Collect enough evidence to choose the next lane without turning the packet into a full investigation.
Training Drill
Build the evidence before choosing the lane.
Practice collecting the smallest useful evidence packet for patching, mitigation, monitoring, escalation, not-affected closure, and remediation proof.
Keep affected, exposed, patched, mitigated, monitored, and not affected as separate conclusions.
Leave a packet another owner can verify, act on, or challenge without guessing what was checked.
Evidence Cases
Choose what proof is missing before the lane is safe
Each case trains a different closure or action pattern. The useful answer is the evidence that changes the decision.
Signal says a fixed version exists, but installed versions are unknown.
Missing proof: Installed product, version, deployment scope, owner, and change window constraints.
Safe lane: Validate affected status before assigning a patch deadline.

No patch is available, and the vulnerable service may be reachable.
Missing proof: Reachability, feature state, current access controls, proposed compensating control, owner, and review date.
Safe lane: Mitigation-first with evidence and revisit criteria.

Exploit reporting exists, but local exposure is still being validated.
Missing proof: Data sources, telemetry coverage, suspicious activity checks, and the time window SOC should review.
Safe lane: Monitoring support while asset owners validate exposure.

A public exploit exists and an exposed affected asset has suspicious logs.
Missing proof: Log details, affected asset evidence, exploit relevance, containment status, and who owns the next IR decision.
Safe lane: Escalate for incident-response review without claiming compromise until evidence supports it.

Scanner flags a product family, but the owner says the vulnerable component is not installed.
Missing proof: Installed component inventory, product/version evidence, feature state, scan scope, and owner attestation.
Safe lane: Not-affected closure only when the evidence disproves applicability.

Patch ticket is marked done, but the last scan has not refreshed.
Missing proof: Fixed version, deployment evidence, restart or rollout status, compensating control removal, and follow-up scan timing.
Safe lane: Remediation pending proof until closure evidence catches up.
Packet Pattern
A compact packet beats a vague priority label
Signal: CVE, advisory, source confidence, KEV or EPSS context, severity, and affected product language.
Local check: Product, version, feature state, reachability, ownership, business role, and operational constraints.
Lane evidence: Patch proof, mitigation proof, monitoring scope, escalation trigger, not-affected proof, or closure evidence.
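One way to make the packet pattern and the six evidence cases checkable is to encode each lane's required proof and refuse the lane while any of it is missing. This is an added example, not part of the drill; the field names, the holding-lane wording and the sample packet are constructed for illustration.

```python
from dataclasses import dataclass, field

# Proof each lane needs before it is safe to assign, one entry per drill case above.
# The field names are hypothetical packet keys, not a standard schema.
LANE_EVIDENCE = {
    "patch": ["installed_product", "installed_version", "deployment_scope",
              "owner", "change_window"],
    "mitigation": ["reachability", "feature_state", "access_controls",
                   "compensating_control", "owner", "review_date"],
    "monitoring": ["data_sources", "telemetry_coverage", "activity_checks",
                   "review_window"],
    "escalation": ["log_details", "affected_asset_evidence", "exploit_relevance",
                   "containment_status", "ir_owner"],
    "not_affected": ["component_inventory", "product_version_evidence",
                     "feature_state", "scan_scope", "owner_attestation"],
    "remediation_proof": ["fixed_version", "deployment_evidence", "rollout_status",
                          "control_removal", "followup_scan"],
}

# Where the item stays while the lane's proof is incomplete (the "safe lane" rows).
HOLDING_LANE = {
    "patch": "validate affected status before assigning a patch deadline",
    "mitigation": "mitigation-first with evidence and revisit criteria",
    "monitoring": "monitoring support while asset owners validate exposure",
    "escalation": "IR review without claiming compromise",
    "not_affected": "open until evidence disproves applicability",
    "remediation_proof": "remediation pending proof",
}

@dataclass
class Packet:
    signal: dict                                   # CVE, advisory, KEV/EPSS context, severity
    evidence: dict = field(default_factory=dict)   # packet key -> what was checked and where

def missing_proof(lane: str, packet: Packet) -> list:
    """Required fields for the lane that the packet carries no evidence for."""
    return [k for k in LANE_EVIDENCE[lane] if not packet.evidence.get(k)]

def choose_lane(lane: str, packet: Packet) -> tuple:
    """Return (lane, []) when proof is complete, else (holding action, gaps)."""
    gaps = missing_proof(lane, packet)
    return (lane, []) if not gaps else (HOLDING_LANE[lane], gaps)

# Constructed sample matching case 1: a fix exists, installed versions are unknown.
case1 = Packet(
    signal={"cve": "CVE-XXXX-XXXX (placeholder)", "fixed_version": "2.4.1 (constructed)"},
    evidence={"installed_product": "CMDB record (constructed)", "owner": "team-web"},
)

if __name__ == "__main__":
    print(choose_lane("patch", case1))
```

The same packet can be evaluated against every lane, which keeps affected, exposed, patched, mitigated, monitored and not-affected as separate conclusions rather than one priority label.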
Next Steps
Use the packet in real workflows
Evidence Checklist
Use the full checklist when a live item needs a defensible action lane.
Remediation Evidence
Turn patch, mitigation, monitoring, and not-affected claims into closure proof.
Handoff Drill
Practice turning the packet into language another owner can execute.