Watch the stream
May 16 11:30 AM EDT
Talks will be streamed on YouTube and Twitch for free.
Vulnerability scoring is supposed to bring order to the chaos of risk management, but in practice, it can feels more like reading tarot cards or poking at entrails than applying science. CVSS performs monkey math to force fractal bell curves, EPSS tries to predict exploitation with statistical black magicks, and SSVC ditches math entirely in favor of structured gut feelings.
Meanwhile, defenders mix and match shortcuts — KEV lists, vendor advisories, and lived experience — to separate the truly urgent from the merely annoying. But are we actually making better risk decisions, or just using these frameworks to justify what we were going to do anyway?
This talk will dig into the strengths, weaknesses, and absurdities of CVSS, EPSS, and SSVC, comparing them to the reality of how security teams actually handle vulnerabilities. Tod will explore where these models help, where they mislead, and whether any of them are meaningfully better than rolling a D20 saving throw vs exploitation. Expect debate, disagreements, and plenty of astrology jokes.
Tod Beardsley VP of Security Research, runZero
Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government. He's also a founder and CNA point of contact for AHA!. He spends much of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern ICS/OT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as the Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Tod is a CVE Board member, has authored several research papers, and hosted Rapid7's Security Nation podcast with Jen Ellis. He is also a Travis County Election Judge in Texas, and is an internationally-tolerated horror fiction expert.