Security teams are tired of alert overload. Too many “critical” vulnerabilities with too little context lead to slow remediation and wasted effort.
Tenable’s latest update to its Vulnerability Priority Rating (VPR) aims to change that equation by introducing AI-powered scoring, explainability, and tailored insights based on industry and region.
According to Eric Doerr, chief product officer at Tenable, the new approach is a direct response to the limitations of static scoring. “The AI-powered Tenable VPR fundamentally reshapes traditional vulnerability management by moving beyond the broad, static assessments of CVSS to deliver unmatched precision and context,” Doerr told MSSP Alert. “While static CVSS broadly flags 60% of CVEs as high or critical, the enhanced VPR focuses teams on just 1.6% of vulnerabilities that represent actual business risk. This is a big shift, achieving a reduced workload and higher efficiency without compromising on risk.”
Explainability and Context Built In
The upgraded VPR doesn’t just deliver a score. It explains the score. AI-generated summaries clarify how a vulnerability is being weaponized, who’s exploiting it, and how to fix it. This isn’t generic text spit out by a model; it’s grounded in curated intelligence from vetted sources, and every AI-generated insight is flagged as such inside the product.
“We deliver human-readable, context-rich threat summaries,” Doerr said. “These include threat actor attribution, targeted regions and industries, and exploit trends. We also provide prescriptive remediation guidance, ranging from patch recommendations to compensating controls, helping teams understand both what to fix, how to fix it, and why it matters.”
This explainability isn’t a bonus; it’s essential for security leaders under pressure to justify decisions. “It provides detailed score drivers and AI-generated summaries, giving clear, defensible reasoning beyond just a score,” Doerr added. “Security practitioners can optimize their limited time and resources, focusing efforts on high-impact threats for faster risk reduction.”
Tailoring Risk to Business Reality
The ability to filter vulnerabilities by region and industry makes the system even more relevant. Instead of treating every CVE the same, VPR surfaces what’s actually being exploited in your environment.
“Tenable VPR’s ability to provide context on targeted industries and regions is a game-changer for CISOs,” said Doerr. “This moves beyond generic vulnerability lists to highly specific, actionable threat intelligence.” For instance, a bank in Europe can prioritize a vulnerability that’s actively being exploited in the finance sector across the region, instead of reacting to a distant threat with no local footprint.
“CISOs can confidently explain to management why a CVE is a high priority, backed by clear, defensible reasoning related to their specific industry and region,” he added. “This critical context ensures they prioritize the risks that truly impact their organization.”
A Scalable Advantage for MSSPs
Managed Security Service Providers stand to benefit too. With AI handling the heavy lifting on CVE triage, analysts can spend more time on actual remediation and advisory.
“The AI-driven explainability and summarization significantly help MSSPs scale their analyst workflows,” Doerr said. “Analysts get instant clarity on why an exposure matters, how it’s been weaponized by threat actors, and clear, actionable guidance on the steps to take to remediate or mitigate. This reduces the time spent on manual research.”
It also improves reporting. “MSSPs can present transparent, easy-to-understand risk assessments that explain why certain vulnerabilities are prioritized, fostering greater trust,” he said. And thanks to API access and integrations with tools like ServiceNow and JIRA, automation isn’t an afterthought; it’s built in.
Trust, But Keep the Human in the Loop
Of course, using AI for security decisions raises valid concerns. Tenable’s response has been to design safeguards and oversight from the start.
“Tenable has implemented several safeguards to ensure the integrity, transparency, and accuracy of the AI-generated outputs, emphasizing a ‘human-in-the-loop’ approach,” Doerr said. “The generative AI model processes curated web articles taken from a reliable list of sources vetted by the Tenable Research Team.”
These summaries aren’t meant to replace analysts, but to scale their reach. “The AI augments Tenable’s human research experts, scaling their ability to monitor public data and news while providing clear, human-readable insights,” he said. And when the AI misses the mark, Tenable’s researchers can manually override scores as needed.
Security leaders are encouraged to verify before they trust. “Run a pilot program,” Doerr advised. “Have senior analysts compare the AI’s recommendations against their own research and established playbooks. Cross-validate the AI-generated summary and steps with at least one or two other trusted sources.”
Most importantly, don’t lose sight of context. “The AI-generated content is generic for a given CVE. It does not have specific knowledge of your organization’s unique architecture, compensating controls, or business context,” he added. “Human analysts must bridge this gap.”
With the enhanced VPR, Tenable is offering a faster, more intelligent way to cut through vulnerability noise, without cutting out human judgment. For teams grappling with alert fatigue, strained resources, and pressure to reduce risk faster, that’s not just useful. It’s necessary.