Skim for the three things that matter
The title, the affected versions, and the CVSS vector. Everything else is supporting material. In that order:
- Title — tells me the weakness class and the product in one line. "Authentication bypass in Palo Alto GlobalProtect" tells me more in seven words than a CVSS score does.
- Affected versions — tells me whether this is even relevant to the client. If they are on a version that is not in the list, the conversation shortens dramatically.
- CVSS vector — not just "how bad" but how the attack works. AV:N means network-reachable. PR:N means no auth required. UI:N means no user interaction. These three elements together define how urgently I should care.
Classify the exposure
After the skim, I label the advisory in one of three buckets:
- Patch now. Remotely reachable, no auth, high impact.
- Patch this cycle. Requires auth or user interaction, or is reachable only from internal networks; still high impact.
- Track and schedule. Local-only, low impact, or strict preconditions.
The labels are not about CVSS score alone. They are about how exploitable this is in this client's environment today. A CVSS 9.8 that requires physical access to a locked datacenter cabinet is not the same as a CVSS 9.8 reachable from the public internet.
Map to the client's environment
CVSS is a generic severity score. It does not know your environment. Before I tell a client to drop everything, I need to know:
- Do they run the affected product at all?
- What versions are actually in production — and are those versions in the affected list?
- Is the affected interface reachable from the networks an attacker would plausibly reach?
- What does this appliance do in their business? Is it a critical control plane, or an edge case?
These four questions turn a CVSS 9.8 into either a Monday morning patch window or a Friday-night maintenance crisis. The difference between those two outcomes is usually the difference between "we patched" and "we paid ransom."
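As an added example, not the author's own tooling: a small Python triage helper that parses a CVSS v3.x base vector, applies the three buckets above, and asks the four environment questions against a constructed inventory. The product names, version lists and the exact thresholds (which impact values count as "high", AC:H as a "strict precondition") are this example's assumptions.

```python
# CVSS v3.x base vector, e.g. "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")

def parse_vector(vector: str) -> dict:
    """Return the base metrics of a CVSS v3.x vector, e.g. {'AV': 'N', 'PR': 'N', ...}."""
    prefix, _, body = vector.partition("/")
    if prefix not in ("CVSS:3.0", "CVSS:3.1"):
        raise ValueError(f"not a CVSS v3.x vector: {vector!r}")
    metrics = {}
    for part in body.split("/"):
        key, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed metric {part!r}")
        metrics[key] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"vector missing base metrics: {missing}")
    return metrics

def vector_bucket(metrics: dict) -> str:
    """Map AV, PR, UI, AC and impact to the three labels used above. Thresholds are
    this example's own reading: high impact = any of C/I/A is H; AC:H = strict precondition."""
    high_impact = "H" in (metrics["C"], metrics["I"], metrics["A"])
    if not high_impact or metrics["AV"] in ("L", "P") or metrics["AC"] == "H":
        return "Track and schedule"
    if metrics["AV"] == "N" and metrics["PR"] == "N" and metrics["UI"] == "N":
        return "Patch now"
    return "Patch this cycle"  # needs auth or UI, or reachable only from an adjacent network

def triage(vector, product, inventory, affected, internet_exposed):
    """Ask the four environment questions before trusting the vector. inventory and
    affected map product -> versions; internet_exposed lists products whose affected
    interface faces networks an attacker can plausibly reach."""
    in_prod = set(inventory.get(product, ()))
    hit = sorted(in_prod & set(affected.get(product, ())))
    if not in_prod:
        return "Not applicable: product not in inventory", hit
    if not hit:
        return "Not applicable: no affected version in production", hit
    bucket = vector_bucket(parse_vector(vector))
    # Q3: "Patch now" presumes the interface is attacker-reachable; if it is not,
    # step down one bucket (this example's rule, not a CVSS rule).
    if bucket == "Patch now" and product not in internet_exposed:
        bucket = "Patch this cycle"
    return bucket, hit

# Constructed sample inventory, affected list and exposure, not a real advisory.
INVENTORY = {"example-vpn-gateway": ["1.6.1", "1.6.2"], "example-switch": ["4.2.0"]}
AFFECTED = {"example-vpn-gateway": ["1.6.0", "1.6.1", "1.6.2"]}
EXPOSED = {"example-vpn-gateway"}
```

Calling `triage(<vector>, "example-vpn-gateway", INVENTORY, AFFECTED, EXPOSED)` with a 9.8-class vector returns the bucket plus the affected versions actually in production, which is the list the follow-up verification in "Close the loop" checks against.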
Recommend, do not describe
Clients do not need the CVE re-explained. They need a one-paragraph recommendation with three elements:
- What they should do. "Upgrade F5OS-C to 1.6.3 during this week's maintenance window."
- By when. "Within 7 days of advisory publication."
- What to watch in the meantime. "Monitor process lineage on F5 management planes for unusual shell spawns."
If you cannot compress your advisory reading into those three lines, you have not understood it yet. Keep reading until you can.
Close the loop
A recommendation without verification is a suggestion. Three weeks after the patch window, verify: did the client actually patch? Are the affected versions actually gone from their inventory? If not, reopen the ticket and escalate to leadership.
This is the part that separates consultants from message-forwarders. Anyone can forward an advisory. The value you bring is that you make sure it was acted on, and you are prepared to have an awkward conversation with the CISO when it was not.
One final thought
Every advisory is a test of your ability to translate technical facts into business-priority actions. If you get stuck in the technical layer and never surface, your clients will stop calling you. If you skip the technical layer and fly straight to recommendations, you will eventually give bad advice. The skill is doing both, fast.
It is a muscle. You build it by reading advisories every week and forcing yourself to write a one-paragraph recommendation at the end, even when nobody asked you for one.
Written by Sari Taher.