Hi Alii,
That's a pretty broad question, but I'll give you my perspective.
Microsoft classifies security threats in several ways, including:
Risk scores - often based on best practices, risk scores usually include recommendations on how to improve your configurations to reduce your risk against real-world internal and external threats.
These risk scores are provided within security.microsoft.com and in Azure (in Defender for Cloud). So the software I'm referring to here is SaaS-related services.
Microsoft also uses risk severity values and MITRE ATT&CK to help security professionals provide their own classification of security threats within Microsoft Sentinel.
So if there are specific known threats that are related to vulnerabilities in software, you can classify the threat severity level and also categorize the ATT&CK tactic/technique in order to provide granular classifications of threat categories.
Hope that helps.