A vendor privately reveals that their web app has an exploitable XSS vulnerability; the app runs on servers in the cloud and on-prem. Before the CVE is released, you want to look for signs of exploitation. What should you do?


Multiple Choice


Explanation:
Focusing on how attackers behave once a vulnerability is exploited is key to catching signs of exploitation before a CVE's details are public. If the web app is abused, you'll often see an external inbound request to the app followed by the host spawning new, previously unseen subprocesses as payloads are executed. A YARA-L 2.0 rule designed to detect this time-ordered sequence across telemetry (network events, then process creation) lets you flag suspicious activity indicating that exploitation is underway, and it applies across both cloud and on-prem environments. The other options rely on known malware infrastructure, existing CVEs, or vulnerability scans, none of which reliably detects ongoing exploitation or post-exploitation activity, especially in a zero-day-type scenario.

