Understanding Vulnerabilities
AttackLens automatically detects known vulnerabilities in your infrastructure by correlating software inventory data with vulnerability databases. This page explains how vulnerability detection works, what data sources are used, and how vulnerabilities are scored and prioritized.
What Is Vulnerability Correlation?
Vulnerability correlation is the process of matching the software installed on your assets against known vulnerability databases to identify which packages have published security flaws.
AttackLens collects software inventory from two sources:
- Sensors: Agents installed on endpoints that report installed packages, versions, and ecosystems
- Discovery adapters: Cloud provider connections that retrieve resource configurations
This inventory data is then compared against vulnerability feeds to identify matches. When a match is found, a vulnerability finding is created that links the CVE to the specific asset and package.
Data Sources
AttackLens uses multiple data sources to provide comprehensive vulnerability coverage:
OSV (Open Source Vulnerabilities)
OSV.dev is the primary vulnerability data source. OSV aggregates vulnerability information from multiple ecosystems and provides precise version range data for affected packages.
OSV covers:
- Linux distributions (Debian, Ubuntu, Alpine, RHEL, SUSE)
- Programming language packages (npm, PyPI, Maven, Go, Rust, RubyGems)
- Operating system packages (Windows, macOS)
CVSS (Common Vulnerability Scoring System)
Each vulnerability includes a CVSS score and CVSS vector when available. AttackLens uses CVSS v3.1 scores to assess the technical severity of vulnerabilities.
CVSS scores range from 0.0 to 10.0:
| Range | Severity | Description |
|---|---|---|
| 9.0 -- 10.0 | Critical | Easily exploitable, severe impact, often no authentication required |
| 7.0 -- 8.9 | High | Significant risk, may require some conditions to exploit |
| 4.0 -- 6.9 | Medium | Moderate risk, may require local access or user interaction |
| 0.1 -- 3.9 | Low | Limited impact, difficult to exploit |
EPSS (Exploit Prediction Scoring System)
EPSS provides a probability score (0-100%) estimating the likelihood that a vulnerability will be exploited in the wild within the next 30 days. See EPSS and KEV for details.
CISA KEV (Known Exploited Vulnerabilities)
The CISA KEV catalog lists vulnerabilities that are known to be actively exploited. AttackLens flags vulnerabilities that appear in the KEV catalog. See EPSS and KEV for details.
How Vulnerability Detection Works
The detection pipeline follows this process:
- Inventory collection: Sensors and adapters collect software package information from assets (package name, version, ecosystem)
- Feed sync: AttackLens periodically synchronizes vulnerability data from OSV, EPSS, and CISA KEV through the feed system
- Correlation: The vulnerability correlation engine matches installed packages against known vulnerable version ranges
- Scoring: Each match is scored using CVSS, EPSS, and a composite Risk Score
- Finding creation: A vulnerability finding is created linking the CVE to the specific asset and package
INFO
The vulnerability correlation engine runs automatically whenever new inventory data is collected or new vulnerability data is synced from the feed. There is no manual step required.
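The correlation step above, sketched as an added example (not AttackLens code): installed packages are matched by ecosystem and name against OSV-style `introduced`/`fixed` range events, and each match is labelled with the CVSS severity bands from this page. The function names, the flattened record layout, the dotted-numeric version comparison and all sample data (including the placeholder IDs) are assumptions made for illustration.

```python
def parse_version(v):
    # Assumption: dotted numeric versions; real ecosystems need their own comparators.
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (4 - len(parts))

def is_affected(version, events):
    # OSV-style range events: "introduced" opens an affected window, "fixed" closes it.
    v, hit = parse_version(version), False
    for ev in sorted(events, key=lambda e: parse_version(next(iter(e.values())))):
        kind, bound = next(iter(ev.items()))
        if kind == "introduced" and v >= parse_version(bound):
            hit = True
        elif kind == "fixed" and v >= parse_version(bound):
            hit = False
    return hit

def severity(cvss):
    # Bands from the CVSS table on this page; a missing score stays unrated.
    if cvss is None:
        return "Unknown"
    for floor, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if cvss >= floor:
            return label
    return "None"  # 0.0 sits below the lowest band in the table

def correlate(inventory, advisories):
    findings = []
    for asset, packages in inventory.items():
        for pkg in packages:
            for adv in advisories:
                # Ecosystem must match as well as name: npm and PyPI can share a package name.
                if (adv["ecosystem"], adv["name"]) != (pkg["ecosystem"], pkg["name"]):
                    continue
                if is_affected(pkg["version"], adv["events"]):
                    findings.append((asset, pkg["name"], pkg["version"], adv["id"], severity(adv["cvss"])))
    return findings

ADVISORIES = [  # constructed records with placeholder IDs, not real advisories
    {"id": "CVE-EXAMPLE-0001", "ecosystem": "PyPI", "name": "examplelib", "cvss": 9.8,
     "events": [{"introduced": "0"}, {"fixed": "1.4.2"}, {"introduced": "2.0.0"}, {"fixed": "2.1.0"}]},
    {"id": "CVE-EXAMPLE-0002", "ecosystem": "npm", "name": "examplelib", "cvss": None,
     "events": [{"introduced": "3.0.0"}]},
]
INVENTORY = {  # constructed sensor inventory
    "web-01": [{"ecosystem": "PyPI", "name": "examplelib", "version": "2.0.5"}],
    "web-02": [{"ecosystem": "PyPI", "name": "examplelib", "version": "1.4.2"}],
    "build-01": [{"ecosystem": "npm", "name": "examplelib", "version": "3.1.0"}],
}

print(*correlate(INVENTORY, ADVISORIES), sep="\n")
```

`web-02` produces no finding because 1.4.2 is exactly the fixed version of the first window, while `web-01` at 2.0.5 falls inside the second, re-introduced window of the same advisory.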
Risk Score
AttackLens calculates a composite Risk Score (0.0 -- 10.0) for each vulnerability finding that combines multiple factors:
- CVSS score: Technical severity
- EPSS score: Likelihood of exploitation
- CISA KEV status: Whether active exploitation is known
The risk score provides a single prioritization metric that accounts for both the severity and the real-world exploitability of a vulnerability.
Vulnerability Status
| Status | Description |
|---|---|
| Open | The vulnerability is currently present on the asset (vulnerable version is still installed) |
| Resolved | The vulnerability has been remediated (the package was updated to a fixed version) |
Severity Levels
Vulnerabilities are classified into severity levels based on their CVSS score:
| Severity | CVSS Range | Color |
|---|---|---|
| Critical | 9.0 -- 10.0 | Red |
| High | 7.0 -- 8.9 | Orange |
| Medium | 4.0 -- 6.9 | Yellow |
| Low | 0.1 -- 3.9 | Blue |
Integration with Attack Graph
Vulnerability findings feed into the Attack Graph, where they appear as properties on software nodes. Vulnerabilities with high EPSS scores, CISA KEV status, or remote code execution potential increase the risk profile of the affected nodes and may contribute to identified attack paths.
Related Pages
- View Vulnerabilities: Browse and filter the vulnerability list
- Vulnerability Detail: Deep dive into a specific vulnerability
- EPSS and KEV: Understand exploitation probability and known exploits
- Understanding Inventory: How software inventory is collected