Methodology

DREAD risk scoring for
vulnerability management

DREAD scores a weakness by its real-world consequences on a specific asset — Damage, Reproducibility, Exploitability, Affected users, Discoverability — instead of by an abstract severity label. Centraleyezer automates DREAD per finding, mapping every scanner's severity scale to a tunable DREAD vector, and combines it with five more contextual factors to produce one comparable risk score across your whole estate.

The five DREAD questions

Each factor is scored 1–10 for a finding on a given asset; together they describe how much a weakness actually matters where it lives:

D

Damage

How bad is it if this weakness is exploited on this asset — data loss, downtime, safety, regulatory impact?

R

Reproducibility

How reliably can the attack be repeated — every time, or only under rare conditions?

E

Exploitability

How much skill, access, and effort does exploitation require in practice?

A

Affected users

How many users, systems, or clients are hit when it goes wrong?

D

Discoverability

How easily does an attacker find the weakness — requires source access, or indexed by Shodan today?

DREAD vs CVSS vs EPSS

 
CVSS
EPSS
DREAD (contextual)
What it measures
Intrinsic technical severity of a CVE
Global probability of exploitation in the next 30 days
Consequences of this weakness on this asset
Context-aware?
No — same score everywhere
No — same score everywhere
Yes — scored per finding, per asset
Typical use
Severity labelling, compliance thresholds
Trend/probability signal
Prioritisation of real remediation work
Blind spot
Ignores your environment entirely
Ignores asset value and blast radius
Needs consistent mappings (automated in Centraleyezer)
In Centraleyezer
Imported and displayed, not scored on
Imported and displayed, not scored on
One of six factors driving the risk score

Deeper comparison with worked examples: Contextual RBVM — DREAD vs CVSS & EPSS

How Centraleyezer automates DREAD

Manual DREAD died in spreadsheets because every analyst scored differently. Centraleyezer removes the variance: every one of the 40+ scanner integrations carries a severity-to-DREAD mapping — a Nessus severity 4, a Qualys 5, or a Burp “High” each resolve to a defined Damage / Reproducibility / Exploitability / Affected / Discoverability vector. The defaults ship per scanner and are fully editable per source.

The DREAD vector is then only one of six factors: asset criticality, network exposure, exploitability in your environment, CTI signals, and a human/AI feedback loop (which adapts risk to how your teams actually respond) complete the score. CVSS, EPSS, and CISA KEV are deliberately not scoring inputs — they are preserved on each finding for reference, filtering, and reports.

The result: two identical CVEs land at very different queue positions when one sits on an internet-facing payment system and the other on an isolated dev VM — which is exactly what your remediation team needed to know.

Common questions

What does DREAD stand for?

Damage, Reproducibility, Exploitability, Affected users, and Discoverability — five questions scored per threat. DREAD originated in Microsoft’s threat-modelling practice as a way to rank risks by their real-world consequences rather than by an abstract severity label.

How is DREAD different from CVSS?

CVSS describes a vulnerability’s intrinsic technical severity — the same CVE gets the same base score everywhere on Earth. DREAD asks contextual questions about a specific weakness on a specific asset: how much damage here, how many users affected here, how discoverable here. That per-asset framing is what makes it usable for prioritisation.

Does Centraleyezer replace CVSS and EPSS with DREAD?

For scoring, yes: CVSS, EPSS, and CISA KEV are not inputs to the risk score. Each finding gets a DREAD vector — mapped automatically from the scanner’s own severity scale and tunable per source — which combines with asset criticality, network exposure, environment-specific exploitability, CTI signals, and a human/AI feedback loop. CVSS/EPSS values are still imported and shown on findings for reference and reporting.

How do scanner severities become DREAD values?

Every import source carries a severity-to-DREAD mapping table: for example a Nessus severity 4 or a Qualys severity 5 maps to a defined [Damage, Reproducibility, Exploitability, Affected, Discoverability] vector. The defaults ship per scanner and are fully editable, so your risk model reflects your judgement, not a vendor’s black box.

Is DREAD subjective?

The classic criticism — different people score differently — applies to ad-hoc manual DREAD. Centraleyezer removes that variance: mappings are defined once per scanner/severity, applied consistently by the platform, and refined over time by the human/AI feedback loop instead of by gut feel in a spreadsheet.

Why not just use EPSS for prioritisation?

EPSS predicts the probability that a CVE is exploited somewhere in the world in the next 30 days. It says nothing about whether the affected asset is your crown-jewel database or a dev VM, whether it is internet-exposed, or what the blast radius is. Exploitation probability is one useful signal; it is not business risk.

See DREAD-based scoring on your own data

Bring one scanner export to a 30-minute demo and watch the queue reorder by real risk.

DREAD Risk Scoring for Vulnerability Management | Centraleyezer