Vulnerability & Exposure Management
Roadmap — a single-pane management layer over the unified findings store, adding a deduplicated risk-ranked backlog, SLA policies, ownership routing, bi-directional ticketing, expiring risk exceptions, campaigns, and metrics.
Vulnerability & Exposure Management
Roadmap — not yet available. VEM is a planned capability documented here for direction. It is a management overlay on findings that ship today; the overlay itself is not yet available.
Vulnerability & Exposure Management is the single-pane orchestration layer planned over the unified findings store. It is explicitly not a scanner — it produces no findings and adds no finding types. It overlays lifecycle, SLA, ownership, ticketing, exception, and reporting workflow on the canonical (AutoTriage-deduped) findings, reusing the existing prioritization, reachability, risk score, and correlation graph rather than recomputing any of them.
Planned capabilities
| Capability | What it will do |
|---|---|
| Unified backlog | One deduplicated, risk-ranked list of remediation items across every finding type, using AutoTriage's priority score, reachability, and correlation grouping (one fix closes many) |
| SLA policies | Due dates by severity × asset criticality × finding type × environment, with at-risk and breach states and escalation |
| Ownership routing | Auto-route items to the owning team from the asset registry; manual reassignment, audited; per-owner workload views |
| Bi-directional ticketing | Jira / ServiceNow / GitHub sync — one ticket per canonical finding group, conflict-resolved and reconciled |
| Risk exceptions | Approval-gated, expiring, audited risk-acceptance that pauses the SLA clock and reliably re-opens on expiry |
| Campaigns | Bounded remediation drives over a saved filter, with burn-down tracking and auto-complete |
| Metrics & reporting | MTTR, aging, burn-down, SLA attainment, reopened-rate, and executive risk reports |
Reuse, not recompute (design principle)
The core design constraint is that VEM references shipped outputs and never re-derives them: one AutoTriage, one reachability engine, one risk score, one correlation graph, one connector stack, one findings index. Every VEM entity references a canonical finding group; none copies a finding or extends the finding model. This keeps priority and risk consistent everywhere they appear.
Malware and secrets are never suppressible
A hard guarantee carried over from AutoTriage: no VEM path — SLA de-prioritization, exception activation, or a backlog filter — can ever hide a malware or secrets finding. A shared guard is called before any suppression, and approving a risk exception on a malware group is refused and audited. An expired exception is an enforced invariant: expired-but-still-suppressed count is always zero.
When it ships
VEM will be tenant-scoped and audit-logged, gated by the ff.exposuremgmt feature flag (with sub-flags for ticket sync, campaigns, and exceptions), and surfaced through the app, GPT, CLI, and MCP. Its external-facing counterpart is CTEM & EASM.
Related
- Unified Findings & Feature Flags — the store VEM overlays.
- AutoTriage — the deduplication and the never-suppress guarantee VEM inherits.
- Reachability Analysis — the prioritization signal VEM reads.
- CTEM & EASM — the external exposure-management counterpart (roadmap).
Digital Risk Protection & Threat Intel
Roadmap — a threat-intelligence pipeline (ingest, normalize, dedup, enrich, score, age, correlate, disseminate) plus outward-facing digital risk protection for leaked credentials, look-alike domains, and brand impersonation.
Trusted Artifacts
Roadmap — a curated catalog of hardened, minimal, signed base images with SBOM and SLSA provenance, plus (later) build-from-source and FIPS/STIG variants.