OWASP BASC 2025

CVE, CVSS, EPSS, exploit-ability, reach-ability, risk based scoring, AI, lol..we use a bewildering and growing number of complex methods in an attempt to identify which CVEs are the ones that present the greatest technical or business risk. CVE volume increases year by year and some of our methodologies were developed in prior decades, when CVE volume was a fraction of what is is today. We can't predict which CVEs are going to go 'hot' in the future - but what if we could? This is the story of the NOFATE project, which is part of the SKYNET project for eliminating alert fatigue at scale. NOFATE has, since Jan. 3, published sixteen correct predictions on CVEs being added to a KEV watchlist, with early warning times as long as 30 - 50 days. If we can predictively micro-target the few 'superhot' CVEs for action quickly, around the same time they are released, we could be doing intrusion prediction, and incident avoidance, rather than doing threat detection and incident response in a series of CVE and incident fire drills. The predictions are published on GitHub.