Zero-Day Response Guidance

Move quickly on zero-day pressure without outrunning the evidence.

Use this guide when a vulnerability looks exploited, pre-fix, mitigation-only, or likely to move faster than a normal patch cycle.

Zero-day rule: zero-day pressure can justify fast validation, exposure reduction, SOC review, and leadership caveats. It does not prove local exposure, successful exploitation, compromise, attribution, or business impact without asset, telemetry, owner, and incident-response evidence.

Validate reachable scope

Confirm product, version, feature, exposure, authentication, owner, and business role.

Reduce blast radius

Restrict access, disable features, isolate paths, rotate secrets, add rules, or raise monitoring.

Coordinate SOC checks

Ask for scoped telemetry review, relevant hunts, alert coverage, and containment triggers.

Review every update

Track vendor guidance, fixed versions, KEV, exploit notes, IOCs, and mitigation changes.

Choose the smallest fast action that reduces risk and preserves evidence

Likely exploited and reachable

Validate fast, reduce exposure, and ask SOC

Trigger: credible exploitation language, KEV, public PoC, active scanning, or campaign context plus a reachable affected product.

Next move: confirm version and exposure, restrict access where possible, request telemetry review, prepare patch or mitigation, and define IR escalation criteria.

Safe wording: This deserves priority response; exploitation in our environment is not proven yet.

No fix yet

Use mitigation-first handling with review triggers

Trigger: vendor confirms no patch, fix is pending, affected product is unsupported, or remediation guidance is incomplete.

Next move: apply compensating controls, disable vulnerable features, segment exposure, monitor telemetry, open vendor case, and set source-review cadence.

Safe wording: No fixed version is available, so temporary controls and monitoring are the active response.

Patch exists but window is constrained

Accelerate safely without breaking operations

Trigger: fixed release exists, but outage, compatibility, vendor support, HA order, OT safety, or rollback risk blocks immediate patching.

Next move: name owner, set emergency or next-safe window, document temporary controls, validate rollback, and capture exception approval if delay remains.

Safe wording: Patch is the target lane, with temporary risk reduction until change can complete safely.

Exposure unknown

Do not assign emergency work before scope proof

Trigger: record looks severe, but inventory, feature state, internet path, affected version, or ownership is unclear.

Next move: send asset-owner questions, check exposure data, validate installed versions, and keep leadership language caveated.

Safe wording: The vulnerability is high pressure, but local applicability is still being validated.

Telemetry concern

Escalate only when signals cross criteria

Trigger: suspicious logs, exploitation attempts, unusual admin activity, new webshell-like artifacts, anomalous process execution, or containment concern.

Next move: preserve evidence, route to SOC or IR, define containment needs, and avoid destructive remediation before evidence capture when possible.

Safe wording: Telemetry requires SOC or IR review; compromise is a finding, not an assumption.

Not affected or already controlled

Close with proof and reopen triggers

Trigger: product not deployed, version not affected, feature disabled, path blocked, provider remediated, or mitigation already verified.

Next move: attach evidence, owner signoff, control proof, source caveat, and reopen triggers for vendor or threat updates.

Safe wording: Current evidence supports not affected or controlled for this scope; reopen if guidance changes.

Copy-ready asks for zero-day pressure

Asset owner ask

Please confirm whether we run [product/version/feature], whether it is reachable from [internet/untrusted/user/partner/internal] paths, and who owns immediate mitigation or validation.

Patch owner ask

Please confirm fixed-version availability, emergency or next-safe window, rollback plan, compatibility risk, and temporary controls if patching cannot happen immediately.

SOC ask

Please review scoped telemetry for exploitation attempts, suspicious access, post-exploitation behavior, and detection coverage. This request does not assume compromise.

Leadership caveat

Public zero-day pressure exists. We are validating local exposure, applying temporary controls where needed, checking telemetry, and tracking vendor updates.

Zero-day response note

Zero-day response - [CVE/advisory/vendor notice]
Why surfaced: [exploited / KEV / public PoC / no patch / mitigation-only / active scanning / campaign context]
Local scope: [product/version/feature/exposure/business role/owner]
What is known: [source, affected range, fix status, mitigation, exploit pressure, confidence]
What is not proven: [local exposure / successful exploitation / compromise / attribution / business impact]
Immediate action: [validate / restrict / disable / mitigate / monitor / patch window / vendor case]
SOC or IR criteria: [telemetry finding, containment need, confirmed exposure, suspicious behavior, impact]
Owner and review trigger: [team/person/date/vendor update/KEV update/telemetry result/patch release]
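The following is an added example, not part of this guidance and not a tool the guidance refers to. It encodes the six response lanes above and the zero-day rule ("pressure does not prove local exposure, exploitation, compromise, attribution, or business impact") as a small Python triage helper that also renders the response-note skeleton. The evidence field names, the tri-state (unknown / confirmed / ruled out) handling, the ordering in which lanes are reported, the "normal patch cycle" fallback, and the sample advisory values are all assumptions made for this example; the page lists the lanes without ranking them.

```python
"""Zero-day triage helper (added example, not from the guidance page).

Encodes the response lanes and the "what is not proven" rule as a decision
function and renders the response-note skeleton. Field names, lane precedence,
the normal-patch-cycle fallback, and sample values are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Lane -> (headline, safe wording), taken from the guidance text.
# "normal_patch_cycle" is an assumed fallback the page does not list.
LANES = {
    "telemetry_concern": ("Escalate only when signals cross criteria",
        "Telemetry requires SOC or IR review; compromise is a finding, not an assumption."),
    "not_affected_or_controlled": ("Close with proof and reopen triggers",
        "Current evidence supports not affected or controlled for this scope; reopen if guidance changes."),
    "exposure_unknown": ("Do not assign emergency work before scope proof",
        "The vulnerability is high pressure, but local applicability is still being validated."),
    "likely_exploited_reachable": ("Validate fast, reduce exposure, and ask SOC",
        "This deserves priority response; exploitation in our environment is not proven yet."),
    "no_fix_yet": ("Use mitigation-first handling with review triggers",
        "No fixed version is available, so temporary controls and monitoring are the active response."),
    "patch_window_constrained": ("Accelerate safely without breaking operations",
        "Patch is the target lane, with temporary risk reduction until change can complete safely."),
    "normal_patch_cycle": ("Handle in the normal patch cycle",
        "Affected and reachable with a fix available; schedule the standard change."),
}

# Items that zero-day pressure alone can never prove (zero-day rule).
NOT_PROVEN_BY_PRESSURE = ("local exposure", "successful exploitation",
                          "compromise", "attribution", "business impact")


@dataclass
class Evidence:
    """Tri-state fields: None = unknown, True/False = confirmed by an owner,
    inventory, or telemetry source. Unknown is the honest default."""
    deployed: Optional[bool] = None          # do we run the product at all
    version_affected: Optional[bool] = None  # installed version inside affected range
    reachable: Optional[bool] = None         # path from untrusted networks exists
    owner: Optional[str] = None              # named mitigation/validation owner
    exploit_pressure: bool = False           # exploited / KEV / public PoC / scanning
    fix_available: bool = False              # vendor ships a fixed version
    patch_window_blocked: bool = False       # outage, HA order, OT safety, rollback risk
    mitigation_verified: bool = False        # compensating control proven in place
    telemetry_concern: bool = False          # suspicious logs, webshell-like artifacts
    ir_confirmed: tuple = ()                 # items IR has actually confirmed


def local_exposure_proven(ev: Evidence) -> bool:
    """Local exposure needs asset evidence on all three questions plus an owner."""
    return (ev.deployed is True and ev.version_affected is True
            and ev.reachable is True and ev.owner is not None)


def not_proven(ev: Evidence) -> list:
    """Everything pressure cannot prove and no evidence has yet proven."""
    items = [] if local_exposure_proven(ev) else ["local exposure"]
    items += [i for i in NOT_PROVEN_BY_PRESSURE[1:] if i not in ev.ir_confirmed]
    return items


def lanes(ev: Evidence) -> list:
    """Applicable lanes, most urgent first (ordering is this example's assumption)."""
    out = []
    if ev.telemetry_concern:                 # possible compromise changes handling: preserve evidence
        out.append("telemetry_concern")
    if (ev.deployed is False or ev.version_affected is False
            or ev.reachable is False or ev.mitigation_verified):
        out.append("not_affected_or_controlled")
        return out
    if None in (ev.deployed, ev.version_affected, ev.reachable) or ev.owner is None:
        out.append("exposure_unknown")       # no emergency work before scope proof
        return out
    if ev.exploit_pressure and ev.reachable:
        out.append("likely_exploited_reachable")
    if not ev.fix_available:
        out.append("no_fix_yet")
    elif ev.patch_window_blocked:
        out.append("patch_window_constrained")
    return out or ["normal_patch_cycle"]


def render_note(ev: Evidence, advisory: str, why: str) -> str:
    """Fill the response-note skeleton for the primary lane."""
    headline, wording = LANES[lanes(ev)[0]]
    return "\n".join([
        f"Zero-day response - {advisory}",
        f"Why surfaced: {why}",
        f"Lane: {headline}",
        f"What is not proven: {' / '.join(not_proven(ev)) or 'none outstanding'}",
        f"Safe wording: {wording}",
        f"Owner and review trigger: {ev.owner or 'UNASSIGNED'}",
    ])


if __name__ == "__main__":
    # Constructed sample: KEV-listed product, confirmed in scope, fix shipped.
    sample = Evidence(deployed=True, version_affected=True, reachable=True,
                      owner="web-platform", exploit_pressure=True, fix_available=True)
    print(render_note(sample, "ADVISORY-ID-PLACEHOLDER", "KEV"))
```

Because every scope field defaults to unknown, a record built from the advisory alone lands in the exposure-unknown lane until an asset owner answers; the rendered "What is not proven" line shrinks only as IR actually confirms items, never because pressure increased.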