---
name: securin-zero-day-exposure-analysis
description: >-
  Use this skill when the user asks to "analyze zero-day exposure", "am I exposed to zero-days", "show me my zero-day risk", "what zero-days affect my environment", "check if we're exposed to [named zero-day like Regresshell or Citrix Bleed]", or needs a report of zero-day vulnerabilities correlated to the user's assets/exposures. Requires the Securin Platform MCP server.
---
# Zero-Day Exposure Analysis

## Purpose

Identify the user's exposure to zero-day vulnerabilities: CVEs that are actively exploited in the wild before a patch is widely available. Two modes:

- Broad scan: "what zero-days am I exposed to right now?" Enumerate all open exposures whose linked vulnerability carries the Zero Day tag.
- Named zero-day: "am I affected by [name, e.g., Regresshell / Citrix Bleed]?" Resolve the name to CVE IDs via Core, then correlate to the user's environment.

Zero-days often lack a vendor patch at discovery time, so remediation emphasis shifts to compensating controls, detection rules, and scope containment.
## When to use

- "Am I exposed to any zero-days?"
- "Show me my open zero-day exposures"
- "Am I affected by [named zero-day]?"
- "List zero-day vulnerabilities in my environment"
- "Zero-day risk report for my account"
## Pre-flight

### Step 0 - Account preflight (CC-1)

See _shared/account-preflight.md. Required: exposure matches are scoped to the resolved account-id.

### Step 0.5 - Composite vs source (if asset pivot is needed)

See _shared/composite-vs-source.md. Only matters when the report includes affected-asset context.
## Suggested tools

### Pre-flight

- getUserProfile, getEffectiveAccess, getEffectiveAccessWorkspaces

### Core intelligence

- searchVulnerabilityData: Core index; filter by tags = 'Zero Day' or name/alias
- searchThreatActorData: threat actors behind the zero-day (pass fields: ['threatActor'])

### Environment correlation

- searchExposureData / aggregateExposureData / hybridExposureData: match CVEs to open exposures
- searchAssetData / hybridAssetData (or composite variants): pivot to affected assets
- searchComponentData: component-level matches

### Field discovery

- getApiFields(entityType=['VULNERABILITY'], searchText='tag'): confirm the tag field path
- getTopValues(field='vulnerabilities.tags', entityType='VULNERABILITY'): see which tags exist in this account's Core index

### Deep links (CC-2)

- filterToChipPost: convert an FQL filter → chip form for a platform URL (default, Strategy A).
- createDeepLink: only if the user explicitly asks to save/share the view (Strategy B; write op, needs x-user-id + shareWith).
- getDeepLink / aggregateByDeepLink: retrieve a saved short-code.
- See _shared/deep-links.md.

### Outside

- Web search: resolve named zero-days (e.g., "Regresshell", "Citrix Bleed", "MOVEit") to CVE IDs when Core doesn't match on alias.
## Mode A - Broad zero-day scan

User asks "am I exposed to any zero-day?" / "show me my zero-day risk".

### Step A.1 - Inventory your environment's zero-day exposures

```
hybridExposureData
  filter: exposure.status = 'Open'
          AND vulnerabilities.tags = 'Zero Day'
  groupByField: exposure.scores.scoreLevel
  aggs: [{function: TERMS, field: exposure.scores.scoreLevel, name: 'bySeverity', size: 10}]
  sort: "exposures.scores.score:desc,exposure.remediationTarget.dueDate:asc"
  limit: 100
  page: 1
```

The vulnerabilities.tags = 'Zero Day' cross-entity join pulls from the vulnerability index (the bare path tags = 'Zero Day' in Core).
### Step A.2 - Enrich with CVE-level signals

Collect the distinct CVE IDs from the Step A.1 results. For each (or batched):

```
searchVulnerabilityData
  filter: vulnerabilityId in ['CVE-…','CVE-…']
  fields: ['vulnerability']
  sort: "riskIndex.index:desc"
```

Capture: KEV status, exploitation status, risk index, published date, affected products.
### Step A.3 - Pivot to affected assets

```
searchAssetData            # or searchCompositeAssetData
  filter: asset.assetId in [<ids from A.1>]
  sort: "asset.scores.overallScore:desc,asset.criticality:desc"
  fields: ['asset']
  limit: 50
```
### Step A.4 - Emit report

```markdown
## Zero-Day Exposure Assessment - <account>

**Verdict:** <N open zero-day exposures across M assets; K CVEs; J KEV-tagged>

### Zero-day CVEs in your environment

| CVE | Risk Index | KEV | Exploited | # Exposures | # Assets | Platform link |
|---|---|---|---|---|---|---|
| … | … | ✓/✗ | ✓/✗ | … | … | <url> |

### Open zero-day exposures - by severity

- Critical: <count> → <platform filter url>
- High: <count> → <url>
- Medium: <count> → <url>
- Low: <count> → <url>

### Top affected assets

| Asset | Criticality | Reachability | Workspace | # Zero-day exposures | Platform link |
|---|---|---|---|---|---|
| … | … | … | … | … | <url> |

### Recommended next steps

- Remediation planning: `securin-remediation-guidance` for each CVE; zero-days often have no patch yet, so expect compensating-control emphasis.
- Threat actor context: `securin-threat-correlation` if you want to know who's exploiting these.
- Detailed CVE intel: `securin-cve-enrichment` for any single zero-day.
```
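The Verdict line and the per-CVE table above are assembled from the Step A.1 hits and the Step A.2 enrichment. The following is an added example, not code from this skill or from the Securin platform: it takes constructed rows shaped like flattened hybridExposureData and searchVulnerabilityData results (the flat row shape and the keys exposureId, assetId, vulnerabilityId, scoreLevel, isCisaKev and riskIndex are assumptions; real responses are nested documents whose paths must be confirmed with getApiFields) and produces the counts, the ordered CVE rows and the asset list for the Step A.3 pivot. CVE IDs in the sample are placeholders, not real identifiers.

```python
"""Assemble the Mode A verdict and table rows from Step A.1 / A.2 results.

Added example, not the skill's own code. Row shapes below are assumptions
(constructed, flattened records); take real field paths from the MCP server.
"""
from collections import Counter, defaultdict

# Constructed Step A.1 hits: one row per open exposure carrying the Zero Day tag.
# CVE IDs are placeholders, not real identifiers.
SAMPLE_EXPOSURES = [
    {"exposureId": "exp-1", "assetId": "asset-web-1", "vulnerabilityId": "CVE-0000-1111", "scoreLevel": "Critical"},
    {"exposureId": "exp-2", "assetId": "asset-web-2", "vulnerabilityId": "CVE-0000-1111", "scoreLevel": "Critical"},
    {"exposureId": "exp-3", "assetId": "asset-web-1", "vulnerabilityId": "CVE-0000-2222", "scoreLevel": "High"},
    {"exposureId": "exp-4", "assetId": "asset-db-1", "vulnerabilityId": "CVE-0000-2222", "scoreLevel": "Medium"},
    {"exposureId": "exp-5", "assetId": "asset-db-1", "vulnerabilityId": "CVE-0000-3333", "scoreLevel": "Low"},
]

# Constructed Step A.2 enrichment keyed by CVE: KEV status and risk index.
SAMPLE_VULN_INTEL = {
    "CVE-0000-1111": {"isCisaKev": True, "riskIndex": 92},
    "CVE-0000-2222": {"isCisaKev": False, "riskIndex": 74},
    "CVE-0000-3333": {"isCisaKev": True, "riskIndex": 61},
}

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]


def summarize_zero_day_exposures(exposures, vuln_intel):
    """Return the counts behind the Verdict line plus the per-CVE table rows."""
    by_cve = defaultdict(lambda: {"exposures": set(), "assets": set()})
    by_severity = Counter()
    assets = set()
    for row in exposures:
        cve = row["vulnerabilityId"]
        by_cve[cve]["exposures"].add(row["exposureId"])
        by_cve[cve]["assets"].add(row["assetId"])
        by_severity[row["scoreLevel"]] += 1
        assets.add(row["assetId"])

    cve_rows = []
    for cve, refs in by_cve.items():
        # A CVE that Core did not return is still reported (with unknown intel), never silently dropped.
        intel = vuln_intel.get(cve, {})
        cve_rows.append({
            "cve": cve,
            "riskIndex": intel.get("riskIndex"),
            "kev": bool(intel.get("isCisaKev", False)),
            "exposures": len(refs["exposures"]),
            "assets": len(refs["assets"]),
        })
    # Worst first: KEV-tagged, then highest risk index, then most exposures.
    cve_rows.sort(key=lambda r: (not r["kev"], -(r["riskIndex"] or 0), -r["exposures"]))

    summary = {
        "n_exposures": len(exposures),
        "n_assets": len(assets),
        "n_cves": len(by_cve),
        "n_kev": sum(1 for r in cve_rows if r["kev"]),
        "by_severity": {lvl: by_severity.get(lvl, 0) for lvl in SEVERITY_ORDER},
        "cve_rows": cve_rows,
    }
    summary["verdict"] = (
        f"{summary['n_exposures']} open zero-day exposures across {summary['n_assets']} assets; "
        f"{summary['n_cves']} CVEs; {summary['n_kev']} KEV-tagged"
    )
    return summary


def top_affected_assets(exposures, limit=50):
    """Asset IDs for the Step A.3 pivot, ordered by number of zero-day exposures."""
    counts = Counter(row["assetId"] for row in exposures)
    return counts.most_common(limit)


if __name__ == "__main__":
    s = summarize_zero_day_exposures(SAMPLE_EXPOSURES, SAMPLE_VULN_INTEL)
    print("Verdict:", s["verdict"])
    for r in s["cve_rows"]:
        print(r)
    print(top_affected_assets(SAMPLE_EXPOSURES))
```

The ordering puts KEV-tagged CVEs ahead of everything else regardless of risk index, because a CVE on the KEV list has confirmed in-the-wild exploitation; swap the key tuple if the account prefers pure risk-index order.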
## Mode B - Named zero-day

User asks "am I affected by Regresshell / Citrix Bleed / MOVEit / <name>?"

### Step B.1 - Resolve the name to CVE IDs

Try Core first:

```
searchVulnerabilityData
  filter: tags = 'Zero Day' AND (aliases like '<name>' OR title like '<name>')
  fields: ['vulnerability']
  limit: 10
```

If Core matches, use the returned vulnerabilityIds.

If Core doesn't match (very new or informal name):

- Web search for the event + "CVE".
- Present the resolved CVE list to the user: "I found <cve list> for '<name>'. Confirm before I correlate to your environment."
- Only correlate after confirmation.
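The Step B.1 resolution and the confirmation gate can be expressed as a small decision function. This is an added example, not the skill's own code: the Core alias search and the web search are replaced by constructed dictionaries (names and CVE IDs are placeholders), and the assumed contract is that Core matches are trusted directly while web-derived IDs are held until the user confirms. It also validates every ID against the CVE identifier pattern before it is spliced into the Step B.2 FQL filter, so a mis-scraped web result can never alter the query.

```python
"""Mode B name resolution with the confirm-before-correlate gate.

Added example, not the skill's own code. core_lookup / web_lookup stand in
for the Core alias search and a web search; both use constructed data.
"""
import re

# Well-formed CVE identifier: the only thing allowed into the FQL filter.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed Core index: alias -> CVE IDs (placeholder names and IDs).
CORE_ALIASES = {
    "examplebleed": ["CVE-0000-1111"],
}

# Constructed web-search result for a name Core does not know yet; the last
# entry simulates a scrape artefact that must not reach the query.
WEB_RESULTS = {
    "newshell": ["CVE-0000-2222", "CVE-0000-2223", "not-a-cve"],
}


def core_lookup(name):
    return CORE_ALIASES.get(name.lower(), [])


def web_lookup(name):
    return WEB_RESULTS.get(name.lower(), [])


def resolve_named_zero_day(name, core=core_lookup, web=web_lookup):
    """Return (cve_ids, source, needs_confirmation).

    Core hits are used as-is. Web-derived IDs require user confirmation before
    Step B.2 runs. Malformed IDs are dropped at this boundary.
    """
    ids = [c for c in core(name) if CVE_RE.match(c)]
    if ids:
        return ids, "core", False
    ids = sorted({c for c in web(name) if CVE_RE.match(c)})
    return ids, "web", bool(ids)


def build_correlation_filter(cve_ids):
    """Step B.2 filter string; refuses anything that is not a CVE identifier."""
    bad = [c for c in cve_ids if not CVE_RE.match(c)]
    if bad:
        raise ValueError(f"refusing to interpolate non-CVE values: {bad}")
    quoted = ", ".join(f"'{c}'" for c in cve_ids)
    return f"exposure.mappedAttributes.vulnerabilityIds in [{quoted}] AND exposure.status = 'Open'"


def correlate(name, user_confirmed=False):
    """Full Mode B gate: the filter to run, or None while the flow waits on the user."""
    ids, source, needs_confirmation = resolve_named_zero_day(name)
    if not ids:
        return None  # no CVE yet: tell the user and offer a follow-up check
    if needs_confirmation and not user_confirmed:
        return None  # show the list, ask for confirmation, then re-run with user_confirmed=True
    return build_correlation_filter(ids)


if __name__ == "__main__":
    print(resolve_named_zero_day("ExampleBleed"))
    print(resolve_named_zero_day("NewShell"))
    print(correlate("NewShell"))
    print(correlate("NewShell", user_confirmed=True))
```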
### Step B.2 - Correlate to environment

```
hybridExposureData
  filter: exposure.mappedAttributes.vulnerabilityIds in [<cve list>]
          AND exposure.status = 'Open'
  groupByField: asset.workspaceId
  aggs: [{function: TERMS, field: asset.workspaceId, name: 'byWorkspace', size: 20},
         {function: COUNT, field: exposure.exposureId, name: 'totalExposures'}]
  limit: 100
  page: 1
  sort: "exposures.scores.score:desc"
```
### Step B.3 - Enrich and report

Run the affected-assets pivot as in Step A.3, then emit a named-zero-day report:

```markdown
## Zero-Day Exposure - <Named Event>

**Mapped CVEs:** <list>
**Verdict:** AFFECTED / NOT AFFECTED / PARTIAL - <N exposures, M assets>

### Matched exposures

| CVE | Severity | Asset | Workspace | SLA | Platform link |
|---|---|---|---|---|---|

### Recommended next steps

- Remediation (likely compensating controls): `securin-remediation-guidance`
- Global intel on the event: `securin-cve-enrichment` for each CVE
```
## FQL patterns

Zero-day tag filter in exposure context:

```
exposure.status = 'Open' AND vulnerabilities.tags = 'Zero Day'
```

Zero-day filter in Core (bare path, no vulnerabilities. prefix):

```
tags = 'Zero Day'
```

Zero-day + KEV (most urgent subset):

```
exposure.status = 'Open'
AND vulnerabilities.tags = 'Zero Day'
AND vulnerabilities.exploitation.isCisaKev = true
```

Zero-day on exposed-to-internet prod assets (compound):

```
exposure.status = 'Open'
AND vulnerabilities.tags = 'Zero Day'
AND asset.reachability = 'Exposed'          # source-model
AND asset.workspaceId in [<prod-ws-ids>]
```

Substitute compositeAsset.* in composite-data accounts; see _shared/composite-vs-source.md.
## Sorting

Default: exposures.scores.score:desc, exposure.remediationTarget.dueDate:asc (worst first, SLA due date as tiebreaker).

Alternative for "worst externally-facing first": asset.reachability:desc, exposures.scores.score:desc (only if the platform supports ordinal sort on reachability; confirm via getSortFields=true 🧪).
## Scope guard (CC-3)

- Single-CVE deep dive with no environment angle → `securin-cve-enrichment`.
- Broad exposure triage beyond zero-days → `securin-exposure-triage`.
- Remediation plan for a specific zero-day → `securin-remediation-guidance`.
- Threat actor attribution for a zero-day → `securin-threat-correlation`.
## Edge cases

- No zero-day tag in the account: Core may tag these differently ("0-day", "zero day"). Call getTopValues(field='vulnerabilities.tags') to enumerate the actual values and adjust the filter.
- User's named event has no CVE yet: tell them; offer to set up a follow-up check once a CVE is published.
- Zero-day with a patch now available: still tagged zero-day in Core; route remediation normally.
- False positives: some scanners over-detect; surface the scanner source in the report so the user can filter.
## Visual output (CC-4)

When this skill produces aggregated or multi-row data (counts, trends, distributions, comparisons, single-CVE reports), emit a chart/graph/infographic in the Securin brand palette (#712880 / #453983 / #542ade / #987bf7 / #d7cbfb), Lato font, light theme, with the Securin logo. Default colormap uses the monotone gradient defined in _shared/brand.md. Offer customization after delivery; never default to a different brand.
## References