- March 3, 2023: Added Duration field; Filter on Remediated findings.
- October 12, 2022: Included all available details; Page Title & Request URL fields now available in Vulnerability Details.
- April 26, 2021: Added vulnerability duration information for the “Remediated?” field.
The Patching Cadence risk vector measures how long, on average, known vulnerabilities existed in an organization unpatched. Software vulnerabilities are holes or bugs in software, hardware, or encryption methods that can be used by attackers to gain unauthorized access to systems and their data.
View findings from Findings, Rating Details, or the Bitsight API.
Rating Details Page
The Rating Details page includes a graph that shows the number of vulnerabilities experienced per month, along with the average resolution time for the month.
1 Year Summary of Patching Cadence Observations
- A higher bubble indicates a longer average resolution timespan for that month.
- Larger bubbles indicate there were more unpatched vulnerabilities observed during that time period.
Findings Page
❖ This field can be included in the table from the Customize Columns option.
| Field | Description | Filters | ||
|---|---|---|---|---|
| Assets |
The Assets section in the Details tab of the findings sheet. Select the |
No | ||
| Asset | The IP address or domain that identifies the asset. | Text search. | ||
| Asset Importance/ Calculated Importance (Details tab of findings sheet) |
Asset importance is either user-assigned or is estimated based on the amount of system usage, ability to submit information, and the presence of special certificates. | Yes | ||
| Assigned To | The user assigned to remediate the finding. | Yes | ||
| Attributed To | The subsidiary or subsidiaries in the Ratings Tree that are attributed to the finding. | Yes | ||
| Comments | The Comments section of the Details tab in the finding sheet contains finding comments, which can be used for discussions, providing a way to describe the status of resolution or validity of findings to external stakeholders and other interested parties. | No | ||
| Country | The country where IP addresses attributed to the finding are hosted. | No | ||
| Details |
The name of the vulnerability. Click on the finding to get a description. More details are available in the Details section [Findings Sheet ➔ Details Tab ➔ Details Section]. |
No | ||
| Confirmed Vulnerabilities | A card [Findings Sheet ➔ Details Tab ➔ Details Section] containing the names, severities, and descriptions of confirmed vulnerabilities. | No | ||
| Description | A description of the vulnerability. | No | ||
| Name | The name of the vulnerability. | Vulnerability | ||
| Severity | The vulnerability severity. | Vulnerability Severity:
|
||
| Dates Observed |
A card [Findings Sheet ➔ Details Tab ➔ Details Section] containing observation date details. The National Vulnerability Database (NVD) has a “Published Date,” which is when the vulnerability was officially announced. This is different from the “First Seen” and “Last Seen” fields of Patching Cadence findings. |
No | ||
| First Seen | The earliest observation date when a system in the company's infrastructure was observed to be affected by the vulnerability. |
|
||
| Last Seen | The most recent date that the vulnerability was observed to affect the system in question. |
|
||
| Duration❖ | Number of days beginning when the compromised system or patching cadence finding was first observed and ending on the latest observation date or date of remediation (patching cadence only). |
|
||
| Remediation Status❖ | Indicates if a vulnerability is remediated. See vulnerability duration for more information. | Yes | ||
| Vulnerability❖ | The vulnerability name, as logged in the National Vulnerability Database (NVD). |
|
||
| Vulnerability Details | A card [Findings Sheet ➔ Details Tab ➔ Details Section] containing vulnerability details. | No | ||
| CDN Script Source Paths | No | |||
| HTML Sample | A sample of the HTML content. | No | ||
| Page Title | The title of the web page. | No | ||
| Request URL | The web page URL. | No | ||
| Software Version | The software version. | No | ||
| Finding Identifier | The IP address or domain that identifies the asset. | Yes | ||
| Finding Severity | Finding severity is the measured risk that the finding introduces. |
|
||
| Grade | The finding grade. This is not applicable to Patching Cadence. | Yes | ||
| Impacts Risk Vector Grade | Indicates if the finding currently impacts the letter grade. The amount of time a finding impacts the letter grade depends upon the risk vector. See when risk vectors are impacted. | Yes | ||
| IP Attributions | The IP Attributions section [Findings Sheet ➔ Details Tab ➔ IP Attributions Section] containing attribution reasons. | No | ||
| Attribution Info | The reason for attribution. | No | ||
| CIDR | The associated CIDR. | No | ||
| DNS Hostname | The associated hostname. | No | ||
| Refresh | The finding refresh status. | Refresh status. | ||
| Remaining Lifetime | The projected number of days that a finding will continue to impact risk vector grading (finding lifetime). This is a projection that assumes nothing changes in the future and a finding is not updated with new information. It may change if a finding is updated. | The # of days. | ||
| Remediations | The Remediations section [Findings Sheet ➔ Details Tab ➔ Remediations Section] containing remediation details. | No | ||
| Details | The name of the finding. | No | ||
| Issue |
A description of the finding. You can also click on the vulnerability name in the Details column to quickly see the issue. |
No | ||
| Remediation Instructions❖ (Remediation Tip) |
How to resolve a negative finding. See Verifying That a Finding Is Remediated. | No | ||
| Remediation Status | The remediation status. | Patching Cadence: Remediated? | ||
| Risk Vector | The risk vector. | Yes | ||
| Status Updated | The date when the “Remediation Status” or “Assigned To” fields were last changed. |
|
||
Additional Findings Page Filters
| Filter | Values |
|---|---|
| File Sharing Category | Not applicable for Patching Cadence. |
| Infection Family | Not applicable for Patching Cadence. |
| Pass / Fail Test | Not applicable for Patching Cadence. |
| Tag |
|