
Starter · Module 5

Module 5: Vulnerability Prioritization

Ten real-style vulnerability cards. Students learn that severity is not the whole story - exposure, exploitability, and asset value drive what gets fixed first.

Length
60 min
Level
beginner
Track
Starter
Cadence
Free preview


What's in the lesson pack

Everything you need to teach this period.

Built by an OSCP-certified instructor who teaches this material every week. Print-ready, classroom-tested, copy-paste-able.

Teacher Guide

Lesson at a glance, learning objectives, vocabulary, pacing, mini-lessons, and discussion notes.

In-browser presenter

Full themed slide deck you can run live from your laptop. Speaker notes built in. Works offline once loaded.

PowerPoint (.pptx) export

Editable slide deck for districts that mandate PowerPoint or want to customize for their LMS.

Module overview

The full lesson plan, public.

Read everything before you commit. The plan, objectives, vocabulary, standards alignment, and pacing are open. Only the print-ready deliverables are gated.

Module 5 - Vulnerability Prioritization

Lesson at a glance

| Field | Value |
| ------------------- | ------------------------------------------------------------------- |
| Grade band | 9–12 |
| Total time | 60 minutes |
| Difficulty | Beginner–Intermediate |
| Required materials | Vulnerability card packet (10 cards included), worksheet, projector |
| Lab access | None |
| Standards alignment | NICE Framework K0009, K0019; CSTA 3A-NI-05 |

Safety: All vulnerability descriptions are illustrative. Students do not test, exploit, or scan any system in this module. The skill is prioritization, not exploitation.


Learning objectives

By the end of this lesson students will be able to:

  1. Define severity, exploitability, exposure, and asset value and explain how each affects priority.
  2. Rank a set of 10 fictional vulnerabilities and defend the ranking.
  3. Distinguish a CVSS score from a risk decision - and explain why a CVSS 9.8 may be a P3 in a specific environment while a CVSS 5.4 may be a P1.
  4. Recommend a fix, a mitigation, or an accept-the-risk decision for each card.

Vocabulary

  • CVE - Common Vulnerabilities and Exposures. The catalog of publicly disclosed flaws.
  • CVSS - Common Vulnerability Scoring System. A 0.0–10.0 score that estimates technical severity.
  • Exploit availability - whether public, working exploit code exists for the vulnerability.
  • Exposure - whether the affected system is reachable by the attacker (internet-facing, internal-only, behind MFA, etc.).
  • Asset value - how much the business (or school) cares about the system: revenue, safety, data sensitivity.
  • Compensating control - a different defense that reduces the risk without fixing the underlying flaw (e.g., a WAF rule).
  • KEV (Known Exploited Vulnerabilities) - CISA’s list of vulnerabilities being actively exploited in the wild.

Why this module (teacher background)

Real defensive teams cannot patch everything at once. The hard work is deciding what to fix first. A naive team patches by CVSS score top-down, which produces a backlog where critical-on-paper bugs on internal systems get fixed before exploited bugs on internet-facing systems. Real prioritization weighs four levers:

  1. Severity (how bad if exploited)
  2. Exploitability (is it being used in the wild)
  3. Exposure (can the attacker reach it)
  4. Asset value (how much do we care about the affected system)

Students leave with a defensible ranking they can explain to a non-technical stakeholder. That conversation - “why this fix and not that one” - is what real vulnerability managers do every week.


Materials checklist

  • [ ] Printed Vulnerability Cards (10 cards - provided below).
  • [ ] Printed Prioritization Worksheet.
  • [ ] Projector or board for the class ranking.
  • [ ] Optional: a copy of CISA’s Known Exploited Vulnerabilities list intro page for context.

Pacing - minute-by-minute

| Time | Block | What happens |
| ----- | -------------- | ------------------------------------------- |
| 0–5 | Opener | The patch-everything trap |
| 5–18 | Mini-lesson | The four levers and why CVSS isn’t a plan |
| 18–42 | Activity | Rank the 10 cards in pairs |
| 42–53 | Discussion | Whole-class ranking and disagreements |
| 53–58 | Decision sheet | Each student picks top 3 and writes the why |
| 58–60 | Exit ticket | One swap and the reason |


0–5 min · Opener - the patch-everything trap

Project: “Last week the scanner found 4,217 vulnerabilities on the school’s servers. The IT team has 8 hours this week. What gets fixed first?”

Take voices for 90 seconds. Most students go to “the highest CVSS.” That’s the trap.

Teacher script:

“If we just sort by score, we’ll spend Tuesday fixing critical bugs on the cafeteria menu server while an exploited bug sits open on the public registration page. Today we learn the four levers real teams use to decide what gets fixed first.”


5–18 min · Mini-lesson - the four levers

Write on the board:

Priority ≈ Severity × Exploitability × Exposure × Asset value

Walk each lever:

  • Severity - what an attacker could do if they exploited this. Remote code execution > info disclosure > denial of service.
  • Exploitability - does working exploit code exist? Is it on CISA KEV? A CVSS 9.8 with no public exploit is less urgent today than a CVSS 7.5 that’s being used right now.
  • Exposure - internet-facing wins. Behind authentication, behind a VPN, on an internal network: each layer reduces priority. A critical bug on an isolated lab box is not the same as a critical bug on the public-facing portal.
  • Asset value - what does the school care about? Student data > marketing site > internal dev box.

Say: “One number can’t tell you what to do. Four short questions can.”


18–42 min · Activity - rank the cards (24 minutes)

Pair students up. Give each pair the 10 cards. They must produce a ranked list 1–10, with a one-line reason per card.

The 10 cards follow. The full key with rationales is in the Answer Key PDF.

Card 1

  • CVE-FAKE-2025-001 - Remote code execution in the school’s public-facing student portal.
  • CVSS: 9.8 (Critical)
  • Exploit: Public PoC released yesterday; observed in the wild against other districts (on CISA KEV).
  • Exposure: Internet-facing.
  • Asset value: High - holds student records.
  • Workaround: WAF rule provided by the vendor blocks the exploit.

Card 2

  • CVE-FAKE-2025-002 - Stored XSS in the cafeteria menu CMS.
  • CVSS: 7.4 (High)
  • Exploit: Theoretical only.
  • Exposure: Internet-facing but the editor account is staff-only.
  • Asset value: Low.
  • Workaround: None easy.

Card 3

  • CVE-FAKE-2025-003 - Privilege escalation in the school file server OS.
  • CVSS: 8.8 (High)
  • Exploit: Working exploit on GitHub. Requires existing low-privilege access.
  • Exposure: Internal-only.
  • Asset value: High - holds teacher and student files.
  • Workaround: Restrict who can authenticate to the server.

Card 4

  • CVE-FAKE-2025-004 - Authentication bypass in the VPN appliance.
  • CVSS: 9.6 (Critical)
  • Exploit: No public exploit yet, but the vendor advisory says one is expected within a week.
  • Exposure: Internet-facing (VPN concentrator).
  • Asset value: Critical - gateway to the internal network.
  • Workaround: Vendor patch available now.

Card 5

  • CVE-FAKE-2025-005 - Information disclosure (server version banner).
  • CVSS: 3.1 (Low)
  • Exploit: N/A.
  • Exposure: Internet-facing.
  • Asset value: Low.
  • Workaround: Configuration change, 5 minutes of work.

Card 6

  • CVE-FAKE-2025-006 - DoS in printer firmware.
  • CVSS: 7.5 (High)
  • Exploit: Public exploit; trivial to use.
  • Exposure: Internal network only.
  • Asset value: Low - printers can be cycled.
  • Workaround: Network segmentation already isolates printers.

Card 7

  • CVE-FAKE-2025-007 - SQL injection in a teacher-grade-book web app.
  • CVSS: 9.0 (Critical)
  • Exploit: Public exploit.
  • Exposure: Internet-facing, behind SSO + MFA.
  • Asset value: High - grades, student PII.
  • Workaround: Vendor patch available; deploy window required.

Card 8

  • CVE-FAKE-2025-008 - RCE in a development server used by the IT team only.
  • CVSS: 9.8 (Critical)
  • Exploit: Public exploit.
  • Exposure: Internal-only, on the IT subnet.
  • Asset value: Medium - dev box, no production data.
  • Workaround: Patch available; can be taken offline at any time.

Card 9

  • CVE-FAKE-2025-009 - Hard-coded credentials in a smart-thermostat firmware.
  • CVSS: 8.0 (High)
  • Exploit: Credentials are public; trivially abused.
  • Exposure: Internal network only.
  • Asset value: Low - building-management device.
  • Workaround: Network ACL prevents traffic to/from the device subnet.

Card 10

  • CVE-FAKE-2025-010 - RCE in the Microsoft Office suite (school-licensed, district-wide).
  • CVSS: 8.8 (High)
  • Exploit: Public exploit; observed in the wild via malicious documents.
  • Exposure: Every staff and student laptop.
  • Asset value: High - every endpoint.
  • Workaround: Patch ships through district MDM; rollout window 48 hours.

42–53 min · Discussion - whole-class ranking and disagreements

Build the class ranking on the board. Where pairs disagree, slow down.

Predictable hot spots:

  • Card 7 vs. Card 1. Card 7 has a higher CVSS but is gated by SSO + MFA. Card 1 is internet-facing, on KEV, and being exploited today. Most cohorts swap them on first ranking; the discussion fixes it.
  • Card 8 (CVSS 9.8 internal dev box) vs. Card 6 (CVSS 7.5 internal printer). Both are internal. The dev box has a higher score but lower asset value; the printer has a lower score but higher exploit availability. Real teams might fix both this week, but the dev box is a stronger learning lever.
  • Card 9 vs. Card 5. Both look low priority. Card 9 has an active exploit but is mitigated by a network ACL; Card 5 is internet-facing but trivial impact. Push: which one would a parent care about? Often neither - that’s the lesson. Some bugs get accepted.

Introduce the three real outcomes:

  1. Fix - patch or remove the exposure now.
  2. Mitigate - apply a compensating control (WAF rule, segmentation, MFA gate) that reduces risk while a fix is scheduled.
  3. Accept the risk - document and move on. This is a legitimate decision for low-impact, low-likelihood items.

53–58 min · Decision sheet

Each student writes:

  • Top 3 vulnerabilities to fix this week, in order, with one sentence each.
  • One vulnerability they would accept the risk on, with reasoning.

58–60 min · Exit ticket

Pick one card you originally ranked low and another you ranked high, and explain why you would now swap their order if you had a working exploit appear overnight.


Differentiation and supports

  • Below grade level / EL: Provide a partially scored worksheet (cards 1, 5, 10 already ranked). Students fill in the rest.
  • Above grade level: Extension - pick any three cards and write the IT director the email recommending the patch order, with budget and downtime windows considered.
  • IEP/504: Use 6 cards instead of 10 (1, 3, 4, 7, 8, 10).

Common student misconceptions

  • “Higher CVSS = patch first.” No. CVSS is one of four levers.
  • “If it’s on KEV, drop everything.” Often true - but not if exposure is zero. A KEV vuln on an air-gapped lab box is still less urgent than a moderate KEV vuln on the public site.
  • “Mitigation is cheating.” Mitigation is a real, valid path while a fix is scheduled.

Career connection

  • Vulnerability manager - $90K–$140K. Runs the weekly version of this exercise across thousands of CVEs.
  • Security engineer - $100K–$150K. Implements the fixes and the compensating controls.
  • Risk analyst - $80K–$120K. Documents the “accept” decisions and what would change them.

Assessment

  • Formative: Pair ranking - defended ranking, not just a list.
  • Summative: Decision sheet - top 3 with reasoning, one accept-the-risk with reasoning. Rubric in the Answer Key.

Answer Key (summary - full version in the Answer Key PDF when generated)

A defensible top-priority list (one of several reasonable orderings):

  1. Card 4 - Authentication bypass in VPN, internet-facing, exploit imminent. Patch tonight.
  2. Card 1 - RCE in public student portal, on KEV, being exploited. Apply WAF rule immediately, patch this week.
  3. Card 10 - Office RCE district-wide, exploited in the wild. Begin staged MDM rollout.
  4. Card 7 - Critical SQLi but gated by SSO + MFA. Patch in next deploy window.
  5. Card 3 - Internal privesc, exploit exists, restrict authentication first.
  6. Card 8 - Critical RCE, internal-only, low asset value. Patch this week.
  7. Card 6 - Easy DoS, segmented. Patch when the printer firmware updates next month.
  8. Card 9 - Active exploit but ACL-mitigated. Plan replacement at the next refresh cycle.
  9. Card 2 - Theoretical XSS on low-value site, staff-only editor. Track.
  10. Card 5 - Banner disclosure. Accept the risk or fix in the next config push (5 minutes).
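As an added worked example (not part of the module's materials), the mini-lesson formula Priority ≈ Severity × Exploitability × Exposure × Asset value applied to the ten cards above in Python, so students can see how the backlog changes when it is sorted by the four levers instead of by CVSS alone. The numeric weights, the level names, and the 0.5 factor for a compensating control that is already in place are assumptions chosen for illustration; the resulting order is one defensible ordering, not the answer key.

```python
from dataclasses import dataclass

# Assumed lever weights: the module gives no numbers, so these are illustrative.
EXPLOIT = {"in_the_wild": 1.0, "public": 0.8, "expected": 0.6, "theoretical": 0.2}
EXPOSURE = {"internet": 1.0, "internet_behind_auth": 0.6, "internal": 0.4}
ASSET = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.2}
MITIGATED = 0.5  # compensating control already in place (segmentation, ACL)

@dataclass(frozen=True)
class Card:
    id: int
    cvss: float
    exploit: str
    exposure: str
    asset: str
    mitigated: bool = False

# The ten cards from this module, encoded on the assumed scales above.
# Card 5's "N/A" exploit is treated as theoretical; Card 10 counts as
# internet exposure because malicious documents reach every laptop.
CARDS = [
    Card(1, 9.8, "in_the_wild", "internet", "high"),
    Card(2, 7.4, "theoretical", "internet_behind_auth", "low"),
    Card(3, 8.8, "public", "internal", "high"),
    Card(4, 9.6, "expected", "internet", "critical"),
    Card(5, 3.1, "theoretical", "internet", "low"),
    Card(6, 7.5, "public", "internal", "low", mitigated=True),
    Card(7, 9.0, "public", "internet_behind_auth", "high"),
    Card(8, 9.8, "public", "internal", "medium"),
    Card(9, 8.0, "public", "internal", "low", mitigated=True),
    Card(10, 8.8, "in_the_wild", "internet", "high"),
]

def priority(card: Card) -> float:
    """Priority = Severity x Exploitability x Exposure x Asset value."""
    score = (card.cvss / 10) * EXPLOIT[card.exploit] * EXPOSURE[card.exposure] * ASSET[card.asset]
    return score * MITIGATED if card.mitigated else score

def rank_by_cvss(cards):
    """The naive backlog: highest CVSS first (ties keep card order)."""
    return [c.id for c in sorted(cards, key=lambda c: -c.cvss)]

def rank_by_levers(cards):
    """The four-lever backlog: highest priority product first."""
    return [c.id for c in sorted(cards, key=lambda c: -priority(c))]

if __name__ == "__main__":
    print("by CVSS  :", rank_by_cvss(CARDS))   # Card 8 sits second
    print("by levers:", rank_by_levers(CARDS))  # Card 8 drops to sixth; Card 10 rises to second
```

Under these weights the dev box (Card 8) falls from second to sixth and the district-wide Office bug (Card 10) rises from sixth to second, which is exactly the opener's "cafeteria server before the registration page" trap made visible.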

Ready to use this in class?

Unlock the full Starter edition.

All teacher guides, worksheets, scenarios, quizzes, answer keys, and the in-browser presenter for every module in the track. Site-license pricing for schools and districts. Free review copies for verified educators.