KEV Triage
kit · v1.07 entity types · 11 relationships · 7 named queries · 5 workflows
reference: kev-reference
Local of the KEV reference world model for internal vulnerability triage. The reference layer (Vendor, Product, Vulnerability) comes from public feeds and is read-only. This overlay adds internal assets, services, controls, and the accepted judgment relationships that link public vulnerabilities to internal operational impact.
Entity types
7Relationships
deterministic governed11Named queries
7vulnerability_asset_context · Vulnerability → Asset
Starting from a vulnerability, return internal assets that run affected products, with the relationship evidence needed to tell whether each asset is only a candidate, has pending or accepted exposure state, has remediation state, or is covered by operational context such as owners, services, exceptions, controls, and patch windows.
product_asset_context · Product → Asset
Starting from a reference product, return assets that run that product, with product-mapping evidence and side context for affected vulnerabilities, exposure state, owners, services, exceptions, controls, and patch windows.
asset_vulnerability_postures_requiring_action · → asset_vulnerability_posture
Return existing asset-vulnerability posture relationships that represent exposed work needing attention. This is a work-queue read surface for current posture facts, not candidate discovery.
owner_patch_queue · Owner → Vulnerability
Starting from an owner, return approved asset-vulnerability exposures across the owner's assets, excluding pairs already closed or covered by a scoped exception, and decorated with service, broad exception, control, and patch-window context for prioritization.
vendor_service_impact · Vendor → BusinessService
Starting from a vendor, trace through affected products, reviewable asset-vulnerability posture, and service dependencies to find business services in the blast radius. This broad investigation query keeps accepted, unreviewed, pending, remediated, and exception-covered context visible so agents can triage from the first result instead of treating it as a strict action queue.
control_coverage_gap · CompensatingControl → BusinessService
Starting from a compensating control, find the business services with asset-vulnerability posture tied to classes this control covers. This broad investigation query exposes the mitigation effect for agent interpretation: blocks/compensates are stronger mitigation coverage, reduces is risk-reduction coverage, and detects is monitoring rather than blocking mitigation. It keeps accepted, unreviewed, and pending posture/classification context visible where reviewable query visibility allows.
vulnerability_class_context · VulnerabilityClass → Vulnerability
Starting from a vulnerability class, return reviewable vulnerability classifications in the class and include the compensating controls mapped to that class.
Workflows
5build_local_state · 28 steps
Load deterministic internal entities and relationships from the seed data bundle. This is the local's equivalent of the reference layer's build_public_kev_reference workflow.
propose_asset_products · 10 steps
Load software inventory, fuzzy match against reference-layer products, and propose asset_runs_product edges through the governed group resolution flow.
propose_asset_exposure · 30 steps
Derive affected asset-vulnerability candidates from approved asset-product mappings, then propose the asset exposure edges that should drive action.
propose_vulnerability_classification · 4 steps
Propose local-layer vulnerability classifications selected by an agent after reviewing the available VulnerabilityClass buckets and prior classification examples.
propose_exposure_reconciliation · 16 steps
After a KEV reference refresh or product-mapping refresh, derive the current affected candidate set through Asset -> Product <- Vulnerability and propose remediation/closure for accepted exposure edges that are no longer supported.