Prioritize issues using Urgency, a context-aware risk score that dynamically evaluates runtime exposure, business impact, and protection status.
Urgency
Urgency transitions security teams from reactive severity-only triage to proactive context-aware prioritization. Static severity (Critical, High, Medium, Low) reflects the theoretical impact of a vulnerability but does not account for whether the vulnerability is deployed, internet-exposed, actively exploited, or affecting a business-critical application. Urgency incorporates these runtime and business signals to surface the issues that pose the greatest real-world risk.
Core achievements:
Reducing remediation noise: Urgency isolates the issues that affect deployed, internet-exposed, or business-critical assets from low-risk findings in development environments
Accelerating triage: Urgency eliminates manual risk assessment by automatically computing a prioritized remediation order based on exploit intelligence, runtime context, and business criticality
Enabling SLA compliance: Urgency tiers map directly to SLA targets, enabling governance teams to measure remediation velocity against defined risk thresholds
Incorporating compensating controls: Urgency automatically lowers scores when active protections, such as XDR Agent coverage or manual security controls, are detected, preventing over-prioritization of protected assets
Key contextual factors
Urgency is based on these high-impact factors:
Runtime exposure: Is the vulnerable asset deployed or exposed to the internet, or can it be exploited to leverage privileged capabilities in an attack?
Business impact: Is the application critical to the business? Does the asset access sensitive data?
Exploitability: Is there a known exploit (CISA KEV, EPSS)? Is the exploit mature and available?
Protection status: Is the runtime asset protected by a Cortex XDR/XSIAM agent? High agent coverage can downgrade an issue's urgency level by mitigating the immediate risk
Urgency levels
Top Urgent: Highest risk — the issue affects a deployed, internet-exposed, or business-critical asset with active exploit intelligence or confirmed exploitability. Immediate remediation required
Urgent: Important issues to address soon, such as deployed assets with moderate risk, or high-risk issues that are effectively mitigated by runtime agents
Not Urgent: Requires attention, but can be addressed within your organization's SLA (Service Level Agreement)
Not Applicable: Issues for which Urgency is not calculated, including PR/CI scans or pending periodic calculation
How Urgency is calculated
Urgency is calculated as a dynamic risk score derived from two dimensions: Urgency = Probability (likelihood of exploitation) × Impact (potential damage).
Probability: Incorporates signals such as EPSS score, CISA KEV status, exploit maturity, reachability, internet exposure, deployment status, and runtime agent protection coverage
Impact: Incorporates signals such as application criticality, application environment, access to sensitive data, leverage of privileged capabilities, and the number of affected assets
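The Probability × Impact model above can be sketched as follows. This is an added illustration, not Cortex Cloud's scoring code: every weight, threshold, field name and the `source` labels are assumptions chosen only to show how the signals interact, including how runtime agent coverage lowers a tier.

```python
from dataclasses import dataclass

# Every weight and threshold below is an assumption made for illustration.
CRITICALITY = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.3}

@dataclass
class Finding:
    epss: float              # EPSS probability, 0..1
    in_kev: bool             # listed in CISA KEV
    deployed: bool
    internet_exposed: bool
    agent_coverage: float    # share of deployed assets with an active agent, 0..1
    app_criticality: str     # key of CRITICALITY
    sensitive_data: bool
    source: str = "periodic" # hypothetical labels: "periodic" or "pr_ci"

def probability(f: Finding) -> float:
    """Likelihood of exploitation from exploit intel and runtime context."""
    base = max(f.epss, 0.9 if f.in_kev else 0.0)
    if not f.deployed:
        base *= 0.2                      # not running anywhere: far less likely
    elif f.internet_exposed:
        base = min(1.0, base * 1.5)      # reachable from the internet
    # Compensating control: active agents cut likelihood, never to zero.
    return base * (1.0 - 0.6 * f.agent_coverage)

def impact(f: Finding) -> float:
    """Potential damage from business context."""
    score = CRITICALITY[f.app_criticality]
    return min(1.0, score + 0.2) if f.sensitive_data else score

def urgency(f: Finding) -> str:
    if f.source == "pr_ci":              # Urgency is not calculated for PR/CI scans
        return "Not Applicable"
    score = probability(f) * impact(f)
    if score >= 0.6:
        return "Top Urgent"
    return "Urgent" if score >= 0.25 else "Not Urgent"

# Constructed samples: the same KEV-listed flaw with and without agent coverage,
# and an undeployed finding on a medium-criticality application.
exposed = Finding(0.4, True, True, True, 0.0, "critical", True)
protected = Finding(0.4, True, True, True, 1.0, "critical", True)
dev_only = Finding(0.4, False, False, False, 0.0, "medium", False)
print(urgency(exposed), urgency(protected), urgency(dev_only))
```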
The following Urgency metrics are shared across all scanner types. The Urgency engine evaluates these common signals for every issue, regardless of the detection method.
Applications: Data from applications created in Cortex Cloud. Higher application criticality increases urgency. Critical and High applications receive elevated urgency classification
Runtime: Percentage of affected deployed assets with runtime protection, either directly or via a host-level agent. Only active agents are counted. Higher runtime agent protection coverage reduces urgency because the runtime agent can detect and block exploitation attempts
Code: Findings from native Cortex Cloud Application Security scanners and ingested third-party sources
Risk metadata: External threat context aggregated from third-party sources
Asset metadata: Contextual information associated with the asset where the finding was detected, including any enrichments. For example, a vulnerability is a finding on a software package, and its enrichment could include related repository data
For a detailed breakdown of the specific Urgency parameters defined by each scanner type, see Urgency metrics.