FAQ

CAPEC stands for Common Attack Pattern Enumeration and Classification. It is a structured knowledge base developed by MITRE that lists and describes known attack patterns used against computer systems. Unlike isolated incidents, CAPECs describe reusable strategies used by attackers to exploit vulnerabilities.

Each CAPEC pattern is an abstract representation of malicious behavior: it explains how an attack is carried out, what type of weakness it targets, and for what purpose. The goal of CAPEC is to help security professionals better understand, detect, and anticipate the tactics used by attackers.

#CAPEC #MITRE

EPSS stands for Exploit Prediction Scoring System. It is a probabilistic model that assigns each vulnerability (typically identified by a CVE identifier) a probability of being exploited in the wild within the next 30 days.

The goal of EPSS is to complement other scoring systems (like CVSS) by adding a dynamic and contextual layer based on real-world exploitation data observed in the wild. This allows organizations to better prioritize their remediation efforts based on the actual risk of exploitation.

#EPSS #CVSS

The CVSS (Common Vulnerability Scoring System) score measures the severity of a vulnerability by assigning it a rating from 0 to 10, where 10 represents an extremely critical flaw. It is designed to provide a standardized and objective assessment of vulnerabilities, so that organizations can compare them with each other and prioritize their remediation.

This score takes into account several aspects: the ease of exploitation, the potential effects on confidentiality, integrity and availability, as well as the conditions necessary for the attack. In summary, the CVSS helps to quantify the inherent level of danger of a security flaw.

#CVE #CVSS

CISA (Cybersecurity and Infrastructure Security Agency) is a U.S. government agency. It is responsible for protecting the United States' critical infrastructure from cyber and physical threats by providing support, tools, and recommendations to government agencies, businesses, and the public.

In the field of cybersecurity, CISA acts as a coordination center to prevent cyberattacks, respond to incidents, share threat information, and promote security best practices. Although American, its role and resources influence cybersecurity practices globally due to its transparency and leadership.

#CISA

CISA plays a central role in managing vulnerabilities on a large scale. It actively identifies, assesses, and communicates about security flaws that could affect critical infrastructure, including government services, operators of essential services, and large enterprises. It often works in collaboration with MITRE, publishers, security researchers, and other international agencies.

Among its responsibilities, it publishes security bulletins, coordinates responses to certain major vulnerabilities, and sometimes imposes, through federal Binding Operational Directives (BODs), mandatory remediation deadlines for certain flaws in public entities. Its goal is to reduce the time between the discovery of a vulnerability and its effective remediation in the field.

#CISA

A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a known vulnerability in a computer system, software, or hardware. It allows for the precise naming and tracking of a flaw, even when it is addressed by different vendors, tools, or databases. Each CVE follows the format CVE-year-number, such as CVE-2023-12345.

The purpose of CVEs is to standardize communication about security flaws: instead of using variable descriptions, all actors can refer to the same identifier. This facilitates coordination between researchers, software publishers, security teams, and security solution providers.

#CVE

The CWE Top 25 is an annual list of the 25 most dangerous software security weaknesses. It is compiled by MITRE using public data from the NVD (National Vulnerability Database) and other sources, analyzing the frequency and impact of weaknesses associated with real-world CVEs.

This ranking is valuable for developers and security teams because it highlights the most common and critical errors, such as injections, buffer overflows, or authentication problems. By focusing on these priority weaknesses, organizations can quickly improve their security posture, even with limited resources.

#CWE #MITRE

A CWE (Common Weakness Enumeration) is a standardized classification of weaknesses that can lead to vulnerabilities in software, firmware, or systems. Unlike CVEs, which designate specific and documented vulnerabilities in a given product, CWEs describe types of design or programming flaws that can affect the security of a system.

For example, a CWE might describe improper memory management, command injection, or insufficient input validation. These weaknesses can then be detected in multiple software programs and associated with individual CVEs if they are exploited in a real-world context.

#CWE

A zero-day vulnerability is a security flaw unknown to the manufacturer or publisher of a software, hardware, or system. It is called "zero-day" because the publisher has had zero days to fix the vulnerability at the time it is discovered or exploited. Therefore, it has not yet been the subject of an official patch or public reporting.

These flaws can exist for months, or even years, without being detected. When they are found by cybercriminals or state-sponsored groups, they can be exploited discreetly, making their potential impact very serious.

#Zero-day

CAPEC and CWE are two complementary databases maintained by MITRE, but they do not have the same objective. CWE describes technical weaknesses in code or design (e.g., lack of input validation), while CAPEC describes attack methods that exploit these weaknesses (e.g., SQL injection).

In other words, CWE focuses on the cause, while CAPEC focuses on the attacker's action. The two can be linked: a CAPEC pattern often specifies which CWEs it targets, making it possible to link the theoretical vulnerability, the practical exploitation, and the associated CVEs.

#CAPEC #CWE #MITRE

A CVE (Common Vulnerabilities and Exposures) is a security flaw that has already been identified, documented, and published in an official database. It is known to the public, and generally, patches are in progress or already available. In contrast, a zero-day is a flaw that has not yet been disclosed, and therefore not recorded in a CVE at the time of its discovery.

In other words, any zero-day can become a CVE, but not all CVEs are zero-days. The major risk of a zero-day is precisely that it can be exploited before it is even reported, whereas a CVE is by definition a vulnerability in the process of being addressed or corrected.

#Zero-day #CVE

A CVE is simply a public declaration that a flaw exists in a given product, while an exploited vulnerability means that an attacker is actively using this flaw to compromise systems. In other words, not all CVEs are exploited in real-world conditions: some may remain theoretical or technical.

Conversely, a vulnerability can be exploited without yet having received a CVE: this is what is called a zero-day. To assess the real danger of a CVE, it is necessary to consult additional information such as CISA's KEV (Known Exploited Vulnerabilities) catalog or the EPSS score, which indicate whether the flaw is actively used in cyberattacks. This information is available directly from our website CVE Find.

#CVE #CISA #KEV #Zero-day

CVSS is broken down into three sub-scores:

  • Base Score: assesses the intrinsic severity of the vulnerability, independent of any context. It is generally public.
  • Temporal Score: adjusts the score based on factors such as the availability of an exploit or patch. It reflects the maturity of the threat.
  • Environmental Score: allows organizations to adapt the assessment to their own context (asset importance, exposure, business impact). It is customized to each company.

By combining these three layers, the CVSS model becomes a more flexible tool that allows for refining treatment priorities according to the reality on the ground.

#CVE #CVSS

The official source of the CAPEC database is the MITRE website. This portal allows you to explore all patterns classified by attack type, complexity, target, or level of sophistication. Each record is accompanied by precise definitions, examples, and links to other useful resources (CWE, ATT&CK, etc.).

#CAPEC #MITRE

CAPEC attack patterns serve to document the tactics and techniques used by attackers to exploit systems. By studying them, security analysts, developers, and architects can understand the objectives of an attack, its typical steps, and the vulnerabilities exploited. This allows them to anticipate threats and design more effective countermeasures.

They are also useful for training, risk analysis, attack simulation (red teaming), and the implementation of defensive security controls. By linking CAPECs to CWEs and CVEs, a complete chain can be established from weakness to concrete exploitation, which enriches threat modeling or security by design approaches.

#CAPEC #CWE #CVE