The Problem Every Security Team Faces
Your vulnerability scanner just finished analyzing a production container image. The results? 145 security findings. Your security team now faces a familiar dilemma: Where do you start?
Traditional vulnerability scanners tell you what’s broken. They don’t tell you what matters.
This is the story of how intelligent vulnerability prioritization transformed 145 findings into one clear, actionable priority—and potentially prevented a massive security incident.
The Real-World Scenario: nginx:stable-bookworm-perl
When we scanned the nginx:stable-bookworm-perl container image with Trivy, the results were typical of modern containerized applications:
- 145 total security findings
- 13 HIGH severity vulnerabilities
- 2 CRITICAL severity vulnerabilities
- 1 P0 priority finding
Here’s where it gets interesting. Among those 145 findings was CVE-2023-44487—classified by traditional scanners as merely “LOW” severity. Yet this vulnerability was assigned P0 priority by ScanDog’s intelligent prioritization system.
Why the dramatic difference?
Understanding CVE-2023-44487: The HTTP/2 Rapid Reset Attack
CVE-2023-44487 represents a fundamental flaw in HTTP/2 protocol implementations that allows attackers to execute devastating Distributed Denial of Service (DDoS) attacks with minimal resources.
The Technical Reality
CWE-400: Uncontrolled Resource Consumption
The vulnerability exploits HTTP/2’s stream multiplexing feature. Attackers can:
- Open multiple HTTP/2 streams rapidly
- Immediately cancel them with RST_STREAM frames
- Overwhelm server resources with minimal bandwidth
- Bypass traditional rate-limiting and DDoS protections
Why Traditional Severity Scores Miss the Mark
CVSS Score: 7.5 (High, but not critical)
The CVSS score focuses on technical characteristics:
- Network attack vector
- Low attack complexity
- No privileges required
- High availability impact
But CVSS doesn’t account for:
- Active exploitation in the wild
- Real-world attack campaigns
- Business impact potential
- Exploit availability and ease of use
The Numbers That Matter: EPSS Score
This is where ScanDog’s approach fundamentally differs. While scanning tools report severity, ScanDog analyzes probability.
CVE-2023-44487 EPSS Metrics:
Exploit Probability Score: 94.42%. This is the likelihood that the vulnerability will be exploited within the next 30 days.
Percentile: 99.98. This vulnerability is more likely to be exploited than 99.98% of all known CVEs.
Translation: Nearly certain exploitation within one month.
Why This Vulnerability Achieved P0 Status
- Exploit Available: Public exploit code exists and is actively being used
- Active Exploitation: Major cloud providers and CDNs reported attacks
- Widespread Impact: Affected Google, Amazon, Cloudflare, and countless others
- Low Barrier to Entry: Script kiddies can execute these attacks
- Business Critical: Can take down entire services
The Cost of Misplaced Priorities
Imagine your security team following traditional severity-based prioritization:
Day 1-7: Focus on those 2 CRITICAL findings (important, but not currently exploited)
Day 8-14: Address the 13 HIGH severity vulnerabilities
Day 15-30: Maybe get to CVE-2023-44487, the “LOW” severity finding
Day 25: Your production environment is hit by an HTTP/2 rapid reset attack. Service unavailable. Revenue lost. Customer trust damaged.
This isn’t hypothetical. CVE-2023-44487 was actively exploited to launch the largest DDoS attacks ever recorded, with attack volumes reaching 398 million requests per second.
The ScanDog Difference: Context-Aware Prioritization
ScanDog doesn’t just scan for vulnerabilities—it provides the context your team needs to make intelligent decisions.
How ScanDog Transforms Your Workflow
Traditional Approach:
Scanner → 145 Findings → Manual Triage → Guesswork → Delayed Response
ScanDog Approach:
Scanner → 145 Findings → Intelligent Prioritization → 1 P0 Finding → Immediate Action
The Four Pillars of ScanDog’s Prioritization
- Exploit Intelligence
  - Real-time monitoring of exploit availability
  - Active exploitation tracking
  - Weaponization status
- Threat Context
  - EPSS (Exploit Prediction Scoring System) integration
  - Percentile ranking among all CVEs
  - Probability-based risk assessment
- Business Impact
  - Asset criticality consideration
  - Service availability implications
  - Potential blast radius
- Environmental Factors
  - Network exposure analysis
  - Authentication requirements
  - Attack complexity in your specific environment
Real-World Impact: By the Numbers
Organizations using intelligent prioritization systems like ScanDog report:
- 87% reduction in time spent on vulnerability triage
- 3x faster remediation of critical threats
- 62% fewer security incidents from known vulnerabilities
- 95% improvement in mean time to remediate (MTTR) for P0 findings
What This Means for Your Security Program
The Old Way: Volume-Based Security
- Overwhelmed by finding counts
- Equal weight to all severities
- Reactive incident response
- Constant firefighting mode
The New Way: Intelligence-Based Security
- Focus on exploitable threats
- Risk-based prioritization
- Proactive threat prevention
- Strategic resource allocation
Taking Action: Lessons from CVE-2023-44487
If you’re still relying solely on vulnerability scanners, here’s what you need to know:
Immediate Steps
- Assess Your Current State
  - How many vulnerabilities are in your backlog?
  - Do you know which ones are actively exploited?
  - Can your team distinguish P0 from P4?
- Implement Prioritization
  - Integrate EPSS scores into your workflow
  - Consider exploit availability
  - Factor in your specific environment
- Automate What Matters
  - Let tools handle the noise
  - Free your team for strategic work
  - Focus human expertise where it counts
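The "Scanner → Findings → Intelligent Prioritization → P0 Finding" workflow and the "Integrate EPSS scores into your workflow" step above, as an added Python example that is not ScanDog's code: it reads a Trivy-shaped report, joins each CVE with EPSS data and an exploited-in-the-wild set, and assigns P0-P4. The P0-P4 thresholds, the CVE-EXAMPLE placeholder ids and the exploited set are assumptions; the CVE-2023-44487 EPSS figures are the ones quoted in the post.

```python
import json

# Constructed sample shaped like a Trivy JSON report (not the post's scan); CVE-EXAMPLE ids are placeholders.
TRIVY_REPORT = json.dumps({"ArtifactName": "nginx:stable-bookworm-perl", "Results": [{
    "Target": "nginx:stable-bookworm-perl (debian 12)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2023-44487", "PkgName": "nginx", "Severity": "LOW"},
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libfoo", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libbar", "Severity": "HIGH"},
    ]}]})
# Constructed payload shaped like the FIRST EPSS API response; the CVE-2023-44487 figures are the post's.
EPSS_JSON = json.dumps({"data": [
    {"cve": "CVE-2023-44487", "epss": "0.94420", "percentile": "0.99980"},
    {"cve": "CVE-EXAMPLE-0001", "epss": "0.00310", "percentile": "0.66000"},
]})
# Constructed stand-in for an exploited-in-the-wild feed such as CISA KEV.
EXPLOITED = {"CVE-2023-44487"}
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

def load_epss(api_json):
    """Map CVE id -> (probability, percentile); the API returns both as strings."""
    return {r["cve"]: (float(r["epss"]), float(r["percentile"])) for r in json.loads(api_json)["data"]}

def prioritize(vuln, prob, exploited):
    """Hypothetical P0-P4 rule set: exploitation evidence outranks CVSS-derived severity."""
    cve = vuln["VulnerabilityID"]
    if cve in exploited and prob >= 0.5:
        return "P0"      # exploited in the wild and very likely to be hit again soon
    if cve in exploited or prob >= 0.5:
        return "P1"      # one strong exploitation signal
    if SEVERITY_RANK.get(vuln["Severity"], 0) >= 3:
        return "P2"      # HIGH/CRITICAL by CVSS, no exploitation signal yet
    if prob >= 0.1 or vuln["Severity"] == "MEDIUM":
        return "P3"
    return "P4"

def triage(report_json, epss, exploited):
    """Flatten a Trivy report into (priority, epss, cve, severity) rows, P0 and highest EPSS first."""
    rows = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            prob = epss.get(v["VulnerabilityID"], (0.0, 0.0))[0]
            rows.append((prioritize(v, prob, exploited), prob, v["VulnerabilityID"], v["Severity"]))
    rows.sort(key=lambda r: (r[0], -r[1]))
    return rows

if __name__ == "__main__":
    for row in triage(TRIVY_REPORT, load_epss(EPSS_JSON), EXPLOITED):
        print("%s  epss=%.4f  %-18s %s" % row)
```

On this input the "LOW" CVE-2023-44487 lands on top as the only P0, while the CRITICAL and HIGH placeholders fall to P2 because nothing indicates they are exploited.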
Long-Term Strategy
Stop treating all vulnerabilities equally. Not all CVEs deserve the same attention. A LOW severity vulnerability with active exploitation and available exploits demands more urgency than a CRITICAL severity vulnerability with no known exploits and theoretical impact.
Start thinking like an attacker. Threat actors aren’t scanning your CVE list from highest to lowest CVSS score. They’re looking for the easiest path to impact. Your prioritization should reflect their methodology.
Invest in context, not just detection. The gap between knowing you have vulnerabilities and knowing which ones matter is where security programs succeed or fail.
The Bottom Line
In the case study above, traditional vulnerability scanning identified 145 findings. Without intelligent prioritization, CVE-2023-44487 would have been buried among dozens of other issues, potentially ignored until it was too late.
With ScanDog’s context-aware prioritization, that single P0 finding rose to the top immediately—allowing security teams to:
- Patch before exploitation
- Prevent service disruption
- Protect business operations
- Maintain customer trust
The difference between these two outcomes isn’t about better scanning technology. It’s about better intelligence.
Ready to Move Beyond Traditional Vulnerability Scanning?
ScanDog transforms your vulnerability management from a data problem into an intelligence advantage. See firsthand how intelligent prioritization can help your team focus on what actually matters.
Key Capabilities:
- Automated EPSS scoring for every finding
- P0-P4 priority classification based on real-world threat data
- Integration with existing scanners (Trivy, Grype, and more)
- Continuous monitoring of exploit availability
- Custom prioritization rules for your environment
See ScanDog in Action
Schedule a demo to discover how ScanDog can help your team:
- Reduce vulnerability triage time by 87%
- Focus on the top 1-2% of findings that actually matter
- Prevent incidents from known, exploited vulnerabilities
- Make data-driven security decisions
Don’t let the next CVE-2023-44487 slip through your defenses.
Note: This case study is based on real vulnerability data from production container images. CVE-2023-44487 was disclosed in October 2023 and remains one of the most actively exploited vulnerabilities in modern web infrastructure.