Exposure Management
Finding and filtering vulnerabilities
The vulnerabilities list is the full inventory of findings your scanners have brought in. It can hold thousands of rows, so most of your time here is spent narrowing it: to a severity, a system type, a CVE, an exploit status, or a business-critical asset. This page explains every control that helps you do that, then walks through the common workflows end to end.
What it's for
- Narrow a huge list to what matters using severity counts, system-type tabs, quick filters, and an advanced query builder.
- Group and sort the same findings different ways — one row per unique vulnerability, one row per affected host, or one row per finding instance.
- Act on a selection — export it, rescan the affected hosts, or open a single finding to investigate.
The screens in it
When you open the list you see, top to bottom:
- System-type tabs — switch the whole list between groups of systems.
- Severity count cards — headline totals that double as one-click filters.
- A plain-language search box — describe what you want in words.
- The Filters panel — quick filters, an advanced query builder, and saved views.
- The Vulnerability Inventory table — your findings, with column, export, and selection controls.
System-type tabs
A row of tabs across the top switches the entire list to one group of systems: All Systems, Windows Servers, Windows Workstations, Linux, Network Devices, and Other. Selecting a tab filters every card and the table to that group.
Severity count cards
Beneath the tabs sits a row of count cards. Each shows a live total and acts as a one-click filter — click a card to filter the table to it, click it again to clear.
| Card | What it counts | Clicking it |
|---|---|---|
| Total Findings | Every finding instance (each occurrence on each asset). | Switches the table to one row per finding instance. |
| Unique Vulns | Distinct vulnerabilities, regardless of how many assets they touch. | Switches the table to one row per unique vulnerability. |
| Critical Unique | Distinct critical-severity vulnerabilities. | Filters to critical findings. |
| High Unique | Distinct high-severity vulnerabilities. | Filters to high findings. |
| Medium Unique | Distinct medium-severity vulnerabilities. | Filters to medium findings. |
| Low Unique | Distinct low-severity vulnerabilities. | Filters to low findings. |
When any filter is active, a Filtered Results strip appears below the cards summarizing the current view — rows in view, unique vulnerabilities, finding instances, and critical and high counts — so you can see the effect of your filters at a glance.
Plain-language search
The search box marked "Ask anything…" lets you describe what you're looking for in ordinary words — for example "critical vulns on Linux with exploits", "CVE-2024-1234 across all assets", or "unpatched high severity last 30 days". Type your request and press Enter or click Search. ThreatWeaver turns it into filters and shows an Interpreted as row of chips so you can confirm how it read your request. Click Clear to drop the interpretation and reset.
The Filters panel
Click Filters to expand the panel. The header shows how many filters are active and Showing N of M rows. The panel has two modes — Quick Filters and Advanced Query Builder — plus Saved views on the right.
Quick Filters
| Filter | What it narrows to |
|---|---|
| Severity | Critical, High, Medium, Low, or Info findings. |
| State | The finding's lifecycle stage — New, Active, Resurfaced, or Fixed. |
| System type | The same system groups as the tabs above. |
| Exploit | Findings that do or don't have a known exploit available. |
| CISA KEV | Findings listed (or not listed) in the CISA Known Exploited Vulnerabilities catalog. |
| Threat Radar | Findings tied to an active zero-day / emerging-threat alert, by alert tier. |
| Patch | Findings that do or don't have a patch available. |
| Agent | Findings on assets With Agent or Without Agent. |
| Layer | Whether the finding belongs to the Operating System, an Application, or is Unclassified. |
| As Of | A historical snapshot — the findings that were open as of the end of a chosen date. |
| Last Seen | A date range covering when a scan last touched the finding. |
| Search | A keyword match on vulnerability name, CVE, or description. |
| Sort by / order | The column the table is ordered by, ascending or descending. |
| Group By | How rows are aggregated (see below). |
Group By changes what one row represents: Plugin (Unique) — one row per unique vulnerability (the default); All Instances (none) — one row per finding on each asset; CVE — one row per CVE; Hostname or IP Address — one row per affected host; Finding Layer — grouped by OS vs application.
After changing quick filters, click Apply Filters to run them. An Unapplied changes note appears until you do. Clear Filters resets everything.
Advanced Query Builder
Switch to Advanced Query Builder to build precise conditions field by field. Each condition is a field, an operator, and a value; combine them with AND or OR, and nest them into groups for complex logic. Quick Filters and the Advanced Query Builder are mutually exclusive — applying one clears the other, so a single query never mixes the two.
Filter on a list of CVEs and, if some of them don't appear anywhere in your environment, an amber banner above the table names exactly which ones weren't found — so you can tell "zero results because nothing matched" apart from "wrong CVE ID."
