Vulnerability-Management
CISA Kills the Flat KEV Deadline: BOD 26-04 Starts a Three-Day Patch Clock
BOD 26-04 revokes BOD 22-01 and 19-02, replacing flat KEV due dates with risk-tiered deadlines: three days plus mandatory forensic triage for internet-facing, automatable, total-control flaws.
The Edge Device Audit: Turn CISA's BOD 26-02 Into a Playbook You Can Actually Run
CISA's BOD 26-02 just handed every infrastructure team a free edge-device audit checklist. Here is how to run it on your own network — inventory, version, exposure, and end-of-support triage — before an attacker runs theirs.
Severity Drift: Why Your Vulnerability Triage Process Is Working With Bad Data
From silent reclassifications to incomplete patches to NVD enrichment backlogs, the severity data your vuln management program depends on is wrong more often than you think. Here's the proof — and what to do about it.