Threat Intelligence
Scanner Intelligence
Scanner Intelligence takes the raw findings your scanners produce and turns them into higher-level insight: how an attacker could chain vulnerabilities into an attack path, which software is most likely to be exploited next, what your endpoint agents are detecting, how you measure against compliance frameworks, and where two scanners disagree.
What it's for
- See the bigger picture behind individual findings — chains, forecasts, and business impact rather than a flat list.
- Prioritize with real signals — exploit availability, exploitation-probability scores, known-exploited catalogs, and your own exposure.
- Check coverage and quality across scanners, and resolve conflicts between them.
The screens in it
Scanner Intelligence is a single page with a row of tabs across the top. Use Refresh in the header to reload the current tab's data. The tabs available to you depend on what your organization has turned on.
| Tab | What it shows |
|---|---|
| Attack Paths | Chains of vulnerabilities an attacker could follow from an entry point to a target. |
| Predictive | The highest-risk software packages and the threats rising fastest, plus a forward-looking forecast. |
| Business Impact | Vulnerabilities ranked by their impact on important systems. |
| EDR & FIM | Endpoint detection events and file-integrity-monitoring rules. |
| Scan Compliance | Your standing against common frameworks, with downloadable evidence. |
| SBOM | A software bill of materials (coming soon). |
| Conflicts | Findings where two scanners disagree, with ways to resolve them. |
| Auto-Remediation | Automated fixing of findings (coming soon). |
Attack Paths
This tab maps how an attacker could move through your environment. Three summary tiles show Total Paths, Critical Paths, and the average risk score.
| Control | What it does |
|---|---|
| List View / Graph View | Switch between a list of paths and a visual graph of them. |
| Compute Paths | Recalculates attack paths from your current findings. |
| A path row | Click to expand it and see the entry point, target, risk score, MITRE ATT&CK techniques, and each hop in the chain. |
| Mitigate | Marks a path as mitigated once you've broken the chain. |
| AI Analysis & Remediation Suggestions | Generates a plain-language risk assessment and the top steps to break that specific chain. |
Predictive
The Predictive tab ranks your open, exploitable vulnerabilities by exploit risk. Summary tiles show Risky Packages, Rising Threats, an average risk score, and the count of critical vulnerabilities. A freshness note tells you when the high-risk list was last updated.
- High-Risk Packages — the software in your environment carrying the most exploit risk, with open and critical counts, exploitable counts, affected assets, and how long the oldest issue has gone unpatched.
- Rising Threats — the vulnerabilities gaining exploitation momentum, with their exploitation-probability score and whether they're rising or spiking.
- Vulnerability Forecast — a forward-looking ranking of the packages most likely to be exploited next, with the reasoning behind each prediction.
Business Impact
This tab ranks vulnerabilities by how much they'd hurt if exploited. Tiles show High Impact Vulns, an average impact score, and how many are exploitable. The table lists each vulnerability with its host, impact score and level, severity, whether an exploit exists, and how long it's been open.
EDR & FIM
This tab covers what your endpoint agents watch and detect. It has two sub-tabs:
Events
A log of endpoint detection events — the type, severity, agent, details, any MITRE technique, and when it happened. Click Ack to acknowledge an event you've reviewed.
FIM Rules
File-integrity-monitoring rules that watch important files for change. Each row shows the path pattern, description, severity, and an enabled toggle. Users who can manage endpoint monitoring can add, edit, or delete rules.
Creating or editing a rule opens a form with a path pattern, a description, a severity, an optional name, and toggles for recursive (include sub-folders) and enabled.
Scan Compliance
This tab shows how you measure up against common frameworks — PCI-DSS, SOC 2, HIPAA, ISO 27001, NIST CSF, and CIS. Each framework card shows a score, a status, the number of findings, and when it was last assessed and until when it's valid.
| Control | What it does |
|---|---|
| Generate | Runs a fresh assessment for that framework and updates the card. |
| Evidence | Downloads the supporting evidence for an assessment. |
Conflicts
When two scanners disagree about a vulnerability — its severity, or whether it's present at all — the conflict appears here. Tiles show Total, Unresolved, and Resolved counts. Each row names the CVE, the two scanners and their verdicts, and the disagreement. If you can manage scanner intelligence, resolve a conflict with:
- Accept Highest — keep the higher severity of the two.
- Merge Avg — combine the findings using an averaged severity.
- Dismiss — set the conflict aside.
SBOM and Auto-Remediation (coming soon)
The SBOM and Auto-Remediation tabs are on the way. Until they arrive:
- Installed software and vulnerabilities per asset are already available on the Vulnerabilities pages.
- Prioritize and plan fixes on the Remediation.
Common workflows
Workflow: analyze an attack path
-
Open the Attack Paths tab.
Step 1 — the Attack Paths list with summary tiles -
If the list is empty, click Compute Paths to build it from your current findings.
-
Click a path to expand it and review the entry point, target, and each hop in the chain.
Step 3 — an expanded attack path with its hops and techniques -
Click AI Analysis & Remediation Suggestions for a plain-language summary and the top steps to break the chain. Once you've acted, click Mitigate.
Workflow: produce a compliance attestation
- Open the Scan Compliance tab.
- Find the framework you need and click Generate. The card updates with a fresh score and status.
- Click Evidence to download the supporting evidence to attach to an audit.
Workflow: add a file-integrity rule
- Open EDR & FIM and select the FIM Rules sub-tab.
- Click New FIM Rule.
- Enter the path pattern to watch, a description, and a severity, then choose whether it applies recursively.
- Click Create Rule. The rule appears in the list, enabled and watching.