The following table outlines Urgency metrics by scanner, detailing each metric's description, values, and evidence.
Scanner type | Metric (runtime/non-runtime) | Description | Values | Evidence |
Vulnerabilities | Business Application criticality (non-runtime) | The highest criticality level among all applications linked to an issue’s affected assets. If no application is attached, the value is None. | Critical, High, Medium, Low, Info, None + Name | The Application Name + ID (only one) |
Vulnerabilities | Access to sensitive data (non-runtime) | At least one deployed asset affected by this issue has access to sensitive data | True, False + Finding ID | Finding ID (only one) |
Vulnerabilities | Leverage privileged capabilities (non-runtime) | At least one deployed asset affected by this issue has the ability to leverage privileged capabilities. | True, False + Finding ID | Finding ID (only one) |
Vulnerabilities | Used in image (runtime) | Indicates whether the vulnerable package present in the code is also included in the built image | True, False | — |
Vulnerabilities | Is deployed (runtime) | At least one deployed asset is affected by this issue | True, False | — |
Vulnerabilities | Internet exposed (runtime) | At least one affected deployed asset is accessible from the internet | True, False | — |
Vulnerabilities | Loaded into memory (runtime) | The vulnerable package is actively loaded into memory in at least one deployed asset | True, False, Unknown | — |
Vulnerabilities | Runtime agent protection (runtime) | Percentage of affected deployed assets with runtime protection enabled. | 0–100% | — |
Vulnerabilities | Compensating control | Indicates whether compensating controls are effective across the affected deployed assets. | ENUM | Effective / Partially Effective |
Vulnerabilities | Grace period | The time remaining to resolve this issue before enforcement actions begin. | Text | X days left / Expired X days ago |
Vulnerabilities | Publish date | The date when the vulnerability was first publicly disclosed | Date | — |
Vulnerabilities | Fix date | The date a patch or update was released | Date | — |
Vulnerabilities | EPSS score (non-runtime) | Estimated probability that this CVE will be exploited | 0–100% | — |
Vulnerabilities | CISA KEV (non-runtime) | Indicates whether this CVE is listed in CISA’s catalog | True, False | — |
Vulnerabilities | CVSS score (non-runtime) | Industry-standard severity score | 0–10 | — |
Vulnerabilities | Exploit maturity (non-runtime) | Level of confidence in the existence of a known exploit | POC, Active, None | — |
Vulnerabilities | Exploit availability (non-runtime) | Indicates whether an exploit is available to attackers | Public, Private | — |
Vulnerabilities | Package Operational Risk (non-runtime) | Risk level based on low maintenance or limited popularity | High, Medium, Low | — |
Vulnerabilities | Fixable (non-runtime) | Indicates whether a known fix is available | True, False | — |
Secrets | Business Application criticality (non-runtime) | The highest criticality level among all applications linked to an issue. | Critical, High, Medium, Low, Info, None + Name | The Application Name + ID (only one) |
Secrets | Access sensitive data (non-runtime) | Indicates whether the secret provides access to sensitive data | True, False + Finding ID | Finding ID (only one) |
Secrets | Leverage privileged capabilities (non-runtime) | Indicates whether the secret can be used for privileged operations | True, False + Finding ID | Finding ID (only one) |
Secrets | Visibility (runtime) | Indicates if the repository where the secret was found is public | Private, Public | — |
Secrets | Validation (runtime) | Indicates whether the exposed secret is valid | Privileged, Valid, Invalid, Unavailable | — |
Secrets | Found in history (non-runtime) | Indicates if the secret was found in the version history | True, False | — |
IaC Misconfigurations | Business application criticality (non-runtime) | The highest criticality level among all applications linked. | Critical, High, Medium, Low, Info, None + Name | The Application Name + ID (only one) |
IaC Misconfigurations | Access sensitive data (non-runtime) | At least one affected asset has access to sensitive data | True, False + Finding ID | Finding ID (only one) |
IaC Misconfigurations | Leverage privileged capabilities (non-runtime) | At least one affected asset has privileged capabilities. | True, False + Finding ID | Finding ID (only one) |
IaC Misconfigurations | Severity (non-runtime) | The issue's inherent severity rating | Critical, High, Medium, Low, Info, None | — |
