Skip to main content

Remediation

Threat Radar

Threat Radar is your security team's morning newspaper. It answers the first question anyone asks — "Am I safe today?" — then shows the exploited and zero-day slice of your vulnerabilities, ranked by live intelligence, with your own blast radius on every item. It's a prioritization lens; the full per-asset findings still live in Vulnerabilities.

What it's for

  • Get the day's answer first — a single line at the top tells you whether anything needs action right now.
  • Watch the threat world — a chronological feed of new advisories, each one tagged with how many of your assets it affects.
  • Focus on what touches you — the threats confirmed on your systems or predicted from your installed software, worst first.
  • Act on one threat — open any item for the full story, and drive an action without leaving the screen.

The Today hero and threat counters

The banner at the top is the Today hero. It turns calm green when you're clear and warm red when something needs attention, and it states your posture in plain language — for example how many threats need action now and how many new advisories in the last 24 hours affect you. It also shows how many of your assets are exposed (confirmed by a scan, or predicted from software), and when the data was last refreshed.

Threat Radar — the Today hero, the tier counters, and the intelligence feed

To the right are four tier counters. Each is a filter — click one to narrow the current view to that tier:

CounterWhat it means
Act NowExploited in the wild with no fix available — the most urgent.
Patch NowSerious and actionable — a fix exists, apply it.
WatchEmerging and worth monitoring.
FYIFor awareness.

Two more controls sit alongside the counters:

  • Report — opens the Zero-Day Alert report.
  • Settings(administrators only.) Opens Threat Radar settings (see below).

Refreshing the data

Next to the posture line, the Updated… control both tells you how fresh the data is and, when clicked, pulls the latest intelligence and recomputes your exposure. Click the small arrow beside it to expand a read-only Data freshness panel showing when your exposure was last recomputed, when your confirmed counts were last proven by a scan, and each intelligence source's last sync. When scanless matching is in play, the panel also shows a Software inventory (scanless matching) section — per source, how many assets and packages were matched and when that inventory was last collected.

Search and filter chips

Below the hero (on every tab except Overview) is a search box and a row of filter chips. Search by CVE or title; if you type a full CVE identifier that isn't in the current list, Threat Radar offers to look it up across the global advisory corpus and answer "am I exposed?".

Each chip shows a live count and toggles a filter:

ChipWhat it shows
Affects meOnly threats present in your environment.
ExploitedThreats being exploited in the wild.
RansomwareThreats with known ransomware-campaign use.
No fix yetThreats with no vendor fix available.
Fix availableThreats a fix already exists for.
New todayAdvisories published in the last day (on the Intelligence Feed).
PoC releasedThreats with a public proof-of-concept exploit.

A chip that doesn't apply to the current tab is greyed out.

The tabs

A row of tabs sits under the search bar:

Overview

An executive at-a-glance read of your zero-day posture: how exposed you are, the worst threats, and whether fixes exist. It also offers an on-demand AI summary — what to fix first: click Generate brief for a grounded, prioritized read of your open threats, with a short list of top priorities (each linking straight to the threat) and a watch list. If no default AI model is configured for the tenant, this (and other AI actions on this page) fails with "No AI model configured. Set a default in AI Labs settings."

Intelligence Feed

What's new in the threat world over roughly the last week, grouped by day (Today, Yesterday, and dated days before). Every card carries your blast radius — how many of your assets are confirmed or predicted affected, or "Not in your environment" — plus severity, scores, and fix status. Click any card to open its detail.

Threats

Every threat Threat Radar tracks, worst first. This tab has its own controls:

ControlWhat it does
Only what affects meToggles between just your exposure and every tracked threat.
EvidenceFilters to All, Confirmed (scan-proven), or Predicted (inferred from installed software).
AI triage(Administrators only.) Asks the AI to suggest an action and priority for each open threat — a suggestion that never changes a status on its own.
Zero-Day reportOpens the Zero-Day Alert report.
Export CSVDownloads the current filtered list.
View dismissedReviews previously dismissed threats, where you can restore one.

