patch-prioritization
Patch Prioritization & SLA Management -- SSVC 2.1 / EPSS v3 / CISA KEV
Frameworks: SSVC 2.1 (CERT/CC), EPSS v3 (FIRST.org), CISA KEV (DHS/CISA)
Role: Security Engineer, vCISO
Time: 20-40 min
Output: Prioritized patch plan with SLA assignments, exception documentation, and risk acceptance artifacts
When to Use
If a target is provided via arguments, focus the review on: $ARGUMENTS
Use this skill when managing a vulnerability remediation backlog, when assigning or validating patch SLAs, when a patch window needs to be scheduled against business constraints, when evaluating compensating controls as interim mitigation, or when processing risk acceptance or exception requests for deferred patches.
Do not use when: The task is initial CVE triage and severity scoring (use cve-triage), detection rule creation for unpatched systems (use detection-engineering), or SBOM-level dependency analysis (use sbom-analysis).