# Exposure Management
The Exposure Management module is the core of ThreatWeaver. It syncs vulnerability and asset data from Tenable.io cloud APIs, normalizes it into a unified data model, and surfaces prioritized risk through the WeaverScore algorithm, trend analytics, and the Validated Fix Planner (VFP).
## Key Capabilities
| Capability | Description |
|---|---|
| Asset Inventory | Syncs hosts from Tenable.io with filtering by agent status, license state, OS category (Windows Server, Workstation, Linux, Network), and last-seen date range. Supports text search across hostname, IP, and OS. |
| Vulnerability Tracking | Full lifecycle tracking (open, fixed, reopened, accepted) with AI-powered natural-language search. An AI parameter extractor parses queries like "critical unpatched vulnerabilities from last 30 days" into structured filters. |
| Tenable Cloud Sync | Chunk-based export API integration with progress tracking per chunk. Supports scheduled and on-demand sync with detailed sync logs. |
| WeaverScore | Composite 0--100 risk score blending CVSS base score, EPSS exploit probability, asset criticality, and environmental context. Powers priority-based remediation ordering (see scoring diagram below). |
| VFP Fix Planner | Groups related vulnerabilities into work packages, assigns teams, links to external tickets (Jira, ServiceNow), and tracks remediation against SLA-driven deadlines. 90 API endpoints. |
| Scan Management | Launches and monitors Tenable scans with rate limiting (10 launches/min, 20 creates/min per user), SLA policies, ticketing integration, and outbound webhook notifications. |
| Dashboard Analytics | 30 dashboard endpoints provide KPI cards, severity trends, MTTR tracking, risk distributions, and customizable widget configurations. |
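The table above says the AI parameter extractor turns a query such as "critical unpatched vulnerabilities from last 30 days" into structured filters. The following is an added, deterministic stand-in for that mapping (not ThreatWeaver's own extractor, which the page describes as AI-powered); the filter field names `severity`, `state` and `since`, the state vocabulary and the 30-day month are assumptions. Its security-relevant property is that only whitelisted vocabulary reaches the filter, so free text never becomes a raw query predicate.

```python
import re
from datetime import date, timedelta

AS_OF = date(2024, 6, 1)  # fixed "today" so the example is reproducible

# Severity terms, in the order they are emitted.
SEVERITIES = ("critical", "high", "medium", "low", "info")
# Lifecycle vocabulary mapped onto the page's four states (open, fixed, reopened, accepted);
# "unpatched" is taken to mean both not-yet-fixed states (assumption).
STATE_TERMS = {
    "unpatched": ["open", "reopened"],
    "open": ["open"],
    "reopened": ["reopened"],
    "fixed": ["fixed"],
    "accepted": ["accepted"],
}
UNIT_DAYS = {"day": 1, "week": 7, "month": 30}

def extract_filters(query: str, today: date = AS_OF) -> dict:
    """Map free text onto a fixed set of filter fields.

    Anything that is not recognised vocabulary is dropped rather than passed through,
    so the natural-language input cannot smuggle its own predicate into the query.
    """
    q = query.lower()
    filters: dict = {}

    severities = [s for s in SEVERITIES if re.search(rf"\b{s}\b", q)]
    if severities:
        filters["severity"] = severities

    states: list[str] = []
    for term, mapped in STATE_TERMS.items():
        if re.search(rf"\b{term}\b", q):
            states.extend(s for s in mapped if s not in states)
    if states:
        filters["state"] = states

    # "last 30 days", "last 2 weeks", "last month" -> absolute lower bound on the date.
    m = re.search(r"\blast\s+(?:(\d+)\s+)?(day|week|month)s?\b", q)
    if m:
        count = int(m.group(1) or 1)
        filters["since"] = (today - timedelta(days=count * UNIT_DAYS[m.group(2)])).isoformat()

    return filters
```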
## Module Architecture
### WeaverScore Calculation
The WeaverScore algorithm combines multiple risk signals into a single 0-100 priority score, enabling teams to focus remediation effort where it matters most.
Scoring factors:
- CVSS / VPR -- base vulnerability severity from industry-standard scoring
- Asset criticality -- business impact of the affected asset (crown jewels vs. test systems)
- Exploit availability (EPSS) -- probability of exploitation in the wild within 30 days
- Vulnerability age -- how long the vulnerability has been open (older = higher urgency)
- Network exposure -- internet-facing assets score higher than internal-only or isolated systems
## API Surface
- /api/assets -- 3 endpoints for listing, filtering, and searching the synced asset inventory
- /api/vulnerabilities -- 7 endpoints for querying vulnerabilities with AI-powered natural-language filters and dynamic filter conditions
- /api/scan -- 143 endpoints covering scan CRUD, launch, scheduling, SLA policy management, ticketing, and webhook configuration
- /api/dashboard -- 30 endpoints for KPI aggregation, trend data, severity breakdowns, and widget templates
- /api/vfp -- 90 endpoints for work packages, risk scoring, team management, policy configuration, exception handling, and audit logging
## License Gating
All Exposure Management routes require the vulnerability_dashboard module in the tenant license. Scan management additionally requires the scanner_management module and the scanner_scan_management_enabled feature flag to be active.
## Data Flow
- Sync -- The Tenable sync service calls the Tenable.io export API and delivers asset and vulnerability data in chunks
- Normalize -- OS category rules classify hosts; severity mapping standardizes scores; deduplication prevents duplicates
- Aggregate -- The aggregation service (~2900 lines) computes KPIs, rolling trends, MTTR, risk distributions, and anomaly detection
- Present -- Dashboard API endpoints serve pre-computed metrics to the React frontend with caching support
- Remediate -- VFP groups findings into risk-ranked work packages with SLA-driven deadlines and ticket integration
## Limitations
- Tenable.io dependency -- All vulnerability and asset data originates from Tenable.io. Without a valid Tenable API connection, the module has no data source
- No agent-based scanning -- The module ingests scan results from Tenable; it does not run its own network vulnerability scans
- Sync latency -- Data freshness depends on sync frequency. Scheduled syncs introduce a delay between Tenable detecting a vulnerability and ThreatWeaver reflecting it
- WeaverScore is advisory -- The composite risk score is a prioritization aid, not a substitute for manual risk assessment in compliance-sensitive environments
- VFP requires manual team setup -- Work package assignment relies on teams being configured by an administrator; there is no automatic team inference
- No CVE enrichment beyond Tenable -- CVE details come from Tenable plugin data. External enrichment sources (NVD, CISA KEV) are not queried directly
## Related Entities
| Entity / Table | Description |
|---|---|
| Vulnerability | Individual vulnerability record synced from Tenable.io |
| Asset | Host record with OS, IP, agent status, and criticality metadata |
| SyncJob | Tracks sync operations with progress, timing, and error details |
| WorkPackage | VFP grouping of related vulnerabilities for team remediation |
| SlaPolicy | Defines remediation deadlines based on severity thresholds |
| TicketLink | Associates vulnerabilities with external tickets (Jira, ServiceNow) |
## Deep Dives
- Tenable Cloud Sync -- How the sync service pulls data from Tenable.io via the Export API
- WeaverScore Risk Scoring -- Detailed breakdown of the composite risk scoring algorithm
## Related Pages
- AppSec Scanner -- Application-layer penetration testing
- AI Labs -- AI-powered fix plans and executive summaries
- Admin -- System settings and user management