View analytics common to orgs, groups and portfolios

Caution

Analytics sections are updated daily at 1:00 a.m. (UTC) from Monday to Friday. The values shown depend on preprocessed data updated Tuesdays through Saturdays at 7:00 p.m. (UTC). Please note that there may be brief periods after the Analytics update time when the section may experience a slight delay in data reflection.

Note

Role required: User, Vulnerability Manager or Group Manager

Fluid Attacks’ platform offers charts and figures related to the status of vulnerabilities and your remediation practices. The kinds described below are shared across the Analytics sections at the organization, group, and portfolio levels.

Tip

Hover over charts and figures to see available options.

Exposure management over time

This chart presents the history of reported risk exposure (in CVSSF units), along with that of your actions addressing it. As this risk exposure is caused by the detected software vulnerabilities, the status of the latter, be it closed (remediated) or accepted, is by extension the status of risk exposure. With the help of this chart, you can identify gaps between known risk and managed risk.

You can interact with the chart as follows:

  1. Hover over a data point to see the exact values
  2. Hover over a chart legend to highlight the corresponding line
  3. Click on a chart legend to hide the corresponding information from the visual comparison

Tip

This chart has multiple filters accessible through the filter icon:

  • Exposure: Default view
  • Vulns: See the number of vulnerabilities instead of risk exposure units
  • 30: See data of the last 30 days
  • 90: See data of the last 90 days
  • All: See data since the creation of the organization

Sprint exposure increment

This figure is the percentage increase in risk exposure in the current sprint (i.e., the newly reported exposure value relative to the initial exposure value). The value is zero when no vulnerability has been reported in the period.

Sprint exposure decrement

This figure is the percentage decrease in risk exposure in the current sprint (i.e., the newly remediated exposure value relative to the initial exposure value). The value is zero when no vulnerability has been remediated in the period.

Sprint exposure change overall

This figure is the resulting percentage change in risk exposure in the current sprint (i.e., the exposure decrement minus the exposure increment). A positive value means that more exposure was reported than remediated. A negative value means that more exposure was remediated than reported. A zero value means that as much exposure was remediated as reported.

Tip

Note: For an organization, these last three percentage values will depend on the changes (increase, decrease, total) achieved in each of its groups.

Exposure management over time (%)

This chart shows how you have dealt with risk exposure (in CVSSF units) over time, according to the statuses of the vulnerabilities that cause it. Open vulnerabilities are those still present and unaccepted, whereas closed ones are those remediated. The information in this chart allows you to visualize the trends in your vulnerability management efforts, helping you identify areas where you are making progress and those that require more attention.

You can interact with the chart as follows:

  1. Hover over a bar to see the complete percentage information
  2. Hover over a chart legend to highlight the corresponding portion in the chart
  3. Click on a chart legend to hide the corresponding information from the visual comparison

Tip

This chart has a filter accessible through the icon:

  • Exposure: Default view
  • Vulns: See the percentages for number of vulnerabilities instead of risk exposure units

Exposure benchmark

This chart shows your risk exposure level (CVSSF) that has not been remediated and allows you to compare it with that of other organizations, groups, or portfolios. Specifically, you can see how the best-performing and worst-performing at risk management are doing, as well as what the average number of CVSSF units is. This benchmarking enables you to gauge your performance relative to your peers to ultimately set goals for reducing your risk exposure.

Tip

Note: The benchmark for organizations excludes the ones with low activity (fewer than 100 reattacks on vulnerabilities within their groups) to ensure a fair comparison.

Exposure trends by vulnerability category

This chart shows you how risk exposure (in CVSSF units) has changed over time across the nine categories that group the types of vulnerabilities in Fluid Attacks’ classification. This information gives you an overview of the kinds of issues related to changes in your risk exposure.

Hover over a bar to see the precise value.

Tip

Notes:

  1. Types of vulnerabilities are categories into which detected security issues most likely fall. The chart shows a categorization at a higher level.
  2. This chart uses a logarithmic scale to effectively display exponential differences in a compact format.

Tip

You can switch to the timeframe for which you need to see the data by clicking on the filter icon and then on a suitable option (30, 60, 90 or 180 days).

Days since last remediation

This figure is the number of days since a code fix successfully remediated a vulnerability. This information may provide insight into the promptness with which your team addresses security issues.

Mean time to request reattacks

This figure is the average number of days it takes your team to request a reattack, i.e., a retest to verify the effectiveness of code fixes, after the vulnerability in question is reported. This information can serve as one factor to assess the responsiveness of your team to security issue reports.

Vulnerabilities being reattacked

This figure is the number of vulnerabilities for which a reattack has currently been requested and a response by Fluid Attacks is in the works. This may be one factor to assess your team’s productivity.

Days until zero exposure

This figure is an estimated timeframe for fixing all vulnerabilities reported to date. It is calculated using the estimated remediation times for each weakness we have recorded in our database and the types and number of vulnerabilities reported in your groups. This information may help you set goals for your remediation efforts.

Mean time to remediate (MTTR) benchmark

This chart displays the average number of days it takes your team to remediate a vulnerability weighted by risk exposure as measured using the CVSSF metric. Further, it allows comparing your performance against that of the best and worst performing organizations, groups or portfolios, as well as against the average value. This benchmark helps you to evaluate the efficiency of your remediation process compared to your peers and set goals.

Tip

This chart has multiple filters accessible through the filter icon:

  1. All: Default view (all vulnerabilities are included)
  2. No treatment: See only data for vulnerabilities whose Status was set to Safe as they were Untreated
  3. 30: See data of the last 30 days
  4. 90: See data of the last 90 days
  5. All: See data since the creation of the organization

Mean time to remediate (MTTR) by CVSS severity

This chart shows the average time to remediate vulnerabilities weighted by risk exposure, differentiating by the qualitative severity rating. The qualitative rating groups CVSS scores as follows: Low = 0.1 - 3.9; medium = 4.0 - 6.9; high = 7.0 - 8.9; critical = 9.0 - 10.0. The information in this chart helps you understand how the severity of vulnerabilities impacts your remediation time.

Tip

This chart has multiple filters accessible through the filter icon:

  • Vulns weighting by exposure: Default view
  • Vulns (unweighted): See the unweighted mean time to remediate vulnerabilities
  • Vulns (no treatment, weighted): See only data of remediation of risk exposure related to vulnerabilities whose Status was set to Safe as they were Untreated
  • Vulns (no treatment, unweighted): See only data for vulnerabilities whose Status was set to Safe as they were Untreated
  • 30: See data of the last 30 days
  • 90: See data of the last 90 days
  • All: See data since the creation of the organization
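
The difference between the weighted and unweighted MTTR views, grouped by the severity bands above, can be reproduced offline. This is an added example, not Fluid Attacks' code: it assumes CVSSF = 4^(CVSS - 4) and a weighted mean of sum(CVSSF × days) / sum(CVSSF), and the sample records are constructed.

```python
from collections import defaultdict

# Qualitative severity bands exactly as listed on this page.
BANDS = [("low", 0.1, 3.9), ("medium", 4.0, 6.9),
         ("high", 7.0, 8.9), ("critical", 9.0, 10.0)]

def cvssf(score):
    """Risk exposure of one vulnerability (assumed formula: 4 ** (CVSS - 4))."""
    return 4 ** (score - 4)

def band(score):
    """Map a one-decimal CVSS base score to its qualitative rating."""
    for name, low, high in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"CVSS score outside rated range: {score}")

def mttr(vulns, weighted=True):
    """Mean days to remediate; vulns is an iterable of (cvss, days) pairs."""
    total = weight_sum = 0.0
    for score, days in vulns:
        weight = cvssf(score) if weighted else 1.0
        total += weight * days
        weight_sum += weight
    return total / weight_sum if weight_sum else None

def mttr_by_severity(vulns, weighted=True):
    """MTTR per severity band, skipping bands with no remediated findings."""
    groups = defaultdict(list)
    for vuln in vulns:
        groups[band(vuln[0])].append(vuln)
    return {name: mttr(groups[name], weighted)
            for name, _, _ in BANDS if name in groups}

# Constructed sample: (CVSS score, days from report to remediation).
SAMPLE = [(3.0, 60), (5.0, 20), (6.0, 40), (7.0, 10), (8.0, 30), (9.0, 4)]

if __name__ == "__main__":
    print("overall weighted  :", round(mttr(SAMPLE), 2))
    print("overall unweighted:", round(mttr(SAMPLE, weighted=False), 2))
    print("by severity (w)   :", mttr_by_severity(SAMPLE))
    print("by severity (unw) :", mttr_by_severity(SAMPLE, weighted=False))
```

Because the weight grows exponentially with the score, a quickly fixed critical finding pulls the weighted overall figure far below the unweighted one, and within a band the slower, higher-scored finding dominates.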

Accepted vulnerabilities by CVSS severity

See accepted vulnerabilities by CVSS on the Fluid Attacks platform

This chart displays the shares of accepted versus open vulnerabilities, categorized by qualitative severity rating (low, medium, high, and critical). Open vulnerabilities are those that have been neither remediated nor accepted. This information helps you understand the risks you have chosen to accept.

You can interact with the chart as follows:

  1. Hover over a bar to see the complete percentage information
  2. Hover over a chart legend to highlight the corresponding portion in the chart
  3. Click on a chart legend to hide the corresponding information from the visual comparison

Vulnerabilities by assignment

See vulnerabilities by assignment on the Fluid Attacks platform

This chart shows the percentage of vulnerabilities not yet remediated that have been assigned to your team members for fixing versus those still unassigned. This chart provides a quick overview of your vulnerability assignment.

You can interact with the chart as follows:

  1. Hover over a slice to see it highlighted along with the name of the assignment status and corresponding percentage
  2. Hover over a chart legend to highlight the corresponding slice
  3. Click on a chart legend to exclude the corresponding status from the percentage calculation

Status of assigned vulnerabilities

See status of assigned vulnerabilities on the Fluid Attacks platform

This figure shows, out of all vulnerabilities that were assigned for remediation, what percentage is open (pending to be fixed) and what percentage is closed (already fixed). This information allows you to track the progress of your team in addressing assigned vulnerabilities.

You can interact with the chart as follows:

  1. Hover over a slice to see it highlighted along with the name of the vulnerability status and corresponding percentage
  2. Hover over a chart legend to highlight the corresponding slice
  3. Click on a chart legend to exclude the corresponding status from the percentage calculation

Top weaknesses by exposure

See top types by exposure on the Fluid Attacks platform

This chart shows the detected types of vulnerabilities that have represented the most risk exposure (measured in CVSSF units) over time. The chart includes the risk exposure of open and closed vulnerabilities. This information helps you identify the security issues in your systems whose remediation you may need to prioritize.

Hover over a bar to see the precise CVSSF units.

Tip

This chart has multiple filters accessible through the filter icon:

  • Exposure: Default view
  • Vulns: See ranking in number of vulnerabilities instead of risk exposure
  • Code: See ranking in risk exposure caused only by vulnerabilities found in source code
  • Infra: See ranking in risk exposure caused only by vulnerabilities found in infrastructure
  • App: See ranking in risk exposure caused only by vulnerabilities found in the running application

Vulnerabilities treatment

See vulnerabilities treatment on the Fluid Attacks platform

This chart displays the distribution of detected vulnerabilities still present in your systems by their current treatment:

  1. Permanently accepted: Vulnerabilities you do not intend to fix, accepting the risks permanently (you can, nonetheless, fix them at any given moment without the platform causing any complication)
  2. Temporarily accepted: Vulnerabilities you intend to fix later, accepting the risks until a specific date
  3. In progress: Acknowledged vulnerabilities assigned to one of your team members for remediation
  4. Untreated: Newly reported vulnerabilities awaiting treatment assignment

This information helps you to analyze your risk acceptance strategy.

You can interact with the chart as follows:

  1. Hover over a slice to see it highlighted along with the name of the treatment status and the corresponding percentage
  2. Hover over a chart legend to highlight the corresponding slice
  3. Click on a chart legend to exclude the corresponding status from the percentage calculation

Reporting technique

See reporting technique on the Fluid Attacks platform

This chart shows the percentage breakdown of all reported vulnerabilities based on the security testing technique used to detect them. This information provides insights into the kinds of issues most frequently present in your system. The techniques are the following:

  1. PTaaS: Dynamic analysis done manually
  2. SCR: Static code analysis done manually
  3. SAST: Automated static code analysis
  4. DAST: Automated dynamic analysis
  5. SCA: Automated analysis of third-party dependencies
  6. RE: Reverse engineering of your system done manually
  7. AI SAST: AI-powered static code analysis

You can interact with the chart as follows:

  1. Hover over a slice to see it highlighted along with the technique’s name and corresponding percentage
  2. Hover over a chart legend to highlight the corresponding slice
  3. Click on a chart legend to exclude the corresponding technique from the percentage calculation

Active resources distribution

See active resources distribution on the Fluid Attacks platform

This chart illustrates the composition of your assets under assessment, contrasting the share represented by source code repositories with the share comprised of URLs or IPs linked to those repositories. This information might be useful for characterizing the scope of evaluation.

You can interact with the chart as follows:

  1. Hover over a slice to see it highlighted along with the resource’s category and corresponding percentage
  2. Hover over a chart legend to highlight the corresponding slice
  3. Click on a chart legend to exclude the corresponding category from the percentage calculation

Total weaknesses

See total vulnerability types on the Fluid Attacks platform

This figure is the number of weaknesses reported to you out of all the types recognized by Fluid Attacks’ categorization. These categories are the ones into which security issues found in your system most likely fall.

Total vulnerabilities

See total vulnerabilities on the Fluid Attacks platform

This figure is the total number of reported security issues with a specific location within your system. This information may help justify the need for additional security investments.

Total exclusions

See total exclusions on the Fluid Attacks platform

Exclusions are vulnerabilities deliberately omitted by you. This figure shows the total number of exclusions your group has.

Exclusions by root

These are all your exclusions categorized by root.

Vulnerabilities by tag

See vulnerabilities by tag on the Fluid Attacks platform

This chart shows the number of vulnerabilities for each of the tags your team has categorized them into when assigning a treatment. This information allows you to analyze the security issues in your software using categories that are especially significant for your team.

Hover over a bar to see the precise number of vulnerabilities.

Vulnerabilities by Priority score

See vulnerabilities by Priority score on the Fluid Attacks platform

This chart shows the number of vulnerabilities for each of the Priority values your team has given them when assigning a treatment. This information might help your team to understand its vulnerability prioritization strategy.

Accepted vulnerabilities by user

See accepted vulnerabilities by user on the Fluid Attacks platform

This chart shows you the number of accepted vulnerabilities grouped by the user who assigned the treatment. This information provides details about accountability for this important vulnerability management decision.

You can interact with the chart as follows:

  1. Hover over a bar to see the complete number information
  2. Hover over a chart legend to highlight the corresponding portion in the chart
  3. Click on a chart legend to hide the corresponding information from the visual comparison

Exposure by assignee

See exposure by assignee on the Fluid Attacks platform

This chart shows how team members have managed the risk exposure (CVSSF) assigned to them, which is identified by the statuses of the vulnerabilities that cause that risk exposure. Open vulnerabilities are those still present and unaccepted, whereas closed ones are those remediated. The information in this chart provides details about accountability for vulnerability remediation.

You can interact with the chart as follows:

  1. Hover over a bar to see the complete percentage information
  2. Hover over a chart legend to highlight the corresponding portion in the chart
  3. Click on a chart legend to hide the corresponding information from the visual comparison

Tip

You can switch to see the percentage corresponding to the number of vulnerabilities instead by selecting the Vulns filter, accessible through the filter icon.

Files with open vulnerabilities in the last 20 weeks

See files with vulnerabilities on the Fluid Attacks platform

This chart shows the paths of files with vulnerabilities from the last 20 weeks that have been neither remediated nor accepted, along with the total number of such vulnerabilities in each file. This information helps you pinpoint the files that should be prioritized in your remediation efforts.

Hover over a bar to see the precise number of vulnerabilities.

Tip

Want advice based on Analytics? Try asking Fluid Attacks’ AI Agent!

Tip

Free trial: Search for vulnerabilities in your apps for free with Fluid Attacks’ automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks’ hacking team, fill out this contact form.

Last updated on February 13, 2026