Key insight

A vulnerability is a weakness that exists whether or not anyone uses it. A threat is who or what might exploit it. Risk weighs how likely they are to meet against how much damage would follow. Separating the three hands you three different ways to reduce danger — and lets you fix the things that actually matter first, ranked by risk rather than by fear.

People throw three words around as if they were interchangeable, and that muddle is exactly why so much security talk feels vague. A vulnerability is a weakness. A threat is who or what might take advantage of it. Risk is the honest judgement of how much you should really worry, once you weigh how likely something bad is against how much damage it would do. Picture a house: an unlocked window is the vulnerability, a burglar in the neighbourhood is the threat, and the risk is your sensible read of the two together. The same three layers apply to every computer system there is.

1 · Three words, three different meanings

Once you can tell the three apart, a great deal clicks into place, because each is a different kind of thing. A vulnerability is a fact about the state of your system. A threat is an actor or force in the world outside it. Risk is a judgement that combines both with the stakes. Keeping them distinct is what turns a vague sense of unease into a clear plan of what to do first.

Vulnerability as an unlocked window, threat as a burglar, and risk as the judgement of both together Three labelled boxes: an amber box labelled Vulnerability, a weakness; a red box labelled Threat, who might use it; and a violet box labelled Risk, how much to worry. A caption states that getting the three apart makes security stop being confusing. Vulnerabilitya weakness Threatwho might use it Riskhow much to worry A state, an actor, and a judgement — three different things
Figure 1. A weakness, an actor who might use it, and your judgement of the two together with the stakes. Confusing them is why security feels vague.

2 · Vulnerability: a weakness that just exists

A vulnerability is a flaw, a gap, or a mistake that could let something go wrong — and the key thing is that it exists on its own, whether or not anyone ever takes advantage of it. An unlocked ground-floor window is a vulnerability from the moment it is left open, even if no burglar ever passes. In computers, a vulnerability might be a bug in software, a password that is far too easy to guess, a setting left on the wrong value, or an old system nobody updated. It counts against you every day it remains, regardless of whether anyone has noticed or exploited it yet.

3 · Threat: who or what might exploit it

A threat is who or what might actually take advantage of a vulnerability. If the vulnerability is the unlocked window, the threat is the burglar who might notice it. Threats are not always people with bad intentions: a threat can be a criminal deliberately hunting for weaknesses, an automated program that scans millions of computers a day, a dishonest insider, or something with no intentions at all — a storm, a flood, or a power failure that threatens availability. The vulnerability is the opening; the threat is whatever might come through it. A weakness with no plausible threat is far less pressing than the same weakness sitting in the path of an active, motivated attacker.

4 · Risk: likelihood meets damage

Risk is the idea that finally tells you what to do, because it brings in the thing that matters most: consequences. Risk weighs two things together — how likely it is that a threat meets a vulnerability and something bad happens, and how bad that something would be if it did. A weakness that is easy to reach, that attackers are actively hunting, and that guards something precious is high risk, and deserves attention now. A weakness that is nearly impossible to reach, that nobody is looking for, and that protects something trivial is low risk, even if it is technically a flaw. This is why security teams cannot fix everything at once: they rank by risk, and spend their limited time where likelihood and damage are both highest.

5 · Putting the three together

Here is the quiet power of separating the three: it hands you three completely different ways to reduce danger. Risk grows when you have a real vulnerability, a real threat that could use it, and a real impact if they meet. Shrink any one of those three ingredients, and the overall risk falls. Remove the vulnerability, by fixing the flaw. Reduce the threat's ability to reach it, by adding barriers and monitoring in its path. Or lower the impact, by making sure that even if the worst happens, the damage is contained and recoverable. Most good security is a deliberate mix of all three, not a desperate attempt to make any single one perfect.

Risk as the combination of vulnerability, threat, and impact Three boxes labelled Vulnerability, Threat, and Impact are joined by plus signs, with an arrow leading to a violet box labelled Risk. A caption states that removing any one ingredient makes the risk fall sharply. Vulnerability + Threat + Impact Risk Remove any one ingredient and the risk falls sharply
Figure 2. Risk is the product of a weakness, an actor who can reach it, and the damage that follows. That gives you three separate levers to pull.

6 · CVE and CVSS: shared names and scores

Because the world has millions of known vulnerabilities, it needs a shared way to name and rank them. CVE — Common Vulnerabilities and Exposures — is a giant public catalogue that gives every publicly known flaw its own unique reference number, so a security team in one country and a software maker in another can be certain they are talking about the exact same weakness. CVSS — the Common Vulnerability Scoring System — assigns each flaw a severity score from zero to ten, based on how easy it is to exploit and how much damage it could do. A flaw scored 9.8 demands urgent attention; one scored 3.1 can usually wait. Together they let the whole world discuss the same weakness with the same name and the same measure of how much it matters — the raw material for ranking by risk.

7 · New weaknesses AI agents introduce

AI agents do not escape this three-part picture; they fill it in with new ingredients. The vulnerability is genuinely new: an agent tends to treat the text it reads as trustworthy instructions, a flaw older software following only rigid code never had. The threat is anyone who can slip words in front of that agent — hidden instructions inside a document, an email, or a web page the agent will process. And the impact can be unusually large, because an agent does not just display information; it takes real actions with real tools, so a successful trick can move money, delete data, or leak secrets directly. The shape of the risk is completely familiar — weakness, plus who can reach it, plus how bad the result — which is exactly why the same disciplined thinking still works on it.

8 · A simple test you can run this week

Turn a vague worry into a plan

1. Pick one weakness you already know about — in a system, an account, or an AI agent.
2. Name the threat: who or what could realistically use it?
3. Name the impact: if they succeeded, how bad would it genuinely be, and for whom?
4. High likelihood + high impact means fix it first; low + low can wait — and admitting that is good judgement, not laziness.

The lesson worth keeping: risk, not fear, is what should decide the order you fix things in.

9 · Glossary — every term, spelled out

Vulnerability
A weakness, flaw, or gap that could let something go wrong — it exists whether or not anyone ever exploits it.
Threat
Who or what might take advantage of a vulnerability: an attacker, an automated scanner, a dishonest insider, or a force like a storm or outage.
Risk
A judgement combining how likely a threat is to meet a vulnerability with how much damage would result — what actually tells you where to spend attention.
Impact
How bad the consequences would be if a threat successfully exploited a vulnerability.
CVE (Common Vulnerabilities and Exposures)
A public catalogue that gives every known flaw a unique reference number, so everyone can name the same weakness the same way.
CVSS (Common Vulnerability Scoring System)
A 0–10 severity score for a flaw, based on how easy it is to exploit and how much damage it could do.
AI agent
Software that decides on its own which tools to call and which actions to take — introducing a new vulnerability by treating read text as trusted instructions.
Key takeaways

A vulnerability is a weakness that exists on its own; a threat is who might use it; risk weighs likelihood against damage.
Separating the three gives three levers: remove the weakness, block the threat's path, or reduce the impact.
CVE names known flaws and CVSS scores their severity, so the world can rank the same weakness the same way.
AI agents introduce a familiar shape of risk with new ingredients — and risk, not fear, still decides what to fix first.

References

  1. NIST Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments — threat, vulnerability, likelihood, and impact, National Institute of Standards and Technology. csrc.nist.gov
  2. The CVE Program — the public catalogue of Common Vulnerabilities and Exposures. cve.org
  3. FIRST, Common Vulnerability Scoring System (CVSS) — the 0–10 severity scoring standard. first.org
  4. This guide’s Patch & Vulnerability Management, Explained From Zero — ranking and closing flaws by risk.