Browse documentation
Investigating a CVE
Once you've spotted a finding, the next step is understanding it and deciding what to do. This article covers what each finding tells you and the actions available.
What a finding shows
Each finding brings together the CVE and where it applies:
- CVE ID — links to the full write-up on the NVD website.
- Severity and CVSS score — how serious it is.
- Product and installed version — the software on the host that matched.
- Host — which server, endpoint, or device is affected (links to its detail page).
- Confidence — High / Medium / Low, reflecting how precisely the version matched.
- First seen — when the finding first appeared.
To see every host affected by one CVE, use the Flat view and search the CVE ID, or check the most widespread CVEs panel for its host count.
Acting on a finding
- Create a remediation task — turns the finding into a task (Remediate {CVE} on {host}), with priority and due date set from severity (Critical is most urgent). Use Create tasks for all to do this in bulk for the filtered list.
- Suppress — hide the finding with a durable rule when it's an accepted risk or a false positive. You can scope suppression to this host, this product everywhere, or the whole CVE across the org. Suppressed findings return only if you remove the rule.
Per-host view
Every server, endpoint, and device has its own Vulnerabilities tab showing just that host's open findings, grouped by package. It's the same data filtered to one machine — handy when working through a single host.
Fixing it
The remediation itself is usually a patch. Cross-reference the Patches page: an available update that fixes the CVE lists it in its Fixes column, so you can find the exact update to apply.
Notes & tips
- A finding resolves automatically once you patch or remove the affected software — you don't need to close it by hand.
- Use confidence to prioritise: High-confidence Critical findings are the clearest, most urgent calls to action.