Menu Icon
< back to main
 • 4 min read

Adding clarity in the murky world of vulnerability risk

Cobalt will include two new severity levels to its findings: Critical and Informational

Adding clarity in the murky world of vulnerability risk
Mark Hamill
Mark Hamill

Mark is a Director of Product Management at Cobalt, and is a passionate advocate for people-centric design that focuses on experimentation and learning. When he isn't glued to a laptop, he is either drinking coffee, cooking on the BBQ, or strolling in a forest.

Want to see the platform in action?
get a demoArrow Right
Want to see the platform in action?
get a demoArrow Right

With a sea of information available to most modern security practitioners, actions need to be based on high quality data. Cobalt is on a mission to bring data to our customers that enables their programs and ultimately helps secure their assets.

Let’s start with some basics. At Cobalt, our expert pentesters work together to discover findings. These are the building blocks of a pentest, and gathering this data leverages the skills and experience of some really technical people to uncover items that are worth fixing in your network. These findings are then assessed and triaged to deliver a curated list to our customers — aka items which present a documented risk to the assets covered in the scope of the pentest. Once in a customer’s hands, these would be best described as vulnerabilities.

Until recently, we categorized findings using two foundational pieces of data (business impact and likelihood) into three criticality bands:

Old Criticality Bands

Over time, our understanding of criticality has evolved, and we’ve been paying attention to some heavyweights of the industry as they seek to help organizations understand not only the risks, but also their impact. One thing we pride ourselves in at Cobalt is humble learning and that we are always seeking to improve our awareness of customer needs.

While the High/Medium/Low scale offers simplicity and enables decision makers to take the necessary action to keep their assets safe, it lacks some of the granularity we have heard our users ask for time and time again, such as “Are there issues in the Low category I can safely ignore?” and “Are any of these issues worth waking up my CISO for?” With that in mind, we’ve moved to a model that also includes Critical and Informational as new severity levels.

“Wait, what? I thought we were talking about criticality?”

So yes; we were, but bear with us. Severity is the term best aligned with the frameworks and models for vulnerability management when classifying risk. We are working hard to adopt terminology that supports our customers, and decided this was an optimum time to align some of our key language with the security industry. Our platform will adopt this change from early November 2021, and wherever you saw Criticality, you will now see Severity.

Alongside the terminology, the vast majority of security aggregation tools follow this pattern of Severity and Critical/High/Medium/Low/Informational vulnerabilities. Aligning with this wider system enables teams to export data to 3rd party tools more easily, and offer maximum options for dividing up issues according to risk.

Now for the fun part. Let’s get to these new levels.

New Criticality Bands

The new Critical level is designed to sound the alarm bells — as in, this is the highest end of the high risk category. These are issues that are being exploited in the wild, and are an organization’s shortest route to hearing their name mentioned in the latest news and/or breach reports! Long story short, these are items you want to create an action plan for. These issues are why we do what we do, and why we leverage experts to help us secure the portfolio against a sea of attackers.

Phew. Still with us? Great. Let’s talk about Informational. These are the other end of the spectrum, and in some cases — won’t appear as a categorization for vulnerabilities. Why? Because they present no real risk. As the name suggests, they can be considered as pieces of information, rather than vulnerabilities. Are they worth knowing about? Yes. Are they worth logging and tracking to keep in line with positive security practices? Absolutely. Are they worth waking up your C-suite at 4am on a Tuesday? Only if you were already planning a change of career!

This change will roll out for all findings across the platform. Approximately 10% of findings will now fall into the Informational category, and 1% of findings will leap up into the Critical category.

Will this impact existing reports?

Yes, but we’ve given it some thought. And we are releasing a revert to High/Medium/Low toggle for any report so you can download it in the original context it was created. By default you will see the new severity levels, and as always we are keen to hear feedback on how this feature update works for you and for your security teams. Reach out to your Cobalt Customer Success Manager with your thoughts, or check out our latest product updates here.

Product Updates

Related Stories

Cobalt Platform Deep Dive: Customize Your Pentest Reports per Your Needs
Cobalt Platform Deep Dive: Customize Your Pentest Reports per Your Needs
Cobalt introduces more options to configure pentest reports and adjust their layout on a granular level.
Read moreArrow Right
Cobalt Launches Public API to Further Modernize Pentesting
Cobalt Launches Public API to Further Modernize Pentesting
Learn how our latest feature can give you more flexibility with your pentest data.
Read moreArrow Right
Cobalt Platform Deep Dive:  Scoping Pentests Based on Asset Size and Coverage
Cobalt Platform Deep Dive: Scoping Pentests Based on Asset Size and Coverage
Asset Scoping is a huge step towards enabling our customers to automatically calculate credits based on the size of the asset to be tested and the level of coverage needed for the test.
Read moreArrow Right
Bi-Directional Integration With Jira
Bi-Directional Integration With Jira
What is bi-directional integration? Click here to find how to sync between Jira tickets and Cobalt findings and save tremendous time.
Read moreArrow Right

Never miss a story

Stay updated about Cobalt news as it happens