Vulnerability policies - A vulnerability policy defines the action you want to take for a specific set of vulnerability findings. - Administrator Guide - Cortex CLOUD

Cortex Cloud Posture Management Documentation
Product
Cortex Cloud Application Security > Cortex CLOUD
License
Cloud Posture Management
Creation date
2025-01-22
Last date published
2026-06-04
Category
Administrator Guide
Abstract

A vulnerability policy defines the action you want to take for a specific set of vulnerability findings.

A vulnerability policy defines the action you want to take for a specific set of vulnerability findings that match your policy criteria. Cortex Cloud provides a set of predefined vulnerability policies based on CVSS severity, EPSS severity, and vulnerabilities confirmed through Attack Surface Testing. You can also create custom policies based on your unique business requirements. Custom policies allow you to focus on the risks that matter most to your organization. Some examples of custom vulnerability policies include the following:

  • A policy that creates issues with a severity of critical for findings that have a CVSS score of 9 or more

  • A policy that creates issues with a severity of low for findings that appear on dev servers

  • A policy that specifies not to create issues for findings on assets in the asset group Leased to customers

  • A policy which creates issues with a severity of critical for vulnerabilities that appear on the CISA KEV list and are in the asset group called Production Servers, regardless of CVSS score.

  • A policy that prevents an image that contains code with a CVE with an EPSS score greater than 90% from being deployed to the Kubernetes cluster

Each time a new vulnerability finding is discovered, the system compares that finding to your vulnerability policies to determine whether one of the policies is a match. Vulnerability policies have an evaluation order, which means the system starts by evaluating the finding against the first policy. If it does not match, the second policy is evaluated for a match. As soon as a finding matches a policy, no further policies are evaluated for that finding.

The following sections describe the elements that make up a vulnerability policy:

Policy conditions and scope

Vulnerability policy conditions and scope define the specific set of findings that a policy applies to. You define the conditions by configuring a filter with criteria for including and excluding findings. You define scope by creating one or more Asset Groups and adding assets to those groups in the Assets view. Once the Asset Groups are created you may select one or more of them in the policy creation process, this will limit the scope of that policy to only the assets in the chosen asset groups.

Policy actions

Policy actions are the actions the policy will perform automatically on vulnerability findings that match the policy conditions and scope. There are two types of policy actions, issue creation and prevention.

Policy order

The order of policies in the policy list is important. Policies are executed in order from top to bottom, and the first policy that matches a finding determines the action on that finding. After that first match, no other policies are evaluated. We recommend placing your most important and most specific policies toward the top of the list and wider-reaching, more generic policies towards the bottom of the policy list.

Policy 0 is the Globally Ignored CVEs, Assets, and Asset Groups policy. It includes a list of CVEs and assets for which Cortex Cloud will not create vulnerability issues. You can update the Globally Ignored CVEs, Assets, and Asset Groups policy by adding or removing CVEs, asset groups, and assets, but you cannot move the policy down list to change order.