What is SSVC? Stakeholder-Specific Vulnerability Categorization, explained
A plain-English guide to context-aware patch prioritisation · updated June 2026
SSVC (Stakeholder-Specific Vulnerability Categorization) replaces a single severity number with a decision. It walks a short decision tree — is it being exploited? how exposed is the system? how critical is it to you? — and outputs an action: Track, Attend or Act. The point is that the same vulnerability deserves different urgency depending on where it runs.
What does SSVC stand for?
SSVC stands for Stakeholder-Specific Vulnerability Categorization. It was developed by the CERT Coordination Center at Carnegie Mellon University's Software Engineering Institute (SEI), and CISA has since adopted it and published its own tailored decision tree, as a decision-oriented alternative to scoring everything with CVSS alone.
SSVC vs CVSS — score vs decision
CVSS gives every team the same base score for a given CVE (CVSS does define environmental metrics for local context, but the base score is what vendors publish and what most teams consume). SSVC is context-aware: a critical flaw on an internet-facing, business-critical system is "Act now", while the same flaw on an isolated lab box is "Track". It replaces a static score with a prioritised action for your environment.
The Track / Attend / Act outcomes
- Track — no action needed right now; keep watching.
- Attend — get it into your normal remediation flow.
- Act — remediate as soon as possible, possibly out of cycle.
The decision is driven by a handful of decision points: evidence of exploitation (for example, a listing in CISA's Known Exploited Vulnerabilities catalog), whether exploitation is automatable, and the exposure and mission impact you set for the asset it runs on.
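The tree described above, as an added example in Python. This is not the page's or IsItPatched's code, nor CISA's published SSVC tree: the exploitation and automatable values follow SSVC's own vocabulary, but the exposure and mission-impact scales and the rule table inside ssvc_decide() are a constructed illustrative policy. It also records each decision point it passes through, so the outcome comes with its reasoning rather than as a bare label, and it ranks a small constructed queue Act, Attend, Track in the way the section below describes.

```python
from dataclasses import dataclass, field

# Decision-point vocabularies. "exploitation" and "automatable" use the values
# SSVC itself uses; the exposure and mission-impact scales, and the rule table
# in ssvc_decide(), are a constructed illustrative policy for this example,
# not CISA's published decision tree or IsItPatched's formula.
EXPLOITATION = ("none", "poc", "active")      # none < proof-of-concept < active (e.g. KEV)
AUTOMATABLE = ("no", "yes")
EXPOSURE = ("small", "controlled", "open")   # isolated lab box < segmented < internet-facing
MISSION_IMPACT = ("low", "medium", "high")
OUTCOME_ORDER = {"Act": 0, "Attend": 1, "Track": 2}   # queue order, most urgent first


@dataclass
class Decision:
    outcome: str
    reasons: list = field(default_factory=list)   # every decision point, shown inline


def _check(name, value, allowed):
    if value not in allowed:
        raise ValueError(f"{name} must be one of {allowed}, got {value!r}")


def ssvc_decide(exploitation, automatable, exposure, mission_impact):
    """Walk a small SSVC-style tree: exploitation first, then exposure and
    mission impact, with automatability as an escalator. Returns the action
    plus the chain of reasons so the result is not a black box."""
    _check("exploitation", exploitation, EXPLOITATION)
    _check("automatable", automatable, AUTOMATABLE)
    _check("exposure", exposure, EXPOSURE)
    _check("mission_impact", mission_impact, MISSION_IMPACT)

    d = Decision(outcome="Track")
    d.reasons.append(f"exploitation={exploitation}, automatable={automatable}")
    d.reasons.append(f"exposure={exposure}, mission_impact={mission_impact}")

    if exploitation == "active":
        if mission_impact == "high" or exposure == "open":
            d.outcome = "Act"
            d.reasons.append("actively exploited on an exposed or mission-critical system")
        elif exposure == "small" and mission_impact == "low":
            d.outcome = "Track"
            d.reasons.append("actively exploited, but the asset is isolated and low impact")
        else:
            d.outcome = "Attend"
            d.reasons.append("actively exploited; asset partly exposed or moderately important")
    elif exploitation == "poc":
        if exposure == "open" and mission_impact == "high":
            if automatable == "yes":
                d.outcome = "Act"
                d.reasons.append("PoC public, internet-facing, mission-critical and automatable")
            else:
                d.outcome = "Attend"
                d.reasons.append("PoC public on an exposed, mission-critical system")
        elif exposure == "open" or mission_impact != "low":
            d.outcome = "Attend"
            d.reasons.append("PoC public; asset exposed or has some mission impact")
        else:
            d.outcome = "Track"
            d.reasons.append("PoC public, but asset is isolated and low impact")
    else:  # no known exploitation
        if exposure == "open" and mission_impact == "high" and automatable == "yes":
            d.outcome = "Attend"
            d.reasons.append("no exploitation yet, but automatable on an exposed critical system")
        else:
            d.outcome = "Track"
            d.reasons.append("no known exploitation; keep watching for changes")
    return d


def rank_queue(items):
    """Order a patch queue Act -> Attend -> Track. `items` is a list of
    (label, exploitation, automatable, exposure, mission_impact) tuples."""
    decided = [(label, ssvc_decide(*rest)) for label, *rest in items]
    decided.sort(key=lambda pair: OUTCOME_ORDER[pair[1].outcome])   # stable sort
    return decided


if __name__ == "__main__":
    # Constructed sample queue: the same flaw (flaw-A) on two different assets.
    queue = [
        ("flaw-A on isolated lab box", "active", "yes", "small", "low"),
        ("flaw-A on internet-facing billing API", "active", "yes", "open", "high"),
        ("flaw-B on internal wiki", "poc", "no", "controlled", "medium"),
        ("flaw-C on dev VM", "none", "no", "small", "low"),
    ]
    for label, decision in rank_queue(queue):
        print(f"{decision.outcome:<6} {label}")
        for reason in decision.reasons:
            print(f"       - {reason}")
```

Running it shows the point the page makes: flaw-A lands at the top of the queue as Act on the billing API and at the bottom as Track on the lab box, with the decision points that produced each outcome listed under it. The real CISA tree uses technical impact and mission/well-being rather than the exposure scale assumed here, so treat the rule table as a template to fill with your own policy.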
SSVC-style prioritisation, built in
IsItPatched's patch queue ranks every item Act → Attend → Track by combining exploitation evidence with the exposure and business importance you set per product, and shows every decision point inline, so nothing is a black box.
- Open your dashboard — a context-aware, SSVC-inspired patch queue.
- How it's scored — the full, published formula.
Frequently asked questions
What is SSVC?
SSVC — Stakeholder-Specific Vulnerability Categorization — is a decision framework for prioritising vulnerability remediation. Instead of a single severity number, it walks you through a small decision tree using factors like whether a flaw is being exploited, how exposed the system is, and how critical it is to your mission, and outputs an action: typically Track, Attend or Act.
What does SSVC stand for?
SSVC stands for Stakeholder-Specific Vulnerability Categorization. It was developed by the CERT Coordination Center at Carnegie Mellon University's Software Engineering Institute (SEI) and has been adopted, with its own tailored decision tree, by CISA.
How is SSVC different from CVSS?
The CVSS base score is the same for a vulnerability regardless of where it runs (environmental metrics exist, but the base score is what gets published and consumed). SSVC is context-aware: the same CVE can be "Act now" on an internet-facing, mission-critical system and "Track" on an isolated test box. It replaces a score with a decision tailored to your environment.
What are the SSVC outcomes?
CISA's published SSVC decision tree produces four outcomes, Track, Track*, Attend and Act, ordered from "no action needed yet" to "remediate as soon as possible". Track* flags a vulnerability whose characteristics warrant closer monitoring for changes than plain Track. Simpler implementations collapse these into Track / Attend / Act.
Why use SSVC for patch prioritisation?
Because not every critical-scored CVE is urgent for you. SSVC combines technical signals (exploitation, automatability) with your own context (exposure, mission impact) so your team spends effort on the fixes that actually matter, with the reasoning shown rather than hidden in a number.
IsItPatched is independent and not affiliated with the SEI/CMU or CISA. SSVC is a framework published by the Software Engineering Institute. See our disclaimer.