Is the vulnerable system Internet-facing or internal-only? - Are there compensating controls (WAF, IPS, network segmentation)? - Is the vulnerability reachable from the attacker's starting position?