Remediation
Threat Radar
Threat Radar is your security team's morning newspaper. It answers the first question anyone asks — "Am I safe today?" — then shows the exploited and zero-day slice of your vulnerabilities, ranked by live intelligence, with your own blast radius on every item. It's a prioritization lens; the full per-asset findings still live in Vulnerabilities.
What it's for
- Get the day's answer first — a single line at the top tells you whether anything needs action right now.
- Watch the threat world — a chronological feed of new advisories, each one tagged with how many of your assets it affects.
- Focus on what touches you — the threats confirmed on your systems or predicted from your installed software, worst first.
- Act on one threat — open any item for the full story, and drive an action without leaving the screen.
The Today hero and threat counters
The banner at the top is the Today hero. It turns calm green when you're clear and warm red when something needs attention, and it states your posture in plain language — for example how many threats need action now and how many new advisories in the last 24 hours affect you. It also shows how many of your assets are exposed (confirmed by a scan, or predicted from software), and when the data was last refreshed.
To the right are four tier counters. Each is a filter — click one to narrow the current view to that tier:
| Counter | What it means |
|---|---|
| Act Now | Exploited in the wild with no fix available — the most urgent. |
| Patch Now | Serious and actionable — a fix exists, apply it. |
| Watch | Emerging and worth monitoring. |
| FYI | For awareness. |
Two more controls sit alongside the counters:
- Report — opens the Zero-Day Alert report.
- Settings — (administrators only.) Opens Threat Radar settings (see below).
Refreshing the data
Next to the posture line, the Updated… control both tells you how fresh the data is and, when clicked, pulls the latest intelligence and recomputes your exposure. Click the small arrow beside it to expand a read-only Data freshness panel showing when your exposure was last recomputed, when your confirmed counts were last proven by a scan, and each intelligence source's last sync. When scanless matching is in play, the panel also shows a Software inventory (scanless matching) section — per source, how many assets and packages were matched and when that inventory was last collected.
Search and filter chips
Below the hero (on every tab except Overview) is a search box and a row of filter chips. Search by CVE or title; if you type a full CVE identifier that isn't in the current list, Threat Radar offers to look it up across the global advisory corpus and answer "am I exposed?".
Each chip shows a live count and toggles a filter:
| Chip | What it shows |
|---|---|
| Affects me | Only threats present in your environment. |
| Exploited | Threats being exploited in the wild. |
| Ransomware | Threats with known ransomware-campaign use. |
| No fix yet | Threats with no vendor fix available. |
| Fix available | Threats a fix already exists for. |
| New today | Advisories published in the last day (on the Intelligence Feed). |
| PoC released | Threats with a public proof-of-concept exploit. |
A chip that doesn't apply to the current tab is greyed out.
The tabs
A row of tabs sits under the search bar:
Overview
An executive at-a-glance read of your zero-day posture: how exposed you are, the worst threats, and whether fixes exist. It also offers an on-demand AI summary — what to fix first: click Generate brief for a grounded, prioritized read of your open threats, with a short list of top priorities (each linking straight to the threat) and a watch list. If no default AI model is configured for the tenant, this (and other AI actions on this page) fails with "No AI model configured. Set a default in AI Labs settings."
Intelligence Feed
What's new in the threat world over roughly the last week, grouped by day (Today, Yesterday, and dated days before). Every card carries your blast radius — how many of your assets are confirmed or predicted affected, or "Not in your environment" — plus severity, scores, and fix status. Click any card to open its detail.
Threats
Every threat Threat Radar tracks, worst first. This tab has its own controls:
| Control | What it does |
|---|---|
| Only what affects me | Toggles between just your exposure and every tracked threat. |
| Evidence | Filters to All, Confirmed (scan-proven), or Predicted (inferred from installed software). |
| AI triage | (Administrators only.) Asks the AI to suggest an action and priority for each open threat — a suggestion that never changes a status on its own. |
| Zero-Day report | Opens the Zero-Day Alert report. |
| Export CSV | Downloads the current filtered list. |
| View dismissed | Reviews previously dismissed threats, where you can restore one. |
Software
Software in your environment ranked by threat pressure. Toggle By software (real products) versus By plugin (raw scan checks), and click any row to see the threats tied to that software.
