Vulnerabilities module
The Vulnerabilities page lists every CVE finding across your VMs, container images, serverless functions, and Kubernetes pods.
Columns
| Column | Notes |
|---|---|
| Risk | 0 to 100, the default sort. |
| Severity | CRITICAL / HIGH / MEDIUM / LOW. |
| CVE | The CVE ID, links to NVD. |
| Package | Package name + version. |
| KEV | Bullet if the CVE is on CISA Known Exploited Vulnerabilities. |
| EPSS | Exploit Prediction Scoring System percentile. |
| Asset | The VM / image / function the package is on. |
| Fixed in | The version that resolves the CVE. |
| Age | Days since first seen on this asset. |
Filters
- Severity, Status.
- KEV only, the highest-priority filter.
- EPSS > 0.5, narrows to CVEs with a non-trivial probability of exploitation.
- Package: narrow to one package across all assets.
- Asset: narrow to one workload.
- Source type: volume, image, k8s-pod, function.
Detail panel
For each CVE finding the panel shows:
- The NVD description of the CVE.
- The CVSS vector with version (3.1, 4.0, or legacy 2.0).
- EPSS score and percentile.
- KEV status with the date added to the catalogue.
- Real-world incident narrative for high-impact CVEs (Log4Shell, Heartbleed, etc.).
- Fix path: target version, distro advisory, container image rebuild guidance.
- Affected packages: which OS / language ecosystem and what match_pattern.
- Resource graph slice: the asset, its exposure, and any toxic combinations it sits on.
Tips
- KEV + Exposed is your incident list. Filter on `KEV: yes` and `Source.is_exposed: yes`. This is usually fewer than 5 findings even on a large tenant.
- Group by package to see how many assets are affected by the same CVE. One package upgrade often closes dozens of findings.
- Track the Age column. A CRITICAL that is 600 days old (Heartbleed-style) is a process problem worth a retro, not just a fix.
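The three tips above, plus the KEV, EPSS and Source type filters, amount to a triage procedure over the columns of this page. The following is an added example, not part of the product or its documentation, that runs that procedure over a handful of constructed findings: the CVE IDs, asset names, EPSS values and dates are placeholders, and the `Finding` record, the `source_type` validation and the one-year staleness threshold are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Source types as listed under Filters on the Vulnerabilities page.
SOURCE_TYPES = {"volume", "image", "k8s-pod", "function"}


@dataclass(frozen=True)
class Finding:
    """One row of the Vulnerabilities table (assumed shape, built for this example)."""
    cve: str
    severity: str        # CRITICAL / HIGH / MEDIUM / LOW
    package: str
    version: str
    fixed_in: str
    asset: str
    source_type: str     # one of SOURCE_TYPES
    kev: bool            # on the CISA Known Exploited Vulnerabilities catalogue
    epss: float          # EPSS probability in [0, 1]
    is_exposed: bool     # Source.is_exposed from the resource graph
    first_seen: date     # used to derive the Age column

    def __post_init__(self):
        if self.source_type not in SOURCE_TYPES:
            raise ValueError(f"unknown source type: {self.source_type}")


# Constructed sample findings; the CVE IDs are placeholders, not real CVEs.
FINDINGS = [
    Finding("CVE-0000-0001", "CRITICAL", "openssl", "1.0.1", "1.0.1g", "web-1",
            "volume", True, 0.97, True, date(2023, 1, 10)),
    Finding("CVE-0000-0001", "CRITICAL", "openssl", "1.0.1", "1.0.1g", "batch-7",
            "volume", True, 0.97, False, date(2023, 1, 10)),
    Finding("CVE-0000-0002", "HIGH", "log4j-core", "2.14.1", "2.17.1", "api:3.2",
            "image", True, 0.94, False, date(2024, 6, 1)),
    Finding("CVE-0000-0003", "MEDIUM", "libxml2", "2.9.10", "2.9.14", "web-1",
            "volume", False, 0.04, True, date(2024, 8, 20)),
    Finding("CVE-0000-0004", "HIGH", "openssl", "1.0.1", "1.0.1g", "ingest-fn",
            "function", False, 0.61, True, date(2024, 9, 3)),
]


def incident_list(findings):
    """Tip 1: KEV + exposed. These findings are handled as incidents, not backlog."""
    return [f for f in findings if f.kev and f.is_exposed]


def epss_filter(findings, threshold=0.5):
    """The 'EPSS > 0.5' filter: CVEs with a non-trivial probability of exploitation."""
    return [f for f in findings if f.epss > threshold]


def by_source_type(findings, source_type):
    """The Source type filter, rejecting values the page does not list."""
    if source_type not in SOURCE_TYPES:
        raise ValueError(f"unknown source type: {source_type}")
    return [f for f in findings if f.source_type == source_type]


def group_by_package(findings):
    """Tip 2: distinct assets closed by one upgrade of (package, version -> fixed_in)."""
    groups = defaultdict(set)
    for f in findings:
        groups[(f.package, f.version, f.fixed_in)].add(f.asset)
    return {key: len(assets) for key, assets in groups.items()}


def age_days(finding, today):
    """The Age column: days since the CVE was first seen on this asset."""
    return (today - finding.first_seen).days


def stale_criticals(findings, today, max_age_days=365):
    """Tip 3: CRITICALs older than the threshold point at a process problem."""
    return [f for f in findings
            if f.severity == "CRITICAL" and age_days(f, today) > max_age_days]


def triage_order(findings):
    """Default working order: KEV first, then exposed, then EPSS, then severity."""
    rank = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    return sorted(findings, key=lambda f: (not f.kev, not f.is_exposed, -f.epss,
                                           rank.get(f.severity, 4)))


if __name__ == "__main__":
    today = date(2025, 1, 1)
    for f in incident_list(FINDINGS):
        print("INCIDENT", f.cve, f.asset)
    for (pkg, ver, fix), n in group_by_package(FINDINGS).items():
        print(f"{pkg} {ver} -> {fix}: {n} asset(s)")
    for f in stale_criticals(FINDINGS, today):
        print("STALE", f.cve, f.asset, age_days(f, today), "days")
```

`group_by_package` keys on the fix path, not only the package name, because two versions of the same package with different target versions are two upgrades, not one. `triage_order` mirrors the page's guidance that KEV outranks every other filter; EPSS only breaks ties among findings with the same KEV and exposure status.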
What's next
- Vulnerability management concept
- HCR module, sibling detector for OS hardening
- Toxic combinations, how a CVE becomes a breach