ATLSECCON 2026 has ended
Thursday April 9, 2026 11:00am - 11:45am ADT
The Problem: The Severity vs. Exploitability Gap

Modern cybersecurity faces a paralyzing volume of disclosed vulnerabilities, yet traditional scoring systems like the Common Vulnerability Scoring System (CVSS) often fail to predict actual real-world risk. Research shows that 73% of vulnerabilities rated as high-severity by CVSS show little to no evidence of actual exploitation. Conversely, Advanced Persistent Threats (APTs) frequently exploit "low-risk" vulnerabilities by chaining them together into devastating attack paths, as seen in the HAFNIUM and ProxyShell campaigns. This leads to a dual crisis: "False Positive Fatigue" for security teams and a "Dependency Blindness" that leaves organizations vulnerable to hidden threats.

The Solution: The XYZ Framework

This talk introduces XYZ, a hybrid vulnerability assessment framework designed to shift the industry focus from static severity to dynamic exploitability. By integrating cross-source intelligence from over eight trusted repositories (including NVD, OSV, and ExploitDB), XYZ creates a centralized database of over 1.08 million records.
The framework's core innovation is the XYZ Score, a multi-dimensional algorithm that weights risk across four pillars:
• Base Risk (40%): Technical vulnerability characteristics.
• Exploitation History (30%): Observed real-world patterns and exploit availability.
• Environmental Context (20%): Dependency relationships and transitive impact.
• AI-Driven Assessment (10%): Exploitability confidence generated by a triadic AI Committee.
Key Takeaways and Impact

Attendees will discover how this methodology achieves 38x higher vulnerability coverage than traditional tools while reducing false positives by 50%. I will demonstrate how the system identifies Phantom Critical Vulnerabilities (PCVs): classifying "False Alarms" (Type 1) to save resources and unmasking "Hidden Threats" (Type 2) that traditional scanners miss. Finally, we will explore the automated attack chain detection that identifies high-risk paths in complex software dependency networks before they can be exploited.
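The weighting of the four pillars and the two PCV types described above can be illustrated with a small triage routine. This is an added example, not CyberXYZ's code: the 0-100 pillar scales, the CVSS and XYZ thresholds, and the sample records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Pillar weights as stated in the talk abstract (Base 40%, History 30%,
# Environment 20%, AI 10%).
WEIGHTS = {"base": 0.40, "history": 0.30, "environment": 0.20, "ai": 0.10}


@dataclass
class Vuln:
    vid: str            # constructed placeholder id, not a real CVE number
    cvss: float         # CVSS base score, 0-10
    base: float         # Base Risk pillar, 0-100 (assumed scale)
    history: float      # Exploitation History pillar, 0-100 (assumed scale)
    environment: float  # Environmental Context pillar, 0-100 (assumed scale)
    ai: float           # AI-Driven Assessment confidence, 0-100 (assumed scale)


def xyz_score(v: Vuln) -> float:
    """Weighted composite across the four pillars, on a 0-100 scale."""
    return round(sum(WEIGHTS[k] * getattr(v, k) for k in WEIGHTS), 1)


def classify_pcv(v: Vuln, high_cvss: float = 7.0, high_xyz: float = 60.0) -> str:
    """Flag disagreement between CVSS severity and XYZ exploitability.

    Thresholds are assumptions: CVSS >= 7.0 counts as high severity,
    XYZ >= 60 counts as likely exploitable.
    """
    severe = v.cvss >= high_cvss
    exploitable = xyz_score(v) >= high_xyz
    if severe and not exploitable:
        return "PCV Type 1 (False Alarm)"
    if exploitable and not severe:
        return "PCV Type 2 (Hidden Threat)"
    return "Consistent"


# Constructed records: a loud CVSS critical with no exploitation evidence,
# a "low" CVSS issue that is chained in the wild, and an ordinary critical.
SAMPLE = [
    Vuln("SAMPLE-001", 9.8, 90, 5, 20, 15),
    Vuln("SAMPLE-002", 4.3, 40, 85, 80, 75),
    Vuln("SAMPLE-003", 8.1, 80, 70, 60, 65),
]


def triage(vulns):
    """Return (id, XYZ score, PCV class) ordered by exploitability, not CVSS."""
    ranked = sorted(vulns, key=xyz_score, reverse=True)
    return [(v.vid, xyz_score(v), classify_pcv(v)) for v in ranked]


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```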
Speakers
Amro Haddadah

Founder & CEO, CyberXYZ
I am a security researcher who has published a few papers on current vulnerabilities and 0-day vulnerabilities in open source software. As an ex-Microsoft Cybersecurity Incident Response Team member, I have a passion for creating tools for investigations, analysis and more.

Argyle Suite 2