Methodology
How the tracker turns Microsoft's public sources into an operational change log. Public data only — no tenant data.
Sources
- Roadmap — Microsoft 365 Roadmap API
- Security — MSRC Security Update Guide CVEs, enriched with CISA KEV + FIRST EPSS
- Defender XDR / Entra — official "What's new" docs
- API changes — Microsoft Graph changelog
Cadence
Polled every 2 hours via GitHub Actions; the homepage shows last refresh and per-source health.
Change detection
Each run is diffed against the previous snapshot. Source changes are detected from a hash of the raw upstream record; normalized content is compared separately, so presentation-only re-normalizations don't emit events. Material text edits become sentence-level diffs; cosmetic edits are flagged.
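The two-level comparison described above, sketched as an added example (not the tracker's own code). The function names, the SHA-256-over-canonical-JSON hash, the case/whitespace/punctuation cosmetic heuristic, and the sample record are all assumptions made for illustration.

```python
import difflib
import hashlib
import json
import re
from typing import Optional

def raw_hash(record: dict) -> str:
    # Assumption: SHA-256 over canonical JSON of the raw upstream record.
    blob = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def sentences(text: str) -> list:
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]

def fold(s: str) -> str:
    # Assumed cosmetic heuristic: ignore case, whitespace and punctuation.
    return re.sub(r"[\W_]+", "", s.lower())

def detect(prev: dict, cur_raw: dict, cur_norm: str) -> Optional[dict]:
    """prev is the last snapshot: {"raw_hash": str, "normalized": str}."""
    if raw_hash(cur_raw) == prev["raw_hash"]:
        # Upstream unchanged: a differing normalized text is our own
        # re-normalization, so no event is emitted.
        return None
    old, new = sentences(prev["normalized"]), sentences(cur_norm)
    diff = [d for d in difflib.ndiff(old, new) if d[:2] in ("- ", "+ ")]
    # Assumption: a source change whose folded sentences match is cosmetic.
    cosmetic = [fold(s) for s in old] == [fold(s) for s in new]
    return {"kind": "cosmetic" if cosmetic else "material", "diff": diff}

# Constructed sample record and snapshot (not real feed data).
PREV_RAW = {"id": "EXAMPLE-1",
            "description": "Feature rolls out in May. Admins must opt in."}
PREV = {"raw_hash": raw_hash(PREV_RAW), "normalized": PREV_RAW["description"]}

if __name__ == "__main__":
    edited = dict(PREV_RAW,
                  description="Feature rolls out in June. Admins must opt in.")
    print(detect(PREV, PREV_RAW, "feature rolls out in may. admins must opt in."))
    print(detect(PREV, edited, edited["description"]))
```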
Derived vs source data
Source-provided: titles, descriptions, dates, severity, products. Derived (heuristic): impact, urgency, normalized summaries, admin-action extraction, cosmetic classification.
Urgency
Distinct from technical severity and from evidence: exploited / passed-deadline → Immediate; near deadline, breaking, retiring → Soon; critical-without-exploitation and longer-term → Monitor.
Removal detection
An item that stops appearing upstream is marked "no longer in feed" with the last-observed date. A missing record is not automatically a cancellation — Microsoft hasn't necessarily confirmed it.
Retention
The change log keeps ~2,000 recent events; older events age out, so an item's history shows only changes still in that window.