What is Threat Discovery Level (TDL)? — Vulnerability Ranking from CVSS × EPSS

PentaTrail Team · 6 min read

Why Better Prioritization is Needed

The biggest challenge security teams face is identifying which vulnerabilities truly require action among an overwhelming volume.

  • Approximately 30,000 new CVEs are published annually
  • About 15% are Critical (CVSS ≥ 9.0)
  • Yet only 2–5% are actually exploited in the wild

Prioritizing by CVSS alone wastes scarce resources on low-risk vulnerabilities. As a result, the genuinely dangerous ones may be addressed too late.

What is Threat Discovery Level (TDL)?

Threat Discovery Level (TDL) is the vulnerability ranking metric used by PentaTrail/CTEM. It maps each vulnerability to one of 5 levels based on CVSS (technical severity) and EPSS (exploit probability). tdl5 is the most critical; tdl1 is minor.

How it's computed

TDL combines two axes:

Technical severity (CVSS)

  • Impact when the vulnerability is exploited
  • Ease of attack (attack vector, complexity, required privileges)

Exploit probability (EPSS)

  • Probability of exploitation within the next 30 days
  • Availability of exploit code, dark web mentions

Base TDL table

Condition                    TDL
---------------------------  ----
CVSS ≥ 9 and EPSS ≥ 0.1      tdl5
CVSS ≥ 9                     tdl4
CVSS ≥ 7 and EPSS ≥ 0.1      tdl4
CVSS ≥ 7                     tdl3
CVSS ≥ 4 and EPSS ≥ 0.1      tdl3
CVSS ≥ 4                     tdl2
EPSS ≥ 0.1                   tdl2
Otherwise                    tdl1

Effective TDL — Three Corrections

PentaTrail applies three corrections to the base TDL to determine the effective TDL.

Evidence Grade adjustment

Lowers TDL by 0–3 levels based on detection evidence quality. Findings detected by multiple sources or confirmed via active validation receive no shift (Grade A). Findings backed only by external CVE data may be lowered up to 3 levels (Grade D).

AI Deep Scan result reflection

PentaTrail actively scans targets. When a finding cannot be confirmed, TDL is lowered by 1 level, reflecting the assumption that "the issue is likely unreachable from outside or already silently patched."

KEV boost

Vulnerabilities listed in KEV (Known Exploited Vulnerabilities) have proven real-world exploitation, so TDL is raised by 1 level.

For details on each correction, see Threat Exposure Risk.
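The base table and the three corrections above can be expressed as a short scoring routine. The following is an added example written for this article, not PentaTrail's own code. It reads the base table top to bottom and applies the first matching row; the Evidence Grade shifts for grades B and C (the article states only A = 0 and D = up to 3), the clamping of the result to the tdl1–tdl5 range, and the order in which the corrections are applied are assumptions made for the example. The sample findings are constructed.

```python
"""Added example: base and effective TDL as described in this article.

Not PentaTrail's implementation. Grade B/C shifts, clamping to 1..5 and the
order of corrections are assumptions; sample findings are constructed.
"""

EPSS_THRESHOLD = 0.1  # EPSS cut-off used throughout the base table


def base_tdl(cvss: float, epss: float) -> int:
    """Return the base TDL (1-5), evaluating the table rows top to bottom."""
    high_epss = epss >= EPSS_THRESHOLD
    if cvss >= 9 and high_epss:
        return 5
    if cvss >= 9:
        return 4
    if cvss >= 7 and high_epss:
        return 4
    if cvss >= 7:
        return 3
    if cvss >= 4 and high_epss:
        return 3
    if cvss >= 4:
        return 2
    if high_epss:
        return 2
    return 1


# Evidence Grade shift. The article gives A = 0 and D = up to 3;
# the B and C values are an assumption for this example.
EVIDENCE_SHIFT = {"A": 0, "B": 1, "C": 2, "D": 3}


def effective_tdl(cvss: float, epss: float, evidence_grade: str = "A",
                  deep_scan_confirmed: bool = True, in_kev: bool = False) -> int:
    """Apply the three corrections to the base TDL.

    Order (assumed): Evidence Grade, AI Deep Scan, KEV boost. The result is
    clamped to the five defined levels (assumption).
    """
    level = base_tdl(cvss, epss)
    level -= EVIDENCE_SHIFT[evidence_grade]   # weaker evidence lowers TDL
    if not deep_scan_confirmed:
        level -= 1                            # unconfirmed by active scan
    if in_kev:
        level += 1                            # proven real-world exploitation
    return max(1, min(5, level))


def prioritize(findings: list[dict]) -> list[tuple[str, int]]:
    """Rank findings by effective TDL (highest first), CVSS as tie-breaker."""
    scored = [
        (f["id"], effective_tdl(f["cvss"], f["epss"], f["grade"],
                                f["confirmed"], f["kev"]), f["cvss"])
        for f in findings
    ]
    scored.sort(key=lambda t: (-t[1], -t[2]))
    return [(fid, level) for fid, level, _ in scored]


# Constructed sample findings (not real CVEs or customer data).
SAMPLE_FINDINGS = [
    # CVSS Critical but rarely exploited, well evidenced -> stays tdl4
    {"id": "F-1", "cvss": 9.8, "epss": 0.02, "grade": "A", "confirmed": True, "kev": False},
    # CVSS High, high EPSS, listed in KEV -> boosted to tdl5
    {"id": "F-2", "cvss": 7.5, "epss": 0.45, "grade": "A", "confirmed": True, "kev": True},
    # CVSS Critical, but weak evidence and unconfirmed -> lowered to tdl1
    {"id": "F-3", "cvss": 9.1, "epss": 0.01, "grade": "D", "confirmed": False, "kev": False},
    # Low CVSS, high EPSS -> tdl2 by the EPSS row, lowered once by grade B
    {"id": "F-4", "cvss": 3.1, "epss": 0.30, "grade": "B", "confirmed": True, "kev": False},
]

if __name__ == "__main__":
    for fid, level in prioritize(SAMPLE_FINDINGS):
        print(f"{fid}: tdl{level}")
```

Running the block ranks F-2 above F-1: the CVSS High finding with active exploitation evidence outranks the CVSS Critical one that nobody is exploiting, which is the point the article makes about CVSS-only triage. F-3 shows how a weakly evidenced, unconfirmed finding drops to the bottom even with a Critical CVSS score.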

Comparison with Traditional Approaches

Approach                 Annual workload   Issue
-----------------------  ----------------  ----------------------------------------------
CVSS Critical only       ~4,500 items      Misses some important vulnerabilities
CVSS High and above      ~15,000 items     Mostly low-risk, excessive resource use
TDL-based                ~1,500 items      Focuses on genuinely dangerous vulnerabilities

Adopting TDL drastically reduces workload while maximizing risk reduction.

Display in the Dashboard

The PentaTrail dashboard color-codes vulnerabilities by TDL. Each finding card shows the CVSS score, EPSS score, Evidence Grade, and KEV status, so you can see at a glance why the TDL is what it is.

Relationship to TER

TDL is the technical-risk axis. Combined with the business-risk axis — the Business Impact (BI) Score — it produces Threat Exposure Risk (TER), the true risk an organization faces.

Summary

Vulnerability management succeeds or fails based on whether you can allocate scarce resources where they matter most. Moving from CVSS-only to TDL — which combines EPSS, KEV, Evidence Grade, and AI Deep Scan — significantly improves both team productivity and risk reduction.

To start TDL-based vulnerability management with PentaTrail/CTEM, Start Your 14-Day Free Trial.
