Urgency signals depend on code to cloud (C2C) mapping: the traceability chain that connects source code repositories through CI/CD pipelines and IaC resources to deployed cloud workloads.
Signals that require code to cloud traceability:
- Is Deployed: Requires knowledge of whether the code artifact is deployed as a cloud asset
- Internet Exposed: Requires knowledge of the network configuration of the deployed asset
- Affected Assets: Requires knowledge of how many deployed assets contain the vulnerable artifact
- Application Environment: Requires knowledge of which application and environment the deployed asset belongs to
- Application Criticality: Requires knowledge of the application business criticality classification
- Access to Sensitive Data: Requires knowledge of the deployed asset data access patterns
- Leverage Privileged Capabilities: Requires knowledge of the deployed asset permission scope
How code to cloud affects Urgency
| Scenario | Urgency behavior |
|---|---|
C2C trace exists | All urgency signals (common + scanner-specific) are evaluated. The Urgency engine computes a full urgency classification |
C2C trace does not exist, scanner-specific signals available | Scanner-specific signals (EPSS, KEV, secret validation, CWE Top 25) are evaluated. Deployment-related signals (Is Deployed, Internet Exposed, Affected Assets) display as Not Applicable |
C2C trace does not exist, no scanner-specific signals | Urgency is classified as Not Applicable |
Establish code to cloud traceability
To enable full urgency calculation:
1. Link repositories to business applications. For more information, refer to Defining Business Applications.
2. Ensure CI/CD pipelines are integrated and active.
3. Verify that IaC resources are mapped to deployed cloud resources.
Important
Without code to cloud traceability, deployment-related urgency signals cannot be computed. Scanner-specific signals (EPSS Score, KEV Status, Reachability, Secret Validation, CWE Top 25, OWASP Top 10) are always available regardless of code to cloud traceability.
Urgency and compensating controls
Compensating controls are active protections that reduce the exploitability of a deployed vulnerability. The Urgency engine recognizes compensating controls and lowers the Urgency classification when active protections exist.
How compensating controls affect Urgency: Compensating controls do not eliminate the underlying vulnerability; they reduce the *exploitability* of the vulnerability by adding defensive layers. The Urgency engine treats compensating controls as risk-reducing factors that can lower the classification from Top Urgent to Urgent, or from Urgent to Not Urgent, depending on the coverage and effectiveness of the controls.
XDR Agent coverage: The Runtime Agent Protection metric measures the percentage of affected deployed assets with runtime protection, either directly or via a host-level agent. Only active agents are counted. When a high percentage of affected assets have runtime agent protection, the Urgency engine lowers the classification because the XDR agent can detect and terminate exploitation attempts before the attacker achieves persistence.
Manual security controls: User-defined compensating controls that reduce Urgency when active protections exist for the affected assets. Manual security controls allow organizations to account for protections that are not automatically detected by the platform (for example, WAF rules, network segmentation, or application-level input validation).
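The following toy model, written for this page and not part of the platform's own code, ties together the two decision flows described above: the scenario table (which signals are evaluated or Not Applicable depending on whether a C2C trace exists) and the compensating-control downgrade (Top Urgent to Urgent, Urgent to Not Urgent when runtime agent coverage or a manual control is present). The page gives the scenarios but not the engine's weights or thresholds, so the base scoring rule, the 90% agent-coverage threshold and the `Finding` fields are assumptions made for illustration.

```python
"""Toy model of the Urgency engine's decision flow as described on this page.

Illustrative code only: scoring weights and thresholds are assumed, since the
page documents the scenarios and the direction of the downgrade, not the values.
"""
from dataclasses import dataclass, field
from typing import Dict

# Signal names taken from the page.
DEPLOYMENT_SIGNALS = ("Is Deployed", "Internet Exposed", "Affected Assets")
SCANNER_SIGNALS = ("EPSS", "KEV", "Secret Validation", "CWE Top 25")

# Classification ladder, most to least severe. "Not Applicable" sits outside it.
LADDER = ["Top Urgent", "Urgent", "Not Urgent"]
NOT_APPLICABLE = "Not Applicable"


@dataclass
class Finding:
    """Hypothetical input record for one vulnerability finding (assumed shape)."""
    c2c_trace: bool                                   # does a code-to-cloud trace exist?
    scanner: Dict[str, bool] = field(default_factory=dict)     # scanner signal -> fires?
    deployment: Dict[str, bool] = field(default_factory=dict)  # deployment signal -> fires?
    runtime_agent_coverage: float = 0.0               # fraction of affected assets with an active agent
    manual_controls: bool = False                     # user-defined compensating control present?


def signal_status(f: Finding) -> Dict[str, str]:
    """Per-signal status according to the scenario table: scanner-specific
    signals need scanner data, deployment-related signals need a C2C trace."""
    status = {}
    scanner_available = bool(f.scanner)
    for name in SCANNER_SIGNALS:
        status[name] = "Evaluated" if scanner_available else NOT_APPLICABLE
    for name in DEPLOYMENT_SIGNALS:
        status[name] = "Evaluated" if f.c2c_trace else NOT_APPLICABLE
    return status


def base_classification(f: Finding) -> str:
    """Assumed scoring rule. Only the third table row (no trace, no scanner
    signals -> Not Applicable) is taken from the page; the rest is illustrative."""
    if not f.c2c_trace and not f.scanner:
        return NOT_APPLICABLE
    scanner_hit = any(f.scanner.values())
    # Internet exposure can only be known when a C2C trace exists.
    exposed = f.c2c_trace and f.deployment.get("Internet Exposed", False)
    if scanner_hit and exposed:
        return "Top Urgent"
    if scanner_hit:
        return "Urgent"
    return "Not Urgent"


def apply_compensating_controls(level: str, f: Finding, coverage_threshold: float = 0.9) -> str:
    """Lower the classification by one step when active protections exist.
    The coverage threshold is an assumption, not a documented value."""
    if level in (NOT_APPLICABLE, "Not Urgent"):
        return level  # nothing to lower
    protected = f.runtime_agent_coverage >= coverage_threshold or f.manual_controls
    if not protected:
        return level
    return LADDER[LADDER.index(level) + 1]


def classify(f: Finding) -> str:
    """Full pipeline: base classification, then compensating-control downgrade."""
    return apply_compensating_controls(base_classification(f), f)


if __name__ == "__main__":
    # Constructed sample findings, one per scenario on the page.
    samples = {
        "trace, KEV, exposed, no agent": Finding(
            True, {"KEV": True}, {"Is Deployed": True, "Internet Exposed": True, "Affected Assets": True}),
        "trace, KEV, exposed, 95% agent coverage": Finding(
            True, {"KEV": True}, {"Is Deployed": True, "Internet Exposed": True, "Affected Assets": True},
            runtime_agent_coverage=0.95),
        "no trace, KEV only": Finding(False, {"KEV": True}),
        "no trace, no scanner signals": Finding(False),
    }
    for label, finding in samples.items():
        print(f"{label}: {classify(finding)}")
        print("   ", signal_status(finding))
```

Running the module prints the classification and per-signal status for each constructed sample; the third sample shows deployment-related signals reported as Not Applicable while the scanner-specific ones are still evaluated, matching the second row of the scenario table.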