Cogent Risk Assessment And Contextual Prioritization

Finding A: CVSS 9.8, no public exploit, internal-only host behind two VPN hops. Finding B: CVSS 7.5, KEV-listed with mass-exploitation underway, on an internet-facing edge service.

Per Cogent's stated principle — agents 'evaluate real exploitability in the environment, not just CVSS severity' — Finding B must rank above Finding A. The explanation must cite KEV listing, mass-exploitation telemetry, and exposure (internet-facing vs internal-only) as the dominant inputs, with CV…

Risk Assessment Agent assigns priority P1 to a finding but the underlying exploit-availability evidence is partial (PoC code exists in a private channel; reachability analysis incomplete).

Per Cogent's documented 'full explainability and confidence levels' for every prioritization decision, the agent must surface both the verdict and the confidence (low/medium/high or numeric) and explain what evidence is missing. Low-confidence P1 must be visually distinct from high-confidence P1 in…

A CVE on a database engine. The instance is in a private subnet with no ingress and credentialed access only from a hardened bastion.

Risk Assessment Agent must factor environment-specific exposure (network reachability, auth posture, segmentation) into its verdict, not just the abstract CVE properties. The explainability artifact must show the exposure evidence (subnet, security-group, ingress rules) so the engineer can verify.