Exposure Management
The Exposure Management module is the core of ThreatWeaver. It syncs vulnerability and asset data from Tenable.io cloud APIs, normalizes it into a unified data model, and surfaces prioritized risk through the WeaverScore algorithm, trend analytics, and the Validated Fix Planner (VFP).
Key Capabilitiesβ
| Capability | Description |
|---|---|
| Asset Inventory | Syncs hosts from Tenable.io with filtering by agent status, license state, OS category (Windows Server, Workstation, Linux, Network), and last-seen date range. Supports text search across hostname, IP, and OS. |
| Vulnerability Tracking | Full lifecycle tracking (open, fixed, reopened, accepted) with AI-powered natural-language search. An AI parameter extractor parses queries like "critical unpatched vulnerabilities from last 30 days" into structured filters. |
| Tenable Cloud Sync | Chunk-based export API integration with progress tracking per chunk. Supports scheduled and on-demand sync with detailed sync logs. |
| WeaverScore | Composite 0--100 risk score blending CVSS base score, EPSS exploit probability, asset criticality, and environmental context. Powers priority-based remediation ordering (see scoring diagram below). |
| VFP Fix Planner | Groups related vulnerabilities into work packages, assigns teams, links to external tickets (Jira, ServiceNow), and tracks remediation against SLA-driven deadlines. 90 API endpoints. |
| Scan Management | Launches and monitors Tenable scans with rate limiting (10 launches/min, 20 creates/min per user), SLA policies, ticketing integration, and outbound webhook notifications. |
| Dashboard Analytics | 30 dashboard endpoints provide KPI cards, severity trends, MTTR tracking, risk distributions, and customizable widget configurations. |
Module Architectureβ
WeaverScore Calculationβ
The WeaverScore algorithm combines multiple risk signals into a single 0-100 priority score, enabling teams to focus remediation effort where it matters most.
Scoring factors:
- CVSS / VPR -- base vulnerability severity from industry-standard scoring
- Asset criticality -- business impact of the affected asset (crown jewels vs. test systems)
- Exploit availability (EPSS) -- probability of exploitation in the wild within 30 days
- Vulnerability age -- how long the vulnerability has been open (older = higher urgency)
- Network exposure -- internet-facing assets score higher than internal-only or isolated systems
API Surfaceβ
/api/assets-- 3 endpoints for listing, filtering, and searching the synced asset inventory/api/vulnerabilities-- 7 endpoints for querying vulnerabilities with AI-powered natural-language filters and dynamic filter conditions/api/scan-- 143 endpoints covering scan CRUD, launch, scheduling, SLA policy management, ticketing, and webhook configuration/api/dashboard-- 30 endpoints for KPI aggregation, trend data, severity breakdowns, and widget templates/api/vfp-- 90 endpoints for work packages, risk scoring, team management, policy configuration, exception handling, and audit logging
License Gatingβ
All Exposure Management routes require the vulnerability_dashboard module in the tenant license. Scan management additionally requires the scanner_management module and the scanner_scan_management_enabled feature flag to be active.
Data Flowβ
- Sync -- The Tenable sync service calls the Tenable.io export API and delivers asset and vulnerability data in chunks
- Normalize -- OS category rules classify hosts; severity mapping standardizes scores; deduplication prevents duplicates
- Aggregate -- The aggregation service (~2900 lines) computes KPIs, rolling trends, MTTR, risk distributions, and anomaly detection
- Present -- Dashboard API endpoints serve pre-computed metrics to the React frontend with caching support
- Remediate -- VFP groups findings into risk-ranked work packages with SLA-driven deadlines and ticket integration
Limitationsβ
- Tenable.io dependency -- All vulnerability and asset data originates from Tenable.io. Without a valid Tenable API connection, the module has no data source
- No agent-based scanning -- The module ingests scan results from Tenable; it does not run its own network vulnerability scans
- Sync latency -- Data freshness depends on sync frequency. Scheduled syncs introduce a delay between Tenable detecting a vulnerability and ThreatWeaver reflecting it
- WeaverScore is advisory -- The composite risk score is a prioritization aid, not a substitute for manual risk assessment in compliance-sensitive environments
- VFP requires manual team setup -- Work package assignment relies on teams being configured by an administrator; there is no automatic team inference
- No CVE enrichment beyond Tenable -- CVE details come from Tenable plugin data. External enrichment sources (NVD, CISA KEV) are not queried directly
Related Entitiesβ
| Entity / Table | Description |
|---|---|
Vulnerability | Individual vulnerability record synced from Tenable.io |
Asset | Host record with OS, IP, agent status, and criticality metadata |
SyncJob | Tracks sync operations with progress, timing, and error details |
WorkPackage | VFP grouping of related vulnerabilities for team remediation |
SlaPolicy | Defines remediation deadlines based on severity thresholds |
TicketLink | Associates vulnerabilities with external tickets (Jira, ServiceNow) |
Deep Divesβ
- Tenable Cloud Sync -- How the sync service pulls data from Tenable.io via the Export API
- WeaverScore Risk Scoring -- Detailed breakdown of the composite risk scoring algorithm
Related Pagesβ
- Admin -- System settings and user management
Coming in future releases
AppSec Scanner and AI Labs are under active development. Switch to the Dev or Local version of this KB to see their documentation.