Vulnerability Risk Context Matrix

Security Framework

VRCM Assessment Tool

Answer 12 questions across 4 dimensions to calculate the real risk of a vulnerability in your environment - not just its CVSS score.

What & Why

CVSS tells you how severe a vulnerability is in isolation. It doesn't know if your system is internet-facing, whether a WAF is blocking the attack pattern, or whether the data exposed is patient health records or a public wiki. Those details are everything.

The Vulnerability Risk Context Matrix (VRCM) is a synthesis framework combining OWASP Risk Rating, FAIR, and CVSS 4.0 into 12 questions that produce a context-driven risk score - so your team can prioritise with confidence rather than treat every CVSS 9.8 as a fire drill.

Read the full VRCM article →
The four dimensions and their score ranges:

Exploitability (0–40): Can it be reached?
Business Impact (0–30): What gets damaged?
Threat Landscape (0–20): Is it being exploited?
Controls Posture (–10): What defences exist?

12 questions · 4 sections · ~3 minutes · No data leaves your browser

Disclaimer: This framework and tool were developed independently in a personal capacity and do not represent the views or practices of any current or former employer. For educational purposes only.