Every security team managing a vulnerability backlog is making prioritisation decisions under pressure. The question is never whether to patch. It is which vulnerabilities to patch first, how urgently, and what happens to the organisation if the patch does not arrive in time.
CISA developed the Stakeholder-Specific Vulnerability Categorization framework, SSVC, in collaboration with Carnegie Mellon University's Software Engineering Institute to give organisations a structured methodology for answering that question. SSVC evaluates each vulnerability against five criteria: exploitation status, technical impact, whether exploitation is automatable, mission prevalence, and public wellbeing impact. The output is one of four decisions: Track, Track*, Attend, or Act.¹
Act is the most urgent designation. It requires attention from leadership, immediate response planning, and remediation as soon as possible. The criteria that most reliably push a vulnerability to Act are high technical impact and automatability of exploitation. A vulnerability that can be exploited automatically and leads to high-consequence system impact is an Act vulnerability. In the current environment, where Anthropic's research has demonstrated that AI models can generate a working exploit from a disclosed patch in as little as 31 minutes, automatability is increasingly the default assumption rather than a distinguishing factor.
GoFirm changes the technical impact input for a specific and important category of vulnerabilities: those whose exploitation path leads to high-consequence action execution.
When the execution boundary is protected, an attacker who exploits a vulnerability and gains access to a network still cannot initiate a transfer, exfiltrate data in bulk, modify critical system configurations, or execute any of GoFirm's seven categories of high-consequence action without a named human authority confirming it on a registered personal device through a separate out-of-band channel. The exploitation path exists. The technical impact does not materialise. The attacker reaches the execution boundary and stops.
In SSVC terms, the technical impact of that vulnerability has changed. It is no longer high, because the consequence the exploit was expected to produce cannot occur. A vulnerability that scored Act because it could lead to a financial transfer, a bulk data exfiltration, or an infrastructure configuration change now scores differently when the execution boundary is protected. Depending on the remaining criteria, it may drop to Attend or Track. The remediation urgency drops with it.
This is not a workaround or a rationalisation for deferring important security work. It is the correct application of CISA's own prioritisation methodology to an environment where the attack surface has materially changed. SSVC asks what the technical impact of exploitation would be. If the answer has changed because a new control has been deployed at the execution boundary, the SSVC score changes with it. That is the framework working as intended.
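To make the re-scoring argument concrete, here is an added Python example (written for this page; it is neither CISA's SSVC tooling nor GoFirm's product code). The decision-point names and values (Exploitation, Automatable, Technical Impact, Mission & Well-being, and the Track / Track* / Attend / Act outputs) follow CISA's SSVC deployer tree, but the `decide()` rule set is an assumed simplification of that tree, not its published lookup table; the `Consequence` categories, the `BOUNDARY_COVERED` mapping and the `VULN-*` backlog entries are constructed for the example. The one check it enforces is the one a practitioner wants before re-scoring anything: Technical Impact is only downgraded for a vulnerability whose exploitation path ends in a consequence the execution boundary actually gates, so ransomware and availability impact keep their original score.

```python
"""Illustrative SSVC-style re-scoring of a backlog (added example, not CISA code).

Decision-point names and values follow CISA's SSVC deployer tree. The decide()
policy is an ASSUMED simplification that keeps the tree's shape (Act needs total
impact, high mission/well-being and exploitation pressure); it is not CISA's
published decision table.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Exploitation(Enum):
    NONE = "none"
    POC = "poc"
    ACTIVE = "active"


class Automatable(Enum):
    NO = "no"
    YES = "yes"


class TechnicalImpact(Enum):
    PARTIAL = "partial"
    TOTAL = "total"


class MissionWellbeing(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


class Decision(Enum):
    TRACK = "Track"
    TRACK_STAR = "Track*"
    ATTEND = "Attend"
    ACT = "Act"


class Consequence(Enum):
    """What the exploitation path ultimately lets an attacker do (constructed set)."""
    FINANCIAL_TRANSFER = "financial transfer"
    BULK_EXFILTRATION = "bulk data exfiltration"
    CONFIG_CHANGE = "critical configuration change"
    RANSOMWARE = "OS-level ransomware"
    DENIAL_OF_SERVICE = "denial of service"


# Consequences the execution boundary gates behind out-of-band human confirmation
# (the article's examples); everything else bypasses the boundary. Assumed mapping.
BOUNDARY_COVERED = frozenset({
    Consequence.FINANCIAL_TRANSFER,
    Consequence.BULK_EXFILTRATION,
    Consequence.CONFIG_CHANGE,
})


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str  # constructed label, not a real CVE
    exploitation: Exploitation
    automatable: Automatable
    technical_impact: TechnicalImpact
    mission_wellbeing: MissionWellbeing
    consequence: Consequence


def decide(v: Vulnerability) -> Decision:
    """Assumed SSVC-like decision policy (see module docstring)."""
    total = v.technical_impact is TechnicalImpact.TOTAL
    high = v.mission_wellbeing is MissionWellbeing.HIGH
    # Active exploitation or an automatable path both raise urgency.
    pressure = v.exploitation is Exploitation.ACTIVE or v.automatable is Automatable.YES
    if total and high and pressure:
        return Decision.ACT
    if total and (pressure or high):
        return Decision.ATTEND
    if pressure and high:
        return Decision.ATTEND
    if pressure or v.mission_wellbeing is not MissionWellbeing.LOW:
        return Decision.TRACK_STAR
    return Decision.TRACK


def rescore(v: Vulnerability, boundary_protected: bool) -> Vulnerability:
    """Re-evaluate Technical Impact once the execution boundary is protected.

    Only a path whose consequence the control actually gates is downgraded;
    ransomware and availability impact keep their original score.
    """
    if boundary_protected and v.consequence in BOUNDARY_COVERED:
        return replace(v, technical_impact=TechnicalImpact.PARTIAL)
    return v


def rescore_backlog(backlog, boundary_protected=True):
    """Return (id, decision before, decision after) for each backlog entry."""
    return [(v.vuln_id, decide(v).value, decide(rescore(v, boundary_protected)).value)
            for v in backlog]


# Constructed sample backlog (identifiers and values are made up).
SAMPLE_BACKLOG = [
    Vulnerability("VULN-A", Exploitation.POC, Automatable.YES, TechnicalImpact.TOTAL,
                  MissionWellbeing.HIGH, Consequence.FINANCIAL_TRANSFER),
    Vulnerability("VULN-B", Exploitation.ACTIVE, Automatable.YES, TechnicalImpact.TOTAL,
                  MissionWellbeing.HIGH, Consequence.RANSOMWARE),
    Vulnerability("VULN-C", Exploitation.NONE, Automatable.YES, TechnicalImpact.TOTAL,
                  MissionWellbeing.MEDIUM, Consequence.BULK_EXFILTRATION),
]

if __name__ == "__main__":
    for row in rescore_backlog(SAMPLE_BACKLOG):
        print("%-8s %-7s -> %s" % row)
```

Run as a script, the sample backlog shows the redistribution the article describes: VULN-A (a financial-transfer path) drops from Act to Attend, VULN-B (ransomware, which never crosses the execution boundary) stays at Act, and VULN-C drops from Attend to Track*. Passing `boundary_protected=False` leaves every score unchanged, which is the state to compare against when auditing a re-scoring decision.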
The practical consequence is significant. Security teams that deploy GoFirm can formally re-score a category of their most urgent vulnerabilities. The Act designations that were driving emergency maintenance windows, weekend deployments, and crisis-mode patching decisions become Attend or Track designations that can be addressed in the next planned window. The pressure does not disappear. It redistributes to the vulnerabilities GoFirm cannot cover: OS-level ransomware, denial of service, availability attacks, and infrastructure impact that does not go through the execution boundary.
That redistribution is itself valuable. Security teams with a finite budget and finite engineering hours can focus their emergency response capacity on the vulnerabilities that remain genuinely urgent rather than treating every disclosed critical vulnerability as an existential emergency. The patch cycle does not end. It becomes rational.
CISA built SSVC to help organisations make better prioritisation decisions with the information available to them. GoFirm adds a new and material piece of information: the execution boundary is protected. For the vulnerabilities whose impact depended on reaching that boundary, the score changes. The time bought is not approximate. It is the measurable difference between an Act remediation timeline and an Attend or Track one.
GoFirm is The Authority Platform. Stop unauthorised action. Every time.
In association with Osinto.ai, the collective intelligence platform for Security, Resilience & Defence. Osinto’s AI-enabled open-source network and governed collaborative operational environment help mitigate the growing security, resilience and governance obligation in seconds, not days.
References
1. CISA, Stakeholder-Specific Vulnerability Categorization (SSVC), https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc
