Vulnerability Risk Intelligence (BYO Scanner)
NodeZero's Vulnerability Risk Intelligence (VRI) feature enables customers to upload vulnerability scan exports from tools like Tenable (Nessus), Rapid7, and Qualys, and receive attacker-validated risk classification. NodeZero leverages real exploit evidence and attack correlation to prioritize findings based on what attackers can actually exploit.
Overview
NodeZero's VRI capability brings attacker-first validation to scanner data. Customers can upload vulnerability scan outputs (CSV or .nessus) via the UI or API, and NodeZero classifies each vulnerability-asset pair according to exploitability and context. NodeZero:
- Confirms exploitability
- Determines contextually exploitable attacks
- Highlights vulnerabilities tied to high-value assets or threat actor behavior
- Shows unique exploits and mitigated weaknesses found by NodeZero
How It Works
- Upload your scanner data to NodeZero via UI or API.
- NodeZero uses its Exploit Correlation Engine to process each CVE-asset pair.
- Vulnerabilities are classified into risk categories (see below).
- Results are shown in the Risk Intelligence tab and can be exported via UI or API.
Supported Scanner Sources
- Tenable/Nessus CSV
- Tenable/Nessus XML
- Rapid7 CSV
- Qualys CSV
Classification Categories
Each vulnerability is classified into one of the following:
| Category | Description |
|---|---|
| Confirmed Exploitable | Successfully exploited by NodeZero. |
| Contextually Exploitable | Reachable through RCE or chaining, but not directly landed. |
| High-Value Asset | Found on assets identified as mission-critical. |
| Threat Actor Detected | Tied to TTPs observed in real-world attacks. |
| Vulnerable but not Exploited | Not validated but still potentially exploitable. |
| Asset Not Enumerated | Asset couldn't be matched to NodeZero data. |
| Mitigated Weakness | Issue already mitigated based on prior results. |
Using the UI
- Go to the Risk Intelligence tab in the Vulnerability Management Hub.
- Upload your scanner file via drag-and-drop or file picker.
- NodeZero processes your file within 1 hour (SLA).
- View classification results directly in the UI.
Upload Validation
- Max file size: 1 GB
- File type validation: CSV, XML, .nessus
- Duplicate check via checksum
- If the scope isn't in the file, the user will be prompted to enter it manually.
Using the API
- Get a pre-signed URL from the API (requires authentication).
- Upload your file using a POST request to the signed URL.
- Fetch results via GET request.
- API supports CSV, XML, and JSON
- Token-auth required
- Export formats: JSON
Scanner File Statuses
| Status | Description |
|---|---|
| PENDING | The scanner file is waiting to be uploaded, or has been uploaded but risk intelligence has not started. |
| PROCESSING | The scanner file is undergoing risk intelligence. |
| FAILED | The scanner file failed risk intelligence. View the status message for more details. |
| COMPLETED | The scanner file completed intelligence processing. |
| EXPIRED | The scanner file is expired. Scanner files expire after 90 days. |
| DUPLICATE | The scanner file is a duplicate of another file. See status message for details. |
Security & Compliance
- Files uploaded via HTTPS to presigned S3 URLs
- Stored in KMS-encrypted S3 buckets
- Retained temporarily (max 90 days), then deleted post-ingestion
- Normalized data retained permanently
- RBAC and full audit logging enabled
- SOC2 compliant, GDPR aligned
Scanner File Field Mappings
Tenable/Nessus CSV
| Requirement | Field Type | Accepted Field Name(s) |
|---|---|---|
| Must Have | IP Address | IP Address, Host, asset.display_ipv4_address |
| Must Have | Plugin ID | Plugin ID, definition.id |
| Must Have | CVE | CVE, CVE ID, definition.cve |
| Should Have | Port | Port |
| Should Have | Protocol | Protocol |
| Should Have | FQDN | FQDN, asset.display_fqdn |
| Should Have | MAC Address | MAC Address, asset.display_mac_address |
| Should Have | OS | OS, asset.operating_systems |
| Should Have | NetBios | NetBios, asset.netbios_name |
Tenable/Nessus XML
| Requirement | Field Type | Accepted Field Name(s) |
|---|---|---|
| Must Have | IP Address | host-ip |
| Must Have | Plugin ID | pluginID |
| Must Have | CVE | cve |
| Should Have | Port | port |
| Should Have | Protocol | protocol |
| Should Have | FQDN | host-fqdn |
| Should Have | MAC Address | mac-address |
| Should Have | NetBios | netbios-name |
| Should Have | OS | operating-system, os |
Rapid7 CSV
| Requirement | Field Type | Accepted Field Name(s) |
|---|---|---|
| Must Have | IP Address | Asset IP Address, IP Address |
| Must Have | Vulnerability ID | Vulnerability ID |
| Must Have | CVE | Vulnerability CVE IDs, CVE |
| Should Have | Port | Service Port |
| Should Have | Protocol | Service Protocol |
| Should Have | FQDN | FQDN |
| Should Have | MAC Address | Asset MAC Addresses |
| Should Have | OS | Asset OS Name, OS |
Qualys CSV
| Requirement | Field Type | Accepted Field Name(s) |
|---|---|---|
| Must Have | IP Address | IP |
| Must Have | QID | QID |
| Must Have | CVE | CVE ID |
| Should Have | Port | Port |
| Should Have | Protocol | Protocol |
| Should Have | FQDN | FQDN |
| Should Have | MAC Address | MAC Address |
| Should Have | NetBios | NetBIOS |
| Should Have | OS | OS |
Additional Field-Matching Details
- Field matching is case-sensitive. Submissions with incorrect casing may not be processed correctly.
- When multiple field names are listed for a field type, they are listed in priority order. If your scanner file contains more than one of the accepted field names, NodeZero will use the first match found in the priority order.
FAQs
Q: Can I sanitize scan files before upload (e.g., remove hostnames/IPs)?
A: No, that would prevent asset mapping and classification from working properly. NodeZero requires full host/vuln pairing.
Q: Is data encrypted?
A: Yes, in transit (HTTPS) and at rest (AES-256 with AWS KMS).
Q: How long is data stored?
A: Files are deleted after 90 days. Metadata and classification results are retained indefinitely.
Q: Do you support PDF uploads?
A: No. Only structured formats like CSV or .nessus are supported.
Q: Why do vulnerability counts not match?
A: When you upload a scanner file (e.g., from Tenable) to NodeZero's Vulnerability Risk Intelligence, you may notice a mismatch between the number of vulnerabilities listed in your original scan and the number displayed in the NodeZero platform.
This is expected behavior, due to how NodeZero processes and normalizes scanner data. Let's say your Tenable scan includes a single vulnerability entry with this list of CVEs:
CVE-2024-12345, CVE-2024-67890, CVE-2025-12345, CVE-2025-67890
NodeZero will treat each CVE as an individual weakness and create four separate records — one for each CVE. This allows for more precise correlation between scanner results and what NodeZero discovers or confirms during the autonomous pentest.
As a result, it's common for the total number of records in the NodeZero report to exceed the original row count in your scanner export.
Additional Notes
- This CVE-level granularity enables NodeZero to provide enhanced risk insights, including confirmed versus unconfirmed weaknesses, chaining potential, and downstream impact.
- Filters like "Found by Scanner Only" may return more results than expected because they include each CVE as a separate item, rather than in a grouped entry.
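An added example, not part of the NodeZero documentation or product code: a local pre-upload check that applies the case-sensitive, priority-ordered header matching from the Tenable/Nessus CSV mapping table and the per-CVE record expansion described in the answer above. The function names, the regex-based CVE splitting and the sample rows are assumptions made for illustration.

```python
import csv
import io
import re

# Must-have fields for Tenable/Nessus CSV; accepted names in the page's priority order.
TENABLE_CSV = {
    "IP Address": ["IP Address", "Host", "asset.display_ipv4_address"],
    "Plugin ID": ["Plugin ID", "definition.id"],
    "CVE": ["CVE", "CVE ID", "definition.cve"],
}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")  # assumption: tolerate any list delimiter


def resolve_fields(headers, mapping=TENABLE_CSV):
    """First exact-case match in priority order wins; returns (resolved, problems)."""
    resolved, problems = {}, []
    lowered = {h.lower(): h for h in headers}
    for field, accepted in mapping.items():
        match = next((n for n in accepted if n in headers), None)
        if match:
            resolved[field] = match
            continue
        # A header differing only by case is the likely cause, so name it.
        near = next((lowered[n.lower()] for n in accepted if n.lower() in lowered), None)
        hint = f" (found {near!r}; matching is case-sensitive)" if near else ""
        problems.append(f"missing must-have field {field}{hint}")
    return resolved, problems


def preflight(csv_text):
    """Count source rows and the per-CVE (asset, CVE) records they expand into."""
    reader = csv.DictReader(io.StringIO(csv_text))
    resolved, problems = resolve_fields(reader.fieldnames or [])
    rows, records = 0, []
    if not problems:
        for row in reader:
            rows += 1
            ip = (row[resolved["IP Address"]] or "").strip()
            records += [(ip, c) for c in CVE_RE.findall(row[resolved["CVE"]] or "")]
    return {"resolved": resolved, "problems": problems, "rows": rows, "records": records}


# Constructed sample export: documentation IPs, CVE list taken from the FAQ above.
SAMPLE = (
    "Plugin ID,CVE,Host,IP Address,Port,Protocol\n"
    '10001,"CVE-2024-12345, CVE-2024-67890, CVE-2025-12345, CVE-2025-67890",srv01,192.0.2.10,443,tcp\n'
    "10002,CVE-2024-12345,srv02,192.0.2.11,22,tcp\n"
)
BAD_CASE = SAMPLE.replace("Plugin ID", "plugin id", 1)  # constructed header-casing error
```

`preflight(SAMPLE)` reports 2 source rows expanding into 5 records and resolves the IP field to the `IP Address` column even though `Host` is also present; `preflight(BAD_CASE)` stops at the header check and names the mis-cased column.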
Feature Availability
- Available for customers on the Elite SKU
- Requires RBAC permissions to use the Vulnerability Management module
Note
VRI currently only supports the ingestion of internal (e.g. network, workstation) scanner data.




