Define the numbers before they become decisions.

Triage pressure

What needs attention?

Track urgent items, KEV-linked items, exploited candidates, public PoC items, ransomware-relevant pressure, and new-since-last-review volume.

Patch execution

Can work move?

Track patch-ready items, owner assignment, target dates, blocked changes, fixed-version availability, rollback readiness, and overdue windows.

Exposure fit

Does this affect us?

Track internet-facing, unauthenticated, edge appliance, identity, cloud, OT, and business-critical exposure indicators separately from severity.

Exception risk

What remains accepted or delayed?

Track no-patch items, approved exceptions, expired reviews, compensating-control coverage, residual risk, and trigger-based re-review events.

Detection readiness

Can SOC see enough?

Track hunt-ready items, telemetry gaps, IOC availability, rule drafts, high-noise detections, and follow-up owner assignment.

Trust and freshness

Can we rely on the view?

Track source freshness, source confidence, disputed/rejected records, unavailable data, stale pages, and live-derived assumptions.

Critical count without exposure

A high CVSS score does not mean the affected asset is reachable, used, exploitable, or business-critical.

Patch SLA without exception context

A missed SLA may be a real failure, or it may reflect a documented no-patch case with compensating controls.

Vendor volume without normalization

Large vendors can dominate counts because of disclosure volume, product breadth, or source coverage.

Exploit signal without confidence

Public PoC, exploit chatter, KEV status, and confirmed exploitation are different signals and should not be merged blindly.

Detection count without telemetry

A rule is not coverage if the needed logs, fields, or retention do not exist in the environment.

Green status without freshness

A page can render successfully while the upstream data behind it is stale, incomplete, or filtered empty.