Dealing with the ever-increasing number of vulnerabilities these days has reached a level where even having a security champion on the development team won't cut it. We often hear that new vulnerabilities are detected every day even in systems that are in operation, and that it takes time to consider the need for countermeasures, which hinders the original work. While it is difficult to deal with all vulnerabilities, triage work to narrow down which vulnerabilities to deal with is a very important point. In some cases, the severity of the CVSS (Common Vulnerability Scoring System) is used for judgment, but it has also been confirmed that vulnerabilities with relatively low severity are used in attacks, and the criteria for determining how triage should be carried out. There are many scenes where you get lost. In this session, we will explain the concept of risk-based vulnerability triage and introduce a solution that automates the work.