Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Patching Cadence Findings

Ingrid

View Patching Cadence findings from the Findings Table or Rating Details.

Findings Table

SPM App: menu-findings-spm.png Findings ➔ Findings Table

CM App:

  1. Select a company from your Companies List.
  2. Go to menu-vendor-risk.png Vendor Risk ➔ Findings

Insurance App:

  1. Select a company from your Companies List.
  2. Go to menu-client-risk.png Client Risk ➔ Findings

Bitsight API: GET /v1/companies/entity_guid/findings?risk_vector=patching_cadence

The Findings Table provides the following finding details:

❖ This field can be included in the table from the columns.png Customize Columns option.

Field Description Filters
Assets

The Assets section in the Details tab of the findings sheet.

Select the next-assets.png View findings icon to filter findings by the asset.

 No
  Asset The IP address or domain that identifies the asset. Text search.
Asset Importance/
Calculated Importance (Details tab of findings sheet)		 Asset importance is either user-assigned or is estimated based on the amount of system usage, ability to submit information, and the presence of special certificates. Yes
Assigned To The user assigned to remediate the finding. Yes
Attributed To The subsidiary or subsidiaries in the Ratings Tree that are attributed to the finding. Yes
Comments The Comments section of the Details tab in the finding sheet contains finding comments, which can be used for discussions, providing a way to describe the status of resolution or validity of findings to external stakeholders and other interested parties. No
Country The country where IP addresses attributed to the finding are hosted. No
Details

The name of the vulnerability. Click on the finding to get a description.

More details are available in the Details section [Findings Sheet ➔ Details Tab ➔ Details Section].

 No
  Confirmed Vulnerabilities A card [Findings Sheet ➔ Details Tab ➔ Details Section] containing the names, severities, and descriptions of confirmed vulnerabilities. No
  Description A description of the vulnerability. No
Name The name of the vulnerability. Vulnerability
Severity The vulnerability severity. Vulnerability Severity:
  • Severe
  • Material
  • Moderate
  • Minor
Dates Observed

A card [Findings Sheet ➔ Details Tab ➔ Details Section] containing observation date details.

The National Vulnerability Database (NVD) has a “Published Date,” which is when the vulnerability was officially announced. This is different from the “First Seen” and “Last Seen” fields of Patching Cadence findings.

 No
  First Seen The earliest observation date when a system in the company's infrastructure was observed to be affected by the vulnerability.
  • 7 Days
  • 1 Month
  • 3 Months
  • Custom
Last Seen The most recent date that the vulnerability was observed to affect the system in question.
  • 7 Days
  • 1 Month
  • 3 Months
  • Custom
Duration❖ Number of days beginning when the compromised system or patching cadence finding was first observed and ending on the latest observation date or date of remediation (patching cadence only).
  • Minimum days
  • Maximum days
Remediation Status❖ Indicates if a vulnerability is remediated. See vulnerability duration for more information. Yes
Vulnerability❖ The vulnerability name, as logged in the National Vulnerability Database (NVD).
Vulnerability Details A card [Findings Sheet ➔ Details Tab ➔ Details Section] containing vulnerability details. No
  CDN Script Source Paths   No
HTML Sample A sample of the HTML content. No
Page Title The title of the web page. No
Request URL The web page URL. No
Software Version The software version. No
Finding Identifier The IP address or domain that identifies the asset. Yes
Finding Severity Finding severity is the measured risk that the finding introduces.
  • Minor
  • Moderate
  • Material
  • Severe
Grade The finding grade. This is not applicable to Patching Cadence and is displayed as N/A. Yes
Impacts Risk Vector Grade Indicates if the finding influences the risk vector grade. See values.
IP Attributions The IP Attributions section [Findings Sheet ➔ Details Tab ➔ IP Attributions Section] containing attribution reasons. No
  Attribution Info The reason for attribution. No
CIDR The associated CIDR. No
DNS Hostname The associated hostname. No
Rescan The finding rescan status. Rescan status.
Remaining Lifetime The projected number of days that a finding will continue to impact risk vector grading (finding lifetime). This is a projection that assumes nothing changes in the future and a finding is not updated with new information. It may change if a finding is updated. The # of days.
Remediations The Remediations section [Findings Sheet ➔ Details Tab ➔ Remediations Section] containing remediation details. No
  Details The name of the finding. No
Issue

A description of the finding.

You can also click on the vulnerability name in the Details column to quickly see the issue.

 No
Remediation Instructions❖
(Remediation Tip)		 How to resolve a negative finding. See Verifying That a Finding Is Remediated. No
Remediation Status The remediation status. Patching Cadence: Remediated?
Risk Vector The risk vector. Yes
Status Updated The date when the “Remediation Status” or “Assigned To” fields were last changed.
  • 7 Days
  • 1 Month
  • 3 Months
  • Custom

Additional Findings Table Filters

Filter Values
File Sharing Category Not applicable for Patching Cadence.
Infection Family Not applicable for Patching Cadence.
Pass / Fail Test Not applicable for Patching Cadence.
Tag
  • Visibility:
    • Public
    • Private
  • Tag Name

Rating Details Page

The Rating Details page includes a graph that shows the number of vulnerabilities experienced per month, along with the average resolution time for the month.

Navigation Options

SPM App: menu-organization.png Organization ➔ Rating Details

CM App: menu-vendor-risk.png Vendor Risk ➔ Rating Details

Insurance App: menu-client-risk.png Client Risk ➔ Rating Details

1 Year Summary of Patching Cadence Observations

1 Year Summary of Patching Cadence Observations

  • A higher bubble indicates a longer average resolution timespan for that month.
  • Larger bubbles indicate there were more unpatched vulnerabilities observed during that time period.
  • January 15, 2025: N/A clarification.
  • October 29, 2024: Findings Table navigation instructions moved from Risks to a new Findings section in the menu; Rating Details navigation instructions for the SPM app moved from Risks to Organization.
  • January 19, 2024: Navigation instructions by application.

Related articles

Feedback

0 comments

Please sign in to leave a comment.