Vulnerability Triage Worksheet

Worksheet for triaging a CVE — severity inputs, exposure questions, compensating controls, and a decision matrix that combines CVSS, EPSS, and CISA KEV.

Download PDF ↓

Vulnerability Triage Worksheet

Use this when a new CVE shows up in scanner results, news, or vendor advisory. The goal is to move from “we have 4,000 CVEs” to “we are patching these 12 first” in under 30 minutes per item.

Core Identifiers

CVE ID: ****____****
Vendor / Product: ****____****
Affected Versions: ****____****
Disclosed: ****____****
Vendor Patch Available? ☐ Yes ☐ No ☐ Mitigation only

Severity Inputs

Source	Score	Notes
CVSS v3.1 base	/ 10
CVSS v3.1 environmental	/ 10	Adjusted for our context
EPSS (likelihood %)	%	First.org — refresh quarterly
CISA KEV listed?	☐ Yes ☐ No	If Yes, treat as critical regardless of CVSS

Exposure Questions

Is the affected product running in our environment? ☐ Yes — count: ____ ☐ No ☐ Unknown
Is it internet-facing? ☐ Yes ☐ No ☐ Partially
Does the vulnerable feature/endpoint run in our deployment? (Many CVEs apply only when a specific module/option is enabled.)
Is authentication required to exploit? ☐ Pre-auth ☐ Auth-required ☐ Local only
Does the affected system process or store sensitive data? ☐ Yes ☐ No
Is there a working public exploit? ☐ POC ☐ Weaponized ☐ None known

Compensating Controls Already in Place

WAF rule blocks the attack pattern
Network segmentation limits blast radius
EDR detects the post-exploit behavior
IDS/IPS signature deployed
Vendor mitigation applied (config change, feature disable)

Triage Decision Matrix

Internet-facing	KEV / Active exploit	Auth	Decision
Yes	Yes	Pre-auth	Patch within 24h, emergency change window
Yes	No	Pre-auth	Patch within 7 days
Yes	Yes	Auth	Patch within 7 days
No	Yes	Pre-auth	Patch within 14 days
No	No	Any	Patch in next monthly cycle
Any	EPSS > 50%	Any	Bump priority by one tier

Action Plan

Patch: scheduled date ****____****
Mitigate (interim): control: ****____**** effective date: **__**
Accept risk: rationale, expiration date, sign-off: ****____****
Defer: justification + revisit date: ****____****

Verification

Patch deployed and tested in non-prod
Asset inventory updated; affected version no longer present
Re-scan confirms remediation
Detection rule deployed in case the vector re-emerges

Communication

Owner: ****____****
Stakeholders notified: ☐ App team ☐ Risk / Compliance ☐ Exec
Ticket / change record: ****____****

Quick math reminder: CVSS measures severity if exploited. EPSS measures likelihood of exploitation in the wild. CISA KEV says we already have evidence of exploitation. A CVSS 9.8 with EPSS 0.5% and not in KEV is rarely the most urgent thing on your queue. A CVSS 6.5 in KEV with a public weaponized exploit, on an internet-facing host, often is.

# Vulnerability Triage Worksheet

Use this when a new CVE shows up in scanner results, news, or vendor advisory. The goal is to move from "we have 4,000 CVEs" to "we are patching these 12 first" in under 30 minutes per item.

## Core Identifiers

- **CVE ID:** **\*\*\*\***\_\_\_\_**\*\*\*\***
- **Vendor / Product:** **\*\*\*\***\_\_\_\_**\*\*\*\***
- **Affected Versions:** **\*\*\*\***\_\_\_\_**\*\*\*\***
- **Disclosed:** **\*\*\*\***\_\_\_\_**\*\*\*\***
- **Vendor Patch Available?** ☐ Yes ☐ No ☐ Mitigation only

## Severity Inputs

| Source                  | Score      | Notes                                        |
| ----------------------- | ---------- | -------------------------------------------- |
| CVSS v3.1 base          | / 10       |                                              |
| CVSS v3.1 environmental | / 10       | Adjusted for our context                     |
| EPSS (likelihood %)     | %          | First.org — refresh quarterly                |
| CISA KEV listed?        | ☐ Yes ☐ No | If Yes, treat as critical regardless of CVSS |

## Exposure Questions

1. **Is the affected product running in our environment?**
   ☐ Yes — count: \_\_\_\_ ☐ No ☐ Unknown
2. **Is it internet-facing?** ☐ Yes ☐ No ☐ Partially
3. **Does the vulnerable feature/endpoint run in our deployment?**
   (Many CVEs apply only when a specific module/option is enabled.)
4. **Is authentication required to exploit?** ☐ Pre-auth ☐ Auth-required ☐ Local only
5. **Does the affected system process or store sensitive data?** ☐ Yes ☐ No
6. **Is there a working public exploit?** ☐ POC ☐ Weaponized ☐ None known

## Compensating Controls Already in Place

- [ ] WAF rule blocks the attack pattern
- [ ] Network segmentation limits blast radius
- [ ] EDR detects the post-exploit behavior
- [ ] IDS/IPS signature deployed
- [ ] Vendor mitigation applied (config change, feature disable)

## Triage Decision Matrix

| Internet-facing | KEV / Active exploit | Auth     | Decision                                      |
| --------------- | -------------------- | -------- | --------------------------------------------- |
| Yes             | Yes                  | Pre-auth | **Patch within 24h, emergency change window** |
| Yes             | No                   | Pre-auth | Patch within 7 days                           |
| Yes             | Yes                  | Auth     | Patch within 7 days                           |
| No              | Yes                  | Pre-auth | Patch within 14 days                          |
| No              | No                   | Any      | Patch in next monthly cycle                   |
| Any             | EPSS > 50%           | Any      | Bump priority by one tier                     |

## Action Plan

- [ ] **Patch:** scheduled date **\*\*\*\***\_\_\_\_**\*\*\*\***
- [ ] **Mitigate (interim):** control: **\*\*\*\***\_\_\_\_**\*\*\*\*** effective date: \***\*\_\_\*\***
- [ ] **Accept risk:** rationale, expiration date, sign-off: **\*\*\*\***\_\_\_\_**\*\*\*\***
- [ ] **Defer:** justification + revisit date: **\*\*\*\***\_\_\_\_**\*\*\*\***

## Verification

- [ ] Patch deployed and tested in non-prod
- [ ] Asset inventory updated; affected version no longer present
- [ ] Re-scan confirms remediation
- [ ] Detection rule deployed in case the vector re-emerges

## Communication

- Owner: **\*\*\*\***\_\_\_\_**\*\*\*\***
- Stakeholders notified: ☐ App team ☐ Risk / Compliance ☐ Exec
- Ticket / change record: **\*\*\*\***\_\_\_\_**\*\*\*\***

---

**Quick math reminder:** CVSS measures _severity if exploited_. EPSS measures _likelihood of exploitation in the wild_. CISA KEV says _we already have evidence of exploitation_. A CVSS 9.8 with EPSS 0.5% and not in KEV is rarely the most urgent thing on your queue. A CVSS 6.5 in KEV with a public weaponized exploit, on an internet-facing host, often is.