Every security team knows the struggle: You’ve got hundreds (or thousands) of vulnerabilities, limited resources, and the constant question – “What should we fix first?”
CVSS scores? They’re a start, but they don’t know that your payment processing system is more critical than your internal wiki. Traditional severity ratings? They can’t tell that a “High” vulnerability on an air-gapped system poses less immediate risk than a “Medium” one on your internet-facing API.
Today, we’re thrilled to announce a game-changing feature that puts you in complete control: Customizable Risk-Based Prioritization Rules.
The Problem We’re Solving
Let’s paint a familiar picture. Your vulnerability scanner just finished its weekly run:
- 47 Critical vulnerabilities
- 238 High vulnerabilities
- 892 Medium vulnerabilities
- 2,341 Low vulnerabilities
Traditional approach? Start with the Criticals and work your way down. But we all know that’s not how real risk works.
[Image: Traditional vulnerability list sorted by CVSS score showing the limitations]
What if:
- Those Critical vulnerabilities are on internal development servers?
- A Medium vulnerability has a public exploit and sits on your customer data API?
- Your compliance requirements prioritize certain types of vulnerabilities?
- Different business units have different risk tolerances?
This is where static severity scores fail, and why we built Prioritization Rules.
Introducing Risk-Based Prioritization Rules: Your Risk, Your Rules
With just a flip of a switch, you can move from standard prioritization to custom rules that reflect your organization’s unique risk profile. No complex configurations, no coding, just an intuitive interface that puts you in control.
How It Works: Simple Yet Powerful
Creating prioritization rules is as easy as writing an IF-THEN statement:
IF a vulnerability matches your conditions
THEN add a specific score value
The beauty? You can layer multiple rules, weight them differently, and even use pre-built templates to get started quickly.
Building Your First Rule Set: A Visual Journey
Let’s walk through creating a rule set for critical web applications:
Step 1: Create a Rule Set
Click “Create Rule Set” and give it a meaningful name and description. This helps your team understand the purpose of each rule set at a glance.
Step 2: Define Where It Applies
Use the “Build Filter” button to specify which findings this rule set should evaluate. Want it to only look at web applications? External-facing assets? Assets tagged with “production”? The visual query builder makes it simple.
Step 3: Set the Weight
Assign a weight from 1-100 to determine how much influence this rule set has compared to others. Higher weights mean more impact on the final priority score.
Step 4: Choose Processing Behavior
- Active: Process findings through this rule set
- Continue Processing: After matching, continue evaluating other rule sets
- Stop on Match: When a finding matches, stop and don’t process other rule sets (perfect for emergency scenarios)
Step 5: Add Your Rules
Click “Add Rule” and build your conditions:
- Name your rule clearly (e.g., “Critical Web Vulnerabilities”)
- Build your query using the visual builder
- Set the score to add (1-999)
Real-World Impact: See the Difference
Once activated, your custom rules immediately transform how vulnerabilities are prioritized. Watch as:
- That SQLi on your payment API jumps to score 950
- The critical vulnerability on the isolated dev server drops to 200
- Compliance-related findings automatically bubble up
The result? Your team focuses on what truly matters to your business.
Templates: Learn from the Best
Not sure where to start? We’ve included 20+ battle-tested templates based on industry best practices:
Popular Templates Include:
🏢 External-Facing Critical Assets
Prioritizes vulnerabilities on internet-facing systems with high business impact
🚨 Zero-Day and Active Exploit Priority
Immediately elevates actively exploited vulnerabilities
📋 Compliance-Focused Prioritization
Ensures regulatory requirements drive your remediation efforts
🏥 Healthcare Security Priority
Protects patient data and medical systems
💳 Financial Services Security
Focuses on payment processing and financial data protection
🏠 OT/ICS Manufacturing Security
Prioritizes operational technology and safety systems
Simply browse templates, preview their rules, and import with one click. Then customize to match your exact needs.
Advanced Strategies: Layering Rule Sets
The real power comes from combining multiple rule sets. Here’s how leading security teams structure their risk-based prioritization:
Layer 1: Business Context (Weight: 100)
Target your most critical business assets and apply the highest scores
Layer 2: Threat Intelligence (Weight: 90)
Incorporate exploit availability and active threats
Layer 3: Compliance Requirements (Weight: 80)
Ensure regulatory obligations are met
Layer 4: Quick Wins (Weight: 60)
Identify easy-to-patch vulnerabilities for rapid risk reduction
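To make the mechanics of scoped, weighted rule sets with "Continue Processing" and "Stop on Match" concrete, here is an added Python sketch. It is not Strobes code. The evaluation order (descending weight), the scaling of each rule's score by weight / 100, and all field and rule names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]   # the IF part
    score: int                          # the THEN part: score to add (1-999)

@dataclass
class RuleSet:
    name: str
    weight: int                         # 1-100
    applies_to: Callable[[dict], bool]  # the "Build Filter" scope
    rules: list
    active: bool = True
    stop_on_match: bool = False         # False = continue processing

def prioritize(finding, rule_sets):
    """Return (score, trace). Assumed model: sets run in descending weight
    order and each matching rule adds score * weight / 100."""
    total, trace = 0.0, []
    for rs in sorted(rule_sets, key=lambda r: r.weight, reverse=True):
        if not rs.active or not rs.applies_to(finding):
            continue
        matched = [r for r in rs.rules if r.condition(finding)]
        for r in matched:
            total += r.score * rs.weight / 100
            trace.append(f"{rs.name} / {r.name}")
        if matched and rs.stop_on_match:
            break  # later rule sets are not evaluated
    return round(total), trace

# Constructed rule sets mirroring the layers above (names and fields are hypothetical).
RULE_SETS = [
    RuleSet("Business Context", 100, lambda f: "production" in f["tags"],
            [Rule("Internet-facing asset", lambda f: f["internet_facing"], 500)]),
    RuleSet("Threat Intelligence", 90, lambda f: True,
            [Rule("Public exploit", lambda f: f["public_exploit"], 400)]),
    RuleSet("Quick Wins", 60, lambda f: True,
            [Rule("Patch available", lambda f: f["patch_available"], 100)]),
]

# Constructed findings, not scanner output.
SQLI_PAYMENT_API = {"tags": ["production"], "internet_facing": True,
                    "public_exploit": True, "patch_available": True}
CRITICAL_DEV_SERVER = {"tags": ["dev"], "internet_facing": False,
                       "public_exploit": False, "patch_available": True}

if __name__ == "__main__":
    for name, f in [("SQLi on payment API", SQLI_PAYMENT_API),
                    ("Critical on dev server", CRITICAL_DEV_SERVER)]:
        print(name, *prioritize(f, RULE_SETS))
```

The returned trace lists which rule set and rule contributed to a score, which is the audit trail you want when a finding's priority changes after a rule edit.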
The Results: Measurable Impact
Early adopters are seeing dramatic improvements:
- 73% reduction in mean time to remediate critical business risks
- 90% more accurate prioritization aligned with actual business impact
- 5x faster identification of truly critical vulnerabilities
- Zero critical vulnerabilities missed due to generic scoring
One CISO told us: “For the first time, our vulnerability priorities actually match our business priorities. It’s transformative.”
Getting Started is Simple
- Navigate to Settings → Prioritization Rules
- Toggle to Custom Rules
- Choose a template or create your first rule set
- Watch as your vulnerabilities reorganize based on real risk
No training required. No professional services. Just immediate, meaningful risk-based prioritization.
Tips for Success
- Start Simple: Begin with one or two rule sets targeting your most critical assets
- Use Templates: Learn from pre-built templates before creating complex custom rules
- Iterate Often: Refine your rules as you learn what works for your organization
- Document Everything: Use clear names and descriptions so your team understands each rule’s purpose
- Monitor Impact: Track how prioritization changes affect your remediation metrics
What’s Next?
This is just the beginning. We’re already working on:
- AI-powered rule suggestions based on your environment
- Integration with threat intelligence feeds
- Automated rule effectiveness scoring
- Team-specific rule sets for different business units
Your Security, Your Rules
Generic vulnerability scoring is dead. With Strobes Risk-Based Prioritization Rules, you’re not just managing vulnerabilities – you’re managing risk in a way that makes sense for YOUR organization.
Ready to take control? Log into your Strobes platform and navigate to Settings → Prioritization Rules to get started today.
Have questions about setting up prioritization rules? Our support team is standing by at [email protected], or schedule a personalized walkthrough with our customer success team.