CG
SkillsTriaging Vulnerabilities with Ssvc Framework
Start Free
Back to Skills Library
Vulnerability Management🔴 Advanced

Triaging Vulnerabilities with Ssvc Framework

Triage and prioritize vulnerabilities using CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree framework to produce actionable remediation priorities.

3 min read8 code examples

Prerequisites

  • Python 3.9+ with `requests`, `pandas`, and `jinja2` libraries
  • Access to CISA KEV catalog API and EPSS API from FIRST
  • NVD API key (optional, for higher rate limits)
  • Vulnerability scan results from tools like OpenVAS, Nessus, or Qualys

Triaging Vulnerabilities with SSVC Framework

Overview

The Stakeholder-Specific Vulnerability Categorization (SSVC) framework, developed by Carnegie Mellon University's Software Engineering Institute (SEI) in collaboration with CISA, provides a structured decision-tree methodology for vulnerability prioritization. Unlike CVSS alone, SSVC accounts for exploitation status, technical impact, automatability, mission prevalence, and public well-being impact to produce one of four actionable outcomes: Track, Track*, Attend, or Act.

Prerequisites

  • Python 3.9+ with requests, pandas, and jinja2 libraries
  • Access to CISA KEV catalog API and EPSS API from FIRST
  • NVD API key (optional, for higher rate limits)
  • Vulnerability scan results from tools like OpenVAS, Nessus, or Qualys

SSVC Decision Points

1. Exploitation Status

Assess current exploitation activity:

  • None - No evidence of active exploitation
  • PoC - Proof-of-concept exists publicly
  • Active - Active exploitation observed in the wild (check CISA KEV)
# Check if a CVE is in CISA Known Exploited Vulnerabilities catalog
curl -s "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" | \
  python3 -c "import sys,json; data=json.load(sys.stdin); cves=[v['cveID'] for v in data['vulnerabilities']]; print('Active' if 'CVE-2024-3400' in cves else 'Check PoC/None')"

2. Technical Impact

Determine scope of compromise if exploited:

  • Partial - Limited to a subset of system functionality or data
  • Total - Full control of the affected system, complete data access

3. Automatability

Evaluate if exploitation can be automated at scale:

  • No - Requires manual, targeted exploitation per victim
  • Yes - Can be scripted or worm-like propagation is possible

4. Mission Prevalence

How widespread is the affected product in your environment:

  • Minimal - Limited deployment, non-critical systems
  • Support - Supports mission-critical functions indirectly
  • Essential - Directly enables core mission capabilities

5. Public Well-Being Impact

Potential consequences for physical safety and public welfare:

  • Minimal - Negligible impact on safety or public services
  • Material - Noticeable degradation of public services
  • Irreversible - Loss of life, major property damage, or critical infrastructure failure

SSVC Decision Outcomes

OutcomeAction RequiredSLA
TrackMonitor, remediate in normal patch cycle90 days
Track*Monitor closely, prioritize in next patch window60 days
AttendEscalate to senior management, accelerate remediation14 days
ActApply mitigations immediately, executive-level awareness48 hours

Implementation Steps

Step 1: Ingest Vulnerability Data

import requests
import json

# Fetch CISA KEV catalog
kev_url = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
kev_data = requests.get(kev_url).json()
kev_cves = {v['cveID'] for v in kev_data['vulnerabilities']}

# Fetch EPSS scores for context
epss_url = "https://api.first.org/data/v1/epss"
epss_response = requests.get(epss_url, params={"cve": "CVE-2024-3400"}).json()

Step 2: Evaluate Each Decision Point

def evaluate_exploitation(cve_id, kev_set):
    """Determine exploitation status from CISA KEV and EPSS data."""
    if cve_id in kev_set:
        return "active"
    epss = requests.get(
        "https://api.first.org/data/v1/epss",
        params={"cve": cve_id}
    ).json()
    if epss.get("data"):
        score = float(epss["data"][0].get("epss", 0))
        if score > 0.5:
            return "poc"
    return "none"

def evaluate_technical_impact(cvss_vector):
    """Parse CVSS vector for scope and impact metrics."""
    if "S:C" in cvss_vector or "C:H/I:H/A:H" in cvss_vector:
        return "total"
    return "partial"

def evaluate_automatability(cvss_vector, cve_description):
    """Check if attack vector is network-based with low complexity."""
    if "AV:N" in cvss_vector and "AC:L" in cvss_vector and "UI:N" in cvss_vector:
        return "yes"
    return "no"

