# Exposure Findings - best practices guide

{% hint style="info" %}
**Please Note:**

Exposure Findings is currently in private preview and is only available for RUX deployments. If you are interested in participating in the private preview, please contact your Vectra account team.

Following the private preview will be a public preview and then General Availability (GA).

Vectra plans to support QUX deployments later this year.

**New Left Navigation**

Asset Inventory private preview enables a new left navigation layout in the UI. Please refer to [Navigation updates in the Vectra UI](/configuration/navigation-updates-rux.md) for more details.
{% endhint %}

## Overview <a href="#overview" id="overview"></a>

What is Exposure Findings?

Vectra Exposure Findings helps you identify, prioritize, and reduce your organization’s attack surface by highlighting exposed assets, risky communications, and potential entry points attackers could exploit.

## Why It Matters <a href="#why-it-matters" id="why-it-matters"></a>

Modern attacks begin with exposed assets, not alerts. Without visibility, critical systems can be unintentionally accessible, misconfigurations go undetected, and attack paths remain open. This feature helps you proactively reduce risk, identify high-risk exposures early, and prioritize what to fix based on real impact.

## Quick Start: Get Value in 10 Minutes <a href="#quick-start-get-value-in-10-minutes" id="quick-start-get-value-in-10-minutes"></a>

1. Go to [*Exposure → Findings*](http://portal.vectra.ai/exposure) (this is a [generic portal link](/operations/general/using-generic-portal-links-rux.md) that can link to your tenant).
2. Filter:
   * Status = **Active**
   * Score = **High**
3. Review top 5 findings:
   * Expand details
   * Understand impacted assets
4. Take action:
   * Set Review State (Monitor / Risk Accept)

This gives you immediate visibility into your highest-risk exposures.

## Getting Started <a href="#getting-started" id="getting-started"></a>

{% stepper %}
{% step %}

#### Validate Feature Activation in UI

* After the private preview is enabled for your tenant, a new **Exposure** heading appears in the left navigation panel.
* Go to **Findings** by clicking [*Exposure → Findings*](http://portal.vectra.ai/exposure).
{% endstep %}

{% step %}

#### Understand Your Current Risk Posture

<figure><img src="/files/lX7aVrowGX0deXLLGP3f" alt=""><figcaption></figcaption></figure>

**Use the top widgets to quickly assess:**

* Total active exposure
* What’s already being worked on
* What has been resolved

**Start with high-risk findings**

* Open the filter and select Status **Active** and Finding Score **HIGH** to display all Active, High-risk Findings in the environment. Start by prioritizing the riskiest Findings and take action on them.
* Expand each Finding Type to see its details, remediation guidance and mapped compliance frameworks.
* Use the Context panel to identify impacted assets and exposure paths.
* Findings pull in asset context such as asset details, Importance and Urgency score, so the security team can click through and explore the involved asset in more detail.

<figure><img src="/files/CW69FKqhEcUelgLVxFWj" alt=""><figcaption></figcaption></figure>

**Triage Top Findings**

* Reviewed Findings can be actioned further by the security team by selecting a **Review State**. Selecting the right review state keeps work continuous and lets others in the team see which risks are currently being worked on. The review state is retained and can only be changed manually.

**Track resolved and monitored Findings**

* The **Monitored and Recently Resolved** widget helps track mitigated and currently monitored risks that are no longer active.
* If a risk resurfaces, the Finding Status is marked as Active and the widget count is updated.
{% endstep %}
{% endstepper %}

## Understanding Key Fields <a href="#understanding-key-fields" id="understanding-key-fields"></a>

<table><thead><tr><th width="297.48828125">Field Name</th><th width="452.08203125">Details</th></tr></thead><tbody><tr><td>Status (Active or Inactive)</td><td><ul><li><strong>ACTIVE</strong>: Findings for which activity is currently seen in the environment.</li><li><strong>INACTIVE</strong>: Findings that have either been mitigated or show no current activity.</li></ul></td></tr><tr><td>Active Open Findings</td><td>Widget showing the total count of Active Findings discovered in the environment and awaiting review.</td></tr><tr><td>Active and Monitored</td><td>Widget showing the total count of Active Findings that are currently being reviewed.</td></tr><tr><td>Monitored and Recently Resolved</td><td>Widget showing the total count of Findings that are no longer seen in the environment or have been mitigated. Any Finding that re-occurs is automatically marked as Active.</td></tr><tr><td>Finding Score (High, Medium, Low)</td><td>Vectra-calculated score that signifies the severity of a Finding.</td></tr><tr><td>Review State</td><td><p>Actionable field to track the mitigation strategy:</p><ul><li><strong>Open</strong>: Default state of all newly discovered Findings</li><li><strong>Monitor</strong>: Findings that are currently being investigated</li><li><strong>Risk Accept:</strong> Findings that are known and expected in the environment. When selected, Vectra forgets the particular Finding and will not show it in future.</li></ul></td></tr></tbody></table>
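The Status, Review State and widget semantics described in the table above, as an added Python model (not Vectra code or its API; the `key` identifier, the field names and the sample Findings are assumptions for illustration):

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One Finding as the table describes it. key is an assumed identifier
    (finding type + asset); Vectra's real record layout is not documented here."""
    key: str
    score: str                  # "High", "Medium" or "Low"
    status: str = "Active"      # Active / Inactive, set automatically from activity
    review_state: str = "Open"  # Open / Monitor / Risk Accept, changed manually only


def sample_findings():
    """Constructed sample data for illustration, not output from a real tenant."""
    return [
        Finding("Exposed RDP/SMB@host-1", "High"),
        Finding("Weak TLS Version@host-2", "Medium", review_state="Monitor"),
        Finding("FTP/Telnet Usage@host-3", "High", review_state="Risk Accept"),
        Finding("SMBv1 (Client/Server)@host-4", "High"),
    ]


def refresh_status(findings, observed_keys):
    """Recompute Status from the keys seen in the current observation window.
    Status flips automatically in both directions (a resurfacing Finding goes
    back to Active); Review State is retained untouched. Risk Accept Findings
    are dropped because Vectra forgets them and will not show them again."""
    kept = []
    for f in findings:
        if f.review_state == "Risk Accept":
            continue
        f.status = "Active" if f.key in observed_keys else "Inactive"
        kept.append(f)
    return kept


def widget_counts(findings):
    """The three top widgets, derived from Status and Review State."""
    return {
        "Active Open Findings": sum(f.status == "Active" and f.review_state == "Open" for f in findings),
        "Active and Monitored": sum(f.status == "Active" and f.review_state == "Monitor" for f in findings),
        "Monitored and Recently Resolved": sum(f.status == "Inactive" for f in findings),
    }


def quick_start_view(findings, top_n=5):
    """Quick Start filter: Status Active and Score High, first top_n entries."""
    return [f for f in findings if f.status == "Active" and f.score == "High"][:top_n]
```

Run `refresh_status` once per observation window; the second call in a row shows a previously resolved Finding being marked Active again while its Review State is kept.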

## Explore Different Findings Types <a href="#explore-different-findings-types-that-are-available-in-this-preview" id="explore-different-findings-types-that-are-available-in-this-preview"></a>

{% hint style="info" %}
**Please Note:**

Additional finding types may be added in future releases. These represent what is available in the preview.
{% endhint %}

<table><thead><tr><th width="283.59375">Finding Types</th><th width="465.49609375">Details</th></tr></thead><tbody><tr><td>Passwords in Cleartext over HTTP</td><td>Cleartext credentials detected in traffic.</td></tr><tr><td>Weak TLS Cipher Version</td><td>TLS session uses outdated or weak encryption.</td></tr><tr><td>Weak TLS Version</td><td>TLS session uses outdated or weak version.</td></tr><tr><td>Unmanaged Device</td><td>Expected EDR absent on device.</td></tr><tr><td>Unsupported OS</td><td>Device runs OS beyond vendor support.</td></tr><tr><td>New Device with New Type</td><td>Device type not previously observed in 90+ days.</td></tr><tr><td>New Device with New Vendor</td><td>Asset belongs to vendor not seen before in past 90+ days.</td></tr><tr><td>New Device</td><td>Asset not seen in past 90+ days.</td></tr><tr><td>Credential File in SMB</td><td>Credential file discovered on SMB share.</td></tr><tr><td>Certificate Expiring</td><td>Certificates expiring in 90 days.</td></tr><tr><td>Certificate Expired</td><td>Certificates expired.</td></tr><tr><td>SMBv1 (Client/Server)</td><td>Devices communicating with deprecated SMBv1.</td></tr><tr><td>NetBIOS or LLMNR Usage</td><td>Legacy name resolution protocols in use.</td></tr><tr><td>IPMI Usage</td><td>Open management protocol detected.</td></tr><tr><td>FTP/Telnet Usage</td><td>Cleartext credentials observed in traffic.</td></tr><tr><td>Exposed RDP/SMB</td><td>Device exposed externally via risky services.</td></tr></tbody></table>

### What Good Looks Like <a href="#what-good-looks-like" id="what-good-looks-like"></a>

* Majority of High findings are reviewed
* Critical assets have minimal exposure
* No unnecessary external services exposed like RDP
* Findings regularly triaged and updated

### Common Use-cases <a href="#common-use-cases" id="common-use-cases"></a>

* Reduce External Attack Surface
  * Filter: Active + High
  * Look for: Exposed RDP, SMB, FTP
  * Action: Monitor → Validate necessity → restrict access → Resolved
* Protecting Crown Jewels
* Support Compliance and Audit Readiness
* Assessing Risk During Change (Cloud, M\&A, Transformation)

### What’s Coming Next (4-6 weeks)? <a href="#whats-coming-next-4-6-weeks" id="whats-coming-next-4-6-weeks"></a>

There are several updates planned for Findings.

{% hint style="info" %}
**Please Note:**

Timelines could change depending on shift in priorities and should not be considered absolute.
{% endhint %}

* **Investigate**: Ability to pivot to Investigate for each Finding in the UI and get deeper insights in a single click.
* **CSV download:** Ability to export all Findings as CSV outside the GUI and share them with the team for further investigation.
* **REST API integration:** This will help customers integrate Vectra Findings into their existing workflows, such as ingesting them into SIEM tools.

## FAQ <a href="#faq" id="faq"></a>

**Q: Can I integrate this in my existing workflows?**

Yes, we are actively working to support a REST API for Findings that can be used for this integration.

**Q: Does this replace vulnerability scanning?**

No, Vectra uses network metadata to understand the traffic behavior and discover the security gaps in the environment.

**Q: How often should I review Findings?**

Vectra Exposure continuously monitors the environment for new Findings, so it is recommended to check it daily for any new High severity Findings.

**Q: What licenses do I need?**

Vectra Exposure Findings requires at least a 14-day metadata license to support this feature.

**Q: What reporting options are available?**

As part of the initial private preview release, reporting is not available, but it is being actively prioritized for future releases.

**Q: Whom can we reach out to with questions or feedback?**

Please reach out to Product Management - **Prince Prakash** [**pprakash@vectra.ai**](mailto:pprakash@vectra.ai)
