CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

How to triage a new CVE in 10 minutes

A CVE lands in your feed, Slack, or inbox. Before it eats your afternoon, run this six-step pass. Every step points at a live, free data source, so the workflow is the same whether you triage one CVE a week or forty a day.

1 · Confirm it touches your stack (2 min)

Extract the product and affected versions before anything else. The CSIRTS triage block on each advisory names the vendor, product and affected versions in plain English, and the product pages aggregate every advisory we have ever correlated to that product. Not in your stack → stop here, note it, move on.

2 · Is it being exploited? (1 min)

Check for the exploited badge — CISA KEV membership. If present, this is no longer a scheduling question: it is an incident-prevention question. The exploited list is the fastest scan of everything currently in that state.

3 · Is there public exploit code? (1 min)

The public exploit badge shows whether Metasploit, Exploit-DB, Nuclei or GitHub PoCs reference the CVE. Code without KEV means the attack is one download away — see why the distinction matters.

4 · How likely is exploitation soon? (1 min)

The exploitation outlook on each CVE page interprets the EPSS score for you — the probability of observed exploitation within 30 days and the percentile against all scored CVEs. High outlook + reachable service = treat like step 2.

5 · What do the CERTs say? (3 min)

One vendor bulletin is a data point; a CERT alert on the same CVE is an escalation signal. The CVE page lists every advisory across all 24 sources — a CERT-FR alerte or CISA advisory citing your CVE means national responders consider it campaign-grade.

6 · Decide and record (2 min)

Exploited or exploit-code-public → patch now (or mitigate: isolate, filter, disable the feature). High EPSS/CVSS on an internet-facing asset → this patch window, and watch the product so a status change reaches you. Everything else → backlog with the CVE link as the record; the page updates itself as flags change.

Automate the boring half

Steps 2–4 are lookups, and lookups belong to machines: the JSON API returns exploited and has_exploit per advisory, the MCP server gives your AI agent get_cve for the full picture in one call, and live badges put the current status inside your README or runbook. The daily briefing and morning email handle the "did anything change overnight" sweep for you.

Background reading: KEV vs EPSS vs CVSS · exploited vs public exploit code.