Skip to content

What to Act on First

Every ICS operator faces the same challenge: too many vulnerabilities, too few maintenance windows, and too much at stake to get the priority wrong. This guide provides a practical framework for deciding what to fix first, using the intelligence BreachSpider provides.

The Four-Tier Prioritization Framework

Tier 1 - Act Immediately (Same Day)

These findings represent active, confirmed threats to your operational environment. Do not wait for the next maintenance window.

  • BCS 9.0+ AND KEV flagged AND the CVE matches an asset in your environment.
  • Any finding where exploit_maturity is WEAPONIZED and the asset is matched.
  • Any CVSS 10.0 with poc_available = true and no patch available (active threat with no remediation).

What "act immediately" means in OT: You may not be able to patch the device today. But you can and should:

  1. Verify the finding is accurate (check asset version against affected range).
  2. Implement compensating controls: isolate the device, disable the vulnerable service, add monitoring rules.
  3. Notify your vendor if a patch is needed but not available.
  4. Acknowledge the finding with documented actions.
  5. Create a ticket to track remediation.

Tier 2 - Act Within 72 Hours

These findings have strong exploitation signals but may not require same-day emergency response.

  • KEV flagged AND asset matched (any CVSS score). Confirmed exploitation of a CVE that affects your devices.
  • BCS 8.0+ AND exploit_maturity = FUNCTIONAL. A working exploit exists and the CVE is high priority.
  • Any critical-severity finding on an internet-facing asset (VPN, firewall, remote access gateway).

Tier 3 - Act in Next Maintenance Window

These findings are significant but do not have the active exploitation urgency of Tier 1 or Tier 2.

  • BCS 7.0-8.9 with poc_available = true. A proof-of-concept exists, raising the likelihood of future exploitation.
  • CVSS 9.0+ with a patch available but no active exploit. Severe, patchable, but not under active attack.
  • High-severity findings on OT-adjacent systems (engineering workstations, historians).

Tier 4 - Track and Monitor

These findings should be on your radar but do not require immediate action.

  • EPSS above 75th percentile but no current exploit. The model predicts exploitation potential but it has not materialized.
  • CVSS 7.0-8.9 with no KEV, no exploit. High severity but no exploitation intelligence.
  • Medium-severity findings on isolated OT network segments.

Using the Strike List

The Strike List on your dashboard implements this prioritization automatically. It is sorted by BCS, which incorporates all the signals described above.

The top 10 items on your Strike List are your Tier 1 and Tier 2 priorities. Start there every day.

Click any entry to open the full CVE detail page with SAGE analysis, patch information, and the acknowledge/ticket workflow.

When You Cannot Patch

For OT devices that cannot be patched -- legacy PLCs with end-of-life firmware, systems without available updates, devices under vendor maintenance agreements that prohibit unauthorized modifications -- BreachSpider supports a documented compensating control workflow:

  1. Acknowledge the finding with reason: compensating_control.
  2. Describe the control in the notes field. Be specific: "Isolated PLC-A-Line3 to dedicated VLAN 10.3.x with ACL blocking all inbound except HMI at 10.3.0.5. Added Snort rule for CVE-2025-32433 exploitation signature."
  3. The finding moves to Acknowledged status. It remains in your list, showing that you were aware of the vulnerability and took documented action.
  4. The audit log records everything: the CVE, the asset, the acknowledgment reason, your notes, the timestamp, and who made the decision.

This is what auditors want to see. Not every finding needs a patch. But every finding needs a documented decision.

The Daily Workflow

For most operators, the daily triage workflow is:

  1. Open the dashboard. Check the Strike List.
  2. Review new findings that appeared since yesterday (sort by date).
  3. For each new finding: read the BCS score, check KEV/exploit status, read the SAGE summary.
  4. Tier 1 findings: implement compensating controls or emergency patch. Acknowledge with documentation.
  5. Tier 2 findings: create tickets, schedule remediation.
  6. Tier 3 findings: add to the maintenance window plan.
  7. Tier 4 findings: acknowledge with a monitoring note, or leave for the next review cycle.

The goal is not to resolve every finding every day. The goal is to ensure every critical finding has a documented decision and the highest-priority items are being actively addressed.

Weekly Review

Once a week, review your overall posture:

  • Check the dashboard trends: is your active finding count increasing or decreasing?
  • Review the Acknowledged findings: are compensating controls still in place?
  • Check for EPSS spikes on previously low-priority findings.
  • Generate an Executive Summary report to document the week's posture for management.