The detail drawer
Click any threat, feed card, or search result to open a drawer with the full story. It leads with the answer first — a green "You are NOT exposed" or a red "You are exposed: N confirmed (+ N predicted) assets" line — then lays out two clearly separated axes: Threat (in the world) and Your exposure.
The drawer includes:
- Why predicted — when exposure is inferred from installed software rather than a scan, the matched packages and inventory sources behind the prediction.
- Affected assets — the named systems (confirmed and predicted), each with the installed version that matched.
- Scores — severity, CVSS, EPSS, and status.
- Fix status — whether a fix exists (and its version), or a note that none is known yet and you'll be told when one releases.
- What it is — a plain-text description of the vulnerability.
- Timeline — the world's story and your story interleaved, with your own events marked YOU.
- Affected products / packages and Evidence — dated citations such as proof-of-concept repositories and the date it was added to the exploited-in-the-wild list.
- Awareness receipt — when the advisory was published, when it entered your intelligence, and when your exposure was computed.
Acting on a threat
The action row at the bottom of the drawer adapts to your exposure:
| Action | What it does |
|---|---|
| View in Vulnerabilities / View matched software | Opens the affected findings in Vulnerabilities, or — for a prediction with no scan finding yet — the matched software in your inventory. |
| Ask AI | Opens the assistant to discuss this threat. |
| AI Briefing | Generates a short briefing grounded in your exposure data. |
| Draft ticket | Drafts a remediation ticket from the threat, ready to copy. |
| AI triage | Suggests a recommended action and priority (suggestion only). |
| Check prediction | For a predicted exposure, gives an AI second opinion on whether it's a true or false positive — advisory only; a scan stays authoritative. |
| Copy summary | Copies an executive summary to your clipboard. |
| Watch | Follows this vulnerability so you're notified of changes. |
| Dismiss | Removes the threat from your open lists after you record a required, audited reason. |
Threat Radar settings (administrators)
Administrators can open Settings from the hero to tune how the Radar behaves. The panel is organized into sections:
- Intel sources — a read-only health view of each intelligence source's last sync, with a Refresh to re-pull them all now and a Manage link to the intelligence admin page.
- Intelligence refresh — the Refresh cadence: how often the Radar pulls new intelligence and recomputes your exposure.
- Classification thresholds — the Emerging window (how recent a vulnerability must be to reach the Watch and FYI tiers) and the EPSS and CVSS floors that a recent vulnerability must clear to reach the Watch tier.
- Alert notifications — turn notifications on or off, choose the minimum tier that triggers them, restrict to scan-confirmed exposure only, pick channels (in-app, email, Slack, Microsoft Teams, webhook), add extra recipients, and Send a test alert to confirm delivery end to end.
- Morning digest — an opt-in daily email of new alerts, fix releases, and urgent exposure, scheduled in your chosen time zone and sent only when there's something to report.
Choosing Slack or Microsoft Teams as a channel also requires your administrator to turn on delivery for those services. Intelligence-source keys are managed centrally, not from this panel.
Common workflows
Workflow: check whether a new headline vulnerability affects you
-
Open Threat Radar and read the Today hero — it tells you at a glance whether anything needs action now.
Step 1 — the Today hero answering "am I safe today?" -
Type the CVE into the search box. If it isn't already listed, click the offer to open its intelligence.
Step 2 — searching for a specific CVE -
Read the drawer's verdict line — exposed or not exposed — and, if you're exposed, click View in Vulnerabilities to see the affected systems, or Draft ticket to start the fix.
Step 3 — the drawer's answer-first verdict and action buttons
Workflow: triage today's exposure
- Open the Threats tab and turn on Only what affects me.
- Click the Act Now counter to surface the most urgent threats first.
- Open a threat, review the story and evidence, then Draft ticket or Dismiss it with a reason.