Resource created as part of Mari Galloway’s TI Essentials article: “How the BrickHaus CTI team prioritized their vulnerability backlog” | Published April 16, 2026 | feedly.com/ti-essentials/
Here's a checklist, with relevant tools and resources, that you can use and customize to ensure your CTI team provides effective support for the exposure management process.
☐ Identify key CTI sources
   Relevant tools/resources: CISA KEV, EPSS, MITRE ATT&CK, ISACs, MISP, OpenCTI, AlienVault OTX
☐ Subscribe to threat feeds relevant to your industry
☐ Understand what scanners and tools feed your VM team's backlog
   Relevant tools/resources: TenableVM, Rapid7, Qualys, OpenVAS, OWASP ZAP, Snyk
☐ Establish a recurring sync cadence with VM, SOC, and remediation teams
☐ Cross-reference backlog CVEs against the CISA KEV database
   Relevant tools/resources: CISA KEV
☐ Pull EPSS scores to gauge exploitation likelihood
   Relevant tools/resources: EPSS
☐ Check NVD for CVSS scores and additional context
   Relevant tools/resources: NVD
☐ Identify which threat actors are exploiting the CVE and their TTPs
   Relevant tools/resources: MITRE ATT&CK Groups, Malpedia
☐ Escalate items the scanner rated MEDIUM if they appear in KEV or carry a high EPSS score
   Relevant tools/resources: CISA KEV, EPSS
☐ For non-CVE findings (misconfigurations), map flaws to attacker techniques or use STRIDE
   Relevant tools/resources: MITRE ATT&CK, STRIDE, ScoutSuite
☐ Confirm business context for each exposure (asset type, data sensitivity, compliance scope, network location)
☐ Check for related incidents or exploitation reports, internal logs, and external threat reports
☐ Run targeted scans to identify all affected systems, software versions, and exposure duration
   Relevant tools/resources: TenableVM, Rapid7, Qualys
☐ Assess whether the asset is internet-facing (faster action required regardless of base CVSS)
   Relevant tools/resources: Shodan (community tier), Censys Search (free tier), GreyNoise (community tier)
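
One way to automate the KEV cross-reference, EPSS lookup, escalation and internet-facing items above, as an added example that is not part of the original article. The 0.5 EPSS cutoff, the CVE IDs, the asset names and the ordering rule are assumptions made for illustration; the input field names follow the CISA KEV JSON feed and the FIRST EPSS API.

```python
from typing import NamedTuple, Optional
EPSS_THRESHOLD = 0.5  # assumption: the checklist does not define a "high" EPSS score

class Finding(NamedTuple):
    cve: str
    scanner_severity: str
    asset: str
    internet_facing: bool

class Result(NamedTuple):
    finding: Finding
    cve: str               # normalized CVE ID
    escalate: bool
    epss: Optional[float]  # None means no score was returned, not "low risk"
    reasons: tuple

def triage(backlog, kev_feed, epss_response, threshold=EPSS_THRESHOLD):
    """Rank scanner findings by KEV membership, EPSS and internet exposure."""
    kev_ids = {v["cveID"].upper() for v in kev_feed.get("vulnerabilities", [])}
    scores = {r["cve"].upper(): float(r["epss"]) for r in epss_response.get("data", [])}
    ranked = []
    for f in backlog:
        cve = f.cve.strip().upper()  # scanner exports vary in case
        score = scores.get(cve)
        reasons = []
        if cve in kev_ids:
            reasons.append("listed in KEV")
        if score is not None and score >= threshold:
            reasons.append(f"EPSS {score:.2f} >= {threshold}")
        escalate = bool(reasons)  # overrides the scanner's own rating
        if f.internet_facing:
            reasons.append("internet-facing")
        key = (not escalate, not f.internet_facing, -(score or 0.0))  # sort order
        ranked.append((key, Result(f, cve, escalate, score, tuple(reasons))))
    return [r for _, r in sorted(ranked, key=lambda pair: pair[0])]

# Constructed sample data: placeholder CVE IDs and asset names, not real entries.
KEV_FEED = {"vulnerabilities": [{"cveID": "CVE-0000-0001"}, {"cveID": "CVE-0000-0004"}]}
EPSS_RESPONSE = {"data": [{"cve": "CVE-0000-0001", "epss": "0.02"},
                          {"cve": "CVE-0000-0002", "epss": "0.91"},
                          {"cve": "CVE-0000-0003", "epss": "0.01"}]}
BACKLOG = [Finding("CVE-0000-0003", "HIGH", "build-srv-03", False),
           Finding("CVE-0000-0002", "MEDIUM", "hr-app-02", False),
           Finding("cve-0000-0004", "LOW", "web-04", True),
           Finding("CVE-0000-0005", "MEDIUM", "mail-05", True),
           Finding("CVE-0000-0001", "MEDIUM", "vpn-gw-01", True)]

if __name__ == "__main__":
    for r in triage(BACKLOG, KEV_FEED, EPSS_RESPONSE):
        print("ESCALATE" if r.escalate else "keep    ", r.cve, r.finding.scanner_severity,
              r.finding.asset, "; ".join(r.reasons))
```

A CVE with no EPSS entry keeps `epss=None` so it can be reviewed manually instead of being read as a zero score.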