Microsoft Defender Vulnerability Management gets a smarter exposure score

Microsoft Defender Vulnerability Management’s updated exposure score model adds vulnerability risk signals and asset context to help teams understand where risk is concentrated and which remediation actions are likely to have the greatest impact. The model is available in public preview.

Microsoft Defender exposure score

“The updated model addresses these customer pain points by combining vulnerability risk, exploitability signals, and asset context into a more representative exposure score. The goal is to help security teams move from a score that explains ‘how severe are the vulnerabilities?’ to a score that helps answer ‘where should we focus remediation first, and why?’,” Moti Bani, Senior Product Manager at Microsoft, explained.

Changes to the exposure score model

Instead of relying primarily on CVSS severity, the updated model uses multiple vulnerability risk signals to assess CVE risk. One of the signals used to estimate exploitation likelihood is the Exploit Prediction Scoring System (EPSS).

CVSS (Common Vulnerability Scoring System) measures the severity of a security vulnerability. EPSS, a machine learning model, estimates the likelihood that a published CVE will be exploited in the wild within the next 30 days.

To improve scoring consistency, the model uses normalized CVE data from multiple vulnerability sources. This allows the score to better reflect which vulnerabilities are more likely to be exploited.

The asset exposure score now reflects all vulnerabilities affecting a device, with each weighted according to vulnerability risk and asset context.

This gives security teams a more complete view of device exposure. Remediation work performed on a device also contributes more directly to exposure reduction.

The model incorporates asset context, including whether a device is internet-facing and its criticality level. This helps prioritize vulnerabilities on assets that carry greater business or exposure risk. For example, the same vulnerability may require a different response depending on whether it affects an exposed or business-critical device.

To better connect organizational posture with the assets and vulnerabilities contributing to risk, the organization-level exposure score is derived from individual asset scores. This provides a more representative view of vulnerability exposure throughout the environment.

Microsoft also uses asset-CVE-level data to calculate remediation impact. This improves the relationship between the predicted impact shown in recommendations and the score changes expected after remediation is completed. The updated calculations are reflected in the product, making score impact easier to understand and track.

What customers can expect

When the updated model is enabled, scores may change because of the revised calculation methodology. A higher or lower score does not necessarily indicate a change in security posture or the presence of new vulnerabilities.

The updated score should be treated as a new baseline because it is not directly comparable to the previous version.

Recommendations may be reprioritized based on recalculated impact values.

Exposure scores are updated daily, and remediation changes may take up to 24 hours to appear. Score bands remain unchanged: low (0–29), medium (30–69), and high (70–100).
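The announcement describes the ingredients of the new model (CVSS severity, EPSS exploitation likelihood, per-device aggregation of all CVEs, asset context such as internet exposure and criticality, an organization score derived from asset scores, remediation impact at the asset-CVE level, and the low/medium/high bands) but not Microsoft's actual formula. The Python sketch below is an added, hypothetical illustration of how those ingredients can be combined; it is not Microsoft's code or weighting, and every multiplier, the noisy-OR aggregation, the mean used for the organization score, and the placeholder CVE ids are assumptions chosen to make the behaviour visible.

```python
"""Illustrative exposure-score model blending CVSS, EPSS and asset context.

Hypothetical weighting for explanation only; not Microsoft Defender
Vulnerability Management's actual formula.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Cve:
    cve_id: str   # placeholder id, not a real CVE
    cvss: float   # CVSS base score, 0-10 (severity)
    epss: float   # EPSS probability of exploitation in the next 30 days, 0-1


@dataclass
class Asset:
    name: str
    internet_facing: bool
    criticality: str        # "low" | "medium" | "high"
    cves: list[Cve]


# Hypothetical context multipliers (assumed values, not product values).
CRITICALITY_WEIGHT = {"low": 0.75, "medium": 1.0, "high": 1.25}
INTERNET_FACING_WEIGHT = 1.5
# Score bands as stated in the announcement.
BANDS = ((0, 29, "low"), (30, 69, "medium"), (70, 100, "high"))


def cve_risk(cve: Cve) -> float:
    """Blend severity with exploitation likelihood into a 0-1 risk.

    The 0.3 floor (an assumption) keeps a severe-but-unlikely CVE from
    vanishing entirely, while EPSS drives most of the spread."""
    return (cve.cvss / 10.0) * (0.3 + 0.7 * cve.epss)


def context_weight(asset: Asset) -> float:
    """Asset context: criticality, boosted further if internet-facing."""
    w = CRITICALITY_WEIGHT[asset.criticality]
    return w * INTERNET_FACING_WEIGHT if asset.internet_facing else w


def asset_exposure(asset: Asset) -> float:
    """Device score on 0-100 in which every CVE contributes.

    Contributions combine as a noisy-OR (1 - prod(1 - r_i)) so the score
    saturates instead of exceeding 100. Asset context is applied as an
    exponent on each CVE's survival term: w > 1 pushes each contribution
    toward 1, w < 1 dampens it, so the same CVE weighs more on an
    exposed or critical device."""
    w = context_weight(asset)
    survival = prod((1.0 - cve_risk(c)) ** w for c in asset.cves)
    return 100.0 * (1.0 - survival)


def org_exposure(assets: list[Asset]) -> float:
    """Organization score derived from asset scores (a plain mean here)."""
    if not assets:
        return 0.0
    return sum(asset_exposure(a) for a in assets) / len(assets)


def remediation_impact(asset: Asset, cve_id: str) -> float:
    """Predicted score drop on this asset from fixing one CVE (asset-CVE level)."""
    after = Asset(asset.name, asset.internet_facing, asset.criticality,
                  [c for c in asset.cves if c.cve_id != cve_id])
    return asset_exposure(asset) - asset_exposure(after)


def band(score: float) -> str:
    """Map a 0-100 score onto the low/medium/high bands."""
    for lo, hi, name in BANDS:
        if lo <= round(score) <= hi:
            return name
    raise ValueError(f"score out of range: {score}")


# Constructed sample inventory; CVE ids are placeholders, not real CVEs.
CVE_A = Cve("CVE-XXXX-0001", cvss=9.8, epss=0.90)  # critical and likely exploited
CVE_B = Cve("CVE-XXXX-0002", cvss=9.8, epss=0.01)  # critical by CVSS, unlikely exploited
CVE_C = Cve("CVE-XXXX-0003", cvss=5.0, epss=0.50)  # medium severity, moderate likelihood

WEB = Asset("web-01", internet_facing=True, criticality="high", cves=[CVE_A, CVE_B])
VPN = Asset("vpn-01", internet_facing=True, criticality="high", cves=[CVE_B])
DB = Asset("db-01", internet_facing=False, criticality="medium", cves=[CVE_B])
KIOSK = Asset("kiosk-01", internet_facing=False, criticality="low", cves=[CVE_C])
ASSETS = [WEB, VPN, DB, KIOSK]

if __name__ == "__main__":
    for a in ASSETS:
        s = asset_exposure(a)
        print(f"{a.name:9} exposure={s:6.1f} ({band(s)})")
        for c in a.cves:
            print(f"    fix {c.cve_id}: -{remediation_impact(a, c.cve_id):.1f}")
    o = org_exposure(ASSETS)
    print(f"organization exposure={o:.1f} ({band(o)})")
```

Running it shows the behaviours the article describes: CVE_B has the same CVSS as CVE_A but a tiny EPSS, so it scores far lower; the identical CVE_B yields a higher exposure on the internet-facing, high-criticality vpn-01 than on the internal db-01; and on web-01 the predicted impact of fixing CVE_A dwarfs that of fixing CVE_B, which is the kind of asset-CVE-level impact the recommendations are meant to surface.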
