Security teams face a persistent vulnerability prioritization problem. At any given moment, there are more alerts, more vulnerabilities, more threat intelligence findings, and more potential incidents than any team has capacity to address. The question is not whether to prioritize. It is what principle to prioritize by.
The dominant model is threat-severity prioritization: rank by the severity of the threat, the CVSS score of the vulnerability, the criticality rating of the alert. High severity gets attention first. Low severity waits.
This model has a specific and consequential flaw. Threat severity is a property of the threat, not of the impact on your organization. A critical CVE with a CVSS score of 9.8 on a development sandbox behind strong controls with no sensitive data and no production connectivity is a low-priority finding. The same CVE on a payment processing system accessed by thousands of customers with controls that have been degraded for weeks is an emergency. The CVSS score is the same. The impact is completely different.
The ACT framework addresses this by reordering the question to achieve true, risk-based vulnerability prioritization.
Assets first
Before evaluating any threat or vulnerability, understand the asset it affects. What is this system? What does it do? What is its criticality to the enterprise's operations? What data does it process or store? What other systems depend on it? Asset criticality is the multiplier that determines how much everything else matters.
Controls second
Once you know the asset, understand the state of the controls on it. Not whether a control exists, but whether it is working as intended right now. A firewall rule that was misconfigured six weeks ago. An EDR agent that has been offline for three days. A privileged account whose MFA was quietly disabled. These control degradations are the holes in the roof. They transform a theoretical risk into an active exposure.
Threats third
Now evaluate the threat, in the specific context of this asset, with these controls in this state. Is this threat actively exploiting this type of asset? Is there evidence of this technique being used against organizations in your industry right now? Does the threat's approach align with the specific gaps in your current control posture?
The intersection of a critical asset, degraded controls, and an active, relevant threat is where real urgency lives. Everything else is managed risk, not an emergency.
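As an added illustration of the three-step ordering above (this is example code, not Netenrich's or the Resolution Intelligence Cloud's implementation), the following ranks a few constructed findings both by raw CVSS and by an ACT-style score in which asset criticality multiplies everything else. The weights, asset classes and findings are all assumptions chosen to reproduce the sandbox-versus-payment-system contrast from the article.

```python
from dataclasses import dataclass

# Constructed criticality weights; a real deployment would calibrate these.
ASSET_CRITICALITY = {"sandbox": 1, "internal": 2, "customer-facing": 4, "payment": 5}


@dataclass
class Finding:
    name: str
    cvss: float
    asset_class: str         # key into ASSET_CRITICALITY
    degraded_controls: int   # controls not working as intended right now
    threat_active: bool      # evidence this technique is used against this asset type


def act_score(f: Finding) -> float:
    """Assets first (multiplier), controls second, threat third, CVSS last."""
    asset = ASSET_CRITICALITY[f.asset_class]
    control_factor = 1.0 + f.degraded_controls   # each hole in the roof widens exposure
    threat_factor = 2.0 if f.threat_active else 1.0
    return asset * control_factor * threat_factor * (f.cvss / 10.0)


def triage(f: Finding) -> str:
    """Emergency only at the intersection of critical asset, degraded controls, active threat."""
    critical_asset = ASSET_CRITICALITY[f.asset_class] >= 4
    if critical_asset and f.degraded_controls > 0 and f.threat_active:
        return "emergency"
    return "managed"


def prioritize(findings, by="act"):
    key = act_score if by == "act" else (lambda f: f.cvss)
    return [f.name for f in sorted(findings, key=key, reverse=True)]


# Constructed findings mirroring the article's scenario (no real CVE ids).
FINDINGS = [
    Finding("critical CVE (9.8) on dev sandbox", 9.8, "sandbox", 0, False),
    Finding("critical CVE (9.8) on payment system, controls degraded", 9.8, "payment", 2, True),
    Finding("high CVE (8.1) on internal wiki", 8.1, "internal", 0, False),
    Finding("medium CVE (6.5) on payment system, MFA disabled", 6.5, "payment", 1, True),
]

if __name__ == "__main__":
    print("CVSS order:", prioritize(FINDINGS, by="cvss"))
    print("ACT order: ", prioritize(FINDINGS, by="act"))
    for f in FINDINGS:
        print(f"{triage(f):9s} {act_score(f):6.2f}  {f.name}")
```

Under CVSS ordering the sandbox finding ties for first and the medium payment-system finding lands last; under ACT ordering both payment-system findings come first and the sandbox drops to the bottom.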
At Netenrich, ACT is not just a vulnerability prioritization framework. It is the architecture of how the Resolution Intelligence Cloud produces intelligence. Every inference, every score, every alert is contextualized against asset criticality and control state before it reaches an analyst. The analyst sees impact-based priority, not raw threat severity.
The result is a security operation that spends its attention where it actually matters, not where the threat intelligence says the storm is worst, but where the storm meets a hole in the roof.
*Part of my ongoing series on data science and the future of security operations.*