Threat intelligence driven vulnerability prioritisation
CTI signals operationalised into the queue, not into a spreadsheet

The team reads CISA KEV every morning and forwards interesting CERT advisories into Slack. The prioritisation queue keeps running on its CVSS-base ordering. The fix is making CTI ingest a structured action that produces a recorded prioritisation determination on the engagement, not an informational post in a chat channel that nobody is required to act on.

A team integrates EPSS scoring at first import and treats the value as static. Six months later the queue is using a six-month-old probability estimate that no longer reflects current exploitation patterns. EPSS is updated daily and the prioritisation logic has to read the live estimate, not the snapshot taken at the moment of import.

Findings that should have been escalated to the tightest SLA tier sit in the standard queue for weeks before someone notices the underlying CVE landed in KEV. The fix is making KEV a queue-entry signal so KEV-listed findings carry the tightest SLA from the moment they land, with the listing date and the CISA due date stamped against the finding for the determination trail.

A CERT alert prompts an emergency prioritisation; the team patches the affected systems and closes the loop. Six months later an audit asks what evidence the prioritisation read against; the team cannot reconstruct which alert, on which date, with which content. The fix is recording the source identifier, the source link, the ingest date, and the original content excerpt in document management so the determination chain stays defensible.

TLP:AMBER and TLP:RED bulletins land with general counsel or with the chief privacy officer because of contractual handling restrictions. The vulnerability management team never sees them and the prioritisation queue is blind to the sector-specific intel. The fix is naming the privileged-intel handler on the engagement, capturing the TLP classification at ingest, and routing the rendering through a permissioned engagement view so the operational signal reaches the queue without violating the sharing constraints.

The PIR/TIR list was written when the programme stood up. Eighteen months later the business has shifted to a new product line, a new compliance regime, a new geographic market, and a new supplier panel. The PIRs still talk about the old estate. The fix is reviewing the PIR/TIR list on a documented cadence (often quarterly with a board read-out, plus trigger-driven reviews when business context shifts) so the intel programme keeps reading against the current programme rather than the legacy programme.

The source the determination read against (KEV addition, EPSS shift, CERT alert reference, vendor PSIRT advisory, ISAC bulletin reference, internal finding identifier, supplier advisory reference, contracted-service rendering note), the date observed, the analyst who logged the signal, the source link, and the document management reference for the upstream artefact. Provenance is the root of every later defensibility check.

The scanner runs the fitness assessment commissioned (code scans across connected repositories, authenticated DAST against verified domains, external scans against the asset estate), the date and time of each scan, the in-scope asset count examined, and the affected asset list the assessment produced. The fitness assessment is what converts a generic CTI signal into a programme-specific exposure picture; without it the determination is operating on broadcast information.

The SLA tier the determination moves the affected findings into (immediate, accelerated, standard, monitoring, no-change), and the explicit criteria the decision read against (KEV listing on internet-facing crown jewel, EPSS percentile crossing the programme threshold, CERT advisory aligned with active sector-specific exploitation, vendor advisory with concrete patch availability, internal finding with chained exploitation path). Criteria are recorded as enumerable rules from the prioritisation policy rather than as narrative text so the audit can read the rule against the determination.

The named decider for the determination (typically the vulnerability management lead, the on-call CTI analyst, or the security operations leader depending on the signal class), any dissenting views captured during the deliberation, the deliberation duration, and the determination timestamp. Dissent is captured rather than suppressed because the artefact is what shows the deliberation was substantive when a regulator, auditor, or insurer asks how the determination was reached.

The list of affected finding identifiers the determination cites explicitly so the routing layer does not have to guess scope, the named owners the routing assigns each finding to, and the response decision the routing expects (patch upstream, deploy mitigation, apply workaround, accept with exception register, decommission). Routing is the bridge between the prioritisation determination and the remediation work; without explicit citation the queue drift is undetectable.

The named re-evaluation triggers that would reopen the determination (new EPSS percentile shift, new KEV addition, scope expansion from the next fitness scan, vendor advisory amendment, sector ISAC bulletin update), the cadence on which the determination is re-read, and the chronology of subsequent determinations stitched against the original. Each re-evaluation produces a fresh determination; nothing is edited in place so the chronology is reconstructable as the chain of decisions actually rendered.

The asset criticality classification rides on the asset criticality scoring workflow, the named-owner mapping rides on the asset ownership mapping workflow, and the broader prioritisation policy lives on the vulnerability prioritisation workflow.

The single-event emergency response triggered by a critical advisory rides on the zero-day and emergency response workflow, the SLA enforcement runs on the vulnerability SLA management workflow, and the leadership read-out lands on the security leadership reporting workflow.

No signal lives only in chat. The KEV addition, the EPSS shift, the CERT advisory, the ISAC bulletin, and the vendor PSIRT alert all land on the engagement with provenance, ingest date, and analyst attribution.

A KEV addition is not treated as urgent for the entire backlog by default. The fitness assessment converts the signal into the in-scope picture so the prioritisation determination is rendered against the deployed estate rather than against the broadcast advisory text.

Prioritisation is not decided once. New EPSS shifts, KEV additions, scope expansions, and vendor advisory amendments produce fresh determinations on the engagement; the chronology is reconstructable as the chain of decisions actually rendered.

The PIR/TIR list, the source allowlist, the ingest log, the fitness assessments, the determination chronology, and the routed-work evidence all read from the same engagement. ISO 27001, SOC 2, NIST, PCI DSS, NIS2, and DORA assessors get the evidence as a query rather than a multi-week reconciliation sprint.