🤖 AI Summary
This work addresses the limitations of traditional vulnerability prioritization frameworks—such as CVSS—which often neglect the dynamic interplay among exploitability, compliance requirements, and business impact, leading to suboptimal remediation efficiency. To bridge this gap, we propose RiskBridge, a novel framework that uniquely integrates multi-source intelligence including CVSS v4, EPSS, and CISA’s Known Exploited Vulnerabilities (KEV) catalog. RiskBridge employs probabilistic zero-day exposure simulation (ZDES), a policy-as-code compliance engine supporting standards like PCI DSS and NIST, and an ROI-driven risk optimizer to unify risk assessment, regulatory compliance, and resource allocation decisions. Evaluated on real-world CVE datasets, RiskBridge substantially outperforms existing commercial solutions, reducing residual risk by 88%, accelerating SLA compliance by 18 days, and improving remediation efficiency by 35%.
📝 Abstract
Enterprises are confronted with an unprecedented escalation in cybersecurity vulnerabilities, with thousands of new CVEs disclosed each month. Conventional prioritization frameworks such as CVSS offer static severity metrics that fail to account for exploit probability, compliance urgency, and operational impact, resulting in inefficient and delayed remediation. This paper introduces RiskBridge, an explainable and compliance-aware vulnerability management framework that integrates multi-source intelligence from CVSS v4, EPSS, and CISA KEV to produce dynamic, business-aligned patch priorities. RiskBridge employs a probabilistic Zero-Day Exposure Simulation (ZDES) model to forecast near-term exploit likelihood, a Policy-as-Code Engine to translate regulatory mandates (e.g., PCI DSS, NIST SP 800-53) into automated SLA logic, and an ROI-driven Optimizer to maximize cumulative risk reduction per remediation effort. Experimental evaluations using live CVE datasets demonstrate an 88% reduction in residual risk, an 18-day improvement in SLA compliance, and a 35% increase in remediation efficiency compared to state-of-the-art commercial baselines. These findings validate RiskBridge as a practical and auditable decision-intelligence system that unifies probabilistic modeling, compliance reasoning, and optimization analytics. The framework represents a step toward automated, explainable, and business-centric vulnerability management in modern enterprise environments.
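As an added illustration (not the paper's code), the Python below sketches how the three ingredients the abstract names (multi-source scores from CVSS, EPSS and KEV; policy-as-code SLA rules; an effort-aware ROI optimizer) fit together in one pipeline. The scoring formula, the SLA table, the effort figures and the sample vulnerabilities are all assumptions made for the demonstration and are not RiskBridge's actual method or data.

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    cve: str          # identifier (constructed placeholders below, not real CVEs)
    cvss: float       # CVSS base score, 0-10
    epss: float       # EPSS probability of exploitation in the next 30 days, 0-1
    kev: bool         # listed in CISA's Known Exploited Vulnerabilities catalog
    pci_scope: bool   # affected asset is in PCI DSS scope
    effort: float     # assumed remediation effort in person-hours

# Assumed policy-as-code table: (rule name, applicability test, SLA in days).
# The strictest applicable deadline wins; the day counts are illustrative only.
SLA_RULES = [
    ("kev_listed",   lambda v: v.kev,                          14),
    ("pci_high",     lambda v: v.pci_scope and v.cvss >= 7.0,  30),
    ("default_high", lambda v: v.cvss >= 7.0,                  90),
    ("default",      lambda v: True,                          180),
]

def sla_days(v):
    """Return (rule, days) for the tightest SLA rule that applies to v."""
    return min(((n, d) for n, c, d in SLA_RULES if c(v)), key=lambda r: r[1])

def risk_score(v):
    """Assumed expected-loss proxy: severity weighted by exploit probability.
    A KEV listing is treated as confirmed exploitation (probability 1)."""
    return v.cvss * (1.0 if v.kev else v.epss)

def prioritize(vulns, budget_hours):
    """Greedy ROI optimizer: remove the most risk per hour within the budget."""
    ranked = sorted(vulns, key=lambda v: risk_score(v) / v.effort, reverse=True)
    chosen, spent = [], 0.0
    for v in ranked:
        if spent + v.effort <= budget_hours:
            chosen.append(v.cve)
            spent += v.effort
    return chosen

def residual_risk(vulns, chosen):
    """Sum of risk_score over everything left unpatched after the chosen fixes."""
    return sum(risk_score(v) for v in vulns if v.cve not in chosen)

# Constructed sample data; the CVE ids are placeholders, not real records.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, 0.02, False, True,  8.0),
    Vuln("CVE-0000-0002", 7.5, 0.90, True,  False, 4.0),
    Vuln("CVE-0000-0003", 5.3, 0.60, False, True,  2.0),
    Vuln("CVE-0000-0004", 8.1, 0.05, False, False, 40.0),
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(v.cve, round(risk_score(v), 3), sla_days(v))
    print("patch first:", prioritize(SAMPLE, 10.0))   # ROI order, not CVSS order
```

Note that a CVSS-only ranking would put CVE-0000-0001 (9.8) first, whereas the exploit-weighted ROI ordering spends the 10-hour budget on the KEV-listed and high-EPSS items and leaves the low-probability criticals to their SLA deadlines.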