Security BSides Las Vegas 2025

Rewriting the Playbook: Smarter Vulnerability Management with EPSSv3, CVSSv4, SSVC & VEX Frameworks
2025-08-05, Florentine F

Many financial institutions still rely on outdated CVSS-based prioritization models that create alert fatigue and leave critical, exploitable vulnerabilities buried in noise. This talk offers a practical, phased strategy for modernizing vulnerability management by combining four evolving frameworks: EPSS v4, CVSS v4, SSVC, and VEX.

The session walks through how each framework contributes—EPSS adds exploit likelihood, CVSSv4 refines severity scoring, SSVC brings context-aware decision logic, and VEX helps validate exploitability in specific environments. Together, they create a unified approach to triaging vulnerabilities across infrastructure and applications.
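The layering described above, written out as a small triage routine. This is an added example, not code from the talk or from the BSides organizers: the VEX statuses, SSVC decision points and CVSS v4 severity bands are the published vocabularies of those frameworks, but the EPSS thresholds, the collapsed SSVC deployer tree in `ssvc_decision`, and the sample findings (placeholder `CVE-EXAMPLE-*` ids with made-up scores) are this example's own assumptions.

```python
"""Layered vulnerability triage: VEX gate, then EPSS, then a simplified SSVC
deployer decision, with CVSS v4 as a tie-breaker inside each decision bucket.
Added example; thresholds and the collapsed SSVC tree are assumptions."""
from dataclasses import dataclass

# Assumed EPSS thresholds (constructed for this example; tune per environment).
EPSS_ACTIVE = 0.50  # at/above: treat exploitation as "active"
EPSS_POC = 0.10     # at/above: treat as "poc"

# SSVC deployer outcomes, most urgent first.
DECISION_PRIORITY = {"immediate": 0, "out_of_cycle": 1, "scheduled": 2, "defer": 3}


@dataclass
class Finding:
    cve: str            # constructed placeholder id, not a real CVE
    cvss_v4: float      # CVSS v4 base score, 0.0-10.0
    epss: float         # EPSS probability, 0.0-1.0
    vex_status: str     # VEX: affected | not_affected | fixed | under_investigation
    exposure: str       # SSVC system exposure: small | controlled | open
    automatable: bool   # SSVC automatable
    human_impact: str   # SSVC human impact: low | medium | high | very_high


def cvss_v4_rating(score: float) -> str:
    """CVSS v4 qualitative severity bands."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def exploitation_level(epss: float) -> str:
    """Map EPSS probability onto the SSVC exploitation decision point (assumed mapping)."""
    if epss >= EPSS_ACTIVE:
        return "active"
    if epss >= EPSS_POC:
        return "poc"
    return "none"


def ssvc_decision(exploitation: str, exposure: str, automatable: bool, human_impact: str) -> str:
    """Collapsed SSVC deployer tree (assumption: simplified from the CERT/CC tree)."""
    high_impact = human_impact in ("high", "very_high")
    if exploitation == "none":
        return "scheduled" if (high_impact and exposure == "open") else "defer"
    if exploitation == "poc":
        return "out_of_cycle" if (high_impact and (exposure == "open" or automatable)) else "scheduled"
    # active exploitation
    return "immediate" if (high_impact or exposure == "open") else "out_of_cycle"


def triage(f: Finding) -> dict:
    """VEX gate first: a supplier statement of not_affected/fixed removes the item from the queue."""
    base = {"cve": f.cve, "cvss_rating": cvss_v4_rating(f.cvss_v4)}
    if f.vex_status in ("not_affected", "fixed"):
        return {**base, "exploitation": None, "decision": "defer", "reason": f"VEX: {f.vex_status}"}
    expl = exploitation_level(f.epss)
    decision = ssvc_decision(expl, f.exposure, f.automatable, f.human_impact)
    return {**base, "exploitation": expl, "decision": decision,
            "reason": f"SSVC: exploitation={expl}, exposure={f.exposure}, "
                      f"automatable={f.automatable}, impact={f.human_impact}"}


def triage_all(findings):
    """Order the queue by SSVC decision, then by CVSS v4 score within a bucket."""
    results = [triage(f) for f in findings]
    scores = {f.cve: f.cvss_v4 for f in findings}
    return sorted(results, key=lambda r: (DECISION_PRIORITY[r["decision"]], -scores[r["cve"]]))


# Constructed sample findings (placeholder ids and made-up scores).
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", 9.8, 0.02, "not_affected", "open", True, "high"),
    Finding("CVE-EXAMPLE-0002", 6.5, 0.72, "affected", "open", True, "medium"),
    Finding("CVE-EXAMPLE-0003", 9.1, 0.15, "affected", "controlled", False, "high"),
    Finding("CVE-EXAMPLE-0004", 7.2, 0.01, "under_investigation", "small", False, "low"),
]

if __name__ == "__main__":
    for r in triage_all(SAMPLE_FINDINGS):
        print(f'{r["cve"]}: {r["decision"]:<12} cvss={r["cvss_rating"]:<8} {r["reason"]}')
```

The point the sample makes is the one the abstract makes: the 9.8 "Critical" that VEX says does not affect you drops to the bottom of the queue, while a 6.5 "Medium" with high EPSS on an internet-exposed system goes first. CVSS v4 only orders items that land in the same SSVC bucket, so a CVSS-only sort and this sort disagree exactly where the talk says they should.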

Attendees will gain practical guidance for integrating these models into their existing workflows, along with examples of how they’ve been used to reduce patch workload, streamline cross-team coordination, and stand up to audit scrutiny. This talk is aimed at security professionals working in regulated sectors—particularly those balancing technical risk, compliance, and remediation velocity.


This session is for anyone tired of fixing “critical” vulnerabilities that don’t actually matter while missing the ones that do. Through the lens of financial-sector security, the talk explores how modern frameworks like EPSS, CVSSv4, SSVC, and VEX can be layered together to build a smarter vulnerability management process.

Expect real-world examples, sample triage logic, and rollout ideas that won’t break your existing workflows. Whether you're in AppSec, infrastructure, or risk management, you’ll walk away with a better way to prioritize what matters most—and communicate those decisions clearly across teams.

I’m a senior security professional with a master’s in cybersecurity from Northeastern University and hands-on experience spanning infrastructure vulnerability management, application security, SOC operations, and IT audit. I’ve worked across diverse environments—financial services, healthcare, startups, and MSSPs—where I’ve helped teams evolve from traditional CVSS-only approaches to more risk-aligned models. My recent focus has been building centralized AppSec vulnerability triage workflows, integrating tools like Nexus, Contrast, and Jira for streamlined remediation. I’ve also worked closely with audit and compliance teams to map technical risks to frameworks like NIST, ISO 27001, and SOC2. Earlier in my career, I led SOC alert tuning, incident response, and detection engineering efforts, which gave me a solid foundation in real-time operations and threat behavior analysis. My work now centers on connecting these domains—bridging AppSec, infrastructure, SOC, and governance—to help orgs prioritize better, reduce noise, and move faster when it matters.