DREAD risk scoring for
vulnerability management
DREAD scores a weakness by its real-world consequences on a specific asset — Damage, Reproducibility, Exploitability, Affected users, Discoverability — instead of by an abstract severity label. Centraleyezer automates DREAD per finding, mapping every scanner's severity scale to a tunable DREAD vector, and combines it with five more contextual factors to produce one comparable risk score across your whole estate.
The five DREAD questions
Each factor is scored 1–10 for a finding on a given asset; together they describe how much a weakness actually matters where it lives:
Damage
How bad is it if this weakness is exploited on this asset — data loss, downtime, safety, regulatory impact?
Reproducibility
How reliably can the attack be repeated — every time, or only under rare conditions?
Exploitability
How much skill, access, and effort does exploitation require in practice?
Affected users
How many users, systems, or clients are hit when it goes wrong?
Discoverability
How easily does an attacker find the weakness — requires source access, or indexed by Shodan today?
DREAD vs CVSS vs EPSS
Deeper comparison with worked examples: Contextual RBVM — DREAD vs CVSS & EPSS
How Centraleyezer automates DREAD
Manual DREAD died in spreadsheets because every analyst scored differently. Centraleyezer removes the variance: every one of the 40+ scanner integrations carries a severity-to-DREAD mapping — a Nessus severity 4, a Qualys 5, or a Burp “High” each resolve to a defined Damage / Reproducibility / Exploitability / Affected / Discoverability vector. The defaults ship per scanner and are fully editable per source.
The DREAD vector is then only one of six factors: asset criticality, network exposure, exploitability in your environment, CTI signals, and a human/AI feedback loop (which adapts risk to how your teams actually respond) complete the score. CVSS, EPSS, and CISA KEV are deliberately not scoring inputs — they are preserved on each finding for reference, filtering, and reports.
The result: two identical CVEs land at very different queue positions when one sits on an internet-facing payment system and the other on an isolated dev VM — which is exactly what your remediation team needed to know.
Common questions
What does DREAD stand for?
Damage, Reproducibility, Exploitability, Affected users, and Discoverability — five questions scored per threat. DREAD originated in Microsoft’s threat-modelling practice as a way to rank risks by their real-world consequences rather than by an abstract severity label.
How is DREAD different from CVSS?
CVSS describes a vulnerability’s intrinsic technical severity — the same CVE gets the same base score everywhere on Earth. DREAD asks contextual questions about a specific weakness on a specific asset: how much damage here, how many users affected here, how discoverable here. That per-asset framing is what makes it usable for prioritisation.
Does Centraleyezer replace CVSS and EPSS with DREAD?
For scoring, yes: CVSS, EPSS, and CISA KEV are not inputs to the risk score. Each finding gets a DREAD vector — mapped automatically from the scanner’s own severity scale and tunable per source — which combines with asset criticality, network exposure, environment-specific exploitability, CTI signals, and a human/AI feedback loop. CVSS/EPSS values are still imported and shown on findings for reference and reporting.
How do scanner severities become DREAD values?
Every import source carries a severity-to-DREAD mapping table: for example a Nessus severity 4 or a Qualys severity 5 maps to a defined [Damage, Reproducibility, Exploitability, Affected, Discoverability] vector. The defaults ship per scanner and are fully editable, so your risk model reflects your judgement, not a vendor’s black box.
Is DREAD subjective?
The classic criticism — different people score differently — applies to ad-hoc manual DREAD. Centraleyezer removes that variance: mappings are defined once per scanner/severity, applied consistently by the platform, and refined over time by the human/AI feedback loop instead of by gut feel in a spreadsheet.
Why not just use EPSS for prioritisation?
EPSS predicts the probability that a CVE is exploited somewhere in the world in the next 30 days. It says nothing about whether the affected asset is your crown-jewel database or a dev VM, whether it is internet-exposed, or what the blast radius is. Exploitation probability is one useful signal; it is not business risk.