Saved views
Use Saved views to keep a filter combination you return to often. Save the current filters under a name, then reload it in one click later.
Choosing which sources to show
A Sources toggle sits above the table: Combined (all sources together), a <source> only button for each connected scanner, and Overlap only (findings that more than one source reports). The toggle itself is always there; its individual buttons are disabled — you can't change scope — while only a single source feeds your data. Source badges on each row show which scanner reported the finding.
The Vulnerability Inventory table
The table header names the current view — for example "Unique vulnerabilities" or "All vulnerability instances." Its controls sit on the right:
| Control | What it does |
|---|---|
| Columns | Choose which columns are visible; reset to the defaults. |
| Export mode | (Multiple sources only.) Deduped export merges duplicate findings across sources; Raw per-source export keeps one row per source. |
| Export ▾ | Opens the export menu (see Exporting below). |
| Rescan Affected | (If enabled for your workspace.) Queues a fresh scan of the hosts behind your selected rows (or all visible rows if none are selected). |
Columns
Depending on your Group By and Columns choices, the table can show: ID, Plugin Name, Severity, State, Layer, CVE, Asset / Affected, First Found, Last Found, CVSS v2, CVSS v3, Plugin Family, Exploit, Threat Radar, Patch, Port, Protocol, and Business Context, plus any extra scanner fields you enable. Click a sortable column header to sort by it; click again to reverse the order.
Rows can carry badges: a scanner badge showing which source reported the finding, a Threat Radar badge when a finding is tied to an active alert (click it to open the alert), and a Business Context tag when the affected asset is flagged as critical (for example a crown jewel).
The Business Context column only shows a real tag in the All Instances (ungrouped) view. In every grouped view — including the default Plugin (Unique) grouping — it shows a placeholder dash instead, since a grouped row can roll up assets with different business-context tags.
Selecting rows
Row selection is available in the Plugin (Unique) and All Instances views. A bar above the table shows the total count and a select-all checkbox. Tick it to select every row on this page; a Select all N vulnerabilities action then lets you extend the selection to the entire filtered set. Clear drops the selection. A selection drives both Export Selected and Rescan Affected.
Grouping the list by Hostname, IP Address, CVE, or Finding Layer removes the selection bar and checkboxes entirely — those views summarize many findings per row, so there's nothing to select. Switch Group By back to Plugin (Unique) or All Instances to select rows, export a selection, or rescan affected hosts from a selection.
Exporting
The Export ▾ menu offers several routes:
- Open export builder — a guided builder for a tailored export.
- Quick export CSV — downloads the current selection (or all rows) as CSV.
- Async server-side export — start a CSV, JSON, or XLSX job that runs in the background; large exports keep processing and land in your export history, so you can keep working.
- Underlying findings — for grouped views, export the individual findings behind each group rather than the summary rows.
- View export history — jump to where finished export files are listed.
Reading the rows and paging
Each row shows the finding's headline details and its State — New (seen in a single scan), Active (seen across multiple scans), Resurfaced (returned after being fixed), or Fixed. Use the pager at the bottom to move between pages and change how many rows show at once.
Row-click behavior depends on Group By:
- Plugin (Unique) and All Instances — click a row to open its detail panel. See Understanding a vulnerability.
- Hostname, IP Address, and CVE — rows aren't clickable; each one is a rollup across many findings. Use Underlying findings export, or switch Group By, to reach the individual findings behind it.
- Finding Layer — clicking a row switches Group By back to Plugin (Unique), filtered to that layer, rather than opening a detail panel.
If nothing matches, the list says so plainly — either "No vulnerabilities match your filters" (with a nudge to adjust or clear them) or, on a fresh workspace, that findings will appear after your first scan completes.
Common workflows
Workflow: find critical, exploitable findings on Linux
-
Click the Linux system-type tab.
Step 1 — the Linux system-type tab selected -
Click the Critical Unique severity card to filter to critical findings.
Step 2 — filtered to critical findings -
Open Filters, set Exploit to findings with an exploit available, and click Apply Filters. The table now shows only critical, exploitable findings on Linux systems.
Step 3 — the Exploit quick filter applied -
Click any row to open its detail panel and plan the fix.
Workflow: export the current view for a report
-
Filter and group the list until it shows exactly what you want to share.
-
(Optional) Tick the select-all checkbox, then Select all N vulnerabilities to cover the whole filtered set.
-
Click Export ▾ and choose Quick export CSV, or start a background CSV, JSON, or XLSX job for a large set.
Step 3 — choosing an export format from the Export menu -
The file downloads when ready; large jobs appear in your export history.
Workflow: save a view you use every week
- Build the filter combination you return to often (for example critical + exploitable + production assets).
- In the Filters panel, open Saved views and choose Save current.
- Give the view a name and confirm. Next week, reload it in one click.