How ExPRT.AI Predicts the Next Exploited Vulnerability | CrowdStrike
overwhelmed, especially those relying on outdated tools. ExPRT.AI, the native intelligence engine embedded in CrowdStrike Falcon®️ Exposure Management, is built to help teams prioritize which vulnerabilities are most urgent for them.
Without real-world adversary telemetry, most vulnerability management tools are disconnected from attacker behavior. Their backward-looking threat feeds only assess risk after adversaries act. With shallow automation, their triage still depends on manual rules, tagging, and guesswork.
All the while, adversaries are getting faster: The eCrime breakout time has dropped to a low of 51 seconds, the CrowdStrike 2025 Threat Hunting Report found. SCATTERED SPIDER has accelerated from account takeover to ransomware in just 24 hours.
ExPRT.AI does more than score vulnerabilities. It predicts which will be exploited, using live adversary signals, observed attack behavior, and AI trained on CrowdStrike's proprietary threat intelligence. With ExPRT.AI, security can act faster to fix the vulnerabilities most critical to their environment.
How ExPRT.AI Knows What Attackers Will Exploit
ExPRT.AI takes a fundamentally different approach than traditional scanning tools that still rely on static severity ratings, statistical projections, and legacy scanning infrastructure. It uses AI trained on years of threat intelligence from CrowdStrike Counter Adversary Operations, combined with observed exploit behavior and global telemetry across endpoints, cloud workloads, and identities. The result is a dynamic, transparent, and forward-looking exploitability score that indicates what attackers are most likely to target next.
While CVSS score is an important factor, the decision to prioritize a patch should not be based on this score alone. In fact, attackers sometimes favor lower-severity vulnerabilities, in particular when chaining vulnerabilities — a method that allows adversaries to achieve remote code execution (RCE) by combining multiple exploits into a single attack.
As explained in the CrowdStrike 2025 Global Threat Report, exploit chaining undermines the severity score-based patching process that many businesses follow. While pre-authentication vulnerabilities receive out-of-band patches and are typically prioritized for patching, associated post-authentication exploits receive less attention and may be ignored. This could potentially allow the exploit to be chained with a different vulnerability later on to again achieve RCE.
Unless an organization addresses the root cause of multiple vulnerabilities, threat actors can repurpose similar techniques and quickly develop alternatives that bypass initial mitigations. Given this, it's essential to understand the context of vulnerabilities when prioritizing patching.
ExPRT.AI evaluates vulnerabilities in the context of real attacker tradecraft. And it gets smarter every day.
The Mechanics of Prediction: Inside the ExPRT.AI Model
ExPRT.AI is trained to rank vulnerabilities based on how likely they are to be exploited in the real world. Powered by years of CrowdStrike's proprietary threat intelligence, adversary tradecraft, and real-time telemetry, the model doesn't ask, "How bad is this vulnerability in theory?" It asks, "Would an attacker actually use this?"
To answer this, ExPRT.AI evaluates a blend of behavioral and environmental factors, including:
- How broadly the affected software is deployed across global environments
- Whether exploitation techniques are public or already weaponized
- How easy it is to execute (e.g., no user interaction, remote code execution)
- Whether it enables adversary objectives like persistence, lateral movement, or privilege escalation
With this information, it shares the real-world exploitability of each vulnerability so teams can focus on what's likely to be used against them.
How the Exploitability Score Is Created
Each vulnerability is evaluated using a curated set of adversary-aligned signals. These inputs are indicators of attacker interest, intent, and opportunity, and they're mapped directly to outcomes that matter for defenders.
The signals listed below are some of the most impactful and predictive, based on what we consistently observe in real-world exploit activity. They represent a subset of the broader set of inputs ExPRT.AI uses to assess exploitability.
- Exploit activity: CrowdStrike tracks vulnerability exploitation in the wild. If attackers are already using a vulnerability, ExPRT.AI prioritizes it.
- Adversary tooling reuse: ExPRT.AI identifies vulnerabilities included in malware kits, offensive security tools, and active campaign infrastructure. This helps security teams detect and patch flaws that are already operationalized in attacker workflows.
- Software prevalence: The broader the deployment of the affected software, the more attractive the vulnerability becomes to adversaries seeking scale. By factoring in prevalence, ExPRT.AI helps teams prioritize vulnerabilities that attackers are more likely to target across environments.
- Patch availability: ExPRT.AI evaluates whether a patch exists and how widely it's been adopted. This helps defenders focus on exposures that are still viable attack vectors.
- Attack vectors: While ExPRT.AI moves beyond CVSS, it still incorporates key vectors like attack complexity, required privileges, and user interaction. This ensures the exploitability score reflects the true exploit potential of a vulnerability.
- CrowdStrike Threat Graph®️: Every score is enriched with real-time global telemetry and adversary intelligence from CrowdStrike Threat Graph. This gives ExPRT.AI visibility into attacker activity across endpoints, identities, cloud workloads, and more.
