After you rank vulnerabilities by threat level, or consult a service like CVSS that does this for you, you'll need to decide what vulnerabilities to dedicate your time and money on. After all, your deadline and limited budget will likely prevent you from testing every single vulnerability out there. By prioritizing vulnerabilities, you determine what vulnerabilities get the most attention when it comes to doing further research on how to exploit them. This ensures your time and money are being used effectively.

As mentioned earlier, the results of your adjudication will have a large influence on how you prioritize vulnerabilities. Vulnerabilities marked "critical" will be the most attractive targets, and may end up being the easiest to exploit and/or lead to the most significant outcomes. However, it's not always as simple as sorting by rating and then proceeding from there. Sometimes, you'll need to strike a balance between the likelihood of exploitation and the impact of that exploitation. The client organization’s unique environments will almost always inform how you go about doing this. For example, there might be a "critical" vulnerability that enables privilege escalation on a Windows domain controller, which can lead to severe consequences for the organization. However, the exploit might require certain factors that are very difficult to replicate in the organization's environment. You might therefore demote this vulnerability based on your knowledge of the target. Likewise, you might promote a "high" or "medium" vulnerability that provides a better opportunity for exploitation, even if its impact is not as severe.

It's important to keep in mind that threat ratings are not the only contributing factor to your prioritization efforts. You also need to consider the cost of mitigation. Even if the impact of a vulnerability isn't particularly high, it might be very difficult or expensive for the organization to fix it. Consequently, there's a higher likelihood that the organization will decide to accept the risk and forgo mitigation. This could prompt you to promote the vulnerability because there's a chance it'll be easier to exploit.