Applicability
Is the affected product, version, feature, architecture, and vulnerable code path actually present?
Evidence: authenticated inventory, package/build data, vendor advisory, configuration, or safe validation.
Exposure and reachability
Can the attacker reach the vulnerable interface from the internet, a partner, a user network, or a compromised host?
Evidence: routing, firewall, identity, segmentation, port/service, and attack-path context.
Threat evidence
Is exploitation observed, predicted, publicly available, simple to reproduce, or associated with ransomware?
Evidence: KEV record, EPSS date, credible advisories, incident telemetry, and current intelligence.
Business consequence
What would exploitation affect: safety, operations, regulated data, identity, backups, revenue, or customer trust?
Evidence: asset owner, service dependency, data classification, impact analysis, and recovery capability.
Controls and prerequisites
Do MFA, segmentation, allowlisting, least privilege, EDR, WAF, configuration, or other controls materially block the known path?
Evidence: tested control behavior—not the mere existence of a policy or product.
Required action and feasibility
What must be done, by when, and can the organization patch, configure, isolate, retire, or temporarily mitigate safely?
Evidence: authoritative deadline, vendor fix, change plan, exception, owner, and verification method.