Reading the security surface in four dimensions
A primer on how this site reads security state. Cyber resilience covers a lot of ground — prevention, detection, response, recovery. This piece is about one of those: the situational-awareness layer that feeds the rest. Read the threats, exposures, assets, and controls daily; act on what changes.
The threat surface moves daily. The exposure surface changes every time a CVE drops, a control gets re-scored, or a CISA alert lands. The asset surface drifts each time a new service ships or an old one is retired. The control surface moves every time a patch lands or a configuration drifts. Anything that claims to summarise your security state without continuously sampling all four of those surfaces is summarising a moment that has already passed.
The premise of this site, and of this primer: real-time information on threats, exposures, assets, and controls is the best foundation we know of for the situational-awareness piece of cyber resilience. Prevention, detection, response, and recovery decisions all work better when they read off live data than when they read off last quarter’s spreadsheet. This is one primer on one piece — see the primers index for the others.
The four dimensions
Threats are the actors, malware families, and campaigns active against organisations like yours. The site tracks them through the MITRE ATT&CK and ATLAS catalogues, the CISA KEV list of vulnerabilities under active exploitation, CISA AA-series joint advisories, FBI / IC3 PSAs, and a working database of threat-actor attributions linking actors to specific CVEs. The threat surface is read-only from your perspective — you don’t control which adversaries are operating — but it’s the input that decides which controls deserve attention first. See /threat_mapping.html, /actors.html, and /campaigns.html.
Exposures are the specific vulnerabilities and weaknesses present in your software, configurations, and processes — the openings adversaries try to walk through. CVEs are the most familiar shape (the NVD catalogue, EPSS exploitation predictions, the CISA KEV add list). But exposures also include weakness classes (CWE) that describe failure modes independent of any specific product, and misconfigurations that may not have a CVE assigned at all. The site tracks daily CVE publications, the EPSS daily refresh, KEV adds within hours of publication, and the cross-walk from CVEs back to the broader CWE classes each CVE instantiates. See /vulnerabilities.html.
Assets are the things you’re trying to protect — software, data, identities, infrastructure. Asset inventory is the dimension organisations chronically underestimate; an exposure on an asset you don’t know exists is invisible until it’s exploited. This site currently emphasises one slice of the asset surface — AI/ML software, where coverage of the catalogues is maturing fastest — but the framing generalises. See /ai.html.
Controls are the safeguards you deploy: patches, monitoring, configuration policies, identity gates, hardening baselines. The site catalogues NIST 800-53 r5 (1,200+ controls), NIST CSF 2.0 (106 subcategories), OWASP ASVS 5.0, OWASP Top 10 for Web 2025, OWASP Top 10 for LLMs, and 12 DISA STIG hardening rule sets — plus a steadily growing cross-walk between them, so a finding under one framework lands somewhere you can act on under another. See /controls.html.
The arrows in the figure matter. Threats exploit exposures; exposures live on assets; controls protect assets and mitigate threats. Reading any one dimension in isolation loses information. A CVE without asset context is a list of bug numbers. A threat without exposure context is a list of TTPs. A control without threat context is a compliance checklist. The interplay between the four dimensions IS the read-out. The signal is daily.
Why real-time
The case for real-time isn’t that adversaries move faster than people do. It’s that signals lag the events they describe, and the lag matters.
EPSS — the Exploit Prediction Scoring System — is the cleanest example. A CVE published this morning gets an initial EPSS score based on shallow signals (description text, CWE class, reference exploits filed). The score updates daily as more exploitation evidence accumulates: PoC code shows up on GitHub, vendor advisories land, KEV adds the CVE, sensor networks observe scanning. A CVE that EPSS rated 0.02 on the day of publication can be at 0.5 by week two — a 25× change in our best estimate of "is this CVE being actively exploited right now." A risk register snapshot taken at publication will rank the CVE as low priority for as long as the snapshot survives. A daily refresh of the same data ranks it correctly within two weeks.
KEV adds are the other side of the same coin. CISA adds CVEs to the Known Exploited Vulnerabilities list when an authoritative source confirms active exploitation. The mean delay between CVE publication and KEV listing is months — sometimes years. Risk registers that snapshot risk annually will rank a CVE-then-KEV-add pair at its publication-day severity for one, two, three quarters. The same data read daily ranks it correctly the next morning. The Daily CVE Tracker exists because that latency is real and the consequences are measurable.
The composite Risk Priority signal each CVE detail page surfaces is one cut at the same problem: weight EPSS heavily because it captures real-time exploitation pressure, weight KEV heavily because it captures confirmed exploitation, weight CVSS moderately because it captures unchanging severity properties. The combination is more stable than any one signal alone, and more responsive than a publication-day snapshot.
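The ranking behaviour described above, as an added example that is not the site's own scoring code: the weights, the annotation gate thresholds and the three CVE records are constructed assumptions (the page only says EPSS and KEV are weighted heavily and CVSS moderately), and the CVE ids are placeholders. The block ranks a publication-day snapshot, then applies a week-two refresh in which one CVE's EPSS climbs from 0.02 to 0.5 and CISA adds it to KEV, and shows that the stale snapshot keeps the old order while the refreshed data re-ranks it.

```python
"""Composite risk-priority ranking and daily re-ranking of CVE records.

Added example, not the site's own scoring code. The weights, the gate
thresholds and the CVE records are constructed assumptions: the page only
says EPSS and KEV are weighted heavily and CVSS moderately.
"""
from dataclasses import dataclass, replace

# Assumed weights (they sum to 1.0 so the score stays in [0, 1]).
W_EPSS, W_KEV, W_CVSS = 0.4, 0.4, 0.2


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    cvss: float        # base score 0..10; treated as the static severity property
    epss: float        # exploitation probability 0..1; refreshed daily
    kev: bool = False  # True once CISA lists the CVE as actively exploited


def risk_priority(rec: CveRecord) -> float:
    """Weighted combination of the three signals, clamped and rounded to 4 places."""
    epss = min(max(rec.epss, 0.0), 1.0)
    cvss_norm = min(max(rec.cvss, 0.0), 10.0) / 10.0
    kev = 1.0 if rec.kev else 0.0
    return round(W_EPSS * epss + W_KEV * kev + W_CVSS * cvss_norm, 4)


def rank(records):
    """CVE ids ordered highest priority first; ties broken by id for a stable order."""
    return [r.cve_id for r in sorted(records, key=lambda r: (-risk_priority(r), r.cve_id))]


def apply_daily_refresh(records, epss_updates, kev_adds):
    """Return refreshed copies; the input list is left untouched as the stale snapshot."""
    refreshed = []
    for r in records:
        r = replace(r, epss=epss_updates.get(r.cve_id, r.epss),
                    kev=r.kev or r.cve_id in kev_adds)
        refreshed.append(r)
    return refreshed


def needs_annotation_pass(rec, epss_min=0.1, cvss_min=7.0):
    """Assumed gate for an expensive per-CVE step: on KEV, or EPSS / CVSS over a threshold."""
    return rec.kev or rec.epss >= epss_min or rec.cvss >= cvss_min


# Constructed publication-day snapshot (placeholder ids, not real CVEs).
SNAPSHOT = [
    CveRecord("CVE-EXAMPLE-A", cvss=9.8, epss=0.02),
    CveRecord("CVE-EXAMPLE-B", cvss=7.5, epss=0.30),
    CveRecord("CVE-EXAMPLE-C", cvss=5.3, epss=0.01),
]

# Constructed week-two signals: A's EPSS climbs to 0.5 and CISA adds it to KEV.
WEEK_TWO = apply_daily_refresh(SNAPSHOT, epss_updates={"CVE-EXAMPLE-A": 0.5},
                               kev_adds={"CVE-EXAMPLE-A"})

if __name__ == "__main__":
    print("snapshot ranking:", rank(SNAPSHOT))   # B, A, C
    print("week-two ranking:", rank(WEEK_TWO))   # A, B, C
```

The point of keeping the snapshot immutable is that it models the annual risk register: the same record, read a fortnight later, has moved from second to first only because the live signals were re-read.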
Where the four dimensions help
This primer covers situational awareness; resilience itself is built elsewhere — in patch policies, response runbooks, backup tests, and the team practices that make those work. What the four-dimension read-out gives you is a clearer view of where the gaps live, so the rest of the work can be aimed.
Gaps become visible in the cross-product of the four dimensions. A threat targeting an asset class with thin control coverage is a gap. An exposure class with no detected mitigating controls is a gap. A control category whose mapped threats are undercounted is a gap. The site’s cross-walk machinery (see how the framework chips work) is built specifically to make those gaps visible at chip-level, not just dashboard-level. None of that builds resilience by itself — it just tells you where to point the resilience work you’re already doing.
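The three gap types named above, worked as an added example that is not the site's cross-walk machinery. Every identifier is a constructed placeholder, and the relations used (an actor is attributed a technique, a CVE enables a technique on an asset, a control protects an asset or mitigates a technique) are assumptions chosen to make the cross-product computable; the thin-coverage threshold of two controls per asset is likewise an assumption.

```python
"""Gap detection over the cross-product of threats, exposures, assets and controls.

Added example, not the site's cross-walk machinery. Every identifier below is
a constructed placeholder, and the relations are assumptions.
"""
from collections import defaultdict

# actor -> techniques attributed to it (constructed)
THREATS = {
    "ACTOR-EXAMPLE-1": {"TECH-A", "TECH-B"},
    "ACTOR-EXAMPLE-2": {"TECH-C"},
}
# cve -> (asset it lives on, technique it enables) (constructed)
EXPOSURES = {
    "CVE-EXAMPLE-1": ("web-gateway", "TECH-A"),
    "CVE-EXAMPLE-2": ("ml-inference", "TECH-C"),
    "CVE-EXAMPLE-3": ("web-gateway", "TECH-B"),
}
# control -> (assets it protects, techniques it mitigates) (constructed)
CONTROLS = {
    "CTRL-EXAMPLE-WAF": ({"web-gateway"}, {"TECH-A"}),
    "CTRL-EXAMPLE-LOG": ({"web-gateway", "ml-inference"}, set()),
}


def mitigated_techniques(controls=CONTROLS):
    """Union of every technique some control claims to mitigate."""
    out = set()
    for _, techs in controls.values():
        out |= techs
    return out


def controls_per_asset(controls=CONTROLS):
    """How many controls protect each asset."""
    counts = defaultdict(int)
    for assets, _ in controls.values():
        for asset in assets:
            counts[asset] += 1
    return dict(counts)


def unmitigated_exposures(exposures=EXPOSURES, controls=CONTROLS):
    """Exposure gap: CVEs whose enabled technique no control mitigates."""
    covered = mitigated_techniques(controls)
    return sorted(cve for cve, (_, tech) in exposures.items() if tech not in covered)


def threats_without_mitigation(threats=THREATS, controls=CONTROLS):
    """Threat gap: per actor, the attributed techniques that nothing mitigates."""
    covered = mitigated_techniques(controls)
    gaps = {actor: techs - covered for actor, techs in threats.items()}
    return {actor: sorted(t) for actor, t in gaps.items() if t}


def thinly_covered_targets(threats=THREATS, exposures=EXPOSURES,
                           controls=CONTROLS, min_controls=2):
    """Asset gap: assets carrying an exposure an active actor can use,
    protected by fewer than min_controls controls."""
    active = set().union(*threats.values()) if threats else set()
    counts = controls_per_asset(controls)
    targeted = {asset for asset, tech in exposures.values() if tech in active}
    return sorted(asset for asset in targeted if counts.get(asset, 0) < min_controls)


if __name__ == "__main__":
    print("unmitigated exposures:", unmitigated_exposures())
    print("threats without mitigation:", threats_without_mitigation())
    print("thinly covered targets:", thinly_covered_targets())
```

Each function reads two or three of the four dimensions at once; none of the gaps is visible from a single catalogue, which is the point the paragraph makes.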
Honest caveats
Real-time isn’t omniscient. The catalogues we read from publish on their own cadence (NVD hourly during business days; EPSS daily; KEV when CISA decides; MITRE ATT&CK irregularly). The site lags those sources by the time-to-ingest plus the time-to-render — usually under an hour, sometimes longer when a catalogue publishes late. The CVE → control coverage methodology page documents the specific gates on per-CVE annotation; only ~5–6% of CVEs carry mitigating-control annotations because the LLM-assisted pass is expensive and we gate it on EPSS / KEV / CVSS thresholds.
The cross-walks are interpretive guidance, not compliance certifications. The same caveat that lives on the cross-walk article applies here: chips are starting points for analysis. The verb dictionary (covers for control-to-control, mitigates for control-to-threat, enables / exploits for weakness-to-technique, etc.) was settled 2026-06-03 and is documented at /article_xwalks.html.
Asset coverage is uneven. AI/ML software is the asset class with the most depth on the site right now. SaaS, cloud-control-plane, mobile, and embedded are partial. If your asset surface is dominated by something we haven’t catalogued deeply, expect gaps in the asset-to-exposure cross-walk.
What to do this week
If you’re landing here for the first time, three surfaces are worth looking at this week, every week:
- The Daily CVE Tracker — the live read on which CVEs deserve attention right now. Sort by composite Risk Priority; the top of the list is always today’s answer to "what should I look at first."
- The Threat Actor view — who is operating, what they’re using, and which CVEs they’re attributed to. A new actor entry or a new CVE attribution to an existing actor changes which exposures in your environment are now also threats.
- The Controls panel — what’s in the catalogues you’re mapping against, with cross-walk chips into the other frameworks. The chip surface is how a finding under one framework lands somewhere actionable under another.
And bookmark /whatsnew.html. That’s where every new article, primer, research piece, and feature shipped to the site shows up — daily.
Last updated 04 June 2026. Companion to the cross-walk article and the CVE → control coverage methodology page.