---
name: cve-triage
description: Triage a CVE or vendor security bulletin against your estate — produces patch priority, affected-inventory prompt, targeted runbook, stakeholder comms, and rollback plan.
version: 1.0.0
author: VantagePoint Networks
audience: SecOps, Network Engineers, Platform Engineers, IT Managers
output_format: Markdown triage pack — priority score, impact analysis, runbook, comms templates, rollback plan.
license: MIT
---

# CVE Triage

A Claude Code skill for the moment a CVE drops and you have 30 minutes to decide: patch now, patch next window, accept risk, or mitigate otherwise.

## How to use this skill

1. Download this `SKILL.md` file.
2. Place it at `~/.claude/skills/cve-triage/SKILL.md` (macOS/Linux) or `%USERPROFILE%\.claude\skills\cve-triage\SKILL.md` (Windows); the `name:` field in the frontmatter is what registers the `/cve-triage` command.
3. In Claude Code, run `/cve-triage`. Paste the CVE ID, the vendor bulletin URL or text, and a short description of your estate.

## When to use this

- A vendor PSIRT bulletin has landed and you need a decision, fast.
- A CISA KEV addition affects products you may run.
- A third-party security vendor has flagged a high-severity issue.
- A pentest report references a CVE you haven't assessed.
- You need to brief management on an active exploitation report before the press catches wind.

## What you'll get

A single Markdown document containing:

- **Priority score** (VantagePoint scale: P0 immediate / P1 same-week / P2 next-window / P3 backlog)
- **Exploitability assessment** — is there PoC, active exploitation, worms in the wild, ransomware association?
- **Your estate impact** — affected systems, estimated host count, exposure level (internet-facing vs. internal vs. air-gapped)
- **Targeted runbook** — tailored to your vendor/platform, numbered steps, pre-checks, validation
- **Mitigation alternatives** if you can't patch immediately
- **Communications** — internal engineering, management, customer-facing if breach-adjacent
- **Rollback plan** in case the patch introduces regression
- **Verification checklist** — how you will confirm the fix landed

## Clarifying questions I will ask you

Before producing the triage pack:

1. **CVE ID + vendor bulletin** — paste the text or URL.
2. **Affected products** — which vendors/platforms in your estate match?
3. **Exposure** — is the vulnerable function/service exposed to the internet, to internal users, or internal-only? Any WAF / segmentation in front?
4. **Business context** — what runs on the affected systems? Business-critical, revenue-generating, regulated data?
5. **Maintenance posture** — when is your next change window? Do you have an emergency-change path?
6. **Patch availability** — has a patch shipped, is there only a workaround, or is it a zero-day with nothing yet?
7. **Detection visibility** — do you have logging / EDR / SIEM coverage that would detect exploitation?

## How I reason

I will:

1. **Check for active exploitation** — CISA KEV, vendor PSIRT, Shadowserver and similar feeds, and credible public research posts. Where I can't reach a source from your session I will ask you to paste its current state rather than guess.
2. **Compute a priority** using:
   - CVSS base score, adjusted for exploit maturity (temporal/threat metrics, EPSS) and for your exposure (environmental metrics).
   - Business criticality of affected systems.
   - Availability of patch vs. workaround.
   - Ease of exploitation (remote, unauthenticated, no user interaction → +1 tier).
3. **Map to your estate** and flag the specific inventory lines you should check.
4. **Choose between patch-now / patch-window / mitigate / accept** with an explicit rationale.
5. **Produce a targeted runbook** — not the vendor's generic instructions but the specific commands / steps for your platform mix.

## Priority scale

- **P0 — Immediate action** (< 24 hours): active exploitation + internet-facing + business-critical.
- **P1 — This week**: public PoC available OR internet-facing + high CVSS (7.0 or above); patch within 7 days, using the emergency-change path if the next scheduled window falls later than that.
- **P2 — Next change cycle** (30 days): internal-only systems OR low exploitability OR strong compensating controls.
- **P3 — Backlog**: low severity OR workaround in place OR systems air-gapped OR EoL planned within 6 months.
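The inputs listed under "How I reason" and the P0/P3 scale above, as one added worked example (not code from the skill itself): a pure function that returns the tier, the patch-now / patch-window / mitigate / accept decision, and the reasons, so the rationale is reproducible. The `Finding` field names, the order in which the rungs are checked, the cap of the exploitability bump at P1 and the "actively exploited is at least P1" floor are assumptions; the CVE IDs in the demo are placeholders.

```python
"""Priority tiering for CVE triage (added example, not the skill's own code).

Turns the inputs listed under "How I reason" and the P0-P3 scale into one
pure function so the rationale behind a tier is reproducible. Field names,
the order in which the rungs are checked, the P1 cap on the exploitability
bump and the "actively exploited is at least P1" floor are assumptions.
"""
from dataclasses import dataclass

TIERS = ["P0", "P1", "P2", "P3"]


@dataclass
class Finding:
    cve: str
    cvss_base: float             # CVSS base score, 0.0 to 10.0
    active_exploitation: bool    # CISA KEV, vendor PSIRT or credible reports
    public_poc: bool
    remote_unauth_no_ui: bool    # AV:N / PR:N / UI:N in the vector
    internet_facing: bool
    business_critical: bool
    compensating_controls: bool  # WAF rule, segmentation, feature disabled
    air_gapped: bool
    eol_within_6_months: bool
    patch_available: bool


def priority(f: Finding) -> tuple[str, str, list[str]]:
    """Return (tier, action, reasons) for one finding.

    action is one of patch-now / patch-window / mitigate / accept.
    """
    reasons: list[str] = []

    # P0 needs all three conditions; nothing below can downgrade it.
    if f.active_exploitation and f.internet_facing and f.business_critical:
        return "P0", "patch-now", [
            "active exploitation on an internet-facing, business-critical system"]

    # Exposure is checked before the P1 rung: an air-gapped box with a
    # public PoC still has no attacker path (assumption about rung order).
    if f.air_gapped:
        tier, why = 3, "air-gapped: no network path for an attacker"
    elif f.public_poc:
        tier, why = 1, "public PoC available"
    elif f.internet_facing and f.cvss_base >= 7.0:
        tier, why = 1, f"internet-facing with CVSS {f.cvss_base:.1f}"
    elif f.cvss_base < 4.0:
        tier, why = 3, f"low severity (CVSS {f.cvss_base:.1f})"
    elif f.eol_within_6_months:
        tier, why = 3, "system EoL within 6 months"
    else:
        tier, why = 2, "internal-only or low exploitability"
    reasons.append(why)

    # Remote, unauthenticated, no user interaction: +1 tier. Capped at P1
    # because P0 is reserved for confirmed exploitation (assumption).
    if f.remote_unauth_no_ui and not f.air_gapped and tier > 1:
        tier -= 1
        reasons.append("remote/unauthenticated/no-UI: +1 tier")

    # Strong compensating controls move P1 to P2, unless exploitation is
    # already being reported.
    if f.compensating_controls and tier == 1 and not f.active_exploitation:
        tier = 2
        reasons.append("compensating controls in front: P1 -> P2")

    # Floor: an actively exploited bug with any network path is at least P1
    # even when the rungs above landed lower (assumption).
    if f.active_exploitation and not f.air_gapped and tier > 1:
        tier = 1
        reasons.append("active exploitation reported: floor at P1")

    if not f.patch_available:
        action = "mitigate" if tier <= 2 else "accept"
        reasons.append("no vendor patch yet: interim mitigation only")
    else:
        action = {0: "patch-now", 1: "patch-window",
                  2: "patch-window", 3: "accept"}[tier]
    return TIERS[tier], action, reasons


if __name__ == "__main__":
    # Constructed findings; the CVE IDs are placeholders, not real entries.
    demo = [
        Finding("CVE-0000-0001", 9.8, True, True, True, True, True, False, False, False, True),
        Finding("CVE-0000-0002", 7.5, False, True, True, True, False, True, False, False, True),
        Finding("CVE-0000-0003", 5.5, False, False, True, False, False, False, False, False, True),
        Finding("CVE-0000-0004", 8.1, False, False, False, True, False, False, False, False, False),
    ]
    for f in demo:
        tier, action, why = priority(f)
        print(f"{f.cve}: {tier} {action:12s} {'; '.join(why)}")
```

The reasons list is what goes into the "Recommended action" rationale of the triage pack; when a stakeholder disputes the tier, the disagreement is about one named input (is it really internet-facing? is the WAF rule really in front?) rather than about the number.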

## Output — example skeleton

```markdown
# CVE Triage: CVE-2026-XXXXX — [Short Name]

## Priority: **P1 — patch this week**

### Exploitability
- Public PoC: Yes (date, source)
- Active exploitation: No (as of [date])
- CISA KEV: Not yet listed
- Vendor patch: Available [version]

### Your estate impact
- **Affected products:** [list]
- **Systems in scope:** [count], [internet-facing count], [internal count]
- **Compensating controls in place:** [WAF rule X, segmentation Y]
- **Residual risk if unpatched:** [assessment]

### Recommended action
- Patch to [version] in the next change window (within 7 days).
- In the meantime: [interim mitigations].

### Targeted runbook
1. Pre-checks: [backup config, snapshot, verify monitoring]
2. Patch: [specific vendor commands]
3. Validation: [test cases]
4. Rollback if needed: [steps]

### Communications
**Engineering Slack channel:**
> [ready-to-paste message]

**Management brief:**
> [ready-to-send email]

### Verification checklist
- [ ] Patch applied to all in-scope systems
- [ ] Version check on every in-scope host returns the fixed version (compare numerically, not as strings)
- [ ] No regression in service health dashboards over 24h
- [ ] Detection signatures added to SIEM
- [ ] Ticket closed with evidence attached
```
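Step 3 of "How I reason" (map to your estate) and the skeleton's "Systems in scope" line and version-check item, as an added example that is not part of the skill: the bulletin's fixed version per release train is applied to an inventory export to produce the in-scope list with exposure counts, and the same check is re-run on the post-patch export as the verification step. The product name `ExampleOS`, the release trains, the fixed versions and the inventory rows are all constructed for the example.

```python
"""Map a bulletin's affected versions onto an inventory, then re-run the same
check after patching as the verification step.

Added example for this page, not the skill's own code. The product name,
release trains, fixed versions and inventory rows are constructed.
"""
import csv
import io
import re
from collections import Counter

Version = tuple[int, ...]

# Constructed bulletin data: fixed version per release train (major.minor).
# A version in a listed train is affected when it is below that train's fix.
AFFECTED_PRODUCT = "ExampleOS"
FIXED_BY_TRAIN: dict[Version, Version] = {
    (9, 9): (9, 9, 4),
    (10, 1): (10, 1, 5),
    (10, 2): (10, 2, 1),
}

# Constructed inventory export: host, product, version, exposure.
INVENTORY_BEFORE = """host,product,version,exposure
fw-edge-01,ExampleOS,10.2.0,internet
fw-edge-02,ExampleOS,9.9.3,internet
fw-core-01,ExampleOS,10.1.4,internal
fw-lab-01,ExampleOS,10.2.1,internal
srv-app-01,OtherProduct,3.4,internet
"""


def parse_version(text: str) -> Version:
    """Numeric components only, so comparison is numeric.

    As strings "9.9.3" sorts after "10.2.1"; as tuples it sorts before.
    Suffixes such as "-hotfix1" contribute their digits as extra components.
    """
    return tuple(int(n) for n in re.findall(r"\d+", text))


def status(product: str, version: str) -> str:
    """One of: affected, fixed, not-listed (train absent from the bulletin,
    review by hand), other-product."""
    if product != AFFECTED_PRODUCT:
        return "other-product"
    v = parse_version(version)
    fixed = FIXED_BY_TRAIN.get(v[:2])
    if fixed is None:
        return "not-listed"
    return "affected" if v < fixed else "fixed"


def in_scope(inventory_csv: str) -> list[dict]:
    """Inventory rows whose version is below the fix for their train."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [r for r in rows if status(r["product"], r["version"]) == "affected"]


def exposure_counts(rows: list[dict]) -> Counter:
    """Counts for the 'Systems in scope' line of the triage pack."""
    return Counter(r["exposure"] for r in rows)


def needs_review(inventory_csv: str) -> list[str]:
    """Hosts on a train the bulletin does not mention: neither in nor out."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return sorted(r["host"] for r in rows
                  if status(r["product"], r["version"]) == "not-listed")


def verify(inventory_csv: str) -> list[str]:
    """Post-patch check: hosts whose reported version is still below the fix."""
    return sorted(r["host"] for r in in_scope(inventory_csv))


if __name__ == "__main__":
    scope = in_scope(INVENTORY_BEFORE)
    counts = exposure_counts(scope)
    print(f"systems in scope: {len(scope)}, internet-facing {counts['internet']}, "
          f"internal {counts['internal']}")
    for r in scope:
        print(f"  {r['host']:12s} {r['version']:8s} {r['exposure']}")
    # Simulated post-patch export: two edge hosts patched, the core host not.
    after = INVENTORY_BEFORE.replace("10.2.0", "10.2.1").replace("9.9.3", "9.9.4")
    print("still affected after patch window:", verify(after))
```

Hosts on a train the bulletin does not list are reported separately rather than silently treated as safe; that is the inventory line to ask the vendor about before closing the ticket.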

## What I won't do

- I won't invent exploit code.
- I won't promise a patch is risk-free — rollback plans exist because patches occasionally break things.
- I won't bypass your change management. The output is a proposed runbook; your process still approves it.
- I won't triage based on marketing CVSS inflation alone; context matters more than the number.

## Reference

- [NIST NVD](https://nvd.nist.gov/)
- [CISA KEV catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- [FIRST EPSS](https://www.first.org/epss/) — exploit prediction scoring
- [OWASP risk rating methodology](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology)

## Attribution

Built by **Hak** at **VantagePoint Networks**. MIT licensed.
