Some embodiments bridge a gap between focusing on security alerts raised by conditions and events that have already occurred, and focusing on vulnerabilities that might be exploited in the future. Alerts are organized into alert categories, vulnerabilities are organized into vulnerability categories, and are optionally supplemented with misconfiguration categories. Correlations are identified between alert categories and vulnerability or misconfiguration categories, and the correlation values noted, to produce category association rules. The alerts, vulnerabilities, and other security findings are gathered in some situations from multiple similar environments, and in some cases are filtered to pertain to similar resources or similar configurations. The category association rules are utilized to perform cybersecurity prioritizations such as assigning priority levels to alerts and assigning likelihood levels to potential breaches. Graphs showing resources and data flow paths are annotated with risk scores or with security findings relevant to the applicable category association rules.