Vulnerability Risk Intelligence (BYO Scanner)
NodeZero's Vulnerability Risk Intelligence (VRI) feature enables customers to upload vulnerability scan exports from tools like Tenable (Nessus), Rapid7, and Qualys, and receive attacker-validated risk classification. NodeZero leverages real exploit evidence and attack correlation to prioritize findings based on what attackers can actually exploit.
Overview
NodeZero's VRI capability brings attacker-first validation to scanner data. Customers can upload vulnerability scan outputs (CSV or .nessus) via the UI or API, and NodeZero classifies each vulnerability-asset pair according to exploitability and context. NodeZero:
- Confirms exploitability
- Determines contextually exploitable attacks
- Highlights vulnerabilities tied to high-value assets or threat actor behavior
- Shows unique exploits and mitigated weaknesses found by NodeZero
How It Works
- