Free · For subscribers
The CVE triage cheat sheet. One page, one call.
A printable decision flow that turns a fresh CVE into a single verdict: patch now, patch this week, or safe to defer. It runs on the same signals the daily digest uses, so the call you make at your desk matches the call we make in your inbox. Pin it next to your monitor.
Confirm your subscription from the email we send, and the cheat sheet link arrives in your inbox. It is not posted anywhere else on the site.
What is on the sheet
-
01
Four verdicts, no maybe
Every CVE lands on one call: patch immediately, within 24 hours, this week, or monitor and defer. The same urgency model the daily digest runs on.
-
02
A stop-at-first-match flow
Run a new CVE down five questions: on CISA KEV, working exploit plus exposure, EPSS probability, CVSS and reachability, then does it even apply to you.
-
03
What each signal actually means
KEV, EPSS, CVSS, attack vector, and impact class on one line each. Where each one helps, and where it misleads if you read it alone.
-
04
The rule worth taping to the wall
Severity and likelihood are different questions. A 9.8 nobody is exploiting can wait behind a 7.5 that is already on KEV. Sort by CVSS alone and you patch the wrong things first.
Why it exists
Most triage stalls on the same question: this CVE is rated 9.8, but is it actually my problem today? CVSS tells you how bad a bug is if someone uses it. It says nothing about whether anyone will. The cheat sheet puts severity, exploitation, and exposure in the right order so you can clear a ticket without a 20-minute detour through three advisory pages.
PatchDay Alert runs this triage every morning across NVD, CISA KEV, MSRC, and EPSS, then sends only the CVEs that clear the bar, each with the reasoning that put it there. The sheet is the same model, in your hands, for the ones that land outside the digest.