update exploitation phases and diagram

Author: mazzma12

crowdsec-docs/unversioned/tracker_api/exploitation_phases.mdx

@@ -9,7 +9,7 @@ Every tracked CVE and fingerprint rule is assigned an **exploitation phase** tha
 
 The phases are determined by analyzing exploitation telemetry from the CrowdSec Network over time — they reflect real attacker behavior, not theoretical risk.
 
-## The Five Phases
+## The Phases
 
 ### Insufficient Data
 
@@ -19,6 +19,22 @@ This is the starting state for newly tracked CVEs or those affecting products wi
 
 **What to do**: Fall back to traditional risk indicators (CVSS score, public exploit availability, vendor advisory severity) until CrowdSec telemetry matures for this CVE. Check back periodically as the phase will update when sufficient data is collected.
 
+### Early Exploitation
+
+> *"Early exploitation attempts have been observed, but activity remains limited and not yet widespread."*
+
+CrowdSec is picking up the first real signals — scan traffic or small-scale exploit attempts. It's not yet a campaign. This phase often appears in the days after a public PoC drops for a CVE that hasn't been widely weaponized yet.
+
+**What to do**: Begin prioritizing this CVE for patching. The window between Early Exploitation and a broader campaign can be short — track momentum closely and reassess frequently.
+
+### Fresh and Popular
+
+> *"The vulnerability is recent and currently shows strong attacker interest with rapidly increasing exploitation activity."*
+
+This CVE is gaining rapid traction in the attacker community. Volume is growing fast and multiple actors are experimenting with it. It may be on the verge of tipping into Mass Exploitation.
+
+**What to do**: Treat this as high urgency. Patch immediately if possible. Deploy blocklists proactively — don't wait for confirmed hits on your infrastructure.
+
 ### Unpopular
 
 > *"The vulnerability is known but shows very limited attacker interest or exploitation activity."*
@@ -53,39 +69,60 @@ The vulnerability has been weaponized at scale. Multiple threat actor groups are
 
 **What to do**: Treat this as an emergency if you haven't patched yet. Verify patch status across your entire estate. Deploy blocklists immediately. Monitor for signs of compromise, as exploitation may have occurred before you acted.
 
+### Wearing Out
+
+> *"Exploitation activity is decreasing over time, likely due to patch adoption or reduced attacker interest."*
+
+The peak campaign has passed. Patch adoption is reducing the attack surface and/or attackers have moved on. Activity is still present but on a clear downward trend.
+
+**What to do**: If you haven't patched yet, do it now while the pressure is lower. This phase is a second chance — exploitation is easier to attribute and less noisy than at peak.
+
 ## Phase Transitions
 
 CVEs don't always move linearly through these phases. Common patterns include:
 
-- **Newly published CVE with public exploit**: May jump directly from *Insufficient Data* to *Targeted Exploitation* or *Mass Exploitation* if attackers weaponize it quickly.
-- **Old CVE with new exploit toolkit**: A CVE that was *Background Noise* for years can escalate to *Mass Exploitation* when it gets added to a popular exploit framework.
-- **Campaign ends**: A CVE in *Mass Exploitation* can settle back to *Background Noise* once the initial campaign runs its course and most targets are patched.
-- **Steady state**: Many CVEs stabilize in *Background Noise* indefinitely — they remain part of automated scanning toolkits long after the initial threat subsides.
+- **New PoC drops**: A CVE moves from *Insufficient Data* to *Early Exploitation* within days of a public proof-of-concept being published.
+- **Rapid weaponization**: *Early Exploitation* escalates to *Fresh and Popular* when multiple threat actors adopt the CVE simultaneously.
+- **Fresh and Popular → Mass Exploitation**: The most common escalation path for high-impact CVEs in widely deployed software when no effective mitigation is available.
+- **Fresh and Popular → Wearing Out**: Some CVEs peak quickly and decline before ever reaching mass scale — the community patches fast or the target surface is limited.
+- **Old CVE with new exploit toolkit**: A CVE in *Background Noise* for years can escalate to *Targeted Exploitation* or *Mass Exploitation* when added to a popular exploit framework.
+- **Campaign ends → Wearing Out**: After a *Mass Exploitation* or *Targeted Exploitation* campaign concludes, activity enters a decline.
+- **Wearing Out → Background Noise**: Residual automated scanning typically continues long-term, settling into steady-state low-level activity.
 
 ```mermaid
 graph TB
     ID(["Insufficient Data"]):::gray
+    EE(["Early Exploitation"]):::early
+    FP(["Fresh & Popular"]):::fresh
     UP(["Unpopular"]):::green
     BN(["Background Noise"]):::blue
     TE(["Targeted Exploitation"]):::orange
     ME(["Mass Exploitation"]):::red
+    WO(["Wearing Out"]):::fading
 
+    ID --> EE
     ID --> UP
-    ID --> BN
-    ID -->|fast escalation| TE
-    ID -->|fast escalation| ME
-    UP --> TE
-    BN --> TE
-    BN -->|new exploit toolkit| ME
+    EE --> FP
+    EE --> TE
+    EE --> BN
+    FP --> ME
+    FP --> TE
+    FP --> WO
     TE --> ME
-    TE -->|campaign ends| BN
-    ME -->|campaign ends| BN
+    TE --> WO
+    ME --> WO
+    WO --> BN
+    WO --> UP
+    BN --> TE
 
     classDef gray   fill:#C3BEF3,stroke:#5D54B0,color:#3b2f7e
+    classDef early  fill:#4C91C2,stroke:#2d6a94,color:#fff
+    classDef fresh  fill:#F17C4E,stroke:#c45a28,color:#fff
     classDef green  fill:#3EBB3E,stroke:#2d8b2d,color:#fff
     classDef blue   fill:#FFC343,stroke:#c8942a,color:#3b2f00
     classDef orange fill:#E21717,stroke:#a00f0f,color:#fff
     classDef red    fill:#9F6B04,stroke:#6b4700,color:#fff
+    classDef fading fill:#B90C85,stroke:#7d0857,color:#fff
 ```
 
 ## Phases and Scores Together
@@ -101,9 +138,12 @@ Typical ranges observed in practice:
 | Phase | Typical CrowdSec Score | Typical Opportunity Score | Typical Momentum Score |
 |-------|----------------------|--------------------------|----------------------|
 | Insufficient Data | 0–9 | 0–5 | 0–5 |
+| Early Exploitation | 2–6 | 1–3 | 2–5 |
+| Fresh and Popular | 5–9 | 2–4 | 4–5 |
 | Unpopular | 1–7 | 1–2 | 0–5 |
 | Background Noise | 1–6 | 1–2 | 0–5 |
 | Targeted Exploitation | 7–8 | 4–5 | 2–4 |
 | Mass Exploitation | 3–7 | 1–5 | 0–4 |
+| Wearing Out | 1–5 | 1–3 | 0–2 |
 
-Targeted Exploitation is the most predictable: it consistently shows high Opportunity scores (4–5) and elevated CrowdSec Scores. Other phases are more loosely correlated — Background Noise and Unpopular overlap significantly in score ranges, and Mass Exploitation spans a wide range depending on whether the campaign is ramping up or fading.
+Targeted Exploitation is the most predictable: it consistently shows high Opportunity scores (4–5) and elevated CrowdSec Scores. Fresh and Popular stands out for its high Momentum (4–5), reflecting the rapid growth in activity. Wearing Out is characterized by low and falling Momentum. Other phases are more loosely correlated — Background Noise and Unpopular overlap significantly in score ranges.