Methodology

How Vuln Signal turns vulnerability data into defender guidance.

This page explains the assumptions behind prioritization, trust language, live-derived views, action labels, and the limits of the portal.

Important: Vuln Signal is a decision-support portal. It helps organize evidence and action paths, but it does not prove your environment is affected. Always validate asset exposure, affected versions, vendor guidance, and source confidence before taking disruptive action.

Signals that raise or lower urgency

Exploitation pressure

KEV status, known exploitation, exploit maturity, and public PoC availability raise urgency because they reduce attacker effort or show real-world abuse.

Exposure fit

Internet-facing, unauthenticated, remote, appliance, identity, or business-critical exposure can matter more than a raw CVSS score.

Remediation reality

Patch availability, fixed versions, supersedence, no-patch conditions, and mitigation options decide whether the next action is patch, mitigate, monitor, or escalate.

Trust quality

Source confidence, disputed or rejected status, stale feeds, and changing vendor guidance should slow down escalation until evidence is confirmed.

What the common action words mean

Patch Now

Confirmed exposure with a fix path

Use when affected assets are confirmed, exploitation or exposure pressure is high, and a safe fixed version or remediation path exists.

Mitigate First

Reduce exposure before patching

Use when patching is blocked, delayed, risky, or unavailable, but controls can reduce reachable attack paths.

Validate Exposure

Evidence is still incomplete

Use when the signal looks important but affected version, reachability, owner, or source quality is not confirmed.

Detect / Hunt

SOC visibility is useful

Use when IOCs, exploit behavior, public PoC, or suspicious campaign context can be turned into telemetry review.

Monitor

Watch for change

Use when exposure is low, source certainty is weak, patch status is evolving, or exploitation maturity may change.

Escalate

A decision is needed

Use when business impact, blocked remediation, accepted risk, or leadership visibility requires a named owner and decision.
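
The sketch below shows how the four signal groups and the action words above can combine into an ordered decision. It is an added example, not Vuln Signal's own logic. The field names, the definition of high pressure, and the order in which the rules are checked are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Signal:
    # Hypothetical field names; the portal's real schema is not shown on this page.
    kev: bool = False                # listed in KEV
    known_exploited: bool = False
    public_poc: bool = False
    internet_facing: bool = False
    asset_confirmed: bool = False    # affected version and reachability validated
    fix_available: bool = False
    patch_blocked: bool = False      # patching blocked, delayed, or risky
    mitigation_available: bool = False
    source_confirmed: bool = True
    disputed: bool = False           # disputed or rejected record
    iocs_available: bool = False

def pressure_high(s: Signal) -> bool:
    # Assumed rule: KEV or known exploitation, or a public PoC on an exposed asset.
    return s.kev or s.known_exploited or (s.public_poc and s.internet_facing)

def triage(s: Signal) -> list[str]:
    """Return the primary action label, plus Detect / Hunt when telemetry review applies."""
    high = pressure_high(s)
    trusted = s.source_confirmed and not s.disputed
    if not (trusted and s.asset_confirmed):
        # Trust or exposure gaps slow escalation until evidence is confirmed.
        primary = "Validate Exposure" if high else "Monitor"
    elif not high:
        primary = "Monitor"
    elif s.fix_available and not s.patch_blocked:
        primary = "Patch Now"
    elif s.mitigation_available:
        primary = "Mitigate First"
    else:
        # High pressure with no fix path and no control: needs a named owner.
        primary = "Escalate"
    actions = [primary]
    if s.iocs_available or s.public_poc:
        actions.append("Detect / Hunt")
    return actions
```

A KEV-listed record with a fix available still returns Validate Exposure when the source is disputed or the asset is unconfirmed, which is the trust-quality brake described earlier on this page.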

How to interpret maps, hubs, and dashboards

Live-derived does not mean live attack telemetry

Threat maps and pressure boards summarize loaded intelligence records. They are not packet-level observations or proof of active attacks against your network.

Empty can mean several things

A blank or small queue may mean no matching records, a filter mismatch, unavailable API data, or a source coverage gap. Check Status and Diagnostics before concluding risk is absent.

Scored lists are decision aids

Scores and rankings help order review, but final decisions should come from environment exposure, evidence, owner input, and business impact.

Context is inferred from fields

Ransomware, appliance, identity, exploit-chain, and detection views use keywords and structured fields. Treat them as useful lenses, not final attribution.