Microsoft’s public‑preview exposure score adds exploitability data, asset context and a holistic device view, shifting the focus from raw CVSS severity to real‑world risk. The change aligns Defender’s scoring with signals used by rivals such as Tenable and Qualys, and it reshapes remediation roadmaps, budgeting and executive reporting across hybrid environments.
What changed
Microsoft Defender Vulnerability Management (DVM) has replaced its single‑factor CVSS‑based exposure score with a multi‑factor model that blends several risk signals:
- Exploitability likelihood – the model now incorporates the Exploit Prediction Scoring System (EPSS) and other public exploit feeds, so a vulnerability that is being actively weaponized moves the score faster than a high‑severity CVE with no known exploit.
- Normalized CVE data – Microsoft aggregates vulnerability data from multiple sources and normalizes fields such as vendor attribution and patch status, reducing scoring gaps that previously appeared when the same CVE was reported by different feeds.
- Asset context – each device is tagged with exposure attributes (internet‑facing, criticality level, cloud region, workload type). Those attributes weight the vulnerability risk, meaning a medium‑severity flaw on a public‑facing database will impact the score more than the same flaw on an isolated test machine.
- Full‑device aggregation – instead of letting the highest‑severity CVE dominate a device’s score, the new algorithm sums the risk of all findings on the asset, applying the context weights described above. Remediation of any vulnerability now contributes visibly to the device’s exposure.
- Organization‑level roll‑up – the enterprise exposure score is a simple average of the weighted device scores, preserving the familiar 0‑100 banding (0‑29 low, 30‑69 medium, 70‑100 high) while reflecting the richer data underneath.
- Recommendation impact alignment – recommendation impact values are now derived from the same asset‑CVE calculations, so the expected score change shown in the UI matches the actual movement after a patch is reported.
The net effect is a score that moves in step with real‑world risk, not just with the number of high‑CVSS findings.
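To make the aggregation concrete, here is an added, constructed Python model that is not Microsoft's published formula (the context weights, the CVSS/EPSS blend, the saturation curve and the CVE names are all assumptions). It contrasts a highest‑CVE device view with a context‑weighted sum of every finding, rolls devices up to an organisation average with the 0‑100 banding, and derives recommendation impact from the same calculation:

```python
# Constructed, illustrative exposure-score model (not Microsoft's published formula).
import math
from dataclasses import dataclass
@dataclass
class Finding:
    cve: str     # constructed placeholder identifier
    cvss: float  # CVSS base score, 0-10
    epss: float  # EPSS exploit probability, 0-1

@dataclass
class Device:
    name: str
    internet_facing: bool
    criticality: str  # "low" | "medium" | "high"
    findings: list

CRITICALITY_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5}  # assumed weights

def finding_risk(f: Finding) -> float:
    # Per-CVE risk on a 0-100 scale: CVSS scaled by exploit likelihood (assumed blend).
    return f.cvss * 10 * (0.3 + 0.7 * f.epss)

def context_weight(d: Device) -> float:
    # Asset-context multiplier from the device's exposure attributes.
    w = CRITICALITY_WEIGHT[d.criticality]
    return w * 1.5 if d.internet_facing else w  # assumed internet-facing multiplier

def legacy_device_score(d: Device) -> float:
    # Old-style view: the single highest-CVSS finding dominates the device.
    return max((f.cvss for f in d.findings), default=0.0) * 10

def device_score(d: Device) -> float:
    # New-style view: every finding contributes, weighted by context, saturating at 100.
    weighted = sum(finding_risk(f) for f in d.findings) * context_weight(d)
    return round(100 * (1 - math.exp(-weighted / 100)), 1)

def org_score(devices: list) -> float:
    # Organisation roll-up: plain average of device scores, same 0-100 banding.
    return round(sum(device_score(d) for d in devices) / len(devices), 1)
def band(score: float) -> str:
    return "low" if score < 30 else "medium" if score < 70 else "high"

def remediation_impact(d: Device, cve: str) -> float:
    # Expected score drop from fixing one CVE, computed from the same model as the score.
    rest = Device(d.name, d.internet_facing, d.criticality, [f for f in d.findings if f.cve != cve])
    return round(device_score(d) - device_score(rest), 1)

# Constructed sample: public web server with an exploited medium CVE; internal build server with an unexploited critical CVE.
WEB = Device("web-01", True, "high", [Finding("CVE-A", 6.5, 0.90), Finding("CVE-B", 5.3, 0.10)])
BUILD = Device("build-01", False, "medium", [Finding("CVE-C", 9.8, 0.02)])
```

With these inputs the legacy view ranks the build server first (98 vs 65), while the aggregated view ranks the web server first (83.5 vs 26.5), and fixing the low‑EPSS CVE‑B on the web server shows a visible impact of 9.2 points that the legacy view would not register at all.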
Provider comparison
| Feature | Microsoft Defender Vulnerability Management (new) | Tenable.io / Tenable.sc | Qualys VMDR |
|---|---|---|---|
| Risk model | Multi‑factor: CVSS + EPSS + asset context | CVSS primary; optional exploitability plugins | CVSS primary; optional exploitability add‑on |
| Device aggregation | All vulnerabilities weighted, context‑aware | Highest‑severity CVE often dominates device view | Similar to Tenable – highest severity drives device score |
| Asset metadata | Built‑in tags for internet‑facing, criticality, cloud region | Requires manual tagging or external CMDB integration | Supports custom asset groups, but context weighting is limited |
| Score visibility | Daily recalculation, impact‑aligned recommendations | On‑demand or scheduled scans; impact shown in separate dashboard | Daily refresh; impact shown as separate “risk score” metric |
| Integration with Microsoft 365 / Azure | Native telemetry, Azure AD, Microsoft Sentinel | Requires connectors or API pulls | Requires API integration, less native telemetry |
| Pricing model | Included in Defender for Cloud (per‑node) or as add‑on | Per‑asset or per‑core licensing; separate for Tenable.ot | Per‑asset subscription; separate for VMDR module |
| Public preview | Available now, free for existing Defender customers | Generally GA, no preview tier | |
| Migration considerations | Score baseline resets; recommendation order may shift; 24‑hour lag for post‑remediation updates | Existing scoring may need mapping to Tenable’s Risk Score; potential re‑prioritization of assets | May need to import Microsoft asset tags to retain context weighting |
Key takeaways for decision makers
- If your environment already lives in Azure and you use Microsoft Sentinel for SIEM, the new exposure score offers the tightest data‑plane integration and eliminates a separate licensing line.
- Tenable and Qualys still rely heavily on CVSS severity; organizations that need a quick, familiar view may prefer those platforms, but they will have to supplement with manual exploitability data to achieve the same granularity.
- The shift from a “most‑severe‑CVE dominates” model to a full‑device aggregation can change remediation roadmaps dramatically. Teams that previously patched only the top‑CVSS items should expect a broader set of tickets, but the expected score impact will be more predictable.
Business impact
1. Prioritization becomes evidence‑driven
The inclusion of EPSS and asset exposure means that a medium‑CVSS flaw on a public‑facing web server can outrank a critical CVSS issue on an internal build server. Security managers can now justify budget allocations with concrete exploit likelihood numbers, which resonates better with executives who ask for “why this patch now?”
2. Remediation metrics are more actionable
Because recommendation impact is calculated from the same data that drives the score, the “expected score improvement” shown next to each ticket matches the actual change observed after the patch is ingested. This reduces the “score‑stuck” frustration that many teams reported with the previous model.
3. Cross‑cloud consistency
Defender’s exposure score pulls asset tags from Azure Arc, Azure Virtual Machines, on‑prem Windows/Linux servers and even third‑party SaaS workloads that expose an API endpoint. The same scoring logic applies across all those surfaces, giving a unified view that rivals typically achieve only through custom scripting.
4. Migration planning
When you enable the preview, the score will reset to a new baseline. Treat the first 48‑hour period as a calibration window: compare the old and new rankings, adjust any automated ticketing rules, and verify that critical business processes (e.g., change‑management windows) still align with the new priority list. Because the score bands remain unchanged, existing SLA definitions based on “high‑risk” thresholds can stay in place, but the assets that fall into those bands will be different.
5. Cost considerations
For organizations already paying for Defender for Cloud, the exposure score is an included feature, so there is no incremental license fee. However, the broader remediation surface may increase the number of tickets generated per month, which could affect internal staffing or automation tooling budgets. A quick pilot—enabling the model on a single subscription—helps quantify that lift before a full‑scale rollout.
Getting started
- Open the Microsoft Defender portal and navigate to Exposure management > Vulnerability management > Overview.
- Turn on the Updated exposure score toggle (public preview).
- Review the new score card and click Improve score to see recommendations ordered by the refreshed impact values.
- Align your ticketing system (e.g., ServiceNow, Jira) with the updated recommendation IDs; the API payload now includes an `impactScore` field that mirrors the exposure score delta.
- Monitor daily score changes for up to 24 hours after each remediation action; the UI will display a “last updated” timestamp.
For detailed guidance, see the official docs:
Bottom line
The refreshed exposure score moves Microsoft Defender Vulnerability Management closer to the risk‑centric approaches used by Tenable and Qualys, while retaining deep Azure integration. Security leaders should treat the new score as a fresh baseline, re‑evaluate ticket priorities, and leverage the added exploitability signals to drive faster, business‑aligned remediation.