Am I reading the correct user guide?
Some connectors on the Vulcan help center offer multiple user guides tailored to different setups and versions.
To open the correct user guide for your setup and version, go to the connector's setup page and click How to connect.
Connector details
About NodeZero
The NodeZero platform empowers organizations to reduce their security risk by autonomously finding exploitable weaknesses in their network, giving detailed guidance about how to prioritize and fix them, and helping to verify that your fixes are effective immediately.
Support scope
Supported products | NodeZero |
Category | Vulnerability Assessment |
Ingestion type | Assets and vulnerabilities |
Ingested asset type(s) | Hosts |
Integration type | Unidirectional (data is transferred from the Connector to the Vulcan Platform in one direction) |
Supported version and type | SaaS (latest) |
Connector Setup
Prerequisites and user permissions
Before you begin configuring the Connector, make sure you have the following:
API token with the relevant permissions:
The user generating the API key must have read permissions, and the API key's permission level must be Read-only.
Generating API token
Go to NodeZero platform > Settings > My Settings.
Go to API Keys and click Generate API Key.
Make sure the permission level is Read-only.
Copy the generated API key to somewhere safe.
Configuring the NodeZero connector
Log in to the Vulcan ExposureOS platform and go to Connectors > Add a Connector.
Click on the NodeZero icon.
Set up the Connector as follows:
If a gateway is required, refer to the Vulcan Gateway guide to configure the gateway before proceeding. If not, continue following the steps in this guide.
Enter the API Key you generated earlier.
Data pulling configuration:
This configuration has dynamic settings tailored to the specific connector and integration type. Below are the configurations relevant to this connector.
Set the fetching configuration of the penetration templates. You can check to fetch all templates or select several pentests.
Asset Retention: Configure the retention period for inactive assets based on their last seen date. If an asset has not been detected or updated in a scan within the specified days, it will be automatically removed from the Vulcan ExposureOS platform. This ensures your asset inventory stays current and relevant.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your NodeZero instance.
Notes:
A successful connectivity test confirms that the platform can connect to the NodeZero instance. However, it does not guarantee that the synchronization process will succeed, as additional syncing or processing issues may arise.
If the connectivity test fails, an error message with details about the issue will appear. Click the arrow next to the error message for more information about the exact error.
Connector scheduling: Set the connector's sync time and days. By default, all days are selected.
Click Create to start syncing the new connector, or Save Changes if editing an existing connector.
Allow some time for the sync to complete. Then, you can review the sync status on the Connectors main page or under Connector sync logs on the connector's specific setup page.
To confirm the sync is complete, navigate to the Connectors page. The sync is complete once the NodeZero connector icon shows Connected.
NodeZero in the Vulcan platform
Viewing findings
To view findings (instances) ingested by the NodeZero connector:
Go to the Findings page.
Click on Filter and set the condition to Vulnerability > Source > is > NodeZero.
You can also:
Filter by Business Group and add more filters to narrow your search further.
Filter by Connector-specific parameters (also known as Native Parameters) if available.
Click on a finding for more details.
Viewing vulnerabilities
To view vulnerabilities ingested by the NodeZero connector:
Go to the Vulnerabilities page.
Click on Filter and set the condition to Vulnerability > Source > is > NodeZero.
You can also:
Filter by Business Group and add more filters to narrow your search further.
Filter by Connector-specific parameters (also known as Native Parameters) if available.
Click on a vulnerability for more details.
Viewing assets
To view assets ingested by the NodeZero connector:
Go to the Assets page.
Click on Filter and set the condition to Asset > Source > is > NodeZero.
You can also:
Filter by Business Group and add more filters to narrow your search further.
Filter by Connector-specific parameters (also known as Native Parameters) if available.
Click on an asset for more details.
Taking action on vulnerabilities and assets
To take remediation action on vulnerabilities and assets ingested by the NodeZero connector:
Go to the Vulnerabilities or Assets page.
Use the Filter to view the assets/vulnerabilities by source. You can always filter by Business Group and add more filters to narrow your search.
Select the relevant vulnerabilities/assets from the results list.
Click on Take Action to proceed with remediation or further actions.
Automating remediation actions on vulnerabilities
Use Vulcan Playbooks to create automation and remediate vulnerabilities at scale.
Data Mapping
The Vulcan Platform integrates with NodeZero through an API that pulls relevant vulnerability and asset data and maps it to the platform's pages and fields. The vulnerability and/or asset data is ingested from the vendor platform and mapped into the Vulcan ExposureOS platform.
Host data mapping
Asset data
NodeZero UI field | NodeZero API field | Vulcan field |
IP | Hostname / IP | Asset Uniqueness criteria |
- | OS | Cloud ID cloud_instance_id |
Hostname | OS | Host Name (hostname) |
Operating system | IP | Host OS (os) |
version and build | - | Host OS Version (os_version) |
IP | - | Host IP (ip) |
- | - | Host external IP (ip) |
- | - | Host FQDN (fqdn, if list fqdns) |
- | - | Host MAC addresses (mac_address) |
- | Subnet RiskScore Hardware Device | Host first Seen (first_seen) |
- | - | Host Last report (last_seen) |
Subnet Score | - | Host details (added_data) |
Unique vulnerability data
NodeZero UI field | NodeZero API field | Vulcan field |
WEAKNESS ID | WeaknessID | Unique Vulnerability uniqueness criteria |
WEAKNESS ID + NAME | WEAKNESS ID + NAME | Vulnerability title (title) |
Weakness: Score | ContextScore | Vulnerability score (cvss_score) |
Weakness description | Description | Vulnerability description (description) |
References Name | References RootCause Impact | Vulnerability details (added_data) |
Weakness ID (CVE/ H3) | WeaknessID | CVE/S (report_item_cve) |
Finding data (asset-instance connection)
NodeZero UI field | NodeZero API field | Vulcan field |
WEAKNESS ID + AFFECTED ASSET + IP + PORT + Protocol | IP, | Vulnerability instance uniqueness criteria |
severity AFFECTED ASSET HOST | Severity Name RootCause Description Hostname AssetID IP OS Service ServiceType Protocol Port | Vulnerability instance details (added_data) |
port | Port | Vulnerability instance port (port) |
protocol | Protocol | Vulnerability instance port (protocol) |
Solution data
NodeZero UI field | NodeZero API field | Vulcan field |
Mitigations | Mitigations | Solution uniqueness criteria |
Fix actions from NodeZero | Fix actions from NodeZero | Fix - Title (title) |
Fix Actions (mitigations) | Mitigations | Fix - Description (description) |
References | References [list of URLs] | Fix - References (reference + reference_link) |
Vulnerability status mapping
Findings (instances) ingested from connectors are mapped into the Vulcan platform by status.
NodeZero status | Vulcan status |
Any weakness ingested is considered vulnerable | Vulnerable |
- | Fixed |
- | Acknowledged |
The statuses are mapped into the Findings page > Show <status> view:
Vulnerability score mapping
Risk scores ingested from connectors are converted into numeric scores and mapped into the Vulcan platform risk score field, which eventually impacts the contextualized risk calculation.
NodeZero score | Vulcan score |
Critical | 10 |
High | 7 |
Medium | 5 |
Low | 3 |
INFO | 0 |
The scores are mapped into the Score field of the Vulnerability details:
Status update Mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones.
The table below lists how the status update mechanism works in the NodeZero connector for the vulnerabilities and assets in the Vulcan Platform.
Status change | When? |
The asset is archived | - Asset not found on the connector's last sync |
The vulnerability instance status changes to "Fixed" | - If the vulnerability no longer appears in the scan findings |
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).
Support limitations and expected behavior
This section outlines any irregularities, expected behaviors, or limitations related to integrating the Vulcan Cyber ExposureOS platform and NodeZero. It also highlights details about ingested and non-ingested data to clarify data handling and functionality within this integration.
NodeZero performs penetration tests on asset groups such as domains, IP addresses, Git accounts, and AWS accounts. Each external or internal test identifies weaknesses, credentials, and impacts, which collectively form a set of attack vectors.
Vulnerabilities (Weaknesses):
Each vulnerability (weakness) is unique to the specific test.
If the same vulnerability is found in a different test, it is treated as a separate instance, with no correlation or historical tracking (last-seen information is not retained).
Scoring Mechanism:
The unique vulnerability score is based on the Base Score.
Vulcan fetches the finding score, corresponding to the Context Score in NodeZero.
Handling Duplicate Assets and Findings:
Multiple scans may identify the same asset. It will be treated as a single asset if it shares the same IP address in Vulcan.
The same finding may appear in multiple scans. To distinguish between instances, Vulcan appends the Scheduled Template UUID (provided by the user on the configuration page) to the finding’s unique identifier.
API endpoints in use
API version: 1.0
API | Use in Vulcan | Permissions required |
Authentication | API Key | |
Get scheduled pentest names query getScheduledPentests($pageInput: PageInput) { count: schedules_count schedulesPage: schedules_page(page_input: $pageInput) { schedules { id: uuid name is_disabled state last_op_tab { id: uuid portal_op_state op_template_name op_template_uuid } pentests_count: ops_count } } } VARIABLES { "pageInput": { "page_num": 1, "page_size": 100 } } | Generic Option Loader - Scheduled Pentest Names | Bearer Token |
Get latest pentest results query op_tabs_page( $page_input: PageInput, $exclude_sample_ops: Boolean ) { op_tabs_page( page_input: $page_input, exclude_sample_ops: $exclude_sample_ops ) { page_info { page_num, page_size } op_tabs { uuid op_state op_name completed_at schedule_uuid schedule_name scheduled_at scheduled_at_date op_template_uuid op_template_name } } } VARIABLES { "page_input": { "page_num": 1, "page_size": 1, "sort_inputs": [ { "order_by": "completed_at", "sort_order": "DESC", "nulls_first": false } ], "filter_by_inputs": [ { "field_name": "op_state", "values": ["done"] }, { "field_name": "schedule_uuid", "values": ["{{schedule_uuid}}"] } ] }, "exclude_sample_ops": true } | Get all relevant pentest uuids | Bearer Token |
Get Hosts CSV query hosts_csv_url($input: OpInput!) { hosts_csv_url(input: $input) } GRAPHQL VARIABLES { "input": { "op_id": "{{op_id}}" } } | Assets(Hosts) | Bearer Token |
Get Hosts details | Assets(Hosts) | Bearer Token |
Get Weaknesses CSV query weaknesses_csv_url($input: OpInput!) { weaknesses_csv_url(input: $input) } GRAPHQL VARIABLES { "input": { "op_id": "{{op_id}}" } } | Vulnerability Instance | Bearer Token |
Get weaknesses details | Assets(Hosts) | Bearer Token |
Data Validation
This section shows how to validate and compare data between Vulcan ExposureOS and the NodeZero platform.
Matching Asset Count
Objective: Ensure that the total number of assets (endpoints) in NodeZero matches the number of assets ingested into Vulcan.
In NodeZero:
Go to the Pentest screen in NodeZero.
Select Group By Scheduled.
Review all Scheduled Pentests you have chosen to integrate.
For each Scheduled Pentest, choose the first occurrence (typically the latest one).
For each selected Scheduled Pentest, count the number of hosts.
Sum these counts across all desired pentests.
In Vulcan:
Go to Assets.
Apply a filter:
Where → Asset → Connector is [Nodezero].
Verify that the number of assets displayed matches the total host count obtained from NodeZero.
Validations if an asset is not present in Vulcan:
Archive by date: Ensure the asset is not archived in Vulcan based on an outdated last-seen date.
Data pulling configuration: Verify that the relevant data-pulling configurations are correctly set on the connectors setup page. Make sure to click Save Changes if you modify the connector's setup.
Host Presence: Confirm that the asset in NodeZero has an IP and is visible in the Hosts tab.
Matching vulnerabilities count
Objective: Ensure that the number of unique vulnerabilities (as reported by NodeZero) matches the vulnerabilities displayed in Vulcan.
In NodeZero:
Go to the Pentest screen in NodeZero.
Select Group By Scheduled.
Review all Scheduled Pentests you have chosen to integrate.
For each integrated Scheduled Pentest, choose the first occurrence.
Go to the Weaknesses tab and click Export to CSV.
Open the CSV and filter out rows where the IP column is empty.
Remove duplicate rows based on WeaknessID (using Excel’s "Remove Duplicates" feature):
Select the Entire Table:
Highlight your data range (including the WeaknessID column).
Use the “Remove Duplicates” Tool:
Go to the Data tab → Table tools.
Click Remove Duplicates.
In the popup window:
Select only the WeaknessID column (uncheck all other columns).
Click OK to remove duplicate rows, keeping the first occurrence of each unique WeaknessID.
Sum the unique WeaknessIDs; this total represents the number of vulnerabilities in NodeZero.
In Vulcan:
Go to Vulnerabilities.
Apply a filter:
Where → Asset → Connector is [Nodezero].
The total unique vulnerability count in Vulcan should match the sum obtained from the CSV export.
Validations if a vulnerability is not present in Vulcan:
Data pulling configuration: The Scheduled Pentest on which the vulnerability was found might not have been integrated.
Data pulling configuration: The asset on which the vulnerability was found might have been archived (based on asset retention settings).
Matching findings (instances) count
Objective: Ensure that the total number of asset-vulnerability connections (findings) in NodeZero matches the findings count in Vulcan.
In NodeZero:
Go to the Pentest screen in NodeZero.
Select Group By Scheduled.
Go through all Scheduled Pentests you have chosen to integrate.
For each integrated Scheduled Pentest, choose the first occurrence.
Go to the Weaknesses tab and click Export to CSV.
Filter out rows with empty IP columns.
Sum the filtered weaknesses; this sum represents the total number of asset-vulnerability connections in NodeZero.
In Vulcan:
Go to Findings.
Apply the filter:
Where → Asset → Connector is [Nodezero].
The total findings count in Vulcan should equal the summed count from NodeZero.
Validations if a connection is not present in Vulcan:
The Pentest on which the vulnerability was found might not have been selected for integration.
The asset might have been archived due to exceeding the asset retention period.
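The CSV steps under "Matching vulnerabilities count" and "Matching findings (instances) count" can be scripted instead of done by hand in Excel. The following is an added example, not code from Vulcan or NodeZero: it drops rows with an empty IP, counts the remaining rows as findings, de-duplicates on WeaknessID, and sums the per-pentest results. The column names "WeaknessID" and "IP" follow this page; the pentest names, the Severity column and all sample rows are constructed.

```python
import csv
import io

# Constructed sample exports, one per Scheduled Pentest (not real NodeZero output).
SAMPLE_EXPORTS = {
    "weekly-internal": (
        "WeaknessID,IP,Severity\n"
        "EXAMPLE-0001,10.0.0.5,High\n"
        "EXAMPLE-0001,10.0.0.6,High\n"
        "EXAMPLE-0002,,Medium\n"        # no IP: excluded by the procedure
        "EXAMPLE-0003,10.0.0.5,Low\n"
    ),
    "monthly-external": (
        "WeaknessID,IP,Severity\n"
        "EXAMPLE-0001,203.0.113.7,High\n"
        "EXAMPLE-0004, ,Info\n"         # whitespace-only IP is treated as empty
    ),
}


def count_export(csv_text, id_col="WeaknessID", ip_col="IP"):
    """Return (findings, unique_vulnerabilities) for one weaknesses CSV export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = {id_col, ip_col} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export lacks expected columns: {sorted(missing)}")
    findings = 0
    weakness_ids = set()
    for row in reader:
        if not (row[ip_col] or "").strip():
            continue  # filter out rows where the IP column is empty
        findings += 1  # every remaining row is one asset-vulnerability connection
        weakness_ids.add((row[id_col] or "").strip())  # keep one entry per WeaknessID
    return findings, len(weakness_ids)


def expected_totals(exports):
    """Sum per-pentest counts; the page treats each weakness as unique to its test."""
    per_pentest = {name: count_export(text) for name, text in exports.items()}
    findings = sum(f for f, _ in per_pentest.values())
    vulnerabilities = sum(v for _, v in per_pentest.values())
    return per_pentest, findings, vulnerabilities


if __name__ == "__main__":
    per_pentest, findings, vulnerabilities = expected_totals(SAMPLE_EXPORTS)
    for name, (f, v) in per_pentest.items():
        print(f"{name}: findings={f} unique_weaknesses={v}")
    print(f"expected in Vulcan: findings={findings} vulnerabilities={vulnerabilities}")
```

To use it on real data, replace SAMPLE_EXPORTS with the text of each CSV exported from the Weaknesses tab, then compare the two totals with the filtered Findings and Vulnerabilities pages in Vulcan.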