View analytics for orgs, groups and portfolios | Fluid Attacks Help

View analytics common to orgs, groups and portfolios

Role required: User, Vulnerability Manager or User Manager
Fluid Attacks' platform offers charts and figures related to the status of vulnerabilities and your remediation practices. The kinds described below are shared across the Analytics sections at the organization, group, and portfolio levels.
Hover over charts and figures to see available options.

Exposure management over time

See exposure management over time on the Fluid Attacks platform

This chart presents the history of reported risk exposure (in CVSSF units), along with that of your actions addressing it. As this risk exposure is caused by the detected software vulnerabilities, the status of the latter, be it closed (remediated) or accepted, is by extension the status of risk exposure. With the help of this chart, you can identify gaps between known risk and managed risk.

You can interact with the chart as follows:
  1. Hover over a data point to see the exact values
  2. Hover over a chart legend to highlight the corresponding line
  3. Click on a chart legend to hide the corresponding information from the visual comparison
This chart has multiple filters accessible through the filter icon:
  • Exposure: Default view
  • Vulns: See the number of vulnerabilities instead of risk exposure units
  • 30: See data of the last 30 days
  • 90: See data of the last 90 days
  • All: See data since the creation of the organization

Sprint exposure increment

See sprint exposure increment on the Fluid Attacks platform

This figure is the percentage increase in risk exposure in the current sprint (i.e., the newly reported exposure value relative to the initial exposure value). The value is zero when no vulnerability has been reported in the period.

Sprint exposure decrement

See sprint exposure decrement on the Fluid Attacks platform

This figure is the percentage decrease in risk exposure in the current sprint (i.e., the newly remediated exposure value relative to the initial exposure value). The value is zero when no vulnerability has been remediated in the period.

Sprint exposure change overall

See sprint exposure change overall on the Fluid Attacks platform

This figure is the resulting percentage change in risk exposure in the current sprint (i.e., the exposure decrement minus the exposure increment). A positive value means that more exposure was reported than remediated. A negative value means that more exposure was remediated than reported. A zero value means that as much exposure was remediated as reported.

Exposure management over time (%)

See exposure management over time percentage on the Fluid Attacks platform

This chart shows how you have dealt with risk exposure (in CVSSF units) over time, according to the statuses of the vulnerabilities that cause it. Open vulnerabilities are those still present and unaccepted, whereas closed ones are those remediated. The information in this chart allows you to visualize the trends in your vulnerability management efforts, helping you identify areas where you are making progress and those that require more attention.

You can interact with the chart as follows:
  1. Hover over a bar to see the complete percentage information
  2. Hover over a chart legend to highlight the corresponding portion in the chart
  3. Click on a chart legend to hide the corresponding information from the visual comparison
This chart has a filter accessible through the filter icon:
  • Exposure: Default view
  • Vulns: See the percentages for number of vulnerabilities instead of risk exposure units

Exposure benchmark

See exposure benchmark on the Fluid Attacks platform

This chart shows your risk exposure level (CVSSF) and allows you to compare it with that of other organizations, groups, or portfolios. Specifically, you can see how the best-performing and worst-performing ones at risk management are doing, as well as the average number of CVSSF units. This benchmarking enables you to gauge your performance relative to your peers and ultimately set goals for reducing your risk exposure.

Note: The benchmark for organizations excludes the ones with low activity (fewer than 100 reattacks on vulnerabilities within their groups) to ensure a fair comparison.

Exposure Trends Categories

This chart shows you how risk exposure (in CVSSF units) has changed over time across the nine categories that group the types of vulnerabilities in Fluid Attacks' classification. This information gives you an overview of the kinds of issues related to changes in your risk exposure.

Hover over a bar to see the precise value.
Notes:
  1. Types of vulnerabilities are categories into which detected security issues most likely fall. The chart shows a categorization at a higher level.
  2. This chart uses a logarithmic scale to effectively display exponential differences in a compact format.
You can switch to the timeframe you need by clicking on the filter icon and then on a suitable option (30, 60, 90 or 180 days).

Days since last remediation

This figure is the number of days since a code fix successfully remediated a vulnerability. This information may provide insight into the promptness with which your team addresses security issues.

Mean time to request reattacks

This figure is the average number of days it takes your team to request a reattack, i.e., a retest to verify the effectiveness of code fixes, after the vulnerability in question is reported. This information can serve as one factor to assess the responsiveness of your team to security issue reports.

Vulnerabilities being re-attacked

This figure is the number of vulnerabilities for which a reattack has currently been requested and a response by Fluid Attacks is in the works. This may be one factor to assess your team's productivity.

Days until zero exposure

This figure is an estimated timeframe to remediate all vulnerabilities reported to date. This information may help you set goals for your remediation efforts.

Mean time to remediate (MTTR) benchmark

See mean remediation time benchmark on the Fluid Attacks platform

This chart displays the average number of days it takes your team to remediate a vulnerability weighted by risk exposure as measured using the CVSSF metric. Further, it allows comparing your performance against that of the best and worst performing organizations, groups or portfolios, as well as against the average value. This benchmark helps you to evaluate the efficiency of your remediation process compared to your peers and set goals.

This chart has multiple filters accessible through the filter icon:
  1. All: Default view (all vulnerabilities are included)
  2. Non treated: See only data for vulnerabilities whose Status was set to Safe as they were Untreated
  3. 30: See data of the last 30 days
  4. 90: See data of the last 90 days
  5. All: See data since the creation of the organization

Mean time to remediate (MTTR) by CVSS severity

See mean remediation time by CVSS on the Fluid Attacks platform

This chart shows the average time to remediate vulnerabilities weighted by risk exposure, differentiating by the qualitative severity rating. The qualitative rating groups CVSS scores as follows: Low = 0.1 - 3.9; medium = 4.0 - 6.9; high = 7.0 - 8.9; critical = 9.0 - 10.0. The information in this chart helps you understand how the severity of vulnerabilities impacts your remediation time.

This chart has multiple filters accessible through the filter icon:
  • Days per exposure: Default view
  • Days: See the unweighted mean time to remediate vulnerabilities
  • Non treated (CVSSF): See only data of remediation of risk exposure related to vulnerabilities whose Status was set to Safe as they were Untreated
  • Non treated days: See only data for vulnerabilities whose Status was set to Safe as they were Untreated
  • 30: See data of the last 30 days
  • 90: See data of the last 90 days
  • All: See data since the creation of the organization
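
The difference between the Days per exposure and Days views, as an added example that is not Fluid Attacks' code. The field names, the sample records and the weighting formula sum(days × CVSSF) / sum(CVSSF) are assumptions; the page does not state the platform's exact computation.

```python
from collections import defaultdict

# Qualitative CVSS rating bands as listed in this section.
BANDS = [(0.1, 3.9, "low"), (4.0, 6.9, "medium"),
         (7.0, 8.9, "high"), (9.0, 10.0, "critical")]


def severity(cvss):
    """Map a CVSS score (one decimal place) to its qualitative rating."""
    score = round(cvss, 1)
    for low, high, label in BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"CVSS score outside 0.1-10.0: {cvss}")


def mttr_by_severity(vulns):
    """Return {rating: (exposure_weighted_days, unweighted_days)}.

    Assumed record fields (hypothetical): cvss, cvssf and
    days_to_remediate, where None means not remediated yet.
    """
    groups = defaultdict(list)
    for vuln in vulns:
        if vuln["days_to_remediate"] is None:
            continue  # open vulnerabilities have no remediation time
        groups[severity(vuln["cvss"])].append(vuln)

    result = {}
    for label, items in groups.items():
        plain = sum(v["days_to_remediate"] for v in items) / len(items)
        exposure = sum(v["cvssf"] for v in items)
        # Assumed weighting: each vulnerability counts in proportion to
        # the exposure (CVSSF units) it represents.
        weighted = (sum(v["days_to_remediate"] * v["cvssf"] for v in items)
                    / exposure) if exposure else plain
        result[label] = (round(weighted, 1), round(plain, 1))
    return result


# Constructed sample data, not taken from any real report.
SAMPLE = [
    {"cvss": 9.8, "cvssf": 3000.0, "days_to_remediate": 5},
    {"cvss": 9.0, "cvssf": 1000.0, "days_to_remediate": 45},
    {"cvss": 7.5, "cvssf": 128.0, "days_to_remediate": 10},
    {"cvss": 7.0, "cvssf": 64.0, "days_to_remediate": 40},
    {"cvss": 5.3, "cvssf": 6.0, "days_to_remediate": None},
    {"cvss": 3.1, "cvssf": 0.3, "days_to_remediate": 90},
]

if __name__ == "__main__":
    for rating, (weighted, plain) in mttr_by_severity(SAMPLE).items():
        print(f"{rating:8} weighted={weighted} days  unweighted={plain} days")
```

In the sample, both critical and high average 25 days unweighted, but the weighted values drop to 15 and 20 days because the findings carrying the most exposure were fixed fastest.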

Accepted vulnerabilities by CVSS severity

See accepted vulnerabilities by CVSS on the Fluid Attacks platform

This chart displays the shares of accepted versus open vulnerabilities, categorized by qualitative severity rating (low, medium, high, and critical). Open vulnerabilities are those that have been neither remediated nor accepted. This information helps you understand the risks you have chosen to accept.

You can interact with the chart as follows:
  1. Hover over a bar to see the complete percentage information
  2. Hover over a chart legend to highlight the corresponding portion in the chart
  3. Click on a chart legend to hide the corresponding information from the visual comparison

Vulnerabilities by assignment

See vulnerabilities by assignment on the Fluid Attacks platform

This chart shows the percentage of vulnerabilities not yet remediated that have been assigned to your team members for fixing versus those still unassigned. This chart provides a quick overview of your vulnerability assignment.

You can interact with the chart as follows:
  1. Hover over a slice to see it highlighted along with the name of the assignment status and corresponding percentage
  2. Hover over a chart legend to highlight the corresponding slice
  3. Click on a chart legend to exclude the corresponding status from the percentage calculation

Status of assigned vulnerabilities

See status of assigned vulnerabilities on the Fluid Attacks platform

This figure presents, of all vulnerabilities that were assigned for remediation, what percentage is open (pending to be fixed) and what percentage is closed (already fixed). This information allows you to track the progress of your team in addressing assigned vulnerabilities.

You can interact with the chart as follows:
  1. Hover over a slice to see it highlighted along with the name of the vulnerability status and corresponding percentage
  2. Hover over a chart legend to highlight the corresponding slice
  3. Click on a chart legend to exclude the corresponding status from the percentage calculation

Exposure by type

See exposure by type on the Fluid Attacks platform

This chart shows the detected types of vulnerabilities that represent the most risk exposure (measured in CVSSF units). This information helps you identify the security issues in your systems whose remediation you may need to prioritize.

Hover over a bar to see the precise CVSSF units.
This chart has multiple filters accessible through the filter icon:
  • Exposure: Default view
  • Vulns: See ranking in number of vulnerabilities instead of risk exposure
  • Code: See ranking in risk exposure caused only by vulnerabilities found in source code
  • Infra: See ranking in risk exposure caused only by vulnerabilities found in infrastructure
  • App: See ranking in risk exposure caused only by vulnerabilities found in the running application

Vulnerabilities treatment

See vulnerabilities treatment on the Fluid Attacks platform

This chart displays the distribution of detected vulnerabilities still present in your systems by their current treatment:

  1. Permanently accepted: Vulnerabilities you do not intend to fix, accepting the risks permanently (you can, nonetheless, fix them at any given moment without the platform causing any complication)
  2. Temporarily accepted: Vulnerabilities you intend to fix later, accepting the risks until a specific date
  3. In progress: Acknowledged vulnerabilities assigned to one of your team members for remediation
  4. Untreated: Newly reported vulnerabilities awaiting treatment assignment
This information helps you to analyze your risk acceptance strategy.

You can interact with the chart as follows:
  1. Hover over a slice to see it highlighted along with the name of the treatment status and corresponding percentage
  2. Hover over a chart legend to highlight the corresponding slice
  3. Click on a chart legend to exclude the corresponding status from the percentage calculation

Report technique

See report technique on the Fluid Attacks platform

This chart shows the percentage breakdown of all reported vulnerabilities based on the security testing technique used to detect them. This information provides insights into the kinds of issues more frequently present in your system. The techniques are the following:

  1. MPT: Dynamic analysis done manually
  2. SCR: Static code analysis done manually
  3. SAST: Automated static code analysis
  4. DAST: Automated dynamic analysis
  5. SCA: Automated analysis of third-party dependencies
  6. RE: Reverse engineering of your system done manually
  7. CSPM: Automated analysis of cloud environments
You can interact with the chart as follows:
  1. Hover over a slice to see it highlighted along with the technique's name and corresponding percentage
  2. Hover over a chart legend to highlight the corresponding slice
  3. Click on a chart legend to exclude the corresponding technique from the percentage calculation

Active resources distribution

See active resources distribution on the Fluid Attacks platform

This chart illustrates the composition of your assets under assessment, contrasting the share represented by source code repositories with the share comprised of URLs or IPs linked to those repositories. This information might be useful for characterizing the scope of evaluation.

You can interact with the chart as follows:
  1. Hover over a slice to see it highlighted along with the resource's category and corresponding percentage
  2. Hover over a chart legend to highlight the corresponding slice
  3. Click on a chart legend to exclude the corresponding category from the percentage calculation

Total types

See total vulnerability types on the Fluid Attacks platform

This figure is the number of types of vulnerabilities reported to you out of all the types recognized by Fluid Attacks' categorization. These categories are the ones into which security issues found in your system most likely fall.

Total vulnerabilities

This figure is the total number of reported security issues with a specific location within your system. This information may be of help to justify the need for additional security investments.

Total exclusions

Exclusions are vulnerabilities deliberately omitted by you. This figure shows the total number of exclusions your group has.

Exclusions by root

These are all your exclusions categorized by root.

Vulnerabilities by tag

See vulnerabilities by tag on the Fluid Attacks platform

This chart shows the number of vulnerabilities for each of the tags your team has categorized them into when assigning a treatment. This information allows you to analyze the security issues in your software using categories that are especially significant for your team.

Hover over a bar to see the precise number of vulnerabilities.

Vulnerabilities by level

See vulnerabilities by level on the Fluid Attacks platform

This chart shows the number of vulnerabilities for each of the priority values your team has given them when assigning a treatment. This information might help your team to understand its vulnerability prioritization strategy.

Accepted vulnerabilities by user

See accepted vulnerabilities by user on the Fluid Attacks platform

This chart shows you the number of accepted vulnerabilities grouped by the user who assigned the treatment. This information provides details about accountability for this important vulnerability management decision.

You can interact with the chart as follows:
  1. Hover over a bar to see the complete count information
  2. Hover over a chart legend to highlight the corresponding portion in the chart
  3. Click on a chart legend to hide the corresponding information from the visual comparison

Exposure by assignee

See exposure by assignee on the Fluid Attacks platform

This chart shows how team members have managed the risk exposure (CVSSF) assigned to them, which is identified by the statuses of the vulnerabilities that cause that risk exposure. Open vulnerabilities are those still present and unaccepted, whereas closed ones are those remediated. The information in this chart provides details about accountability for vulnerability remediation.

You can interact with the chart as follows:
  1. Hover over a bar to see the complete percentage information
  2. Hover over a chart legend to highlight the corresponding portion in the chart
  3. Click on a chart legend to hide the corresponding information from the visual comparison
You can switch to the percentage corresponding to the number of vulnerabilities instead by selecting the Vulns filter, accessible through the filter icon.

Files with open vulnerabilities in the last 20 weeks

See files with vulnerabilities on the Fluid Attacks platform

This chart shows the paths of files with vulnerabilities from the last 20 weeks that have been neither remediated nor accepted yet, along with the total number of such vulnerabilities in each file. This information helps you pinpoint the files that should be prioritized in your remediation efforts.

Hover over a bar to see the precise number of vulnerabilities.