Vulnerability Prioritization and Improvements in Vulnerability Scoring
Vulnerability Prioritization is the process of determining which vulnerabilities are most critical and which ones corporations should focus their resources towards. Researchers at Marist University are working on a project to improve this process by accounting for context in an organization as well as using prompt engineering to help automatically make the connections between vulnerabilities and MITRE ATT&CK tactics, techniques, and procedures.[1]
Current vulnerability scoring methods (like CVSS) often overestimate risk, ignore contextual factors, and don’t account for real-world threat activity. This leaves security analysts overwhelmed with thousands of vulnerabilities and little guidance on which ones matter most. These scoring methods also rate each vulnerability in isolation rather than the broader cyber threat it is part of.[2]
Proposed Solution
The researchers have designed a modified vulnerability prioritization method called the “MITRE Mapper.” Drawing direct correlations between MITRE ATT&CK tactics, techniques, and procedures and vulnerabilities, formally identified in the industry as CVEs, is called mapping. The MITRE Mapper uses prompt engineering with AI models, such as GPT, to automatically map software vulnerabilities (CVEs) to hardware and software weaknesses (CWEs), and then to MITRE ATT&CK techniques (TTPs).[3] With this process, the industry would be able to see more efficiently the direct correlations between common vulnerabilities, the weaknesses that cause them to appear, and the tactics and techniques threat actors will try to use to exploit them.[4]
How does the MITRE Mapper tool work?
- Collect relevant CVE descriptions and use AI prompts to extract detailed summary of the vulnerability
- Use AI prompts to take the summary and make correlations to potential weaknesses (CWEs) that may cause the CVE to occur
- Use AI prompts to map CVEs → CWEs → TTPs based on keywords and contextual understanding of the descriptions of all three parts
- Assign a relevancy score that helps organizations see which vulnerabilities are most likely to be exploited against them
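The four steps above form one pipeline. The following is an added example, not code from the Marist team or the paper, that runs the same chain offline: it replaces the AI prompts with deterministic keyword rules (the CVE descriptions, the keyword tables, and the per-technique exposure weights in `ORG_EXPOSURE` are all constructed for this example, while the CWE and ATT&CK identifiers are real). When a description gives nothing specific to work with, the mapper falls back to the broad techniques T1190 and T1210 with low confidence, which is the over-broad mapping behaviour the limitations section describes, and it flags that mapping for analyst review instead of silently ranking it.

```python
import re
from dataclasses import dataclass

# Constructed sample CVE records: the identifiers and descriptions are made up for this example.
SAMPLE_CVES = {
    "CVE-0000-0001": (
        "SQL injection in the login endpoint of the public-facing web portal allows "
        "unauthenticated remote attackers to execute arbitrary SQL via the user parameter."
    ),
    "CVE-0000-0002": (
        "Heap-based buffer overflow in the desktop PDF viewer allows arbitrary code "
        "execution when a user opens a crafted document."
    ),
    "CVE-0000-0003": (
        "An unspecified vulnerability allows remote attackers to cause a denial of service."
    ),
}

# Step 1: the facets a summary should capture (assumed vocabulary; the paper uses an AI prompt).
FACETS = {
    "remote": r"\bremote\b|\bnetwork\b",
    "public_facing": r"public-facing|web portal|web application",
    "client_side": r"user opens|crafted (document|file)|viewer",
    "code_exec": r"code execution|arbitrary (sql|code|command)",
    "dos": r"denial of service",
}

# Step 2: keyword -> CWE (real CWE ids; the keyword lists are this example's assumption).
CWE_KEYWORDS = {
    "CWE-89": ("sql injection", "arbitrary sql"),
    "CWE-78": ("command injection", "shell command"),
    "CWE-787": ("buffer overflow", "out-of-bounds write"),
    "CWE-79": ("cross-site scripting", "xss"),
}

# Broad ATT&CK techniques that a vague description tends to fall back to.
BROAD_TECHNIQUES = ("T1190", "T1210")

# Assumed organisational context: how exposed this organisation is to each technique
# (1.0 = core of the attack surface). A real deployment would derive this from asset inventory.
ORG_EXPOSURE = {"T1190": 1.0, "T1059": 0.8, "T1210": 0.7, "T1203": 0.5}


@dataclass(frozen=True)
class Mapping:
    cve: str
    cwes: tuple
    techniques: tuple
    confidence: float   # 1.0 = specific evidence in the description, 0.3 = broad fallback
    relevancy: float    # confidence weighted by the organisation's exposure


def summarize(description):
    """Step 1: reduce a CVE description to boolean facets."""
    text = description.lower()
    return {name: bool(re.search(pattern, text)) for name, pattern in FACETS.items()}


def map_cwes(description):
    """Step 2: weaknesses whose keywords appear in the description."""
    text = description.lower()
    return tuple(cwe for cwe, words in CWE_KEYWORDS.items() if any(w in text for w in words))


def map_techniques(cwes, facets):
    """Step 3: CWE + facets -> ATT&CK techniques, with a flagged broad fallback."""
    techniques = []
    if facets["remote"] and facets["public_facing"]:
        techniques.append("T1190")  # Exploit Public-Facing Application
    if facets["client_side"] and facets["code_exec"]:
        techniques.append("T1203")  # Exploitation for Client Execution
    if "CWE-78" in cwes:
        techniques.append("T1059")  # Command and Scripting Interpreter
    if techniques:
        return tuple(techniques), (1.0 if cwes else 0.7)
    # Nothing specific was said: reproduce the over-broad mapping the paper reports for vague CVEs.
    return BROAD_TECHNIQUES, 0.3


def map_cve(cve_id, description, exposure=ORG_EXPOSURE):
    """Run the full chain for one CVE and attach a relevancy score (step 4)."""
    facets = summarize(description)
    cwes = map_cwes(description)
    techniques, confidence = map_techniques(cwes, facets)
    relevancy = round(confidence * max(exposure.get(t, 0.0) for t in techniques), 2)
    return Mapping(cve_id, cwes, techniques, confidence, relevancy)


def prioritize(cves=SAMPLE_CVES, exposure=ORG_EXPOSURE):
    """Map every CVE and order by relevancy, highest first."""
    mapped = [map_cve(cve_id, desc, exposure) for cve_id, desc in cves.items()]
    return sorted(mapped, key=lambda m: m.relevancy, reverse=True)


if __name__ == "__main__":
    for m in prioritize():
        flag = "  <- needs analyst review" if m.confidence < 0.5 else ""
        print(f"{m.cve}: {m.cwes} -> {m.techniques} relevancy={m.relevancy}{flag}")
```

The relevancy score is deliberately two-part: confidence reflects how much the description itself supports the mapping, and exposure reflects the organisation's own context, so a vague CVE on a heavily exposed surface still ranks below a well-described one, but never disappears from the list.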
What are the results of this research?
In testing, the tool achieved a 61% success rate in correctly mapping vulnerabilities to ATT&CK techniques, with better accuracy when CVE descriptions contained more detail.[5]
What are some current limitations of this system?
The consistency of the system depends on how detailed each individual CVE's description is. When the CVE description is vague, the mapper tends to correlate it with TTPs that have broader scopes, such as T1190 or T1210. The MITRE Mapper was originally written and developed using MITRE ATT&CK v9.0, whereas as of September 2025 the current release is ATT&CK v17.1. Version 9 of ATT&CK has 185 techniques and 367 sub-techniques, whereas version 17 has 211 techniques and 468 sub-techniques.[6] The larger technique set in the newest version would allow the mapper to apply more detailed and descriptive mappings, resulting in more accurate prioritization.[7]
What is the current development on the MITRE Mapper?
The research team currently working on the project is branching out into cyber threat intelligence reports (CTIs), which include vulnerabilities and weaknesses that companies have faced and reported on after an extended period. These reports contain more detail and context on what companies prioritize in their organization. With the increased detail, the team plans on increasing accuracy and relevancy through incorporating CTI reports into the tool.
How can this affect the future of the cyber industry?
As AI becomes more prevalent, a program and system like this could potentially take over the work of those who do this mapping for a living, and will likely be able to do the mappings faster and more efficiently. The method isn’t meant to replace traditional scoring methods such as CVSS or EPSS but rather to supplement them with context-relevant prioritization. It can also be used as a training tool for analysts learning how to perform CVE-to-TTP or CTI-to-TTP mappings.
References
1. Tristan Barboni et al., “Threat-Based Vulnerability Prioritization Through Prompt Engineering,” in Proceedings of the 20th Annual Symposium on Information Assurance (ASIA ’25) (Albany, NY: University at Albany, SUNY, 2025), 19.
2. Jonathan M. Spring et al., “Time to Change the CVSS?” IEEE Security & Privacy 19, no. 2 (March 2021).
3. Barboni et al., “Threat-Based Vulnerability Prioritization,” 23.
4. Kai Zhang, Xiaoyang Wang, and Qiang Wei, “Automated Mapping of Common Vulnerabilities and Exposures to MITRE ATT&CK Tactics,” Information 15, no. 4 (April 2024).
5. Barboni et al., “Threat-Based Vulnerability Prioritization,” 25.
6. MITRE Corporation, “Enterprise Techniques,” MITRE ATT&CK, accessed September 18, 2025.
7. MITRE Corporation, “Enterprise Techniques,” MITRE ATT&CK, version 9.0 (April 29, 2021–October 20, 2021).