PATCHTRIAGE
Evidence-informed deployment decisions

Patch what matters first.

Combine global threat evidence with your system exposure, mission impact, and safety context to make one defensible SSVC deployment decision — without letting AI invent a score.

Why this patch first?auditable signal path
01 / FINDScanner evidenceCVE · package · fixed version
02 / THREATExploitation stateActive · Public PoC · None · EPSS watch signal
03 / STAKEHOLDERSSVC factorsExposure · Automatable · Human impact
Upgrade libc6 on web-frontend
Active · Open · Not automatable · High human impact → Out-of-Cycle
Out-of-Cycle
CERT/CC SSVC · Deployer model

Severity informs. Your environment decides.

KEV and PoC evidence establish what attackers are doing. SSVC combines that state with how your system is deployed and what failure means to your organization.

EExploitationKEV → Active · public exploit → PoC
EXPYour attack surfaceOpen · Controlled · Small
HIHuman impactMission + safety consequences
0
targets in scope
0
known exploited
0
Immediate decisions
decisions verified

Patch decisions

ImmediateAct now · default target 3 days
Out-of-CycleNext available opportunity · 14 days
ScheduledNormal maintenance · 30 days
DeferMonitor and reassess · 90 days
Decision, not detection

See why the same CVE needs a different action here.

Load the bundled evidence. PatchTriage applies the official SSVC Deployer path, shows every inferred input and confidence level, then groups findings into package-level actions.

GLOBAL SIGNALSKEV · EPSS · CVSSwhat attackers can do
VS
SSVC / YOUR SYSTEMImmediatewhat your team should do now