Security operations · Field guide 01
Monitor the stack you run, not the whole internet.
A working CVE programme joins vendor evidence to a real asset, makes one priority decision, and gives an owner a clear next action. This is the operating loop we use for multi-vendor monitoring.
The rule
No inventory match, no urgent alert. No version evidence, no “all clear.”
Daily operating loop
Five decisions, in order
Keep the order. Starting with severity before you know whether the product exists in your estate is how a vulnerability feed turns into noise.
- 01
Know what you actually run
Record vendor, product family, installed release, site or customer, internet exposure and a named owner. A scanner export with only hostnames is not enough to make a version decision.
OutputAsset + version + owner
- 02
Pull from the source closest to the fix
Prefer PSIRT, CSAF, vendor bulletins and CNA records. Use NVD and third-party research to enrich the record, not to replace the vendor's affected-version and remediation guidance.
OutputCVE + vendor advisory
- 03
Normalise the product language
Map product aliases before matching. FortiGate is usually FortiOS; vSphere Hypervisor maps to ESXi; Silver Peak is now EdgeConnect. Keep the original wording beside the normalised value for auditability.
OutputOne canonical product name
- 04
Decide priority from evidence
Start with an inventory match, then weigh known exploitation, internet exposure, privilege required, fix availability and support status. CVSS is useful context, not the queue by itself.
OutputAct now, schedule, or monitor
- 05
Route a complete hand-off
The alert should name the affected asset, installed and fixed versions, evidence, owner and verification step. If the recipient has to repeat the research, the alert is unfinished.
OutputAn actionable change ticket
Priority rules
What changes the queue
| Signal | Handling | Why it matters |
|---|---|---|
| Inventory match | Required | No confirmed or plausible asset match means no page. |
| CISA KEV / exploitation | Escalate | Moves a relevant item ahead of score-only findings. |
| Internet-facing | Escalate | Shortens the acceptable validation and patch window. |
| Fixed release available | Schedule | Creates a concrete upgrade target for the owner. |
| Version evidence missing | Investigate | Unknown is not the same as unaffected. |
| Product out of support | Risk decision | Patch availability may no longer be a safe assumption. |
The hand-off
Make the next action obvious
“Critical CVE published” is a news item. An operations alert connects the evidence to an asset and a deadline. It should survive copy-and-paste into a change or incident ticket.
- Asset
- edge-fw-02 · Sydney
- Product
- FortiGate / FortiOS 7.2.7
- Finding
- CVE matched to installed release
- Evidence
- Vendor PSIRT + CISA KEV
- Target
- Upgrade to vendor-fixed release
- Owner / due
- Network Ops · within 24 hours
- Verify
- Record new build and re-run exposure check
Failure modes
Where programmes drift
One inbox per vendor
Different formats and duplicate CVEs hide the actual patch queue. Normalise first, then triage once.
Severity-only paging
A 9.8 for a product you do not run should not outrank a known-exploited 8.1 on an exposed asset.
Missing version means safe
Absence of evidence is an investigation task. It is never a negative match.
Alert with no owner
If nobody owns the asset and deadline, the notification is documentation—not control.
Reference
Common questions
How can I monitor CVEs from multiple vendors?
Start with a current inventory, monitor authoritative vendor advisory sources, normalise product names, and route only the matches relevant to your vendors and platforms. A shared watchlist prevents every vendor feed from becoming a separate manual workflow.
Can I receive new CVE alerts by email?
Yes. VulniPulse can email matching watch rules after a newly ingested advisory is normalised and matched. Your plan's watch allowance applies across whole-vendor and specific-platform rules.
What is the difference between a vendor watch and a platform watch?
A vendor watch follows every tracked advisory from that vendor. A platform watch narrows the scope to a product family such as Cisco ASA, FortiOS, PAN-OS, VMware ESXi, or Veeam Backup & Replication.
Does a CVE always affect every software version?
No. A CVE can affect only particular products, release trains, builds, configurations, or hardware. Treat missing version evidence as unknown and confirm remediation against the linked vendor advisory.
How should CISA KEV affect priority?
A CISA Known Exploited Vulnerability flag is strong evidence of exploitation in the wild. Combine it with asset relevance, exposure, vendor severity, available fixes, and operational impact rather than using CVSS alone.
Build the queue from your own stack.
Start with a vendor or platform watch. Add exact device versions when you are ready for exposure checks.