Guides for Product Managers

These guides cover reporting, remediation tracking, risk metrics, and dashboard customization -- everything you need to communicate security posture to stakeholders and track progress.

---

Guide 1: Generating Executive Reports

Create professional PDF reports for leadership, board meetings, and audit reviews.

Time needed	10 minutes
Prerequisites	Analyst role or higher; at least one Tenable sync or completed scan
What you'll learn	How to generate, customize, and download executive reports

Available report types

Report Type	Audience	What it shows
Executive Summary	C-suite, Board	High-level posture, trends, key metrics, risk narrative.
Compliance Report	Auditors, Compliance	Control-by-control pass/fail, evidence, remediation status.
Trend Analysis	Security Leadership	How your vulnerability counts and scores have changed over time.
Detailed Findings	Security Team	Full finding list with evidence, remediation steps, and status.

Steps

1. Navigate to the dashboard. From the left sidebar, click Exposure Management to see the main dashboard.

2. Select the report type. Click Reports (or look for the Export/Download button on the dashboard). Choose your report type from the options above.

3. Customize the scope.

   • Date range: 7 days, 30 days, 90 days, or custom.
   • Targets/Assets: All, or specific applications/asset groups.
   • Severity filter: Include all severities, or only Critical+High for a concise report.

4. Generate the report. Click Generate. For large datasets, this may take a few seconds.

5. Download as PDF. Click Download PDF. The report is formatted for print and presentation, with charts, tables, and executive narrative.

Key metrics to highlight in presentations

When presenting to executives, focus on these numbers:

Metric	What it means in business terms
WeaverScore	Overall security health on a 0-100 scale. Higher is better. Trend matters more than absolute number.
Critical Vulnerability Count	Number of severe, easily exploitable issues. Should be trending toward zero.
MTTR (Mean Time to Remediate)	Average days to fix a vulnerability. Lower is better. Industry average is ~60 days for critical.
Fix Rate	Percentage of vulnerabilities fixed vs. total found. Shows team velocity.
SLA Compliance	Percentage of findings fixed within your defined SLA windows.

Use the AI Executive Summary

For a polished narrative summary, use the AI Executive Summary Generator in AI Labs. It turns raw metrics into a readable story tailored for non-technical audiences. You can export this as a PDF directly.

---

Guide 2: Tracking Remediation Progress

Use the Validated Fix Planner (VFP) to organize remediation into manageable work packages, assign them to teams, and track progress against SLAs.

Time needed	15 minutes to set up
Prerequisites	Manager role or higher
What you'll learn	How to create work packages, assign teams, track SLA compliance, and generate tickets

What is the VFP?

The Validated Fix Planner groups related vulnerabilities into work packages -- bundles of findings that can be assigned to a team and tracked as a unit.

Steps

1. Navigate to Exposure Management > Fix Planner (or VFP in the sidebar).

2. Create a work package. Click + New Work Package. Give it a descriptive name (e.g., "Q2 Critical Remediation" or "API Input Validation Fixes").

3. Add findings to the work package. From the findings list, select one or more findings and click Add to Work Package. You can group by:

   • Vulnerability type (e.g., all SQL injection findings)
   • Affected team (e.g., all findings for the backend team)
   • Application (e.g., all findings for the billing service)

4. Assign to a team. Set the responsible team or individual. They will see the work package in their dashboard.

5. Set SLA deadlines. Configure remediation deadlines based on severity:

   Severity	Typical SLA
   Critical	7 days
   High	30 days
   Medium	90 days
   Low	Best effort

6. Generate tickets (optional). Click Create Tickets to automatically generate Jira or ServiceNow tickets for each finding in the work package. The AI Ticket Writer formats them with severity, reproduction steps, and remediation advice.

7. Monitor progress. The VFP dashboard shows:

   • Open vs. Closed findings per work package
   • SLA compliance -- percentage of findings fixed within the deadline
   • Remediation velocity -- how quickly your team is closing findings
   • Overdue items -- findings past their SLA deadline (highlighted in red)

Remediation workflow

When a developer fixes a vulnerability, the next scan automatically detects the fix and marks the finding as Resolved. No manual status updates needed.

---

Guide 3: Understanding Risk Scores (WeaverScore)

WeaverScore is ThreatWeaver's composite risk metric. It combines multiple signals into a single 0-100 score that helps you prioritize what to fix first.

