Exposure Findings - best practices guide
Best practices guide for Exposure Findings, which helps you identify, prioritize, and reduce your attack surface by highlighting exposed assets, risky communications, and potential attacker entry points.
Please Note:
Exposure Findings is currently in private preview and is only available for RUX deployments. If you are interested in participating in the private preview, please contact your Vectra account team.
Following the private preview will be a public preview and then General Availability (GA).
Vectra plans to support QUX deployments later this year.
Overview
What is Exposure Findings?
Vectra Exposure Findings helps you identify, prioritize, and reduce your organization’s attack surface by highlighting exposed assets, risky communications, and potential entry points attackers could exploit.
Why It Matters
Modern attacks begin with exposed assets, not alerts. Without visibility, critical systems can be unintentionally accessible, misconfigurations go undetected, and attack paths remain open. This feature helps you proactively reduce risk, identify high-risk exposures early, and prioritize what to fix based on real impact.
Quick Start: Get Value in 10 Minutes
Go to Exposure → Findings (this is a generic portal link that can link to your tenant).
Filter:
Status = Active
Score = High
Review top 5 findings:
Expand details
Understand impacted assets
Take action:
Set Review State (Monitor / Risk Accept)
This gives you immediate visibility into your highest-risk exposures.
Getting Started
Validate Feature Activation in UI
After the private preview is enabled for your tenant, a new Exposure title appears in the left UI panel.
Go to Findings by clicking on Exposure → Findings.
Understand Your Current Risk Posture

Use the top widgets to quickly assess:
Total active exposure
What’s already being worked on
What has been resolved
Start with high-risk findings
Open the filter and select Status Active and Finding Score HIGH to display all Active, High-risk Findings in the environment. Prioritize the riskiest findings first and take action.
Expand each Findings Type to get more Details, Remediation and Compliance Frameworks.
Use the Context panel to identify impacted assets and exposure paths.
Findings pull in asset context such as asset details, Importance and Urgency score, so the security team can click through and explore more details of the involved asset.

Triage Top Findings
After reviewing a Finding, the security team can action it further by selecting a Review State. Selecting the right review state helps with continuity and helps others on the team understand which risks are currently being worked on. The review state is retained and can only be changed manually.
Track resolved and monitored Findings
The Monitored and Recently Resolved widget helps track mitigated and currently monitored risks that are no longer active.
If a risk resurfaces, the Finding Status is marked as Active and the widget count is updated.
Understanding Key Fields
Status (Active or Inactive)
ACTIVE: Findings for which activity is currently seen in the environment.
INACTIVE: Findings that are either mitigated or for which no activity is seen.
Active Open Findings
Widget showing total count of Active Findings discovered in the environment for review.
Active and Monitored
Widget showing total count of Active Findings that are currently being reviewed.
Monitored and Recently Resolved
Widget showing total count of Findings that are no longer seen in the environment or mitigated. Any Finding that recurs is automatically marked as Active.
Findings Score (High, Medium, Low)
Vectra-calculated score that signifies the severity of a Finding.
Review State
Actionable field to track mitigation strategy:
Open: Default state of all newly discovered Findings
Monitor: Findings that are currently being investigated
Risk Accept: Findings that are known and expected in the environment. When this state is selected, Vectra forgets the particular Finding and will not show it in the future.
Explore Different Findings Types
Please Note:
Additional finding types may be added in future releases. These represent what is available in the preview.
Passwords in Cleartext over HTTP: Cleartext credentials detected in traffic.
Weak TLS Cipher Version: TLS session uses outdated or weak encryption.
Weak TLS Version: TLS session uses outdated or weak version.
Unmanaged Device: Expected EDR absent on device.
Unsupported OS: Device runs OS beyond vendor support.
New Device with New Type: Device type not previously observed in 90+ days.
New Device with New Vendor: Asset belongs to vendor not seen before in past 90+ days.
New Device: Asset not seen in past 90+ days.
Credential File in SMB: Credential file discovered on SMB share.
Certificate Expiring: Certificates expiring in 90 days.
Certificate Expired: Certificates expired.
SMBv1 (Client/Server): Devices communicating with deprecated SMBv1.
NetBIOS or LLMNR Usage: Legacy name resolution protocols in use.
IPMI Usage: Open management protocol detected.
FTP/Telnet Usage: Cleartext credentials observed in traffic.
Exposed RDP/SMB: Device exposed externally via risky services.
What Good Looks Like
Majority of High findings are reviewed
Critical assets have minimal exposure
No unnecessary external services, such as RDP, are exposed
Findings regularly triaged and updated
Common Use-cases
Reduce External Attack Surface
Filter: Active + High
Look for: Exposed RDP, SMB, FTP
Action: Monitor → Validate necessity → restrict access → Resolved
Protecting Crown Jewels
Support Compliance and Audit Readiness
Assessing Risk During Change (Cloud, M&A, Transformation)
What’s Coming Next (4-6 weeks)?
There are several updates planned for Findings.
Please Note:
Timelines could change depending on shifts in priorities and should not be considered absolute.
Investigate: Ability to pivot to Investigate from each Finding in the UI and get deeper insights in a single click.
CSV download: Ability to export all Findings as CSV outside of the GUI and share them with the team for further investigation.
REST API integration: This will help customers integrate Vectra Findings into their existing workflows, such as ingesting them into SIEM tools.
FAQ
Q: Can I integrate this in my existing workflows?
Yes, we are actively working to support a REST API for Findings that can be used for this integration.
Q: Does this replace vulnerability scanning?
No, Vectra uses network metadata to understand the traffic behavior and discover the security gaps in the environment.
Q: How often should I review Findings?
Vectra Exposure continuously monitors the environment for new Findings, so it is recommended to monitor it daily for any new High severity Findings.
Q: What licenses do I need?
Vectra Exposure Findings requires at least a 14-day metadata license to support this feature.
Q: What reporting options are available?
As part of the initial private preview release, no reporting option is available, but it is actively prioritized for future releases.
Q: Who can we reach out to with questions or feedback?
Please reach out to Product Management - Prince Prakash [email protected]