Exposure × exploitation-likelihood01 / MAP
Each product placed by exposed instances (x, log scale) against the EPSS exploitation likelihood of its CVEs (y). Bubble size = number of KEV CVEs. Top-right = most exposed and most likely to be exploited.
VPN / remote access
Edge / firewall
Enterprise / web apps
CVE → surface attribution02 / LEADERBOARD
Known-exploited vulnerabilities ranked by the exposed attack surface they explain, then by EPSS. This is the "attribute the surface to the CVEs" view.
| CVE | Attributed product | Exposed surface | EPSS | Ransomware |
|---|
Device → CVE drill-down03 / BY DEVICE
Expand a product to its actively-exploited (KEV) CVEs. Ransomware-linked CVEs are marked. Each links to its NVD record.
Pre-KEV exposure blind-spot04 / EARLY WARNING
Exposed catalog products carrying a recent (≤3y), high-likelihood (EPSS ≥ 50%) CVE that is not yet in CISA KEV — surface that may be heading toward active exploitation. A clear watch is a good sign, not an error.
| Product | Exposed surface | Non-KEV CVE | EPSS | Published |
|---|
⚠Upper-bound indicator. Exposed counts are internet-wide aggregates from Shodan; an exposed KEV-listed product is not necessarily running the vulnerable version. EPSS is a 30-day exploitation forecast, not observed attack volume.