Step 3: Apply SSVC Decision Tree

def ssvc_decision(exploitation, tech_impact, automatability, mission_prevalence, public_wellbeing):
    """CISA SSVC decision tree implementation."""
    if exploitation == "active":
        if tech_impact == "total" or automatability == "yes":
            return "Act"
        if mission_prevalence in ("essential", "support"):
            return "Act"
        return "Attend"
    if exploitation == "poc":
        if automatability == "yes" and tech_impact == "total":
            return "Attend"
        if mission_prevalence == "essential":
            return "Attend"
        return "Track*"
    # exploitation == "none"
    if tech_impact == "total" and mission_prevalence == "essential":
        return "Track*"
    return "Track"

Step 4: Generate Triage Report

# Run the SSVC triage script against scan results
python3 scripts/process.py --input scan_results.csv --output ssvc_triage_report.json

# View summary
cat ssvc_triage_report.json | python3 -m json.tool | head -50

Integration with Vulnerability Scanners

Import from Nessus CSV

# Export Nessus scan as CSV, then process
python3 scripts/process.py \
  --input nessus_export.csv \
  --format nessus \
  --output ssvc_results.json

Import from OpenVAS

# Export OpenVAS results as XML
python3 scripts/process.py \
  --input openvas_report.xml \
  --format openvas \
  --output ssvc_results.json

Validation and Testing

# Test SSVC decision logic with known CVEs
python3 -c "
from scripts.process import ssvc_decision
# CVE-2024-3400 - Palo Alto PAN-OS command injection (KEV listed)
assert ssvc_decision('active', 'total', 'yes', 'essential', 'material') == 'Act'
# CVE-2024-21887 - Ivanti Connect Secure (PoC available)
assert ssvc_decision('poc', 'total', 'yes', 'support', 'minimal') == 'Attend'
print('All SSVC decision tests passed')
"

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

  • SOC 2: CC7.1 (Monitoring), CC8.1 (Change Management)
  • ISO 27001: A.12.6 (Technical Vulnerability Management)
  • NIST 800-53: RA-5 (Vulnerability Scanning), SI-2 (Flaw Remediation), CM-6 (Configuration Settings)
  • NIST CSF: ID.RA (Risk Assessment), PR.IP (Information Protection)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

Register this skill with your Claw GRC agent for automated execution:

# Install via CLI
npx claw-grc skills add triaging-vulnerabilities-with-ssvc-framework

# Or load dynamically via MCP
grc.load_skill("triaging-vulnerabilities-with-ssvc-framework")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

  • SHA-256 chain hashing ensures no step can be modified after execution
  • Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
  • Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

References

  • CISA SSVC Framework
  • CERT/CC SSVC Documentation
  • CISA SSVC Guide PDF
  • FIRST EPSS API
  • CISA Known Exploited Vulnerabilities

Use with Claw GRC Agents

This skill is fully compatible with Claw GRC's autonomous agent system. Deploy it to any registered agent via MCP, and every execution will be logged in the tamper-evident audit trail.

// Load this skill in your agent
npx claw-grc skills add triaging-vulnerabilities-with-ssvc-framework
// Or via MCP
grc.load_skill("triaging-vulnerabilities-with-ssvc-framework")

Tags

ssvcvulnerability-triagecisavulnerability-prioritizationdecision-treecvssremediationrisk-management

Related Skills

Vulnerability Management

Implementing Epss Score for Vulnerability Prioritization

3m·advanced
Vulnerability Management

Performing CVE Prioritization with Kev Catalog

5m·advanced
Vulnerability Management

Performing Asset Criticality Scoring for Vulns

3m·intermediate
Vulnerability Management

Implementing Vulnerability Remediation Sla

4m·advanced
Vulnerability Management

Building Vulnerability Aging and Sla Tracking

5m·intermediate
Security Operations

Building Vulnerability Scanning Workflow

6m·advanced

Skill Details

Domain
Vulnerability Management
Difficulty
advanced
Read Time
3 min
Code Examples
8

On This Page

OverviewPrerequisitesSSVC Decision PointsSSVC Decision OutcomesImplementation StepsIntegration with Vulnerability ScannersValidation and TestingReferencesCompliance Framework MappingDeploying This Skill with Claw GRC

Deploy This Skill

Add this skill to your Claw GRC agent and start automating.

Get Started Free →