Unlike legacy vulnerability management, risk-based vulnerability management does not just reveal vulnerabilities; it quantifies them with a threat context and potential business impact awareness.

RBVM uses threat intelligence to identify the vulnerabilities attackers are discussing, experimenting with, or using, and generates risk scores based on the likelihood of exploitation.  By contrast, the legacy Common Vulnerability Scoring System (CVSS) rates vulnerabilities based on the damage they would do if exploited. Time has demonstrated that many vulnerabilities with high CVSS scores pose little to no risk of ever being exploited. Given this low probability, directing resources toward risk-verified vulnerabilities reduces mitigation efforts and increases risk coverage.