Skip to main content

Exposure Management

Running & viewing scans

The Scans screen is your control room for everything a scanner does. From here you create scans, point them at targets, run them on demand or on a schedule, watch progress in real time, and open any completed run to read and export its findings.

What it's for

  • See every scan at a glance — name, engine, status, when it last ran, and how many findings it produced.
  • Create and configure scans — pick a template, set targets, tune options, and choose when it runs.
  • Follow scans live and read results — track progress as a scan runs, then drill into hosts, findings, remediations, and compliance.

The screens in it

The Scans area has three views:

  1. The scan list — a folders sidebar, a toolbar, and a table of your scans.
  2. The New Scan wizard — an engine picker, then (for WeaverScan) a template picker, then a configuration form.
  3. The scan detail view — one scan's runs, progress, and results.
The Scans list — sidebar, toolbar, and the scan table

The folders sidebar

The sidebar on the left groups your scans. Collapse or expand it with the chevron at its top.

ItemWhat it does
All ScansShows every scan, with the total count beside it.
Your foldersFolders you've created to organize scans. Hover a folder to rename or delete it; deleting a folder moves its scans back to unfiled.
TrashScans you've deleted. From here you can restore a scan or remove it permanently.
Smart FoldersReady-made, automatic groupings — Running Scans, Failed Scans, Scheduled Scans, and Compliance Scans — each with a live count. Selecting one filters the list to matching scans.
New FolderCreates a folder. Type a name and confirm to add it.

The toolbar

The toolbar runs across the top of the scan table.

ControlWhat it does
SearchFilters the list as you type. Press / anywhere on the page to jump to the search box.
Engine filterNarrows the list to one scanner — All engines, Tenable, Qualys, Rapid7, or WeaverScan (the built-in engine).
RefreshReloads the scan list.
Scan ConfigOpens the scan-configuration settings in Admin.
TrendsOpens scan analytics and trends over time.
Empty Trash(Shown only in Trash.) Permanently removes everything in the Trash.
Keyboard shortcuts (?)Opens a quick reference of shortcuts — new scan, refresh, focus search, close, delete, select all.
New ScanStarts the New Scan wizard.

Bulk actions

Tick the checkbox on one or more rows (or the header checkbox to select all) and a bar appears with actions that apply to your selection: Launch, Stop, Delete, and — when exactly two scans are selected — Compare. Clear deselects everything.

The scan table

Each row is one scan.

ColumnWhat it shows
NameThe scan's name. Click it to open the scan detail view.
EngineWhich scanner runs it.
StatusCurrent state — Created, Queued, Running, Paused, Completed, Failed, Canceled, or Stopped. Running scans pulse.
Last RunWhen the scan most recently ran.
FindingsHow many findings the latest run produced.
ProgressA live progress bar while the scan is running.
ActionsPer-row buttons (below).

Row actions

The buttons available depend on the scan's status:

ActionWhat it does
LaunchStarts the scan now.
Pause / ResumeTemporarily halts a running scan, or continues a paused one.
Stop / CancelEnds a running or queued scan.
EditReopens the configuration form for the scan.
CloneCreates a copy you can adjust and run separately.
DeleteMoves the scan to Trash.

The New Scan wizard

Clicking New Scan opens the wizard. It always starts with a choice of scanner engine — what happens next depends on which one you pick.

Step 1 — choose a scanner engine

The wizard opens on an engine picker, not a template list. Two engines are selectable today:

EngineWhat happens next
WeaverScan (built-in)Native ThreatWeaver scanning. Moves on to a template gallery, then a full configuration form.
Tenable.ioRoutes the scan to Tenable Vulnerability Management. Skips the template gallery entirely and opens a Tenable-specific configuration screen. Requires a Tenable API key configured in Admin.

Nuclei, OpenVAS, Qualys, and Rapid7 appear alongside them as disabled "Coming soon" tiles — you can't launch or create a scan on any of these four from this wizard yet. Qualys and Rapid7 already support saving API credentials and testing the connection under Admin (see Scanner connections & history), but that's a separate capability from launching a scan here.

Step 2 — pick a template (WeaverScan only)

Choosing WeaverScan brings you to a template gallery. Templates are ready-made scan definitions grouped by purpose. Search across templates, or narrow them with the filters:

FilterWhat it narrows to
CategoryVulnerability, discovery, compliance, web, cloud, or specialized templates.
Target typeThe kind of target the template is built for — host, network, web, API, cloud, container, agent, and more.
CredentialsTemplates that need no credentials, treat them as optional, or require them.
RiskThe template's intrusiveness — low, medium, or high.

Each template card also offers Compare, Clone, and (for your own custom templates) Delete. Choosing Tenable.io in Step 1 skips this gallery — a Tenable scan isn't built from a ThreatWeaver template.

Step 3 — configure the scan

The configuration form opens with a row of tabs. For a Tenable scan, only the Basic tab applies — the other tabs are WeaverScan-only and have no effect on a Tenable scan.

