A security analyst is prioritizing vulnerabilities for remediation. The analyst has identified several vulnerabilities with CVSS scores, but wants to incorporate additional context to ensure the most critical vulnerabilities are addressed first. Which TWO factors should the analyst consider beyond the CVSS base score? (Choose two.)
EPSS predicts the likelihood of exploitation in the wild.
Why this answer
EPSS provides a probability of exploitation based on real-world data, and KEV is a catalog of known exploited vulnerabilities from CISA. Both give additional context beyond CVSS. Business context is important but is not a standardized scoring system like EPSS or KEV.