Time needed	10 minutes to understand
Prerequisites	None
What you'll learn	How WeaverScore is calculated, how to interpret it, and why it is better than CVSS alone

What is WeaverScore?

WeaverScore answers the question: "Of all our vulnerabilities, which ones should we fix first?"

Unlike CVSS (which only measures how severe a vulnerability is in theory), WeaverScore considers your specific environment -- which assets matter most, whether the vulnerability is being exploited in the wild, and how long it has been open.

How it is calculated

Factor	Weight	What it measures
CVSS Score	Base	Technical severity (0-10 scale, normalized to 0-100).
EPSS Probability	High	The probability that this vulnerability will be exploited in the next 30 days, based on real-world data.
KEV (Known Exploited Vulnerability)	Critical	Whether CISA has confirmed active exploitation. Immediately boosts the score.
Asset Criticality	High	Business importance of the affected system (crown jewels vs. test servers).
Vulnerability Age	Medium	How many days the vulnerability has been open. Older = higher urgency.
Network Exposure	Medium	Internet-facing systems score higher than internal-only or isolated systems.

How to interpret WeaverScore

Score Range	Meaning	Action
80-100	Critical risk. High severity + high exploitability + important asset.	Fix immediately.
60-79	High risk. Needs attention soon.	Fix within your SLA (typically 30 days).
40-59	Medium risk. Should be addressed.	Schedule for the next sprint or maintenance window.
20-39	Low risk. Less urgent.	Track and address when convenient.
0-19	Informational. Minimal real-world risk.	Monitor only.

WeaverScore vs. CVSS

Scenario	CVSS	WeaverScore	Why they differ
Critical vuln on an isolated test server	9.8	35	Asset is not business-critical and not internet-facing.
Medium vuln on payment processing server, actively exploited	5.5	85	KEV confirmed, asset is crown-jewel, internet-facing.
High vuln open for 200 days on a customer-facing app	7.5	78	Age and exposure boost the real-world risk.

Use WeaverScore for prioritization, CVSS for communication

When deciding what to fix first, use WeaverScore. When communicating severity to developers or in tickets, use CVSS -- it is the industry standard they are familiar with.

---

Guide 4: Customizing Dashboards

Build custom dashboard views tailored to your role and the audience you present to.

Time needed	15 minutes
Prerequisites	Analyst role or higher
What you'll learn	How to add widgets, create role-specific views, and share dashboards

Dashboard builder overview

ThreatWeaver's dashboard supports 50+ widget types organized into categories:

Category	Example Widgets
KPI Cards	Total Vulnerabilities, Critical Count, WeaverScore, MTTR.
Charts	Severity trend (line), Vulnerability distribution (pie), Fix rate (bar).
Tables	Top 10 riskiest assets, Overdue findings, Recent scan results.
Maps	Geographic distribution of assets.
Status	Sync health, scanner status, SLA compliance.

Steps

1. Navigate to the main dashboard. Click Exposure Management in the sidebar.

2. Enter edit mode. Click the Customize or Edit Dashboard button (pencil icon).

3. Add a widget. Click + Add Widget. Browse the widget catalog or search by name. Click a widget to add it to your dashboard.

4. Configure the widget. Each widget has settings:

   • Data source: Which data to display (all assets, specific groups, specific time range).
   • Display options: Chart type, colors, labels.
   • Refresh interval: How often the data updates.

5. Arrange widgets. Drag and drop widgets to rearrange them. Resize by dragging the corners.

6. Save the dashboard. Click Save. Your layout is preserved for your next login.

Creating role-specific views

View	Widgets to include
Executive View	WeaverScore trend, Critical count, MTTR, Fix rate, Compliance summary.
Security Team View	Findings by severity, Top risky assets, Recent scans, SLA compliance, Overdue items.
DevOps View	Scan results by application, New findings this week, Remediation velocity.

Sharing dashboards

• Dashboards you create are private by default.
• To share, click Share and select team members or roles.
• Shared dashboards appear in the recipient's dashboard list.

Dashboard templates

ThreatWeaver comes with pre-built dashboard templates for common roles. You can use these as a starting point and customize from there.

---

Next steps

• Reading the Executive Dashboard -- present these dashboards to leadership
• Running Your First Scan -- generate data for your reports
• Configuring Tenable API Keys -- connect your vulnerability data source
• Glossary -- look up unfamiliar terms