Once your connectors are synced, and you are ready to review and manage your risk, you'll probably go to the Vulnerabilities or Assets pages. This is where you can review and filter your data to focus on what matters to you the most. Some CISOs tend to focus on the security posture state of specific assets or asset groups, while others focus on high-risk vulnerabilities all across the organization. This is why we have two pages to start from; Assets and Vulnerabilities.

There are two main approaches to evaluating and reviewing risks and vulnerabilities in the Vulcan Platform:

Both approaches present the same exact info, just from a different perspective.

On the Vulnerabilities page, your high-level view starts with vulnerabilities and breaks down to assets. In contrast, the Assets page starts with assets and breaks down to vulnerability instances. Whatever view you prefer, the risk calculation and data are the exact same.

When we have a vulnerability, we want to understand its risk and prioritization in our environment. What you should care about the most is the Max risk score of a vulnerability. But first, let's look at a single vulnerability and understand its risk calculation.

Go to the Vulnerabilities page and take a look at the presented vulnerabilities.

Each Vulnerability has a Max Risk and a Min Risk.

Max Risk of a unique vulnerability equals the highest risk found for the vulnerability instance affecting a specific asset. Min Risk is the lowest risk score of the vulnerability instance affecting a specific asset.

Now that we know what the Max Risk stands for, we need to understand how the vulnerability instance risk is calculated.

The vulnerability instance risk score ("atomic risk") stands for the individual risk associated with a single vulnerability on a single asset. All the risk calculations, SLAs, and automation are highly based on the vulnerability instance risk.

So, what is the vulnerability instance risk score comprised of?

A vulnerability instance risk score calculates 3 factors; Technical Severity, Threats, and Tags. To calculate the final and business-contextualized risk of a vulnerability instance, Vulcan uses the risk weights you defined.

Note: Threats are used in the calculation only for vulnerabilities that have CVEs. For non-CVE vulnerabilities, only Technical Severity and Tags are used in the calculation.

For example:

Let's take the "KB4551853: Windows 10 Version 1809 and Windows Server 2019 May 2020 Security Update" vulnerability instance on the "SCCM-VULCAN19" asset and analyze its risk calculation based on each of the factors.

Now let's look at the risk weights defined in the environment:

45% (0.45) for Technical Severity, 35% (0.35) for Threats, and 20% (0.2) for Tags.

The resulting calculation would be as follows:

When looking at assets in a cyber-security context, we should look at high-impact assets that are at high risk. This means that we prioritize assets we tagged as important and have a Critical/High-risk score as their max risk.

The max risk of an asset equals the highest risk found on a unique vulnerability affecting a specific asset, which equals the max risk of the vulnerability instance affecting the asset.

Go to the Assets page and take a look at the presented assets.

Each asset has a Max risk and vulnerability instances count. By glancing at any asset row, you can quickly gather how many vulnerability instances exist on each asset and the Max risk score of at least one of the vulnerability instances existing on this asset.

Enter an asset to see the full list of vulnerability instances on the asset and the Min-Max risk scores of all instances.

In the example below, the max risk score is 100, and the min is 64.