I once used it to do a security audit.

I got a list of security advisories from CERT. First I broke them up by application (like "Tomcat" or "Apache"). Then I broke them up by whether and how a fix was available, like "no fix", "fixed via a patch", "fixed in SVN", "fix requires a version upgrade", that sort of thing. That formed the structure of the outline.

Then I added a column for "severity", and a column for each of the services we ran that used each application. The service columns were of type "checkbox".

Then for each individual advisory, I evaluated whether that advisory applied to a particular service we provide. (For example, a vulnerability in the bundled Tomcat "manager" app doesn't hit us on systems where we already have that app disabled.)

Once done, I could collapse the "whether or how a fix is available" headings and get a quick overview of what we were vulnerable to and what our mitigation options were, which helped us plan. Like, if everything a given service is vulnerable to is in the "fixed if you upgrade" category, you know you can upgrade that app and don't have to worry about applying patches or pulling source from SVN.

(I swear my favorite usage pattern for OO is to have a bunch of checkbox or "pop-up list" columns, for checking a set of things against something hierarchically organized. I even use this pattern when playing games, like for tracking Xbox achievements or an RPG's quest chains.)
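
The triage matrix described in the post above, sketched in Python as an added example that is not part of the original post. The advisory IDs, the service names `portal` and `api`, and all function names are constructed for illustration, and treating an unevaluated checkbox as "exposed" is an assumption of this example.

```python
from collections import defaultdict

UPGRADE = "fix requires a version upgrade"

# Constructed sample data: placeholder IDs, hypothetical services "portal" and "api".
# "applies" holds the per-service checkbox columns for each advisory.
ADVISORIES = [
    {"id": "ADV-1", "app": "Tomcat", "fix": UPGRADE, "severity": "high",
     "applies": {"portal": True, "api": True}},
    {"id": "ADV-2", "app": "Tomcat", "fix": UPGRADE, "severity": "medium",
     "applies": {"portal": False, "api": True}},  # manager app disabled on portal
    {"id": "ADV-3", "app": "Apache", "fix": "fixed via a patch", "severity": "high",
     "applies": {"portal": True, "api": False}},
    {"id": "ADV-4", "app": "Apache", "fix": "fixed in SVN", "severity": "medium",
     "applies": {"portal": True, "api": False}},
    {"id": "ADV-5", "app": "Apache", "fix": "no fix", "severity": "low",
     "applies": {"portal": False, "api": False}},
]

def build_outline(advisories):
    """Group advisories as application -> fix status -> [advisory]."""
    outline = defaultdict(lambda: defaultdict(list))
    for adv in advisories:
        outline[adv["app"]][adv["fix"]].append(adv)
    return outline

def collapsed_view(outline, service):
    """Per application, count the advisories checked for `service` under each
    fix-status heading. A missing checkbox counts as exposed (assumption of
    this example: an unevaluated advisory is not treated as safe)."""
    view = {}
    for app, by_fix in outline.items():
        counts = {}
        for fix, advs in by_fix.items():
            hits = sum(1 for a in advs if a["applies"].get(service, True))
            if hits:
                counts[fix] = hits
        if counts:
            view[app] = counts
    return view

def upgrade_is_enough(view, app):
    """True when every advisory affecting the service for `app` is fixed by upgrading."""
    return app in view and set(view[app]) == {UPGRADE}

if __name__ == "__main__":
    outline = build_outline(ADVISORIES)
    for service in ("portal", "api"):
        print(service, collapsed_view(outline, service))
```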