Together, these signals produce a daily updated, globally consistent exploitability score. But ExPRT.AI doesn't stop at a number — it also provides a transparent explanation of the top weighted factors that drove the result. This gives analysts confidence to act, and leadership visibility into why certain vulnerabilities take priority.
Powered by the AI-Native Falcon Platform
ExPRT.AI is natively embedded in Falcon Exposure Management and delivered from the CrowdStrike Falcon®️ platform, CrowdStrike's AI-native foundation that connects endpoint, identity, cloud, and threat intelligence in real time. It's powered by the same AI and telemetry that drive detection, investigation, and automated response across the platform.
The capabilities of the Falcon platform empower ExPRT.AI users to:
- Know what to fix first: When ExPRT.AI is paired with Falcon's AI-driven asset criticality, teams see what's likely to be exploited and why it matters to the business. Falcon Exposure Management surfaces vulnerabilities that intersect exploitability and business impact, using live Falcon platform data.
- Accelerate triage and incident response: Because ExPRT.AI is part of the Falcon platform, exploitability context appears immediately in detections and SOC workflows alongside endpoint, identity, and threat intelligence data. Analysts get the full picture from the start without the need to dig for data or rely on extra tools.
- Simplify remediation: ExPRT.AI exploitability scores and context flow directly into Falcon platform dashboards, CrowdStrike Falcon®️ Next-Gen SIEM, ticketing systems, and CrowdStrike Falcon®️ Fusion SOAR playbooks so teams don't need to jump between tools or reprioritize manually. Everything stays in sync across teams and workflows because it's all built on the same platform.
- Gain real-time threat context: Because ExPRT.AI is continuously updated with live data from CrowdStrike Threat Graph, every prioritization decision reflects what attackers are doing at that moment. This global telemetry comes from millions of sensors and adversary-tracked operations.
This is what vulnerability prioritization looks like on an AI-native platform: built-in intelligence, real-time context, and operational value on Day One.
Customer Impact: From Noise to Precision
Organizations using ExPRT.AI are seeing measurable, repeatable outcomes across risk reduction, remediation speed, and operational efficiency. Intermex, for example, achieved a 98% reduction in critical vulnerabilities in its DMZ by combining ExPRT.AI with AI-driven asset criticality, streamlining its entire patching workflow.²
Across CrowdStrike customers, ExPRT.AI has shown to³:
- Focus precision: ExPRT.AI helps teams focus 95% of their remediation effort on just 5% of vulnerabilities most likely to be exploited.
- Drive consolidation: Organizations can save up to $300K by consolidating legacy scanning tools and siloed risk platforms into Falcon Exposure Management.
- Boost operational efficiency: FEM customers reclaim up to 2,000 hours per year by eliminating manual triage, redundant patching, and false positives.
- Reduce incidents: Customers report up to a 50% reduction in incidents requiring vulnerability analysis, thanks to AI-driven exploit prediction.
Smarter, Informed Patching
We continue to innovate in vulnerability management. At Fal.Con 2025, we debuted the Exposure Prioritization Agent, one of several new AI agents built to fortify the agentic SOC. The Exposure Prioritization Agent summarizes vulnerabilities in plain language, validates their exploitability with Falcon platform telemetry, maps their impact to business-critical assets, and delivers a prioritized, high-confidence list of what to fix first.
Risk-based Patching, coming soon to CrowdStrike Falcon®️ for IT, aims to close the gap between security and IT teams. Falcon Exposure Management relies on adversary activity and attack paths to prioritize vulnerabilities, and Risk-based Patching acts on this information by using AI-powered patching with Patch Safety Scores and sensor intelligence to remediate risk.
As CrowdStrike leads the next era of cybersecurity with the agentic security platform, Falcon Exposure Management will deliver real-time, risk-based prioritization powered by the same intelligence behind CrowdStrike®️ Charlotte AI:trade_mark: and agentic SOC automation.
Additional Resources
- Download this guide to take the first step toward a smarter, faster, and more resilient approach to managing your organization's exposure: Beyond the Scan: An Ultimate Buyer's Guide to Modern Exposure Management.
- Learn more about how Falcon Exposure Management can help you discover and manage vulnerabilities and other exposures in your environments.
- To learn more about Falcon Exposure Management features, visit our Tech Hub.
¹. https://nvd.nist.gov/vuln/search#/nvd/home?resultType=statistics
². https://www.crowdstrike.com/en-us/resources/customer-stories/intermex/
³. These numbers are projected estimates of average benefits based on recorded metrics provided by customers during pre-sale motions that compare the value of CrowdStrike with the customer's incumbent solution. Actual realized value will depend on individual customer's module deployment and environment.
更多精彩内容 请关注我的个人公众号 公众号(办公AI智能小助手)
对网络安全、黑客技术感兴趣的朋友可以关注我的安全公众号(网络安全技术点滴分享)
公众号二维码
公众号二维码
