How to read Vuln Signal: live-derived pages help you prioritize, but they do not replace analyst validation. Confirm asset exposure, vendor guidance, source confidence, and business impact before taking disruptive action.
Start Here
A simple path through the portal when everything looks important.
Use this page when you are new to Vuln Signal, returning after a break, or trying to explain the workflow to someone else.
Choose Your Question
Start from the problem, not the menu
Patch team
What should be fixed first?
Open Defenders Today, Patch Watch, KEV, and Urgent Week. Prioritize exploited, internet-facing, no-patch, and public-PoC items.
Scenario
I know the situation, not the page
Use Scenario Library for practical cases like KEV patching, no-patch mitigation, SOC handoff, exposure uncertainty, identity risk, and reporting.
Runbook
I need the whole path
Use Runbook Index when you want the recommended chain of pages by situation, cadence, owner, and expected output.
SOC / hunter
What should we hunt for?
Open Detection Starter Pack, Detection Readiness, IOC Extractor, Hunt Query Helper, and Sigma Helper.
Threat intel
What campaign or actor context matters?
Open Threat Map, Ransomware Watch, Exploit Chain Watch, Actors, Trending, and Source Analytics.
Leadership
What should be communicated?
Open Executive Report, Briefing Room, Status, and Trust Review. Focus on exposure, owners, exceptions, and evidence of progress.
Key Terms
The minimum vocabulary to use the site confidently
KEV
Known Exploited Vulnerabilities. If a CVE is in KEV, defenders should treat it as more urgent than score alone suggests.
EPSS / exploit likelihood
A probability-style signal that helps estimate whether exploitation is likely, but it should be combined with exposure and business impact.
Public PoC
Public proof-of-concept exploit code can reduce attacker effort. It does not prove active exploitation by itself.
Exposure
Whether the affected system is reachable, internet-facing, unauthenticated, privileged, or operationally important.
Source confidence
A quality signal for how much trust to place in the current record. Low confidence means validate before escalating.
Live-derived
A view built from current loaded data. It is useful for prioritization, but it is not a direct observation of attacker traffic.
If Something Looks Broken
Quick checks before assuming the site is wrong
Blank cards or empty lists
Check Status and Diagnostics. Some pages are live-data driven and may show empty states when the API is unreachable or no matching records exist.
Too many choices
Use Site Map or Daily Workflow. They group pages by mission so the top navigation does not need to carry all the meaning.
Recommended first move: if you only have a few minutes, open the daily workflow and follow the 10-minute triage path.