Software

Software in your environment ranked by threat pressure. Toggle By software (real products) versus By plugin (raw scan checks), and click any row to see the threats tied to that software.

The detail drawer

Click any threat, feed card, or search result to open a drawer with the full story. It leads with the answer first — a green "You are NOT exposed" or a red "You are exposed: N confirmed (+ N predicted) assets" line — then lays out two clearly separated axes: Threat (in the world) and Your exposure.

The Threat Radar detail drawer — verdict, the threat and exposure axes, and the action buttons

The drawer includes:

  • Why predicted — when exposure is inferred from installed software rather than a scan, the matched packages and inventory sources behind the prediction.
  • Affected assets — the named systems (confirmed and predicted), each with the installed version that matched.
  • Scores — severity, CVSS, EPSS, and status.
  • Fix status — whether a fix exists (and its version), or a note that none is known yet and you'll be told when one releases.
  • What it is — a plain-text description of the vulnerability.
  • Timeline — the world's story and your story interleaved, with your own events marked YOU.
  • Affected products / packages and Evidence — dated citations such as proof-of-concept repositories and the date it was added to the exploited-in-the-wild list.
  • Awareness receipt — when the advisory was published, when it entered your intelligence, and when your exposure was computed.

Acting on a threat

The action row at the bottom of the drawer adapts to your exposure:

ActionWhat it does
View in Vulnerabilities / View matched softwareOpens the affected findings in Vulnerabilities, or — for a prediction with no scan finding yet — the matched software in your inventory.
Ask AIOpens the assistant to discuss this threat.
AI BriefingGenerates a short briefing grounded in your exposure data.
Draft ticketDrafts a remediation ticket from the threat, ready to copy.
AI triageSuggests a recommended action and priority (suggestion only).
Check predictionFor a predicted exposure, gives an AI second opinion on whether it's a true or false positive — advisory only; a scan stays authoritative.
Copy summaryCopies an executive summary to your clipboard.
WatchFollows this vulnerability so you're notified of changes.
DismissRemoves the threat from your open lists after you record a required, audited reason.

Threat Radar settings (administrators)

Administrators can open Settings from the hero to tune how the Radar behaves. The panel is organized into sections:

  • Intel sources — a read-only health view of each intelligence source's last sync, with a Refresh to re-pull them all now and a Manage link to the intelligence admin page.
  • Intelligence refresh — the Refresh cadence: how often the Radar pulls new intelligence and recomputes your exposure.
  • Classification thresholds — the Emerging window (how recent a vulnerability must be to reach the Watch and FYI tiers) and the EPSS and CVSS floors that a recent vulnerability must clear to reach the Watch tier.
  • Alert notifications — turn notifications on or off, choose the minimum tier that triggers them, restrict to scan-confirmed exposure only, pick channels (in-app, email, Slack, Microsoft Teams, webhook), add extra recipients, and Send a test alert to confirm delivery end to end.
  • Morning digest — an opt-in daily email of new alerts, fix releases, and urgent exposure, scheduled in your chosen time zone and sent only when there's something to report.
Slack and Teams delivery

Choosing Slack or Microsoft Teams as a channel also requires your administrator to turn on delivery for those services. Intelligence-source keys are managed centrally, not from this panel.

Common workflows

Workflow: check whether a new headline vulnerability affects you

  1. Open Threat Radar and read the Today hero — it tells you at a glance whether anything needs action now.

    Step 1 — the Today hero answering "am I safe today?"
  2. Type the CVE into the search box. If it isn't already listed, click the offer to open its intelligence.

    Step 2 — searching for a specific CVE
  3. Read the drawer's verdict line — exposed or not exposed — and, if you're exposed, click View in Vulnerabilities to see the affected systems, or Draft ticket to start the fix.

    Step 3 — the drawer's answer-first verdict and action buttons

Workflow: triage today's exposure

  1. Open the Threats tab and turn on Only what affects me.
  2. Click the Act Now counter to surface the most urgent threats first.
  3. Open a threat, review the story and evidence, then Draft ticket or Dismiss it with a reason.