Financial Risk Exposure (FIRE) vulnerabilities are CVEs that insurance carriers have linked to insurance claims; claims serve as a proxy for financial losses. Incident Causing Exposures (ICE) are vulnerabilities known to be exploited by attackers but with no evidence of an associated financial loss. There is a large difference between a vulnerability, a breach, and a financial loss.
Financially motivated attackers do not appear to care when a vulnerability was published; they exploit whatever works for them. This graph refutes the idea that financial adversaries prefer zero-day exploits.
There is overlap between FIRE and the various KEV lists, but none of them is complete, and each catalog has different inclusion criteria. Even when the KEV lists are combined, they still miss a significant number of FIRE vulnerabilities. ICE is defined as the exploited vulnerabilities in those catalogs that do not overlap with FIRE, i.e. those that have not yet led to a financial loss according to the insurance carriers. The ICE sources so far are DFIR data, CISA KEV, ENISA KEV, VCDB, VulnCheck, Google Project Zero, Mandiant M-Trends, and the CrowdStrike Global Threat Report.
Data unavailable. Run fire and vulncheck processors.
Data unavailable. Run fire and enisa-kev processors.
Data unavailable. Run the pipeline (requires fire, kev, enisa-kev, vcdb, vulncheck, google-p0).
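The coverage and ICE computation described above, written out as an added example (not the page's own processors). It assumes a FIRE list and several exploited-vulnerability catalogs are already loaded as sets of CVE IDs; every CVE ID below is a constructed placeholder, not real claims data.

```python
"""Added example (not the page's pipeline): measure how much of a FIRE list each
exploited-vulnerability catalog covers, and derive the ICE set as the page defines it.
All CVE identifiers below are constructed placeholders, not real FIRE data."""

# Constructed sample data: a FIRE list (CVEs tied to insurance claims) and
# three exploited-vulnerability catalogs. IDs are placeholders.
FIRE = {"CVE-2000-0001", "CVE-2000-0002", "CVE-2000-0003", "CVE-2000-0004",
        "CVE-2000-0005", "CVE-2000-0006"}

CATALOGS = {
    "cisa_kev":  {"CVE-2000-0001", "CVE-2000-0002", "CVE-2000-0010", "CVE-2000-0011"},
    "enisa_kev": {"CVE-2000-0002", "CVE-2000-0003", "CVE-2000-0010"},
    "vulncheck": {"CVE-2000-0001", "CVE-2000-0003", "CVE-2000-0012"},
}


def coverage(fire, catalog):
    """Fraction of FIRE CVEs that also appear in `catalog` (recall of FIRE by the catalog)."""
    if not fire:
        return 0.0
    return len(fire & catalog) / len(fire)


def coverage_report(fire, catalogs):
    """Per-catalog coverage plus the coverage of all catalogs combined."""
    report = {name: coverage(fire, cat) for name, cat in catalogs.items()}
    union = set().union(*catalogs.values())
    report["union"] = coverage(fire, union)
    return report


def ice(fire, catalogs):
    """ICE: CVEs known to be exploited (in any catalog) with no FIRE claim evidence."""
    union = set().union(*catalogs.values())
    return union - fire


def missed_by_all(fire, catalogs):
    """FIRE CVEs that no catalog lists: the gap the combined KEV lists still leave."""
    union = set().union(*catalogs.values())
    return fire - union


if __name__ == "__main__":
    for name, frac in coverage_report(FIRE, CATALOGS).items():
        print(f"{name:10s} covers {frac:.0%} of FIRE")
    print("ICE:", sorted(ice(FIRE, CATALOGS)))
    print("FIRE missed by every catalog:", sorted(missed_by_all(FIRE, CATALOGS)))
```

The union coverage is the number to watch: if it stays well below 100% after every catalog is merged, the catalogs are not a substitute for claims data, which is the point the page makes.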
Google Project Zero tracks CVEs exploited in the wild before a patch existed. There does not appear to be a significant overlap between FIRE and Google Project Zero. This may indicate the type of adversary that uses zero-day exploits is not the same as the type of adversary that is interested in FIRE vulnerabilities.
How do FIRE vulnerabilities score on EPSS? EPSS is a machine-learning model that estimates the probability that a vulnerability will be exploited in the next 30 days. By FIRST's own admission it is not a perfect measure, and first.org guidance says it should complement rather than replace KEV lists; even with that in mind, it does not appear to be a good proxy for predicting loss.
Data unavailable. Run fire and epss processors.
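One way to test the claim above, as an added example that is not the page's own processor: load EPSS scores in the public CSV layout (a leading `#model_version` comment line, then `cve,epss,percentile`), treat everything at or above a threshold as "predicted exploited", and compare that prediction against FIRE membership. The rows and CVE IDs are constructed placeholders.

```python
"""Added example (not the page's pipeline): score EPSS as a predictor of FIRE
membership. Parses EPSS CSV rows in the public 'cve,epss,percentile' layout,
skipping the leading '#model_version' comment line, then computes for a threshold
how many FIRE CVEs EPSS would have flagged (recall) and how many flagged CVEs are
FIRE (precision). All rows and CVE IDs below are constructed placeholders."""

import csv
import statistics

# Constructed sample in the EPSS CSV layout; values are made up.
EPSS_CSV = """#model_version:v0000.00.00,score_date:2000-01-01T00:00:00+0000
cve,epss,percentile
CVE-2000-0001,0.92000,0.99000
CVE-2000-0002,0.01500,0.80000
CVE-2000-0003,0.00400,0.50000
CVE-2000-0004,0.70000,0.97000
CVE-2000-0005,0.00090,0.20000
CVE-2000-0006,0.00100,0.25000
"""

# Constructed FIRE set (placeholder IDs).
FIRE = {"CVE-2000-0001", "CVE-2000-0003", "CVE-2000-0005"}


def parse_epss(text):
    """Return {cve: epss} from EPSS CSV text, ignoring '#' comment lines."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return {row["cve"]: float(row["epss"]) for row in csv.DictReader(lines)}


def evaluate_threshold(scores, fire, threshold):
    """Treat epss >= threshold as 'will be exploited' and compare with FIRE."""
    flagged = {c for c, s in scores.items() if s >= threshold}
    tp = len(flagged & fire)
    recall = tp / len(fire) if fire else 0.0          # share of FIRE that EPSS caught
    precision = tp / len(flagged) if flagged else 0.0  # share of flagged that are FIRE
    return {"flagged": len(flagged), "recall": recall, "precision": precision}


def fire_score_summary(scores, fire):
    """Median EPSS of FIRE CVEs vs all other CVEs: does the score separate them?"""
    in_fire = [s for c, s in scores.items() if c in fire]
    rest = [s for c, s in scores.items() if c not in fire]
    return statistics.median(in_fire), statistics.median(rest)


if __name__ == "__main__":
    scores = parse_epss(EPSS_CSV)
    for t in (0.01, 0.1, 0.5):
        print(t, evaluate_threshold(scores, FIRE, t))
    print("median EPSS, FIRE vs rest:", fire_score_summary(scores, FIRE))
```

Run this over the real EPSS feed and the real FIRE list: a useful predictor gives high recall at a threshold that still flags a small fraction of all CVEs, and a FIRE median well above the non-FIRE median. Low recall at every usable threshold is what "not a good proxy for loss" looks like in numbers.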
The various sources of CVE and CVSS data each have different inclusion criteria and severity ratings for FIRE vulnerabilities. A number of these sources are incomplete: they omit some FIRE vulnerabilities, assign them different severities, rate CVEs that led to losses as low, or fail to score them at all.
Data unavailable. Run fire and nvd processors.
Data unavailable. Run fire, nvd, and euvd processors.
Data unavailable. Run fire, nvd, and cnvd processors.
Data unavailable. Run fire, nvd, and jvndb processors.
The relationship between the severity of a CVE and the breach/loss category is virtually non-existent. The left side of the diagram shows the severity of the CVE and the right side shows the breach/loss category. Attackers do not appear to care about the severity rating of a CVE; they exploit whatever works for them.
Data unavailable. Run fire, kev, enisa-kev, vcdb, vulncheck, google-p0, and nvd processors.
Verizon DBIR and Mandiant M-Trends track CVEs from breach investigations one year at a time. They overlap with FIRE to some extent, but so few new vulnerabilities are used in breaches each year that the year-over-year overlap counts are very low.
Data unavailable. Run fire and vcdb processors.
Data unavailable. Place mandiant-m-trends-2025.csv in data/raw/ and run the pipeline.
The common wisdom about the "Metasploit metric" appears to be wrong: there is very little overlap between CVEs with Metasploit modules and actual losses. The same holds for Nuclei, which has become a standard tool among penetration testers.
Data unavailable. Run fire and metasploit processors.
Data unavailable. Run fire and nuclei processors.
The common understanding that CVEs with public exploit references are the ones that frequently lead to losses appears to be wrong. The percentages below show how infrequently FIRE maps to ExploitDB entries or to CVEs with exploit references in cvelistV5.
Data unavailable. Run fire and cvelistV5 processors.
Data unavailable. Run fire and exploitdb processors.
The Common Weakness Enumeration (CWE) is a list used to classify the weakness type behind a vulnerability. Not every CWE has even one FIRE vulnerability, but some have many. The MITRE CWE Top 25 is MITRE's list of the most dangerous software weaknesses, ranked by how often and how severely they appear in CVE data.
Data unavailable. Run fire, cwe, and cvelistV5 processors.
Proportion of CWEs with one or more FIRE vulnerabilities.
Data unavailable. Run fire, cwe, and cvelistV5 processors.
The Open Web Application Security Project (OWASP) Top 10 is a list of the web application security risks most often found by vendors who test web applications. Not every OWASP Top 10 category appears to have a CVE that has ever been used in a cyber insurance claim.
Data unavailable. Run fire, owasp, and cvelistV5 processors.
The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework attempts to document what adversaries use in practice. Each point in the following graph is one ATT&CK group; the scatter shows what percentage of that group's TTPs use CISA KEV CVEs versus FIRE CVEs. A hole in the data appears in the bottom right quadrant: there is little representation of groups that primarily use FIRE vulnerabilities, suggesting MITRE ATT&CK may not be tracking many financial-fraud-focused groups.
Data unavailable. Run fire, kev, attack-stix, and mappings-explorer processors.
The overlap between ransomware group names (from PrivTools EU, RansomFeed.it, and Zywave claims) and the groups MITRE ATT&CK identifies is very low. MITRE ATT&CK does not appear to track most financial fraud and ransomware groups in its dataset.
Data unavailable. Run privtools-eu, attack-stix processors.
Data unavailable. Run ransomfeed-it, attack-stix processors.
Data unavailable. Place cyber_incident*.csv in data/raw/Zywave/zywave-archive-*/ and run attack-stix.
Not all industries suffer losses of the same size, according to Zywave claims data. Each bubble represents one sector or actor: the X axis shows the number of claims, the Y axis shows the total claimed amount (USD), and the bubble size shows the average dollar amount per breach. Hover for details, including group name.
Data unavailable. Place cyber_incident*.csv in data/raw/Zywave/zywave-archive-*/.
The most common CVSS vector attributes among FIRE vulnerabilities give some window into what financially motivated attackers find most valuable, based on claims data. The eight base metrics of a CVSS 3.x vector are Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), Scope (S), Confidentiality (C), Integrity (I), and Availability (A).
Data unavailable. Run fire and nvd processors.
The single most common CVSS vector, while frequent, does not account for enough FIRE vulnerabilities to limit the view to it alone. The following is a breakdown of the most common CVSS vectors among FIRE vulnerabilities versus all CVEs (NVD).
Data unavailable. Run fire and nvd processors.
Data unavailable. Run nvd processor.
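The per-attribute tally described in the CVSS vector section above, and the top-vector share discussed just before this, both come down to parsing CVSS 3.x vector strings as NVD publishes them. The following is an added example of that parsing and counting, not the page's own processor; the vector strings are constructed samples rather than real FIRE or NVD data.

```python
"""Added example (not the page's pipeline): parse CVSS 3.x vector strings, tally how
often each value of the eight base metrics appears in a CVE set, and measure what
share the single most common full vector holds. Vectors below are constructed
samples, not real FIRE or NVD data."""

from collections import Counter

BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")

# Constructed sample: vector strings in the form NVD publishes in its cvssMetricV3x data.
FIRE_VECTORS = [
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
    "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
]


def parse_vector(vector):
    """Return {metric: value} for the eight base metrics of a CVSS 3.x vector.

    Raises ValueError on a malformed, incomplete or non-3.x vector so that a bad
    NVD row is rejected instead of being silently counted as a metric value."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"not a CVSS 3.x vector: {vector}")
    metrics = {}
    for part in parts[1:]:
        key, _, value = part.partition(":")
        if key in BASE_METRICS and value:
            metrics[key] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"vector missing base metrics {missing}: {vector}")
    return metrics


def attribute_frequencies(vectors):
    """{metric: Counter(value -> count)} across all vectors in the set."""
    freq = {m: Counter() for m in BASE_METRICS}
    for v in vectors:
        for m, val in parse_vector(v).items():
            freq[m][val] += 1
    return freq


def most_common_values(vectors):
    """The most frequent value per metric, e.g. {'AV': 'N', 'AC': 'L', ...}."""
    return {m: c.most_common(1)[0][0] for m, c in attribute_frequencies(vectors).items()}


def top_vector_share(vectors):
    """Most common full vector (version prefix dropped) and its share of the set."""
    normalised = ["/".join(v.split("/")[1:]) for v in vectors]
    vec, n = Counter(normalised).most_common(1)[0]
    return vec, n / len(normalised)


if __name__ == "__main__":
    for metric, counts in attribute_frequencies(FIRE_VECTORS).items():
        print(metric, dict(counts))
    print("top vector:", top_vector_share(FIRE_VECTORS))
```

Running the same functions over the FIRE set and over all of NVD, then comparing the two frequency tables metric by metric, is the comparison the charts above make; the version prefix is dropped in `top_vector_share` so that an identical 3.0 and 3.1 vector count as the same attack profile.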