IaC Misconfigurations | Internet exposed (runtime) | At least one affected asset is accessible from the internet | True, False | — |
IaC Misconfigurations | Is deployed (runtime) | At least one deployed asset is affected | True, False | — |
Code Weaknesses | Business application criticality (non-runtime) | Highest criticality among linked applications. | Critical, High, Medium, Low, Info, None + Name | The Application Name + ID (only one) |
Code Weaknesses | Access sensitive data (non-runtime) | Affected assets have access to sensitive data | True, False + Finding ID | Finding ID (only one) |
Code Weaknesses | Leverage privileged capabilities (non-runtime) | Affected assets have privileged capabilities. | True, False + Finding ID | Finding ID (only one) |
Code Weaknesses | Is deployed (runtime) | At least one deployed asset is affected | True, False | Asset ID (only one) |
Code Weaknesses | Severity (non-runtime) | The issue's inherent severity rating | Critical, High, Medium, Low, Info, None | — |
Code Weaknesses | Internet exposed (runtime) | Asset is accessible from the internet | True, False | — |
Code Weaknesses | Runtime agent protection (runtime) | Percentage of deployed assets with runtime protection. | 0–100% | — |
Code Weaknesses | CWE Top 25 (non-runtime) | Maps to CWE Top 25 Most Dangerous Weaknesses | True, False | — |
Code Weaknesses | OWASP Top 10 (non-runtime) | Maps to OWASP Top 10 Security Risks | True, False | — |
CI/CD | Business application criticality (non-runtime) | Highest criticality among linked applications. | Critical, High, Medium, Low, Info, None + Name | The Application Name + ID (only one) |
CI/CD | Access sensitive data (non-runtime) | Affected assets have access to sensitive data | True, False + Finding ID | Finding ID (only one) |
CI/CD | Leverage privileged capabilities (non-runtime) | Affected assets have privileged capabilities. | True, False + Finding ID | Finding ID (only one) |
CI/CD | Is deployed (runtime) | At least one deployed asset is affected | True, False | Asset ID (only one) |
CI/CD | Severity (non-runtime) | The issue's inherent severity rating | Critical, High, Medium, Low, Info, None | — |
CI/CD | Internet exposed (runtime) | Asset is accessible from the internet | True, False | — |
Malicious package | Business Application criticality (non-runtime) | Highest criticality level among linked applications. | Critical, High, Medium, Low, Info, None + Name | The Application Name + ID (only one) |
Malicious package | Access to sensitive data (non-runtime) | At least one affected asset has access to sensitive data | True, False + Finding ID | Finding ID (only one) |
Malicious package | Leverage privileged capabilities (non-runtime) | At least one affected asset has privileged capabilities. | True, False + Finding ID | Finding ID (only one) |
Malicious package | Used in image (runtime) | Vulnerable package is included in built image | True, False | — |
Malicious package | Is deployed (runtime) | At least one deployed asset is affected | True, False | — |
Malicious package | Internet exposed (runtime) | At least one affected asset is accessible from internet | True, False | — |
Malicious package | Loaded into memory (runtime) | Package is actively loaded into memory | True, False, Unknown | — |
Malicious package | Runtime agent protection (runtime) | Percentage of deployed assets with runtime protection. | 0–100% | — |
Malicious package | Archived repository | Issue originates from an archived repository | True, False | — |
Malicious package | EPSS score (non-runtime) | Probability that this CVE will be exploited | 0–100% | — |
Malicious package | CISA KEV (non-runtime) | Indicates whether this CVE is listed in CISA’s catalog | True, False | — |
Malicious package | CVSS score (non-runtime) | Industry-standard severity score | 0–10 | — |
Malicious package | Exploit maturity (non-runtime) | Confidence in known exploit existence | POC, Active, None | — |
Malicious package | Exploit availability (non-runtime) | Exploit availability to attackers | Public, Private | — |
Malicious package | Package Operational Risk (non-runtime) | Risk based on low maintenance/outdated support | High, Medium, Low | — |
Malicious package | Fixable (non-runtime) | Indicates whether a known fix is available | True, False | — |
Malicious package | Publish date (non-runtime) | The date when the vulnerability was first disclosed | Date | — |
Malicious package | Fix date (non-runtime) | The date a patch was released | Date | — |