There is too much security news. NVD publishes thousands of CVEs per year. LinkedIn fills with CVE-of-the-day hot takes. Vendor marketing teams push "the next SolarWinds" every six weeks. Trade press runs the same breach three ways. By honest estimate, 95% of what crosses an IT leader's inbox and feeds in a given week has no effect on what they should do next Monday.

Filtering is a core skill. Here is a working model.

The Three Buckets

Bucket 1: Act today. A CVE was added to CISA KEV and it affects your stack. A peer in your sector was named on a ransomware leak site. Your IdP vendor issued an urgent advisory. Anomalous volume of infostealer logs for your domain appears on a tracker. You stop what you were doing and you respond.

Bucket 2: Digest this week. Vendor threat-report drops (Mandiant M-Trends, Verizon DBIR, CrowdStrike GTR, IBM X-Force Index, ENISA landscape). Detailed campaign writeups (Unit 42, Talos, Microsoft Threat Intelligence, The DFIR Report). New legislation or regulatory guidance (SEC disclosure, NIS2, DORA). Trend reporting where the delta matters but the urgency doesn't.

Bucket 3: Ignore or lightly skim. CVE announcements without evidence of exploitation. Zero-day "warnings" that turn out to be routine vendor patches rebranded by marketing. Vendor-funded survey "studies" (usually a Ponemon report). Conference keynote speculation. Every article using the phrase "alarming new threat."

Most people's news consumption is inverted — they spend the most time on Bucket 3 because it is loudest, and miss Bucket 1 because it arrives quietly in a CISA mailing list.

The Zero-Day Fear Cycle

Zero-day coverage follows a predictable hype curve. Day 0: "critical RCE in widely deployed product." Day 1: proof-of-concept released, patch available, media frenzy. Day 3–7: retrospective articles about "how serious this is." Week 2: actual exploitation telemetry quietly shows limited, targeted use against specific victims. Week 4: crickets.

The decision-useful question is almost never "is this zero-day scary?" It is "is this in my environment, and is there evidence of exploitation in my sector?" KEV answers the second part with government confidence. Your CMDB answers the first. If both are yes, Bucket 1. If only the first, Bucket 2. If neither, you can stop reading.

CVE Bulletin Exhaustion

NVD has been backlogged for large stretches of 2024–2025, the CVSS-centric model routinely mis-scores real-world risk, and supplementary sources (VulnCheck, CISA SSVC, EPSS, GitHub Advisories, OSV) have taken on more of the load. Reading every CVE is not a coherent intake strategy. The practical approach:

  • Subscribe to vendor advisories for every product in your CMDB (Microsoft, Cisco, Fortinet, Palo Alto, Ivanti, Citrix, VMware, major Linux distros, the specific SaaS vendors you use).
  • Subscribe to CISA KEV.
  • Wire EPSS into your vulnerability management to prioritize what is likely to be exploited.
  • Ignore CVE-of-the-day Twitter unless it shows up in one of the above within 48 hours.
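The bucket rule from the zero-day section ("in my environment?" from the CMDB, "evidence of exploitation?" from KEV) and the EPSS prioritization above, written out as a small Python triage script. This is an added example, not code from the original post; the KEV entries, CMDB contents, EPSS scores and CVE ids are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample data (not real entries). KEV field names follow the shape of
# the CISA KEV JSON feed (cveID, vendorProject, product); the CVE ids are placeholders.
KEV = [
    {"cveID": "CVE-0000-0001", "vendorProject": "Fortinet", "product": "FortiOS"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Ivanti", "product": "Connect Secure"},
]
# CMDB export reduced to (vendor, product) pairs actually deployed.
CMDB = {("fortinet", "fortios"), ("microsoft", "exchange server"), ("cisco", "ios xe")}
# EPSS probabilities keyed by CVE id (constructed values).
EPSS = {"CVE-0000-0001": 0.94, "CVE-0000-0003": 0.71, "CVE-0000-0004": 0.02}


@dataclass(frozen=True)
class Advisory:
    cve: str
    vendor: str
    product: str


def in_environment(adv: Advisory) -> bool:
    # Case-insensitive match; assumes the CMDB is complete, which it rarely is.
    return (adv.vendor.lower(), adv.product.lower()) in CMDB


def bucket(adv: Advisory) -> int:
    """1 = act today, 2 = digest this week, 3 = skim or ignore."""
    if not in_environment(adv):
        return 3  # not in the stack: stop reading, even if it is in KEV
    if adv.cve in {e["cveID"] for e in KEV}:
        return 1  # in the stack and evidence of exploitation
    return 2  # in the stack, no exploitation evidence yet


def triage(advisories: list[Advisory]) -> dict[int, list[str]]:
    """Group by bucket; within a bucket, rank by EPSS so the likely-exploited come first."""
    out: dict[int, list[str]] = {1: [], 2: [], 3: []}
    for adv in advisories:
        out[bucket(adv)].append(adv.cve)
    for b in out:
        out[b].sort(key=lambda c: EPSS.get(c, 0.0), reverse=True)
    return out


SAMPLE = [
    Advisory("CVE-0000-0001", "Fortinet", "FortiOS"),
    Advisory("CVE-0000-0002", "Ivanti", "Connect Secure"),
    Advisory("CVE-0000-0003", "Microsoft", "Exchange Server"),
    Advisory("CVE-0000-0004", "Cisco", "IOS XE"),
    Advisory("CVE-0000-0005", "Citrix", "NetScaler"),
]

if __name__ == "__main__":
    for b, cves in triage(SAMPLE).items():
        print(f"Bucket {b}: {cves}")
```

A KEV entry for a product missing from the CMDB lands in Bucket 3, so the rule is only as good as the inventory behind it.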

The Base-Rate Discipline

The DBIR and Mandiant M-Trends both tell the same story, year after year: the median incident starts with a commodity phish, a vulnerable edge appliance, or stolen credentials — not a novel zero-day or an exotic APT. If you let the news cycle set your priorities, you over-invest in the exciting and under-invest in the boring. Patching, MFA on everything, edge-device hygiene, email filtering, IdP hardening, backup integrity. The base rates haven't changed in years. Neither should your spending priorities.

Briefing Executives Without Being Alarmist

How you relay the firehose to leadership is itself a filtering problem. A few disciplines:

Lead with relevance, not severity. "This affects our Fortinet fleet; we have patched 60% as of this morning" is better than "critical vulnerability is being actively exploited."

Say what you are doing, not what could happen. Executives don't need your vendor's FUD copy. They need to know the action and the ETA.

Use consistent risk language. If you called last month's event "high severity," be prepared to explain how this one compares. Inflation erodes credibility fast.

Stay boring when possible. If your weekly CISO update is dramatic, it is either a bad week or bad filtering. Over time, people will calibrate to you; aim for a reputation where "Raj is worried" means something.

The One-Question Filter

Before consuming any piece of security news, ask: "what decision will this change?" If the answer is none, skip or skim. If the answer is a specific decision, read carefully and act. That question removes about 80% of the firehose and leaves the 20% that deserves your attention — which, coincidentally, is roughly the ratio DBIR, M-Trends, and your own incident history all suggest you should be operating at.