Vulnerability Haruspicy: Picking Out Risk Signals from Scoring System Entrails

Black Hat USA 2025 · Day 1 · Briefings

RunZero researcher Todd Carroll walks through CVSS, EPSS, and SSVC — the three dominant vulnerability scoring and prioritization systems — exposing what each actually measures, where each breaks down, and how security teams can use them together without mistaking statistical noise for signal. His central thesis: vulnerability scoring systems are sophisticated tools that, if misread as oracles, become modern haruspicy — reading meaning into patterns that may be artifacts of how data is collected and reported rather than reflections of actual risk.

---

AI review

Carroll knows his material and the haruspicy framing is more than a gimmick — it accurately diagnoses the industry's relationship with CVSS scores as a form of ritual number-reading. Competent demystification of three systems most practitioners misuse, but the veteran crowd already knows this.