Exposure detection and evidence certainty describes how conclusively evidence shows that a company is exposed to or has mitigated a vulnerability.
Evidence examples are non-exhaustive; they may not apply to or be available for all vulnerabilities in our catalog.
| Certainty | Exposure | Mitigation |
|---|---|---|
| Possible | The evidence generally indicates that the company in question is unprotected from a threat. Evidence example: relationship indicates a software provider in use. | The evidence generally indicates that the company in question is protected from a threat. Evidence example: non-vulnerable records found. |
| Likely | The evidence specifically indicates that the company in question is unprotected from a threat. Evidence example: specific software and an unverified version in use. | The evidence specifically indicates that the company in question is protected from a threat. Evidence example: long time since detection. |
| Confirmed | The evidence confirms that the company is unprotected from a threat. Evidence examples: | The evidence confirms that the company is protected from a threat. Evidence example: patching records found. |
Exposure Detection
Exposure detection indicates a company's current status with respect to exposure to a vulnerability. Use it to assess immediate risk and prioritize remediation efforts.
- Exposure: vulnerabilities were detected within the last 60 days and may actively be impacting the company. Slug name: currently or EXPOSED
- Mitigation: vulnerabilities were detected more than 60 days ago; there is evidence of mitigation, or there is no evidence of exposure in the past 60 days. Slug name: previously
Evidence Certainty
A measure of how certain we are about a company's detection status.
- Possible: the evidence generally indicates that the company in question is or is not protected from a threat. Slug name: POSSIBLE
- Likely: the evidence specifically indicates that the company in question is or is not protected from a threat. Slug name: LIKELY
- Confirmed: the evidence confirms that the company is or is not protected from a threat. Slug name: CONFIRMED
Vulnerability Certainty FAQ
Bitsight categorizes the likelihood that a CVE is present and unprotected within an organization’s environment into three distinct levels. These are based on the type and completeness of evidence gathered through non-intrusive, external scanning methods.
(That’s why the “Evidence available” data is key to understanding the level of certainty.)
Certainty = Possible is the lowest level of confidence that exists at Bitsight.
This level indicates that Bitsight has detected some relationship or usage of a product known to have CVEs, but cannot determine whether the specific vulnerability is present or exposed in the environment.
Evidence Characteristics:
- Bitsight has observed indicators such as a connection to a provider or technology known to be vulnerable.
- However, no technical details such as version numbers or configurations tied to the CVE are visible.
- There is no way to determine whether the product is configured or patched in a way that prevents exposure.
Examples of Evidence:
- Third-party relationship with a vendor using vulnerable software.
- Detection of a software name only, without specific version or deployment information.
Practical Example: Bitsight detects that Company A uses Product B, which has known vulnerabilities. However, no version or configuration data is available. Therefore, we cannot assess whether Company A is exposed to any specific CVE.
Findings/Rating:
- These CVEs only appear in the Vulnerability Detection tab.
- They do not appear in the Findings tab.
- They do not impact the company’s Risk Vector Grades or overall Rating.
Certainty = Likely
This level indicates that Bitsight has observed more specific technical evidence, such as product name and version details, that match known vulnerable versions. However, Bitsight cannot determine whether security mitigations are present that would prevent exploitation, as Bitsight does not conduct intrusive penetration tests.
Evidence Characteristics:
- Product and version are explicitly identified.
- The version aligns with those referenced in CVE disclosures.
- However, Bitsight is unable to evaluate internal controls (e.g., WAF, compensating controls, patched libraries behind proxies) due to the non-intrusive nature of scanning.
Examples of Evidence:
- Product + software name + version observed.
- That version is publicly known to be vulnerable.
Practical Example: Bitsight observes Company A is using Product B, version 3.2.1. This version is documented as affected by CVE-XXXX-YYYY. While Bitsight sees that version is in use, it cannot observe whether Company A has applied compensating controls that neutralize the CVE.
Findings/Rating:
- These CVEs only appear in the Vulnerability Detection tab.
- They do not appear in the Findings tab.
- They do not influence Risk Vector Grades or the Company Rating.
Certainty = Confirmed is the highest level of certainty of exposure to the CVE.
This level means that Bitsight has observed all necessary technical evidence to determine that the CVE is not only present but also unprotected or unmitigated in the company’s environment.
Evidence Characteristics:
- Product, software, and vulnerable version are identified.
- No evidence suggests the presence of mitigation (e.g., patching, protected configuration).
- The CVE cannot be avoided without applying a known patch or update.
Examples of Evidence:
- Vulnerable version confirmed as running.
- No observed controls or configuration changes that would neutralize the vulnerability.
- Default or misconfigured settings known to expose the CVE.
Practical Example: Bitsight observes that Company A is using Product B, version 2.0.0. CVE-XXXX-ZZZZ applies to this version, and there is no evidence that any patch, workaround, or compensating control has been applied. In this case, the CVE is considered Confirmed.
Findings/Rating:
- These CVEs appear in the Findings tab.
- They directly affect the company's Risk Vector Grades and overall Security Rating.
Q: What level of certainty is needed for a CVE to appear in the Findings tab?
Only CVEs with a certainty level of Confirmed appear in the Findings tab.
To qualify as a Finding, the following must be observed:
- A product or software associated with a known CVE is confirmed to be in use.
- The version observed matches a publicly disclosed vulnerable version.
- There is no observable evidence of any mitigation or protection in place.
Q: Why don’t all vulnerabilities from the Vulnerability Detection tab appear as Findings?
Because the Vulnerability Detection tab is designed to provide situational awareness, even when there is uncertainty or incomplete evidence:
- CVEs shown there may reflect early signals or partial detection.
- These entries help organizations triage potential risk and decide if further investigation is needed.
- However, until Bitsight sees sufficient evidence to determine that a vulnerability is truly exposed, it does not promote the detection to a Finding.
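The following is an added triage example, not code from Bitsight or this page: it applies the 60-day exposure rule, the POSSIBLE/LIKELY/CONFIRMED ordering and the "only Confirmed becomes a Finding" rule from the sections above to a constructed set of detection records. The record field names and the `Detection` class are assumptions for illustration; only the slug names come from the page.

```python
from dataclasses import dataclass
from datetime import date

# Slug names as documented on this page; field names below are assumptions.
EXPOSURE_SLUGS = {"currently", "EXPOSED"}   # exposure detection: exposed
MITIGATION_SLUG = "previously"              # exposure detection: mitigated
CERTAINTY_RANK = {"POSSIBLE": 1, "LIKELY": 2, "CONFIRMED": 3}
EXPOSURE_WINDOW_DAYS = 60

@dataclass
class Detection:
    cve: str                 # CVE identifier (constructed placeholders below)
    last_detected: date      # most recent observation of the vulnerability
    certainty: str           # POSSIBLE, LIKELY or CONFIRMED
    mitigation_evidence: bool = False   # e.g. patching records found

def exposure_slug(det: Detection, today: date) -> str:
    """60-day rule: detected within the window with no mitigation evidence
    is an exposure ('currently'); otherwise it is a mitigation ('previously')."""
    age_days = (today - det.last_detected).days
    if age_days <= EXPOSURE_WINDOW_DAYS and not det.mitigation_evidence:
        return "currently"
    return MITIGATION_SLUG

def is_finding(det: Detection) -> bool:
    """Only CONFIRMED certainty is promoted from Vulnerability Detection to Findings."""
    return det.certainty == "CONFIRMED"

def triage(dets, today):
    """Return (cve, exposure slug, certainty, is_finding) rows, currently exposed
    vulnerabilities first and higher certainty first within each group."""
    rows = [(d.cve, exposure_slug(d, today), d.certainty, is_finding(d)) for d in dets]
    rows.sort(key=lambda r: (r[1] not in EXPOSURE_SLUGS, -CERTAINTY_RANK[r[2]]))
    return rows

# Constructed sample records; the CVE ids are placeholders, not real entries.
TODAY = date(2025, 8, 7)
SAMPLE = [
    Detection("CVE-0000-0001", date(2025, 8, 1), "POSSIBLE"),
    Detection("CVE-0000-0002", date(2025, 3, 1), "CONFIRMED"),
    Detection("CVE-0000-0003", date(2025, 7, 20), "CONFIRMED"),
    Detection("CVE-0000-0004", date(2025, 7, 30), "LIKELY", mitigation_evidence=True),
]

if __name__ == "__main__":
    for cve, exposure, certainty, finding in triage(SAMPLE, TODAY):
        print(f"{cve}  {exposure:10} {certainty:10} finding={finding}")
```

Records with mitigation evidence drop to "previously" even when seen recently, and a Confirmed record that is no longer currently exposed still qualifies as a Finding, which matches the two rules being independent on the page.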
- August 7, 2025: Vulnerability Certainty FAQ
- November 15, 2024: Evidence certainty slug names.
- October 17, 2024: Added slug names for exposure detection values in the API.
- February 8, 2024: Added descriptions of each evidence certainty type.