Improving risk reporting part 2

Now that we understand how the data classification of systems and information can be used to prioritize the remediation of vulnerabilities, we can take this a step further and use threat intelligence to prioritize remediation based on the relevance of each vulnerability.

Here is an example. Threat intelligence reports that a HIGH severity vulnerability in a piece of software, A, is being exploited. A high impact system on the network has this vulnerability, but it also has another high-level vulnerability, B, and a HIGH impact non-conformance to a configuration, C. Because this information is filtered through risk to amplify the threat intelligence, the report delivered to the stakeholder should focus on addressing vulnerability A. This is not because B or C are less important than A, but because an exploitation attempt against A is more likely.
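The following sketch works through that prioritization in Python. It is an added example, not code from the book. The system names, the extra LOW impact system, and the ordering rule (exploited first, then system impact, then severity) are assumptions made for illustration.

```python
from dataclasses import dataclass

LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}

@dataclass(frozen=True)
class Finding:
    ident: str          # vulnerability or non-conformance identifier
    kind: str           # "vulnerability" or "non-conformance"
    severity: str       # severity of the finding itself
    system: str         # hypothetical system name
    system_impact: str  # impact level from the system's data classification

def prioritize(findings, exploited_ids):
    """Rank findings: reported-as-exploited first, then system impact, then severity.

    The ordering is an assumed policy. sorted() is stable, so findings that tie
    on all three criteria keep their input order.
    """
    def key(f):
        return (f.ident in exploited_ids, LEVELS[f.system_impact], LEVELS[f.severity])
    return sorted(findings, key=key, reverse=True)

def report(findings, exploited_ids):
    """Build stakeholder report rows: (rank, finding, system, reason)."""
    rows = []
    for rank, f in enumerate(prioritize(findings, exploited_ids), start=1):
        reason = ("threat intelligence reports exploitation"
                  if f.ident in exploited_ids else "no exploitation reported")
        rows.append((rank, f.ident, f.system, reason))
    return rows

# Constructed sample data: A, B and C on the high impact system from the text,
# plus the same vulnerability A on an assumed LOW impact system.
SAMPLE = [
    Finding("B", "vulnerability", "HIGH", "high-impact-system", "HIGH"),
    Finding("C", "non-conformance", "HIGH", "high-impact-system", "HIGH"),
    Finding("A", "vulnerability", "HIGH", "low-impact-system", "LOW"),
    Finding("A", "vulnerability", "HIGH", "high-impact-system", "HIGH"),
]
EXPLOITED = {"A"}  # constructed threat intelligence input

if __name__ == "__main__":
    for row in report(SAMPLE, EXPLOITED):
        print(*row, sep=" | ")
```

Without the threat intelligence input, A, B and C tie on the high impact system; the exploited flag is what moves A to the top of the report.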
