Anthropic-Cybersecurity-Skills/skills/performing-endpoint-vulnerability-remediation/references/workflows.md

# Workflows - Performing Endpoint Vulnerability Remediation

## Workflow 1: Standard Vulnerability Remediation Cycle

```
[Vulnerability Scan Complete]
    │
    ▼
[Import scan results into tracking system]
    │
    ▼
[Risk-based prioritization]
    │
    ├── CVSS + EPSS + CISA KEV + Asset criticality
    │
    ▼
[Assign priorities: P1/P2/P3/P4]
    │
    ▼
[Identify remediation action per CVE]
    │
    ├── Patch available ──► [Schedule patch deployment]
    ├── Config change needed ──► [Create change request]
    ├── No patch available ──► [Apply workaround/compensating control]
    └── Accept risk ──► [Document with CISO approval]
    │
    ▼
[Test patches in staging environment]
    │
    ▼
[Deploy to production (phased rollout)]
    │
    ▼
[Re-scan to validate remediation]
    │
    ├── Vulnerability closed ──► [Mark resolved in tracker]
    │
    └── Still open ──► [Investigate failure, re-remediate]
```

## Workflow 2: Emergency Zero-Day Response

```
[Zero-day CVE announced (CISA alert / vendor advisory)]
    │
    ▼
[Assess exposure: How many endpoints affected?]
    │
    ▼
[Is patch available?]
    │
    ├── Yes ──► [Emergency patch deployment (skip staging)]
    │               │
    │               ▼
    │          [Monitor for deployment failures]
    │               │
    │               ▼
    │          [Validate patch across fleet]
    │
    └── No ──► [Apply vendor workaround immediately]
                    │
                    ├── Disable vulnerable service/feature
                    ├── Deploy network-level mitigation
                    ├── Create EDR detection rule
                    │
                    ▼
               [Monitor for patch release]
                    │
                    ▼
               [Deploy patch when available]
                    │
                    ▼
               [Remove workaround, validate fix]
```

## Workflow 3: Patch Deployment Pipeline

```
[Patch Tuesday (or vendor release)]
    │
    ▼
[Download and catalog new patches]
    │
    ▼
[Risk assessment: Which patches are critical?]
    │
    ▼
[Deploy to test ring (5% of fleet) - Day 1-3]
    │
    ├── Test application compatibility
    ├── Monitor for BSOD, crashes, performance issues
    │
    ▼
[Deploy to pilot ring (20% of fleet) - Day 4-7]
    │
    ├── Broader application testing
    ├── User feedback collection
    │
    ▼
[Deploy to production ring (remaining fleet) - Day 8-14]
    │
    ▼
[Generate compliance report]
    │
    ├── Endpoints patched: X%
    ├── Pending reboot: Y
    └── Failed deployments: Z (investigate)
```

## Workflow 4: SLA Compliance Tracking

```
[Weekly SLA Review]
    │
    ▼
[Query open vulnerabilities grouped by SLA status]
    │
    ├── Within SLA ──► [Track progress, no action needed]
    │
    ├── Approaching SLA (7 days) ──► [Escalate to endpoint team]
    │
    └── Overdue (past SLA) ──► [Escalate to management]
                                     │
                                     ├── Remediation feasible ──► [Emergency remediation]
                                     │
                                     └── Blocked (dependency) ──► [Document exception, compensating control]
```