Exposure Management
Running & viewing scans
The Scans screen is your control room for everything a scanner does. From here you create scans, point them at targets, run them on demand or on a schedule, watch progress in real time, and open any completed run to read and export its findings.
What it's for
- See every scan at a glance — name, engine, status, when it last ran, and how many findings it produced.
- Create and configure scans — pick a template, set targets, tune options, and choose when it runs.
- Follow scans live and read results — track progress as a scan runs, then drill into hosts, findings, remediations, and compliance.
The screens in it
The Scans area has three views:
- The scan list — a folders sidebar, a toolbar, and a table of your scans.
- The New Scan wizard — an engine picker, then (for WeaverScan) a template picker, then a configuration form.
- The scan detail view — one scan's runs, progress, and results.
The folders sidebar
The sidebar on the left groups your scans. Collapse or expand it with the chevron at its top.
| Item | What it does |
|---|---|
| All Scans | Shows every scan, with the total count beside it. |
| Your folders | Folders you've created to organize scans. Hover a folder to rename or delete it; deleting a folder moves its scans back to unfiled. |
| Trash | Scans you've deleted. From here you can restore a scan or remove it permanently. |
| Smart Folders | Ready-made, automatic groupings — Running Scans, Failed Scans, Scheduled Scans, and Compliance Scans — each with a live count. Selecting one filters the list to matching scans. |
| New Folder | Creates a folder. Type a name and confirm to add it. |
The toolbar
The toolbar runs across the top of the scan table.
| Control | What it does |
|---|---|
| Search | Filters the list as you type. Press / anywhere on the page to jump to the search box. |
| Engine filter | Narrows the list to one scanner — All engines, Tenable, Qualys, Rapid7, or WeaverScan (the built-in engine). |
| Refresh | Reloads the scan list. |
| Scan Config | Opens the scan-configuration settings in Admin. |
| Trends | Opens scan analytics and trends over time. |
| Empty Trash | (Shown only in Trash.) Permanently removes everything in the Trash. |
| Keyboard shortcuts (?) | Opens a quick reference of shortcuts — new scan, refresh, focus search, close, delete, select all. |
| New Scan | Starts the New Scan wizard. |
Bulk actions
Tick the checkbox on one or more rows (or the header checkbox to select all) and a bar appears with actions that apply to your selection: Launch, Stop, Delete, and — when exactly two scans are selected — Compare. Clear deselects everything.
The scan table
Each row is one scan.
| Column | What it shows |
|---|---|
| Name | The scan's name. Click it to open the scan detail view. |
| Engine | Which scanner runs it. |
| Status | Current state — Created, Queued, Running, Paused, Completed, Failed, Canceled, or Stopped. Running scans pulse. |
| Last Run | When the scan most recently ran. |
| Findings | How many findings the latest run produced. |
| Progress | A live progress bar while the scan is running. |
| Actions | Per-row buttons (below). |
Row actions
The buttons available depend on the scan's status:
| Action | What it does |
|---|---|
| Launch | Starts the scan now. |
| Pause / Resume | Temporarily halts a running scan, or continues a paused one. |
| Stop / Cancel | Ends a running or queued scan. |
| Edit | Reopens the configuration form for the scan. |
| Clone | Creates a copy you can adjust and run separately. |
| Delete | Moves the scan to Trash. |
The New Scan wizard
Clicking New Scan opens the wizard. It always starts with a choice of scanner engine — what happens next depends on which one you pick.
Step 1 — choose a scanner engine
The wizard opens on an engine picker, not a template list. Two engines are selectable today:
| Engine | What happens next |
|---|---|
| WeaverScan (built-in) | Native ThreatWeaver scanning. Moves on to a template gallery, then a full configuration form. |
| Tenable.io | Routes the scan to Tenable Vulnerability Management. Skips the template gallery entirely and opens a Tenable-specific configuration screen. Requires a Tenable API key configured in Admin. |
Nuclei, OpenVAS, Qualys, and Rapid7 appear alongside them as disabled "Coming soon" tiles — you can't launch or create a scan on any of these four from this wizard yet. Qualys and Rapid7 already support saving API credentials and testing the connection under Admin (see Scanner connections & history), but that's a separate capability from launching a scan here.
Step 2 — pick a template (WeaverScan only)
Choosing WeaverScan brings you to a template gallery. Templates are ready-made scan definitions grouped by purpose. Search across templates, or narrow them with the filters:
| Filter | What it narrows to |
|---|---|
| Category | Vulnerability, discovery, compliance, web, cloud, or specialized templates. |
| Target type | The kind of target the template is built for — host, network, web, API, cloud, container, agent, and more. |
| Credentials | Templates that need no credentials, treat them as optional, or require them. |
| Risk | The template's intrusiveness — low, medium, or high. |
Each template card also offers Compare, Clone, and (for your own custom templates) Delete. Choosing Tenable.io in Step 1 skips this gallery — a Tenable scan isn't built from a ThreatWeaver template.
