud environment, incorporates CVSS (severity), EPSS (probability of exploitation), CISA KEV (evidence of active exploitation), and asset criticality indicators (criticality tier, exposure, compensating controls), to make optimal remediation decisions. The hybrid clouds, which consist of on-premises, public (AWS, Azure, Google Cloud), and private cases, generate dynamic and fragmented surfaces of attack, with temporary assets and collective security efforts. By 2025, the NVD will have published to the database around 48,185 new CVEs (an increase of 20.6% over 2024), bringing the overall count to more than 308,000 and producing tens of thousands of findings per scan cycle in an average enterprise. Conventional CVSS-only prioritization causes alert fatigue, ineffective utilization of resources and long-term exposure since scores are fixed, theoretical, and context-independent, and do not correlate well with actual exploitation.
The framework combines these signals into a clear weighted linear composite score, augmented with rule-based overrides (e.g. KEV-listed CVEs automatically escalate to Critical) and a transparency layer, which gives contribution breakdowns, natural-language descriptions, and audit-readable logs. Simulated hybrid dataset (approximately 25,000 vulnerabilities on 12,000 asset) evaluations have demonstrated 80-95 percent decrease in urgent remediation tasks compared to CVSS baseline, 85-92 percent exploit vulnerability recall, efficiency ratio of about 4.7 times, and a reduction in exposure period of high-risk items to around 9 days versus 41 days. The internet-facing critical assets were properly raised by the Hybrid-specific context amplification.
This provides a lightweight, interpretable model that can be deployed using existing tools/APIs and governance-aligned transparency that can be audited and reported using ISO 27001/SOC 2 tools and executive reporting. Guidelines on implementation include workflows, SLAS (e.g. 7 days in case of KEV) and dashboards. Limitations (e.g. dependency on asset tagging, non-linearity in KEV) are identified, and directions of future research, which may potentially include non-linear ML with SHAP explainability and cloud-native signals are noted.