CYBERSECURITY AND DFIR

KEV Exposure Triage Tool.

Additional page sections

Prioritizes review of a known-exploited vulnerability using user-entered exposure, asset criticality and compensating controls.

Version 3.1 Beta Protected engine Known-exploited vulnerability review note
PURPOSE

Decision supported.

Prioritizes review of a known-exploited vulnerability using user-entered exposure, asset criticality and compensating controls.

Intended user

research, assurance and technical review teams

Output status

Preliminary outputHuman review requiredNot certification
USE CASES

Where this instrument fits.

  • Prioritize KEV remediation discussions
  • Create a vulnerability review memo
  • Identify evidence required before risk acceptance
  • Plan patch, mitigation and monitoring actions
INPUTS

Required input fields.

  • CVE or advisory reference (required)
  • Known exploitation status (required): Unknown or not checked, Known exploited catalog or confirmed exploitation, Active exploitation observed internally or by trusted source
  • Asset criticality (required): Low, Material, Critical
  • Internet exposure (required): Not internet-facing, Limited exposure, Internet-facing
  • Patch availability (required): Patch available, Mitigation only, No patch or unknown
  • Compensating controls (required): Strong and monitored, Partial, Weak or unknown
  • Patchability (required): Routine window, Complex dependency, Blocked or high-risk

Data handling: this interface uses the L2ET protected same-origin instrument engine. Do not enter confidential, regulated, privileged, incident, medical or sensitive operational data.

METHOD

Heatmap logic.

Scores exploitation status, exposure, criticality, patch availability, compensating controls and patchability to recommend review priority and SLA pressure.

Source families

CISA KEV source familyNVD source familyvulnerability management practice

Assumptions

  • User must verify CVE and product applicability.
  • No live asset discovery is performed.
  • Priority is an orientation signal, not a vulnerability management system.
INTERACTIVE INSTRUMENT

Known-exploited vulnerability review note.

Use the controls below to generate a preliminary artifact. The output is intentionally bounded and requires human review.

OUTPUT ARTIFACT

Known-exploited vulnerability review note.

The generated artifact includes findings, assumptions, limitations, recommended next actions and exportable structured output.

Export options

Copy outputMarkdownJSON
EXAMPLE

Example input and output.

Example input

Known exploited CVE on an internet-facing critical service with patch available but complex deployment.

Example output

Outputs high-priority review, short SLA recommendation, evidence required and residual-risk notes.

LIMITATIONS

What this tool does not do.

  • Does not scan assets.
  • Does not exploit or validate vulnerabilities.
  • Does not replace emergency change governance.

This instrument does not provide legal, medical, cryptographic, engineering, regulatory or compliance certification.

RELATED METHOD

Method and workflow links.

Read the family method note for assumptions, output artifacts, update policy and review boundaries.

Open methodology Open family

RELATED TOOLS

Suggested workflow sequence.

DFIR Evidence Map Builder

Builds an evidence source matrix and investigation sequence for a selected incident scenario.

open instrument →

Cyber Resilience Control Mapper

Maps a disruption scenario to controls, telemetry, recovery evidence and test cadence.

open instrument →

Cyber/AI Convergence Risk Mapper

Maps where an AI system changes cyber dependencies, identities, data flows and incident-response paths.

open instrument →
CHANGELOG

Version history.

  • v3.1 - Research-grade instrument template, method notes, assumptions, limitations, example and export actions added.
  • Last updated: 2026-05-27.
  • Maturity state: Beta.