Runbook rule: start with the smallest path that answers the decision. Open deeper pages only when you need proof, owner handoff, detection support, or leadership reporting.
Runbook Index
Turn Vuln Signal into repeatable operating paths.
Use this page when you know the situation but want a clear route through triage, evidence, handoff, tracking, and reporting without guessing which page comes next.
Runbooks
8: situation-first paths for common work
Workflow lanes
8: shared intake-to-reference route map
Cadences
4: daily, weekly, incident, monthly rhythms
Owners
5: patch, SOC, asset, risk, leadership
Output
Clear: decision, evidence, ticket, brief, review
Runbook Or Workflow
Use runbooks for situations, Workflows for roaming
Situation-first
Use this index when the problem already has a shape: urgent CVE, patch blocked, scanner noise, SOC request, leadership update, training session, program improvement, or data trust question.
Lane-first
Use Workflows when you want to move through intake, validation, decision, action, communication, governance, practice, or reference without memorizing page names.
Term-first
Use Search when you only know a CVE, vendor, source, product, weak signal, or phrase. Search now marks lane-aware page results where a workflow fit is known.
By Situation
Choose the closest runbook and follow the path
Exploited or urgent CVE
Decide patch, mitigate, detect, or escalate
Use this when a KEV, public PoC, ransomware-relevant, or internet-facing item needs a calm but fast decision.
Patch blocked
Reduce risk while waiting for a safe fix
Use this when there is no patch, unclear vendor guidance, risky change timing, or an exception request.
Scanner or false-positive noise
Validate before assigning or closing work
Use this when a scanner finding, CPE match, stale scan, backport, feature-state claim, or not-affected request needs proof before action.
SOC request
Turn vulnerability context into huntable work
Use this when analysts need indicators, telemetry ideas, Sigma drafts, or quick hunt query starting points.
Leadership update
Summarize pressure, ownership, and blockers
Use this when the audience needs business-readable posture, not raw CVE detail or noisy analyst notes.
Program improvement
Find the next capability to strengthen
Use this after busy triage periods to identify whether the weak link was ownership, evidence, telemetry, communication, or follow-up.
Training or app review
Practice safely and verify the Android-facing loop
Use this when the goal is onboarding, role practice, game content QA, Android WebView review, or a local progress report rather than live remediation work.
Trust or data issue
Check freshness before relying on output
Use this when a count looks stale, a source looks weak, a page is blank, or a user asks why the portal recommends a path.
By Cadence
Use the right rhythm for the work
Daily 10-minute triage
Briefing Room, Defenders Today, KEV, and Saved. Output: top decisions, immediate blockers, and owners.
Daily practice warmup
Training Coach, Daily Challenge, Practice Packs, and Training Report. Output: one safe practice route, local progress, and a next learning target.
Weekly patch review
Patch Watch, Patch Window, Exception Register, Vendor Analytics, and Action Tracker. Output: patch plan, blockers, and time-bound exceptions.
Incident hot path
Decision Matrix, Evidence Checklist, Detection Starter Pack, Handoff Center, and Status. Output: fast owner-aligned actions.
Monthly maturity review
Operational Readiness, Maturity Model, Quality Center, Coverage Map, and Release Notes. Output: one focused improvement batch.
By Output
Know what artifact you are trying to produce
Decision lane
Patch now, patch soon, mitigate first, detect, validate, monitor, escalate, or accept. Use Decision Matrix.
Evidence note
A compact proof set for exposure, affected version, source confidence, fixed version, and owner context. Use Evidence Checklist.
Owner handoff
A short copy-ready message for patch, SOC, asset, risk, vendor, or leadership owner. Use Stakeholder Matrix and Handoff Center.
Tracked follow-up
A saved item with state, note, owner, deadline, review date, closure evidence, and evidence-quality grade. Use Saved, Action Tracker, Remediation Evidence, and Evidence Quality.
Leadership brief
A plain-English update about what changed, what is owned, what is blocked, and what decision is needed. Use Brief Builder.
Training report
A browser-local summary of practice runs, packs, focus lanes, badges, and next recommendation. Use Training Report.
Improvement item
A focused quality or maturity action that prevents the same problem next time. Use Quality Center and Maturity Model.
Best next move: if you are unsure where to begin, open Daily Workflow for today, Scenario Library for the situation, Training Coach for safe practice, or Quality Center if the site itself needs tightening.