Runbook rule: start with the smallest path that answers the decision. Open deeper pages only when you need proof, owner handoff, detection support, or leadership reporting.
Runbook Index
Turn Vuln Signal into repeatable operating paths.
Use this page when you know the situation but want a clear route through triage, evidence, handoff, tracking, and reporting without guessing which page comes next.
Runbooks
6situation-first paths for common workCadences
4daily, weekly, incident, monthly rhythmsOwners
5patch, SOC, asset, risk, leadershipOutput
Cleardecision, evidence, ticket, brief, reviewBy Situation
Choose the closest runbook and follow the path
Exploited or urgent CVE
Decide patch, mitigate, detect, or escalate
Use this when a KEV, public PoC, ransomware-relevant, or internet-facing item needs a calm but fast decision.
Patch blocked
Reduce risk while waiting for a safe fix
Use this when there is no patch, unclear vendor guidance, risky change timing, or an exception request.
SOC request
Turn vulnerability context into huntable work
Use this when analysts need indicators, telemetry ideas, Sigma drafts, or quick hunt query starting points.
Leadership update
Summarize pressure, ownership, and blockers
Use this when the audience needs business-readable posture, not raw CVE detail or noisy analyst notes.
Program improvement
Find the next capability to strengthen
Use this after busy triage periods to identify whether the weak link was ownership, evidence, telemetry, communication, or follow-up.
Trust or data issue
Check freshness before relying on output
Use this when a count looks stale, a source looks weak, a page is blank, or a user asks why the portal recommends a path.
By Cadence
Use the right rhythm for the work
Daily 10-minute triage
Briefing Room, Defenders Today, KEV, and Saved. Output: top decisions, immediate blockers, and owners.
Weekly patch review
Patch Watch, Patch Window, Exception Register, Vendor Analytics, and Action Tracker. Output: patch plan, blockers, and time-bound exceptions.
Incident hot path
Decision Matrix, Evidence Checklist, Detection Starter Pack, Handoff Center, and Status. Output: fast owner-aligned actions.
Monthly maturity review
Operational Readiness, Maturity Model, Quality Center, Coverage Map, and Release Notes. Output: one focused improvement batch.
By Output
Know what artifact you are trying to produce
Decision lane
Patch now, patch soon, mitigate first, detect, validate, monitor, escalate, or accept. Use Decision Matrix.
Evidence note
A compact proof set for exposure, affected version, source confidence, fixed version, and owner context. Use Evidence Checklist.
Owner handoff
A short copy-ready message for patch, SOC, asset, risk, vendor, or leadership owner. Use Stakeholder Matrix and Handoff Center.
Tracked follow-up
A saved item with state, note, owner, deadline, review date, and closure evidence. Use Saved, Action Tracker, and Remediation Evidence.
Leadership brief
A plain-English update about what changed, what is owned, what is blocked, and what decision is needed. Use Brief Builder.
Improvement item
A focused quality or maturity action that prevents the same problem next time. Use Quality Center and Maturity Model.
Best next move: if you are unsure where to begin, open Daily Workflow for today, Scenario Library for the situation, or Quality Center if the site itself needs tightening.