Application security debt can quickly overwhelm security and development teams. This translates into greater risk. For example, research reveals that the average application has 20 vulnerabilities in development and 4 in production. The reality is that certain vulnerabilities pose greater risk than others, and moreover vulnerability risk changes over time. Existing risk scoring approaches are static, require a lot of work to use and fail to heed threat intelligence changes. Under these risks scoring models, a vulnerability receives the same risk rating whether it is undiscovered or widely known, exploits exist, and if cybercriminals are actively attempting to exploit it. A different risk approach is needed that is simple to understand and use, dynamically adapts to real-world context, allows for uncertainty and missing data, and adaptively requires additional data when near the threshold.