Step 3 — configure the scan
The configuration form opens with a row of tabs. For a Tenable scan, only the Basic tab applies — the other tabs are WeaverScan-only and have no effect on a Tenable scan.
| Tab | What you set |
|---|---|
| Basic | Scan name, targets (IPs, CIDR ranges, or hostnames), the schedule, completion notifications, and whether to launch immediately. On a Tenable scan this tab also carries the Tenable-specific section described below. |
| Discovery | The port range to scan, plus host-discovery methods: ICMP Ping, ARP Discovery, TCP SYN Probe, and UDP Discovery. |
| Assessment | Thorough Mode (exhaustive but slower checks), Web Application Scanning (SQL injection, XSS, CSRF, and similar checks), Brute Force Testing (tests for default/weak credentials — this can trigger account lockouts on your targets, so use it deliberately), and Safe Checks Only (skips checks that could crash a service or device). |
| Advanced | Performance tuning (Max Concurrent Hosts, Max Checks/Host, Network Timeout) and AI-Assisted Analysis — see below. |
| Credentials | Informational only in this wizard. It explains why authenticated scanning matters and links to Admin to manage credentials — there's no credential picker here, so you can't attach a credential to the scan from this tab. |
Tenable.io: a different Basic tab
A Tenable scan's Basic tab isn't the same form as WeaverScan's. It adds a Tenable Vulnerability Management section above the usual name/targets/ schedule fields, with two modes:
- Run an existing Tenable scan — pick one of your existing Tenable scans from a list. It's read-only and launches as-is; its targets and template are owned by Tenable, not ThreatWeaver.
- Create a new Tenable scan — pick a Tenable scan template, a Tenable scanner, an optional Tenable folder, and optionally attach one or more managed credentials from Tenable. The name, targets, and options from this wizard are sent to Tenable to create the scan.
AI-Assisted Analysis (Advanced tab)
Turning on Enable AI Enrichment reveals four sub-toggles that run after the scan completes: Risk Context (explains why each finding matters), Remediation Guidance (prioritized, step-by-step fix instructions), Attack Path Analysis (how findings chain together into exploit paths), and Executive Summary (a high-level risk narrative for leadership reporting). Enrichment requires an AI provider configured in Admin.
The schedule builder
On the Basic tab, the Schedule control sets how often the scan runs:
| Choice | What happens |
|---|---|
| Manual (On Demand) | The scan runs only when you launch it. |
| Once | Runs a single time at a date and time you pick. |
| Hourly | Runs every hour, starting at a time you set. |
| Daily | Runs once a day at a chosen time. |
| Weekly | Runs on the days of the week you select, at a chosen time. |
| Monthly | Runs on a chosen day of the month, at a chosen time. |
| Continuous | Repeats on a fixed interval you set in minutes. |
For any recurring choice you also pick a timezone so the scan runs at the right local time. Tick Notify on completion to email a result summary, and Launch immediately after creation to run the scan as soon as you save it.
Save with Create Scan (or Create & Launch if you chose to launch immediately). When editing an existing scan, the button reads Save Changes.
The scan detail view
Clicking a scan opens its detail view.
- Header — the scan's name and status, with the same action buttons as the list. While a scan runs, a progress bar shows percent complete, hosts finished, a running severity tally, and elapsed time.
- Run selector — a scan can run many times; pick which run to view. When a scan has two or more runs, Compare Runs shows two side by side so you can see what changed.
- Export — saves the selected run as a report (see below).
- Compliance Report — appears when a run has compliance results, and opens a formatted compliance summary.
Result tabs
Beneath the header, tabs break the selected run down. Which tabs appear depends on what the scan produced:
| Tab | What it shows |
|---|---|
| Summary | Severity breakdown, scan information, and top vulnerabilities and hosts. |
| Live | (While a scan is running.) Findings streaming in as they're discovered. |
| Hosts | Every host the run touched, with its IP, hostname, OS, findings, and risk score. |
| Findings | The full list of findings, which you can group by root cause, remediation, system, or risk theme. |
| Remediations | Recommended fixes, prioritized. |
| Activity Log | A timeline of what happened during the run. |
| Compliance / Web Scan / Discovery / Container / Cloud Posture | Specialized results, shown only when the run produced that kind of finding. |
Export formats
The Export menu on a run offers:
- Export as CSV — the findings as a spreadsheet.
- Export as JSON — the findings as structured data.
- Executive Summary (HTML) — a leadership-friendly overview, opened in a new tab.
- Technical Report (HTML) — the full technical detail, opened in a new tab.
Which sections appear in the HTML exports — and the company name and logo they carry — are controlled by Report Settings, configured under Admin; see Scanner settings for what it covers.
Common workflows
Workflow: create and launch a scan
-
Click New Scan.
Step 1 — the New Scan wizard's engine picker -
Choose the WeaverScan (built-in) tile, then pick a template that matches what you want to scan. The configuration form opens.
-
On the Basic tab, give the scan a name and enter your targets — IP addresses, CIDR ranges, or hostnames, one per line.
Step 3 — naming the scan and entering targets -
Leave the schedule on Manual, tick Launch immediately after creation, and click Create & Launch.
-
The scan opens in the detail view and begins running. Watch the progress bar and the Live tab as findings arrive.
Step 5 — a scan running, with live progress and findings
Workflow: schedule a recurring scan
- Start a New Scan (or Edit an existing one) and open the Basic tab.
- Set the Schedule to Weekly, choose the days and time of day, and pick your timezone.
- Tick Notify on completion and enter an email address to be told each time the scan finishes.
- Click Create Scan. The scan now appears under the Scheduled Scans smart folder and runs on its own.
Workflow: read and export a run
- Click a completed scan to open its detail view.
- In the Run selector, choose the run you want to review.
- Open the Findings tab and, if you like, group the findings by remediation to see the fixes that clear the most at once.
- Click Export and choose a format — for example Executive Summary (HTML) to share with leadership, or CSV for further analysis.