How do you analyze a vulnerability report and determine its actual risk in the context of the application architecture?