TabWhat you set
BasicScan name, targets (IPs, CIDR ranges, or hostnames), the schedule, completion notifications, and whether to launch immediately. On a Tenable scan this tab also carries the Tenable-specific section described below.
DiscoveryThe port range to scan, plus host-discovery methods: ICMP Ping, ARP Discovery, TCP SYN Probe, and UDP Discovery.
AssessmentThorough Mode (exhaustive but slower checks), Web Application Scanning (SQL injection, XSS, CSRF, and similar checks), Brute Force Testing (tests for default/weak credentials — this can trigger account lockouts on your targets, so use it deliberately), and Safe Checks Only (skips checks that could crash a service or device).
AdvancedPerformance tuning (Max Concurrent Hosts, Max Checks/Host, Network Timeout) and AI-Assisted Analysis — see below.
CredentialsInformational only in this wizard. It explains why authenticated scanning matters and links to Admin to manage credentials — there's no credential picker here, so you can't attach a credential to the scan from this tab.

Tenable.io: a different Basic tab

A Tenable scan's Basic tab isn't the same form as WeaverScan's. It adds a Tenable Vulnerability Management section above the usual name/targets/ schedule fields, with two modes:

  • Run an existing Tenable scan — pick one of your existing Tenable scans from a list. It's read-only and launches as-is; its targets and template are owned by Tenable, not ThreatWeaver.
  • Create a new Tenable scan — pick a Tenable scan template, a Tenable scanner, an optional Tenable folder, and optionally attach one or more managed credentials from Tenable. The name, targets, and options from this wizard are sent to Tenable to create the scan.

AI-Assisted Analysis (Advanced tab)

Turning on Enable AI Enrichment reveals four sub-toggles that run after the scan completes: Risk Context (explains why each finding matters), Remediation Guidance (prioritized, step-by-step fix instructions), Attack Path Analysis (how findings chain together into exploit paths), and Executive Summary (a high-level risk narrative for leadership reporting). Enrichment requires an AI provider configured in Admin.

The schedule builder

On the Basic tab, the Schedule control sets how often the scan runs:

ChoiceWhat happens
Manual (On Demand)The scan runs only when you launch it.
OnceRuns a single time at a date and time you pick.
HourlyRuns every hour, starting at a time you set.
DailyRuns once a day at a chosen time.
WeeklyRuns on the days of the week you select, at a chosen time.
MonthlyRuns on a chosen day of the month, at a chosen time.
ContinuousRepeats on a fixed interval you set in minutes.

For any recurring choice you also pick a timezone so the scan runs at the right local time. Tick Notify on completion to email a result summary, and Launch immediately after creation to run the scan as soon as you save it.

Save with Create Scan (or Create & Launch if you chose to launch immediately). When editing an existing scan, the button reads Save Changes.

The scan detail view

Clicking a scan opens its detail view.

  • Header — the scan's name and status, with the same action buttons as the list. While a scan runs, a progress bar shows percent complete, hosts finished, a running severity tally, and elapsed time.
  • Run selector — a scan can run many times; pick which run to view. When a scan has two or more runs, Compare Runs shows two side by side so you can see what changed.
  • Export — saves the selected run as a report (see below).
  • Compliance Report — appears when a run has compliance results, and opens a formatted compliance summary.

Result tabs

Beneath the header, tabs break the selected run down. Which tabs appear depends on what the scan produced:

TabWhat it shows
SummarySeverity breakdown, scan information, and top vulnerabilities and hosts.
Live(While a scan is running.) Findings streaming in as they're discovered.
HostsEvery host the run touched, with its IP, hostname, OS, findings, and risk score.
FindingsThe full list of findings, which you can group by root cause, remediation, system, or risk theme.
RemediationsRecommended fixes, prioritized.
Activity LogA timeline of what happened during the run.
Compliance / Web Scan / Discovery / Container / Cloud PostureSpecialized results, shown only when the run produced that kind of finding.

Export formats

The Export menu on a run offers:

  • Export as CSV — the findings as a spreadsheet.
  • Export as JSON — the findings as structured data.
  • Executive Summary (HTML) — a leadership-friendly overview, opened in a new tab.
  • Technical Report (HTML) — the full technical detail, opened in a new tab.

Which sections appear in the HTML exports — and the company name and logo they carry — are controlled by Report Settings, configured under Admin; see Scanner settings for what it covers.

Common workflows

Workflow: create and launch a scan

  1. Click New Scan.

    Step 1 — the New Scan wizard's engine picker
  2. Choose the WeaverScan (built-in) tile, then pick a template that matches what you want to scan. The configuration form opens.

  3. On the Basic tab, give the scan a name and enter your targets — IP addresses, CIDR ranges, or hostnames, one per line.

    Step 3 — naming the scan and entering targets
  4. Leave the schedule on Manual, tick Launch immediately after creation, and click Create & Launch.

  5. The scan opens in the detail view and begins running. Watch the progress bar and the Live tab as findings arrive.

    Step 5 — a scan running, with live progress and findings

Workflow: schedule a recurring scan

  1. Start a New Scan (or Edit an existing one) and open the Basic tab.
  2. Set the Schedule to Weekly, choose the days and time of day, and pick your timezone.
  3. Tick Notify on completion and enter an email address to be told each time the scan finishes.
  4. Click Create Scan. The scan now appears under the Scheduled Scans smart folder and runs on its own.

Workflow: read and export a run

  1. Click a completed scan to open its detail view.
  2. In the Run selector, choose the run you want to review.
  3. Open the Findings tab and, if you like, group the findings by remediation to see the fixes that clear the most at once.
  4. Click Export and choose a format — for example Executive Summary (HTML) to share with leadership, or CSV for further analysis.