
Phoenix Security FAQ


Key Concepts & Terminology

What are tickets?
Tickets are used to track remediation workflow. Once a ticket is created for a vulnerability, it is automatically added to any workflow account linked to the applications/environments associated with that vulnerability.
What are vulnerabilities?
In cybersecurity, a vulnerability is a weakness that can be exploited by cybercriminals to gain unauthorised access to a computer system. Every organisation has multiple security measures that keep intruders out and important data in. We can think of such security measures as the fence that surrounds your yard. Vulnerabilities are cracks and openings in this fence. After exploiting a vulnerability, an attacker can run malicious code, install malware and even steal sensitive data.

According to the CWE/SANS Top 25 list, there are three main types of security vulnerabilities:
– Faulty defences
– Poor resource management
– Insecure connection between elements
What are web vulnerabilities?
A website vulnerability is a weakness or misconfiguration in a website or web application code that allows an attacker to gain some level of control of the site, and possibly the host server. Most vulnerabilities are exploited through automated means, such as vulnerability scanners and botnets. The most common website security vulnerabilities include SQL Injection, Cross-Site Scripting (XSS), Broken Authentication & Session Management, Insecure Direct Object References, Security Misconfiguration and Cross-Site Request Forgery (CSRF).
What are high, medium and low vulnerabilities?
CVSS is an industry-standard vulnerability metric. You can learn more about this at FIRST.org.
Critical: vulnerabilities that score in the critical range usually allow root-level compromise of servers or infrastructure devices and are easy to exploit.
High: vulnerabilities that are difficult to exploit but could result in elevated privileges or significant data loss or downtime.
Medium: vulnerabilities that require the attacker to manipulate individual victims via social engineering, are harder to set up, or may result only in limited access.
Low: vulnerabilities with very little impact on an organisation’s business; exploitation usually requires local or physical system access.
What is an Asset?
An asset is the thing that contains the vulnerability. That could be infrastructure like a VM, a piece of code like a repo or file, a build artifact, a cloud service, or a container image. Assets are what we’re protecting — and findings are how vulnerabilities show up on them.
What is a Finding?
A finding is how a vulnerability shows up in a specific place. Think of a finding as the instance of a vulnerability — where it actually exists in your environment. That might be a specific line of code, a library, a container image, a running service, or even a cloud asset. One vulnerability can have many findings across different systems. And depending on where a finding is — and how exposed it is — the risk level can change significantly.
What is SAST?
Static application security testing (SAST) is a testing methodology that analyses source code to find security vulnerabilities that make the organisation’s applications susceptible to attack. SAST scans an application before the code is compiled. It’s also known as white box testing.
What is SCA?
SCA (Software Composition Analysis) describes an automated process to identify open-source components in a codebase. Once a component is identified, it becomes possible to map that component to known security disclosures and determine whether multiple versions are present within an application. SCA also helps identify whether the age of the component might present maintenance issues. While not strictly a security consideration, SCA also facilitates legal compliance related to those open source components.
What does ‘risk threshold’, ‘risk appetite’, or ‘risk tolerance’ mean?
The term Risk Appetite (also called Risk Tolerance or Risk Threshold) refers to the organisational threshold: the minimum value the global risk level needs to reach for the overall risk level of your organisation to be raised to critical.
What is the total risk magnitude and relative risk magnitude?
The total risk magnitude is the compounded risk of all findings within your organisation (i.e., the sum of the risk values of every finding). For a team, the risk magnitude is the sum of the risk of all findings assigned to that team. The relative risk magnitude is the risk magnitude divided by the number of assets within your organisation or team. This allows you to compare which teams carry the highest total risk and which have the highest risk per asset (i.e., concentration), so you can focus your effort appropriately.
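The two magnitudes defined above, computed over a constructed set of findings as an added example (not Phoenix Security's own code); the team with the highest total risk is not the one with the highest risk per asset, which is exactly the distinction the two metrics are meant to expose. Assets with no findings are absent from the sample, so the asset count here is the number of distinct assets that carry findings.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample findings: (team, asset, risk value of the finding).
FINDINGS = [
    ("payments", "pay-api-01", 9.0), ("payments", "pay-api-01", 8.5),
    ("payments", "pay-db-01", 7.0), ("payments", "pay-web-01", 6.0),
    ("payments", "pay-batch-01", 3.0), ("payments", "pay-cache-01", 2.0),
    ("identity", "idp-01", 9.5), ("identity", "idp-01", 9.0),
]

def team_magnitudes(findings) -> Dict[str, Tuple[float, int, float]]:
    """Per team: (total risk magnitude, asset count, relative risk magnitude).

    total    = sum of the risk values of the team's findings
    relative = total / number of the team's assets (here: distinct assets seen)
    """
    total = defaultdict(float)
    assets = defaultdict(set)
    for team, asset, risk in findings:
        total[team] += risk
        assets[team].add(asset)
    return {t: (total[t], len(assets[t]), total[t] / len(assets[t])) for t in total}

def organisation_magnitude(findings) -> Tuple[float, int, float]:
    """Organisation-wide total and relative risk magnitude over all findings."""
    total = sum(risk for _, _, risk in findings)
    assets = {asset for _, asset, _ in findings}
    return total, len(assets), total / len(assets)

def rank_by_total(metrics) -> List[str]:
    """Teams ordered by total risk magnitude, highest first."""
    return sorted(metrics, key=lambda t: metrics[t][0], reverse=True)

def rank_by_relative(metrics) -> List[str]:
    """Teams ordered by relative risk magnitude (concentration), highest first."""
    return sorted(metrics, key=lambda t: metrics[t][2], reverse=True)

if __name__ == "__main__":
    m = team_magnitudes(FINDINGS)
    for team, (total, n_assets, relative) in m.items():
        print(f"{team:9s} total={total:5.1f} assets={n_assets} relative={relative:5.2f}")
    print("by total:   ", rank_by_total(m))
    print("by relative:", rank_by_relative(m))
```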
What is the difference between Baseline and Update Imports?
Baseline Imports and Updates are both types of Full reports.
– Update – This method will leave unchanged those vulnerabilities in the file that were already imported, add any new ones present in the file, and delete any previously imported vulnerabilities that are not part of the new import.
– Baseline Import – This method removes any vulnerabilities previously imported for this Assessment before uploading the new file. Only use this method if you wish to discard all vulnerabilities in this Assessment or if it is the first upload under this Assessment.
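The practical difference between the two import methods is what survives on a vulnerability that appears in both the old and the new file. The following added example (not Phoenix Security's code; the record fields and report layout are hypothetical) models both methods over a constructed pair of reports: an Update keeps the existing record, and with it the ticket linked during triage, while a Baseline Import discards it and re-creates the vulnerability as a fresh record.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable

@dataclass
class ImportedVuln:
    """A vulnerability record held under an Assessment (hypothetical fields)."""
    vuln_id: str            # stable identifier taken from the scanner export
    title: str
    first_seen_import: int  # sequence number of the import that first brought it in
    ticket: str = ""        # workflow ticket linked after triage

@dataclass
class Assessment:
    vulns: Dict[str, ImportedVuln] = field(default_factory=dict)
    import_seq: int = 0

def update_import(a: Assessment, report: Iterable[dict]) -> dict:
    """Update: keep records already imported, add new ones, delete those absent from the file."""
    a.import_seq += 1
    incoming = {r["id"]: r for r in report}
    kept = set(a.vulns) & set(incoming)
    added = set(incoming) - set(a.vulns)
    removed = set(a.vulns) - set(incoming)
    for vid in removed:
        del a.vulns[vid]
    for vid in added:
        a.vulns[vid] = ImportedVuln(vid, incoming[vid]["title"], a.import_seq)
    return {"kept": len(kept), "added": len(added), "removed": len(removed)}

def baseline_import(a: Assessment, report: Iterable[dict]) -> dict:
    """Baseline: discard everything previously imported, then load the file from scratch."""
    removed = len(a.vulns)
    a.vulns.clear()
    a.import_seq += 1
    for r in report:
        a.vulns[r["id"]] = ImportedVuln(r["id"], r["title"], a.import_seq)
    return {"kept": 0, "added": len(a.vulns), "removed": removed}

def demo():
    """Run both methods on the same two constructed reports and return what differs."""
    first = [{"id": "V-1", "title": "Outdated TLS"}, {"id": "V-2", "title": "Open storage bucket"}]
    second = [{"id": "V-2", "title": "Open storage bucket"}, {"id": "V-3", "title": "Missing CSP"}]
    upd, base = Assessment(), Assessment()
    for a in (upd, base):
        update_import(a, first)          # initial load of the Assessment
        a.vulns["V-2"].ticket = "TCK-42"  # triage happened between the two imports
    u_counts = update_import(upd, second)
    b_counts = baseline_import(base, second)
    return u_counts, b_counts, upd.vulns["V-2"], base.vulns["V-2"]
```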
What is the difference between Accountable and Responsible users?
Accountable users (usually security leaders) assigned to Applications/Environments will receive reports and alerts relating to the Application/Environment they are assigned to. The Responsible user feature is usually used by smaller organisations to link Apps/Environments to teams. For bigger Organisations automatic asset linking is best done via Tags.

Risk Model, Calculation & Prioritisation

What is the risk formula?
Risk is commonly defined with the following formula: threat x vulnerability x impact.
To better understand the risk formula and how it applies to cybersecurity risk, we must first break down its component parts.

Threat
There are many threat actors out there, including nation states, criminal syndicates and enterprises, hacktivists, insiders, and lone wolf actors. These threat actors play on a variety of motivations, including financial gain, political statements, corporate or government espionage, and military advantage.

Vulnerability
Threat actors are able to launch cyber attacks through the exploitation of vulnerabilities. In cybersecurity, these vulnerabilities are fixed with a process, procedure, or technology.
For example, an employee may choose to exploit their familiarity with internal processes, procedures, or technology, such as their knowledge of the following:
– Everyone in their company uses the password “12345”
– User names consist of an employee’s first and last name
– Their organisation is very lax on additional security controls like multifactor authentication
Failures in both process and technology could then be exploited by said insider. And of course, there are also a number of vulnerabilities in both hardware and software that can be exploited from the outside, such as unpatched software, unsecured access points, misconfigured systems, and so on.

Consequence/Impact
The consequence is the harm caused to an exploited organization by a cyberattack — from loss of sensitive data, to a disruption in a corporate network, to physical electronic damage. Consequences from a cybersecurity incident not only affect the machine or data that was breached, but also affect the company’s customer base, reputation, financial standing, and regulatory good-standing. These can be considered direct and indirect costs.
What value does Phoenix Security’s “Act On Risk” calculation deliver?
The “Act On Risk” feature provides contextual, real-time risk scoring across assets and vulnerabilities. It enables organisations to prioritise security activities by combining data such as threat intelligence, asset exposure, business criticality and vulnerability context — giving actionable risk scores rather than just raw vulnerability counts.
Which contextual factors does Phoenix Security use in its risk model?
The risk model incorporates multiple dimensions including:
– Locality: whether the asset is exposed externally or resides internally.
– Impact (Criticality): how important the asset or service is to the business operation.
– Density: the concentration of vulnerabilities on an asset or within a group of assets, to avoid diluting true risk when aggregating.
– Threat intelligence & exploit probability: data from the clear and dark web, EPSS and other sources to assess likelihood of exploitation.
Is threat intel incorporated into risk calculation?
Factors such as locality and probability of exploitation (PoE) are considered in the risk calculation. The formula used to calculate risk can be edited by changing the weighting between three different factors: Impact, Locality and PoE. This is done in the configuration page (Settings > Organisation > Configuration > Risk Configuration > Show Advanced Findings Configuration). Note: the findings displayed in this section are fictional and exist solely to illustrate the effects of changes to the risk formula.
How are the application and environment values calculated?
Phoenix Security allows you to specify your annualised value and divide it by the number of business applications that you run or specify the value an application generates annually.
How do I calculate the amount of damage an attacker could cause me?
Phoenix Security does that for you. We apply FAIR principles to derive the direct damage (the damage you could incur today if an attack brings down your application or renders it unavailable) and the indirect damage (the remaining value of the application plus the financial damage derived from brand damage, the cost of records sold on the dark web, and financial damage derived from fines, e.g. under GDPR).
Can Phoenix Security’s risk calculation span applications, infrastructure and cloud assets?
Yes — the “Act On Risk” model is designed to cover a full attack surface including application (AppSec), infrastructure (InfraSec) and cloud posture (CSPM/ASPM). It uses deployment, runtime and environment metadata to map vulnerabilities across code-to-cloud, and prioritises based on exposure and business context.
How does Phoenix Security’s risk-based prioritisation work?
The platform combines severity, exploitability, business impact, asset value, and custom organisational logic to identify the vulnerabilities that pose the highest risk.
Instead of dozens of “critical” findings, teams get a small, actionable list of what to fix first.

Configuration, Setup & Integrations

How do I configure the application?
Application configuration and scanner configuration are available at the separate knowledge-base link: https://www.kb.appsecphoenix.com
How do I set the threshold?
You will be able to place a threshold in the dashboard. As you interact with the visual data, you will be given an option to set your threshold in each of the graphs (such as in the risk-progression line graph etc.). With your newly appointed threshold, you will be able to see if your application falls above or below that threshold, as well as identifying where the problem areas are that are keeping that application above the threshold.
What does ‘override the threshold’ mean?
As you place your initial threshold and view the progression of the application’s risk over time, you will be able to adjust (override) the previous threshold to reflect any new changes in the company, for example if the industry threshold is now lower.
How do I calculate how many assets I have?
The Phoenix Security team can help you calculate the assets required with a free, unlimited asset assessment. By the end of the assessment, you’ll know how many assets you require.
How does Phoenix Security integrate scanners?
Scanners are used in cybersecurity to detect vulnerable versions of a system’s software that are at risk of being exploited by attackers. Phoenix Security integrates a wide range of scanners such as Acunetix, Dome9/CloudGuard, Fortify Scanner, Netsparker and SNYK, just to name a few. These scanners cover every area of the system, such as web-facing application risk, software composition, code vulnerabilities, cloud vulnerabilities, dark web exposure, and 3rd-party supply chain vulnerabilities. The integrated scanners give an accurate picture of a company’s risk and, using that knowledge, help drive the steps needed to fix the vulnerabilities.

Compliance & Data Handling

Does Phoenix Security help with compliance requirements such as NIS2, DORA, ISO, or NIST?
Yes. Phoenix Security helps organisations align with major regulatory and security frameworks by:
– Providing risk scoring
– Mapping assets to business functions
– Tracking remediation SLAs and due dates
– Offering audit-ready reports
What data does Phoenix Security process?
Phoenix Security connects to your security scanners to retrieve vulnerability data.
Phoenix Security enriches the data with threat intel and locality and offers a single asset register across cloud, container, software, infrastructure and applications.
Phoenix Security also offers scanning packages for web, API, SCA and cloud.
Phoenix Security looks at every area of the system, such as web-facing application risk, software composition, code vulnerabilities, cloud vulnerabilities, dark web exposure, and 3rd-party supply chain vulnerabilities.
Can I access or view Phoenix Security customer data during research?
No. Accessing, modifying, or disclosing Phoenix Security or customer data is strictly prohibited. All research must be ethical, legal, and non-intrusive.

Updated on January 22, 2026
