Why intake matters
A scanner finding, advisory, CVE record, KEV entry, penetration-test result, internal research note, incident finding, or asset-owner report is an input to investigation. It is not automatically a confirmed vulnerability on a local asset. Good intake preserves the source while separating what is reported from what still needs validation.
Minimum record
- Identifier and source: CVE, advisory, scanner plugin, ticket, or research reference.
- Product, version, platform, and feature or configuration claimed to be affected.
- Asset, service, owner, discovery time, and source timestamp where available.
- Known signals: CVSS, EPSS, KEV, exploit reporting, vendor guidance, and fixed-version information.
- Open questions, evidence location, assigned owner, and next review time.
Initial triage workflow
- Normalize the finding. Check the identifier, source date, and whether the record is duplicated, superseded, rejected, or too vague to action.
- Confirm local relevance. Ask whether the product exists, the installed version falls in the affected range, the vulnerable function is enabled, and the asset is in scope.
- Assess exposure. Record reachability, authentication boundary, network placement, data sensitivity, and compensating controls. A public CVE or scanner hit does not prove exposure.
- Enrich carefully. Review vendor guidance, Vendor advisories, KEV, CVSS, EPSS, and credible exploit evidence as separate signals.
- Choose the next question. Route to owner validation, patch planning, mitigation review, monitoring, or escalation. Keep unresolved facts explicit.
Intake checklist
- Is the finding valid and specific enough to investigate?
- Is the affected product and version present on an owned asset?
- Is the relevant functionality enabled and reachable?
- Is a compensating control already in place, and is there evidence it applies?
- Is there vendor guidance, a workaround, or a fixed version?
- Who owns the asset and who will confirm the next fact?
Common mistakes
Do not equate a product-family match with an affected version, a high score with local compromise, or an absent record with safety. Avoid opening a broad remediation ticket before scope, ownership, and the next evidence request are named.
Example
A scanner flags a web appliance by product banner. Intake records the plugin and CVE, then asks the appliance owner to confirm model, installed release, exposure path, and enabled feature. KEV presence can raise the urgency of that request, but it does not establish that this appliance is affected or exploited.