The Vulnerability & Risk Exposure Report provides a comprehensive summary of vulnerability exposure across all of your managed sites. It is designed to help you understand your overall risk posture, identify the highest-priority remediation targets, and have informed conversations with your clients about the risks they face.
The report is generated from the Monitor > Vulnerabilities > Vulnerability Insights page in OneView. Individual reports per site are also available on that page with similar details. The report is broken down into the following sections.
Your risk environment
This section opens the report with a plain-language summary of findings across your managed environment. It calls out two key figures upfront:
- The number of endpoints running software with known, actively exploited vulnerabilities
- The number of endpoints matching configurations tied to active ransomware campaigns
It also surfaces the percentage of assessed devices missing critical operating system (OS) patches, flagging this as the most common entry point for the attack vectors identified throughout the report.
Risk Level table
Below the summary text is a Risk Level table that provides a quick snapshot of the five most critical metrics across your environment:
| Metric | What it shows |
|---|---|
| Total Active Vulnerabilities | The total number of vulnerabilities currently detected across all endpoints, with the number of affected endpoints shown below. |
| Critical CVEs | The number of vulnerabilities rated Critical severity, with the number of affected endpoints shown below. |
| Critical OS Patches | The number of critical operating system patches missing across your environment, with the number of affected endpoints shown below. |
| CISA Known Exploited | The number of vulnerabilities that appear on the Cybersecurity and Infrastructure Security Agency (CISA)'s Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities are actively being exploited by threat actors in the wild. |
| Ransomware Risks | The number of vulnerabilities specifically linked to ransomware campaigns, with the number of affected endpoints shown below. |
The card also displays an overall Risk Level label based on the combined findings.
Risk landscape
This section provides a deeper breakdown of what was found and where the greatest concentration of risk sits.
It opens with the total number of endpoints and managed sites assessed, followed by an overall risk profile and the percentage of detections that are Critical or High severity.
Below that is a color-coded bar chart that shows how vulnerabilities are distributed across severity levels. This gives a fast visual sense of how much of your exposure is urgent versus lower priority.
Critical Software
A table lists the applications with CISA Known Exploited Vulnerabilities that account for the highest concentration of exploitable risk across your managed endpoints. For each application, the table shows:
| Column | Description |
|---|---|
| Application | The name of the vulnerable application. |
| Endpoints | The number of endpoints where this application is installed. |
| Critical CVEs | The number of Critical-severity CVEs affecting this application. |
| Attack Vector | The method by which the vulnerability can be exploited (for example, network, local). |
| Attack Complexity | The conditions beyond the attacker's control that must exist for the vulnerability to be exploited |
| Privileges Required | The level of privileges an attacker must have before successfully exploiting the vulnerability. |
| User Interaction | Whether exploitation requires a user other than the attacker to take some action. |
Why this exposure creates business risk
This section explains the real-world consequences of leaving the identified vulnerabilities unaddressed — particularly the CISA Known Exploited Vulnerabilities. It focuses on three areas: insurance, regulatory, and legal exposure.
Compliance framework table
A table maps the current vulnerability findings to common compliance and regulatory frameworks, showing where gaps exist:
| Column | Description |
|---|---|
| Framework | The compliance framework or requirement (HIPAA, PCI-DSS 4.0, SOC 2, Cyber Insurance). |
| Requirement | The specific patching or remediation obligation under that framework. |
| Your Status | The current state relative to that requirement. |
Your highest risk clients
This section is only available on the aggregated report. It identifies the specific sites within your managed environment that are classified as Critical or High Risk Exposure.
A table lists each high-risk site with the following columns:
| Column | Description |
|---|---|
| Site | The name of the managed site. |
| Critical CVEs | The number of Critical-severity CVEs detected at that site. |
| CISA KEVs | The number of CISA Known Exploited Vulnerabilities detected at that site. |
| Critical OS Patches | The number of critical OS patches missing at that site. |
| Ransomware | The number of vulnerabilities linked to ransomware campaigns at that site. |
| Endpoints | The total number of endpoints at that site. |