Compare Workflow Tutorial

Use Compare when the hard question is which item moves first.

Use this tutorial when two or three CVEs compete for the same patch window, SOC review, owner attention, leadership update, or exception decision.

Compare rule: compare a small set of close calls. Do not use the matrix to choose by score alone. Priority should combine exploitation, exposure, affected status, patch state, source confidence, business role, operational safety, and owner evidence.

Queue 2-3 close calls

Add only records competing for the same capacity, owner, window, or decision.

Compare risk signals

Severity, KEV, EPSS, public PoC, attack type, patch state, and source freshness.

Validate local fit

Exposure, affected version, feature state, asset role, business owner, and safe change path.

Decide next lane

Patch first, mitigate first, SOC check, monitor, vendor case, exception, or not affected.

Use Compare for decision pressure, not browsing.

Patch window conflict

Several issues need the same maintenance window. Compare exploitation, exposure, patch readiness, rollback risk, and business role.

Next: patch-first or mitigation-first lane.

SOC capacity conflict

Several items could justify hunt or detection work. Compare attack type, public PoC, exploitation, telemetry fit, and likely local exposure.

Next: scoped SOC handoff.

Leadership escalation conflict

Several records look urgent. Compare what is proven, what remains unknown, business impact, and whether a decision is needed today.

Next: executive summary or no-escalation note.

Exception conflict

Several blocked items need risk handling. Compare temporary controls, exposure reduction, owner plan, exception expiry, and review cadence.

Next: approval, renewal, or rejection.

Vendor ambiguity conflict

Several product-family records may be false positives. Compare vendor guidance, NVD mapping, scanner evidence, distro backports, and owner proof.

Next: validate or vendor clarification.

Do not compare everything

If the queue contains unrelated issues with different owners and timelines, Search or Saved is a better organizing surface.

Limit: keep Compare small.

Signals to compare before choosing priority.

Exploit pressure

KEV, public PoC, active exploitation, exploit maturity, ransomware relevance, and source recency can move an item forward.

Exposure and reachability

Internet-facing, unauthenticated, remote, edge, identity, cloud, or management-plane exposure can outweigh score differences.

Patch and mitigation state

A safe patch, unsafe patch, no patch, workaround, compensating control, or blocked window changes the next action.

Confidence and caveats

Rejected, disputed, stale, low-confidence, vendor-conflicting, or scanner-only evidence should not become a hard deadline without validation.

Business role

Identity, remote access, backups, production, revenue, regulated data, security tooling, and recovery paths deserve special attention.

Operational safety

Patch complexity, rollback risk, maintenance window, uptime, OT constraints, and owner readiness can change the safest lane.

Explain the comparison without overclaiming.

Say: We are prioritizing this item first because it combines exploitation pressure, plausible exposure, and an actionable fix.

Do not say: It has the highest score, so it is the worst.

Say: This item stays under validation because local affected status and owner evidence are not yet proven.

Do not say: It is safe because it ranked lower.

Say: Compare supports queue ordering; closure still requires remediation or not-affected evidence.

Do not say: Compare closed the issue.

Compare decision note

Compare decision note - [queue/date]
Items compared: [CVE IDs]
Decision needed: [patch order / SOC review / exception / leadership update / validation]
Top item: [CVE] because [exploitation, exposure, patch state, asset role, confidence]
Deferred item(s): [CVE IDs] because [validation needed, lower exposure, blocked patch, mitigated, not affected candidate]
Evidence reviewed: [KEV, CVSS, EPSS, PoC, source, vendor, scanner, owner, exposure]
Evidence missing: [affected version, owner proof, fixed version, SOC telemetry, business impact]
Next lane: [patch / mitigate / monitor / SOC / vendor case / exception / not affected]
Safe caveat: Compare orders work; it does not prove local exposure, compromise, or closure.
Owner and review trigger: [team/person/date/source update/retest/change window]
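The compare rule, the signal groups, the lane list and the decision note above, worked through as an added Python example that is not the tool's own code: the CVE IDs and signal values are constructed placeholders, and the thresholds (EPSS at or above 0.5 counting as exploit pressure, "high" as the only confidence that may set a deadline) are assumptions. Note that the CVSS 9.8 record sorts last because its affected status is unproven.

```python
from dataclasses import dataclass
@dataclass
class Record:                 # one Compare queue entry (constructed fields)
    cve: str                  # placeholder IDs below, not real advisories
    cvss: float               # carried only to show score alone never decides
    kev: bool
    epss: float
    public_poc: bool
    exposure: str             # "internet", "internal" or "unknown"
    affected: str             # "confirmed", "unknown" or "not affected"
    patch_state: str          # "safe", "risky", "none" or "blocked"
    confidence: str           # "high", "low" or "disputed"
    critical_role: bool       # identity, backups, revenue, security tooling

def exploit_pressure(r: Record) -> int:
    """Count the signals the tutorial says can move an item forward (assumed threshold)."""
    return int(r.kev) + int(r.public_poc) + int(r.epss >= 0.5)

def lane(r: Record) -> str:
    """Next lane for one record; CVSS is deliberately not consulted."""
    if r.affected == "not affected":
        return "not affected"
    if r.affected == "unknown" or r.confidence != "high":
        return "validate"          # no hard deadline without local proof
    if r.patch_state == "safe":
        return "patch first"
    if r.patch_state == "blocked":
        return "exception"         # temporary controls, owner plan, expiry
    return "mitigate first" if exploit_pressure(r) and r.exposure == "internet" else "monitor"

def rank(queue: list[Record]) -> list[Record]:
    """Order close calls: proven first, then pressure, exposure, role, safe fix."""
    return sorted(queue, reverse=True, key=lambda r: (
        lane(r) not in ("validate", "not affected"), exploit_pressure(r),
        r.exposure == "internet", r.critical_role, r.patch_state == "safe"))

def decision_note(queue: list[Record]) -> str:
    """Fill the tutorial's decision-note skeleton from the ranked queue."""
    top, *rest = ordered = rank(queue)
    return "\n".join([
        "Items compared: " + ", ".join(r.cve for r in ordered),
        f"Top item: {top.cve} (CVSS {top.cvss}) -> {lane(top)}",
        "Deferred: " + "; ".join(f"{r.cve} -> {lane(r)}" for r in rest),
        "Safe caveat: Compare orders work; it does not prove exposure or closure."])

QUEUE = [  # constructed close calls competing for one patch window
    Record("CVE-0000-0001", 9.8, False, 0.02, False, "internal", "unknown", "safe", "low", False),
    Record("CVE-0000-0002", 7.5, True, 0.80, True, "internet", "confirmed", "safe", "high", True),
    Record("CVE-0000-0003", 8.1, False, 0.60, True, "internet", "confirmed", "blocked", "high", False),
]
```

Calling `print(decision_note(QUEUE))` prints the filled note with the KEV-listed, internet-facing, safely patchable record on top and the unproven high-score record deferred to validation.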