
Finding severities


This article provides an overview of how finding severities work in Nucleus and where to find them. If you are unfamiliar with what a finding is, we recommend reading the article Findings and their properties for an overview of the finding entity.

Finding severities

Finding severities are a normalized criticality rating for a finding reported by a security scanning tool. The finding severity model in Nucleus allows five levels (Critical, High, Medium, Low and Informational), exists at the finding instance level, and is present for all finding types. When scan data is downloaded from a security scanning tool, findings are normalized to match this model. Because this five-level model is common across security vendors, the mapping from the scanning tool to Nucleus is often one-to-one. Where there is no one-to-one map, an algorithm is devised specifically for that tool to normalize the reported severity into the Nucleus finding severity model.

After ingestion, finding severities can optionally be adjusted automatically by leveraging Finding Processing Rules.
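The two ingestion cases described above (a one-to-one label map and a tool-specific algorithm) as an added example. This is illustrative code, not Nucleus's connector logic: the tool names are placeholders, the label aliases and the 1-to-5 scale are assumptions, and only the CVSS binning follows a published rule (the CVSS v3.x qualitative rating scale).

```python
"""Illustrative normalization of scanner severities into a five-level model.

Added example, not Nucleus code. Tool names, the alias table and the
five-point scale are assumptions made for this illustration.
"""
from typing import Callable, Dict, Union

# Nucleus-style five-level model, most severe first.
LEVELS = ("Critical", "High", "Medium", "Low", "Informational")

# Case 1: the tool already uses (roughly) the same vocabulary, so the map is
# one-to-one apart from spelling variants. Aliases here are assumed.
LABEL_ALIASES = {
    "critical": "Critical",
    "high": "High",
    "medium": "Medium",
    "moderate": "Medium",
    "low": "Low",
    "informational": "Informational",
    "info": "Informational",
    "none": "Informational",
}


def normalize_label(raw: str) -> str:
    """One-to-one label map; unknown labels are rejected rather than guessed."""
    key = raw.strip().lower()
    if key not in LABEL_ALIASES:
        raise ValueError(f"unmapped severity label: {raw!r}")
    return LABEL_ALIASES[key]


def normalize_cvss(score: float) -> str:
    """Tool reports a CVSS base score: bin it with the CVSS v3.x rating scale.

    0.0 = None -> Informational, 0.1-3.9 Low, 4.0-6.9 Medium,
    7.0-8.9 High, 9.0-10.0 Critical.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Informational"


def normalize_five_point(level: int) -> str:
    """Hypothetical tool reporting an integer 1..5 where 5 is the worst."""
    if level not in range(1, 6):
        raise ValueError(f"five-point level out of range: {level}")
    return LEVELS[5 - level]   # 5 -> Critical ... 1 -> Informational


# Dispatch table keyed by (placeholder) tool name.
NORMALIZERS: Dict[str, Callable[..., str]] = {
    "label_tool": normalize_label,
    "cvss_tool": normalize_cvss,
    "five_point_tool": normalize_five_point,
}


def normalize_finding(tool: str, raw_severity: Union[str, float, int]) -> str:
    """Return the normalized severity for one finding from the named tool."""
    try:
        normalizer = NORMALIZERS[tool]
    except KeyError:
        raise ValueError(f"no normalizer for tool {tool!r}") from None
    return normalizer(raw_severity)


if __name__ == "__main__":
    # Constructed sample records, one per tool style.
    samples = [("label_tool", "Moderate"), ("cvss_tool", 7.4), ("five_point_tool", 1)]
    for tool, raw in samples:
        print(f"{tool}: {raw!r} -> {normalize_finding(tool, raw)}")
```

Rejecting unmapped values instead of silently defaulting them is deliberate: a finding that lands at the wrong level because of an unrecognised label is harder to notice than an ingestion error.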

Finding severities appear throughout the product on various pages. One of the most common places you will see them is the Vulnerabilities > Active page, which lists all currently active vulnerabilities in your environment across all scan tools in use.

To view this page, navigate to Global Dashboard > Select your project > Vulnerabilities > Active.

Adjusting finding severities

Nucleus enables you to track qualitative risk scores for every vulnerability and compliance finding within your environment. Whereas in traditional vulnerability management tools a severity is a criticality rating for a finding devoid of asset context, in Nucleus severities can be adjusted as part of a broader risk-based prioritization approach, optionally including asset context in your severity rating and risk scoring.

Adjusting an individual finding instance's severity changes that finding instance's risk score, and applies to several use cases within your vulnerability management program.

Individual Team Prioritization

Because finding severities are tracked at the instance level, when you assign vulnerabilities to teams for remediation, each team can adjust the severity and prioritize remediation actions within the team without impacting the priorities of other teams.

  • This means that every team can truly manage their own risk scores while the data stays centralized and prioritized globally across the entire business.

  • You can delegate severity adjustments without worrying about that adjustment affecting other teams and their workflows.

CSPM Cloud Compliance Findings

CSPM tools like Wiz, Orca, and Prisma Cloud report findings with varying severities. As a cloud-native platform, Nucleus supports severity mapping when these upstream systems report different technical severity levels for the same finding across different assets and cloud accounts, which keeps the data inside Nucleus accurate.

  • This means that prioritization on the Active vulnerabilities page is improved due to more precise tracking of severity values.

  • This is also supported for findings that are not vulnerabilities, such as compliance findings, configuration management findings, and more.

Implement SSVC

SSVC (Stakeholder-Specific Vulnerability Categorization) lets you map attributes of a vulnerability to outcomes and actions. Because severity is tracked at the instance level, the severity field is available inside Nucleus for you to implement the SSVC framework directly: you can map the risk level of each vulnerability instance to an outcome instead of writing custom logic inside automation rules.

You can implement the below example (and any adjustments you make to it) using the Nucleus Automation Framework to map severities to any outcome you'd like according to SSVC.
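An added illustration of mapping instance severity to SSVC outcomes. It is not Nucleus's Automation Framework and not CISA's reference decision tree: the decision-point names (Exploitation, Automatable, Mission & Well-being) and the four outcomes (Track, Track*, Attend, Act) are SSVC's, but the rule ordering is a reduced table written for this example, with the Nucleus instance severity standing in for SSVC's Technical Impact decision point. The sample instances are constructed.

```python
"""Illustrative mapping from Nucleus instance severity to an SSVC outcome.

Added example: neither Nucleus's Automation Framework nor CISA's reference
decision tree. The rule table below is an assumption; swap in your own.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
EXPLOITATION = ("none", "poc", "active")
MISSION_IMPACT = ("low", "medium", "high")
OUTCOME_RANK = {"Track": 0, "Track*": 1, "Attend": 2, "Act": 3}


@dataclass(frozen=True)
class Instance:
    """One finding on one asset, carrying its own (possibly adjusted) severity."""
    finding_id: str
    asset: str
    severity: str         # Nucleus instance-level severity
    exploitation: str     # SSVC Exploitation: none | poc | active
    automatable: bool     # SSVC Automatable
    mission_impact: str   # SSVC Mission & Well-being, taken from asset context


def ssvc_outcome(inst: Instance) -> str:
    """Walk the (illustrative) decision tree for a single instance."""
    if inst.severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {inst.severity!r}")
    if inst.exploitation not in EXPLOITATION:
        raise ValueError(f"unknown exploitation state {inst.exploitation!r}")
    if inst.mission_impact not in MISSION_IMPACT:
        raise ValueError(f"unknown mission impact {inst.mission_impact!r}")

    sev = SEVERITY_RANK[inst.severity]
    if sev == 0:
        # Informational findings are tracked only, whatever the context.
        return "Track"
    if inst.exploitation == "active":
        # Exploited in the wild: act on high-impact instances, attend to the rest.
        if sev >= 3 or inst.mission_impact == "high":
            return "Act"
        return "Attend"
    if inst.exploitation == "poc":
        if inst.automatable and sev >= 3 and inst.mission_impact == "high":
            return "Act"
        if inst.automatable or sev >= 3:
            return "Attend"
        return "Track*"
    # No known exploitation.
    if inst.automatable and sev == 4 and inst.mission_impact == "high":
        return "Attend"
    if sev >= 3:
        return "Track*"
    return "Track"


def prioritize(instances: Iterable[Instance]) -> List[Tuple[str, Instance]]:
    """Return (outcome, instance) pairs, most urgent first."""
    scored = [(ssvc_outcome(i), i) for i in instances]
    return sorted(
        scored,
        key=lambda pair: (-OUTCOME_RANK[pair[0]], -SEVERITY_RANK[pair[1].severity]),
    )


if __name__ == "__main__":
    # Constructed sample: the same finding on two assets. The platform team
    # kept Critical on the internet-facing host; the QA team adjusted its lab
    # instance to Low. Exploitation is a property of the finding, so it is the
    # same for both; mission impact comes from each asset.
    sample = [
        Instance("F-0001", "web-prod-01", "Critical", "active", True, "high"),
        Instance("F-0001", "web-lab-01", "Low", "active", True, "low"),
        Instance("F-0002", "build-agent-03", "High", "none", False, "medium"),
    ]
    for outcome, inst in prioritize(sample):
        print(f"{outcome:7} {inst.finding_id} on {inst.asset} ({inst.severity})")
```

The point to notice is that both F-0001 instances share the same exploitation state, yet the lab instance lands on Attend while the production instance lands on Act, purely because the instance severity and asset context differ.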

Compensating controls

In Nucleus, you can connect the severity rating to compensating controls within your environment. Using only the technical severity, which is the same across every instance of a single finding, does not let users incorporate asset context into the risk score. Individualized instance severities let you bring any business context you want into the prioritization of a vulnerability.
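The instance-level model behind the team prioritization and compensating-control use cases above, as an added example. It is not Nucleus's data model or risk-score formula: the severity weights, the asset criticality multiplier and the rule that a compensating control lowers an instance by one level (never below Low) are assumptions chosen for the illustration, and the finding and asset names are constructed.

```python
"""Illustrative instance-level severity model with adjustments.

Added example, not Nucleus's data model or risk-score formula. It shows the
property the text describes: one finding definition carries the technical
severity, each instance carries its own severity that can be adjusted with
asset context (team decision or compensating control), and adjusting one
instance leaves every other instance untouched. Weights are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Least to most severe, so index arithmetic can lower a level.
LEVELS = ["Informational", "Low", "Medium", "High", "Critical"]
SEVERITY_WEIGHT = {"Informational": 0, "Low": 10, "Medium": 40, "High": 70, "Critical": 100}  # assumed


@dataclass
class Finding:
    finding_id: str
    technical_severity: str   # normalized from the scanner; shared by all instances


@dataclass
class Asset:
    name: str
    team: str
    criticality: float = 1.0                # assumed multiplier: 0.5 lab ... 1.5 crown jewel
    compensating_controls: Set[str] = field(default_factory=set)


@dataclass
class FindingInstance:
    finding: Finding
    asset: Asset
    severity_override: Optional[str] = None
    adjustment_log: List[Tuple[str, str, str, str]] = field(default_factory=list)

    @property
    def severity(self) -> str:
        """Instance severity: the override if set, else the technical severity."""
        return self.severity_override or self.finding.technical_severity

    def adjust(self, new_severity: str, reason: str, actor: str) -> None:
        """Override this instance only; other instances of the finding are unaffected."""
        if new_severity not in LEVELS:
            raise ValueError(f"unknown severity {new_severity!r}")
        self.adjustment_log.append((actor, self.severity, new_severity, reason))
        self.severity_override = new_severity

    def risk_score(self) -> float:
        """Assumed formula: severity weight scaled by asset criticality."""
        return round(SEVERITY_WEIGHT[self.severity] * self.asset.criticality, 1)


def downgrade_for_controls(inst: FindingInstance, control_steps: Dict[str, int], actor: str) -> str:
    """Lower the instance severity by the steps credited to each control on the asset.

    Assumed policy: never below Low, since the weakness still exists on the host.
    """
    steps = sum(control_steps.get(c, 0) for c in inst.asset.compensating_controls)
    if steps == 0:
        return inst.severity
    new_index = max(LEVELS.index("Low"), LEVELS.index(inst.severity) - steps)
    new_severity = LEVELS[new_index]
    if new_severity != inst.severity:
        applied = sorted(c for c in inst.asset.compensating_controls if c in control_steps)
        inst.adjust(new_severity, f"compensating controls: {', '.join(applied)}", actor)
    return inst.severity


if __name__ == "__main__":
    # Constructed sample: one finding, two instances on assets owned by different teams.
    finding = Finding("F-0001", "High")
    prod = Asset("web-prod-01", team="platform", criticality=1.5)
    lab = Asset("web-lab-01", team="qa", criticality=0.5,
                compensating_controls={"waf", "network_isolation"})
    prod_inst = FindingInstance(finding, prod)
    lab_inst = FindingInstance(finding, lab)

    # The QA team downgrades its own instance; the platform team's stays High.
    downgrade_for_controls(lab_inst, {"waf": 1, "network_isolation": 1}, actor="qa-lead")
    for inst in (prod_inst, lab_inst):
        print(f"{inst.asset.name:12} team={inst.asset.team:9} severity={inst.severity:5} "
              f"risk={inst.risk_score()}")
```

Because the override lives on the instance, the adjustment log on one asset is the complete audit trail for that team's decision and nothing in it leaks into the other team's view of the same finding.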