AGENDA
Maximize your time on the ground.
Navigate the full schedule of training sessions, peer-to-peer intelligence sharing, and uncompromising keynote presentations.
8:30 AM - 9:14 AM PST (45 MIN)
Building a Risk-Based Vulnerability Management Program That Actually Reflects Exploitability
A CVSS 9.8 vulnerability sitting on an isolated test server is not the same risk as a CVSS 7.5 vulnerability on an internet-facing system that threat actors are actively exploiting right now. Yet most MSPs still build their patching priorities around severity score alone, a habit that made sense when the National Vulnerability Database (NVD) reliably enriched every CVE and exploitation data was hard to come by. Neither condition holds anymore. This session introduces risk-based vulnerability management (RBVM): a prioritization model built on exploitability data such as Exploit Prediction Scoring System (EPSS) probabilities, asset criticality, and active threat intelligence, layered on top of (not instead of) traditional severity scoring. Attendees will learn how to combine CVSS, EPSS, and CISA's Known Exploited Vulnerabilities (KEV) catalog into a single defensible scoring model; how to explain "why we patched this and not that" to a client in plain language; and how to build the lightweight internal process that makes RBVM sustainable for a five-person MSP team, not just an enterprise SOC. The session closes with a working scorecard template attendees can implement the same week.
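The scoring model the session describes can be sketched in a few dozen lines. The block below is an added illustration, not the speaker's scorecard or any vendor's tool: it folds CVSS, EPSS, KEV membership, network exposure and asset criticality into one 0-100 score, maps that to a patch tier, and emits the one-line justification a client would see. The weight tables, tier thresholds, the EPSS floor and the "KEV is never backlog" guardrail are assumed policy choices, and the three findings are constructed sample data (placeholder identifiers, not real CVEs) that mirror the abstract's 9.8-on-a-test-box versus 7.5-on-the-edge comparison.

```python
"""Added example: a small risk-based vulnerability management (RBVM) scorer.

Combines CVSS base score, EPSS probability, CISA KEV membership, network
exposure and asset criticality into one number plus a plain-language reason.
Weights and thresholds below are illustrative policy, not a standard; tune
them per client and write the chosen values down so the ranking is defensible.
"""
from dataclasses import dataclass

# Assumed policy tables (not from the session); adjust per client.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}
CRITICALITY_WEIGHT = {1: 1.0, 2: 0.7, 3: 0.4}  # 1 = crown jewel, 3 = disposable
EPSS_FLOOR = 0.2  # exploit factor never goes below this, so CVSS still matters

# Ordered most to least urgent: (tier name, minimum score).
TIERS = [
    ("P1 patch within 72h", 50.0),
    ("P2 patch this cycle", 20.0),
    ("P3 next maintenance window", 5.0),
    ("P4 backlog, track", 0.0),
]
KEV_MIN_TIER = 1  # index into TIERS: anything in KEV is at least P2 (assumed guardrail)


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float        # CVSS v3.x base score, 0.0-10.0
    epss: float        # EPSS probability of exploitation within 30 days, 0.0-1.0
    in_kev: bool       # listed in CISA Known Exploited Vulnerabilities
    exposure: str      # key of EXPOSURE_WEIGHT
    criticality: int   # key of CRITICALITY_WEIGHT


def exploit_factor(f: Finding) -> float:
    """KEV membership is treated as certainty; otherwise scale EPSS above a floor."""
    if f.in_kev:
        return 1.0
    if not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"{f.cve}: EPSS must be a probability, got {f.epss}")
    return EPSS_FLOOR + (1.0 - EPSS_FLOOR) * f.epss


def risk_score(f: Finding) -> float:
    """0-100: CVSS sets the ceiling, every other factor only scales it down."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.cve}: CVSS must be 0-10, got {f.cvss}")
    score = 100.0 * (f.cvss / 10.0)
    score *= exploit_factor(f)
    score *= EXPOSURE_WEIGHT[f.exposure]
    score *= CRITICALITY_WEIGHT[f.criticality]
    return round(score, 1)


def priority(f: Finding) -> str:
    """Map the score to a tier, then apply the KEV guardrail."""
    score = risk_score(f)
    idx = next(i for i, (_, floor) in enumerate(TIERS) if score >= floor)
    if f.in_kev and idx > KEV_MIN_TIER:
        idx = KEV_MIN_TIER  # a known-exploited bug never sits in the backlog
    return TIERS[idx][0]


def explain(f: Finding) -> str:
    """The one-line 'why we patched this and not that' for the client."""
    evidence = "in CISA KEV (actively exploited)" if f.in_kev else f"EPSS {f.epss:.0%}"
    return (f"{f.cve} on {f.asset}: {priority(f)} (score {risk_score(f)}). "
            f"CVSS {f.cvss}, {evidence}, exposure {f.exposure}, tier-{f.criticality} asset.")


def rank(findings):
    """Highest risk first; this is the patch order."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings (placeholder IDs, not real CVEs or hosts).
SAMPLE = [
    Finding("CVE-EXAMPLE-1", "test-db-01", 9.8, 0.01, False, "isolated", 3),
    Finding("CVE-EXAMPLE-2", "vpn-gw-01", 7.5, 0.60, True, "internet", 1),
    Finding("CVE-EXAMPLE-3", "file-srv-02", 8.8, 0.45, False, "internal", 2),
]

if __name__ == "__main__":
    for finding in rank(SAMPLE):
        print(explain(finding))
```

Running it ranks the KEV-listed 7.5 on the VPN gateway first (score 75.0, P1) and the 9.8 on the isolated test database last (2.4, P4), which is the reordering the abstract argues for. Two design points matter more than the exact weights: the EPSS floor keeps a high-CVSS, low-EPSS finding from scoring zero (EPSS says "unlikely", not "impossible"), and the KEV guardrail keeps a known-exploited bug out of the backlog even when exposure and criticality would otherwise bury it, since CISA KEV entries carry their own remediation expectations.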
