← all kits

KEV Triage

kit · v1.0

7 entity types · 11 relationships · 7 named queries · 5 workflows

reference: kev-reference

Local of the KEV reference world model for internal vulnerability triage. The reference layer (Vendor, Product, Vulnerability) comes from public feeds and is read-only. This overlay adds internal assets, services, controls, and the accepted judgment relationships that link public vulnerabilities to internal operational impact.

source on GitHub →

Entity types

7
Asset
Internal asset from CMDB, cloud inventory, or endpoint tooling.hostname · asset_type · criticality · environment · internet_exposed
BusinessService
Internal business or technical service depending on assets.name · criticality
Owner
Team or person responsible for an asset or service.name · team · email
CompensatingControl
Control that can reduce or block exploitability.name · control_type · status
VulnerabilityClass
Operational vulnerability category used by local controls, policy, and scenario analysis. This is local-layer classification rather than reference-layer public data.name · description · attack_vector
Exception
Approved patch or remediation exception.reason · review_due_at · status
PatchWindow
Operational patching schedule or change window.cadence · next_window_at · freeze_status · emergency_patch_allowed · outage_allowed · testing_required · rollback_required · owner_id

Relationships

deterministic governed11
service_depends_on_asset
BusinessServiceAsset
asset_owned_by
AssetOwner
asset_has_control
AssetCompensatingControl
asset_has_exception
AssetException
asset_patch_window
AssetPatchWindow
asset_runs_product
AssetProduct
asset_vulnerability_posture
AssetVulnerability
asset_patch_exception_for
AssetVulnerability
vulnerability_classified_as
VulnerabilityVulnerabilityClass
control_mitigates_class
CompensatingControlVulnerabilityClass
asset_remediated_vulnerability
AssetVulnerability

Named queries

7

vulnerability_asset_context · Vulnerability → Asset

Starting from a vulnerability, return internal assets that run affected products, with the relationship evidence needed to tell whether each asset is only a candidate, has pending or accepted exposure state, has remediation state, or is covered by operational context such as owners, services, exceptions, controls, and patch windows.

product_asset_context · Product → Asset

Starting from a reference product, return assets that run that product, with product-mapping evidence and side context for affected vulnerabilities, exposure state, owners, services, exceptions, controls, and patch windows.

asset_vulnerability_postures_requiring_action · → asset_vulnerability_posture

Return existing asset-vulnerability posture relationships that represent exposed work needing attention. This is a work-queue read surface for current posture facts, not candidate discovery.

owner_patch_queue · Owner → Vulnerability

Starting from an owner, return approved asset-vulnerability exposures across the owner's assets, excluding pairs already closed or covered by a scoped exception, and decorated with service, broad exception, control, and patch-window context for prioritization.

vendor_service_impact · Vendor → BusinessService

Starting from a vendor, trace through affected products, reviewable asset-vulnerability posture, and service dependencies to find business services in the blast radius. This broad investigation query keeps accepted, unreviewed, pending, remediated, and exception-covered context visible so agents can triage from the first result instead of treating it as a strict action queue.

control_coverage_gap · CompensatingControl → BusinessService

Starting from a compensating control, find the business services with asset-vulnerability posture tied to classes this control covers. This broad investigation query exposes the mitigation effect for agent interpretation: blocks/compensates are stronger mitigation coverage, reduces is risk-reduction coverage, and detects is monitoring rather than blocking mitigation. It keeps accepted, unreviewed, and pending posture/classification context visible where reviewable query visibility allows.

vulnerability_class_context · VulnerabilityClass → Vulnerability

Starting from a vulnerability class, return reviewable vulnerability classifications in the class and include the compensating controls mapped to that class.

Workflows

5

build_local_state · 28 steps

Load deterministic internal entities and relationships from the seed data bundle. This is the local's equivalent of the reference layer's build_public_kev_reference workflow.

propose_asset_products · 10 steps

Load software inventory, fuzzy match against reference-layer products, and propose asset_runs_product edges through the governed group resolution flow.

propose_asset_exposure · 30 steps

Derive affected asset-vulnerability candidates from approved asset-product mappings, then propose the asset exposure edges that should drive action.

propose_vulnerability_classification · 4 steps

Propose local-layer vulnerability classifications selected by an agent after reviewing the available VulnerabilityClass buckets and prior classification examples.

propose_exposure_reconciliation · 16 steps

After a KEV reference refresh or product-mapping refresh, derive the current affected candidate set through Asset -> Product <- Vulnerability and propose remediation/closure for accepted exposure edges that are no longer supported.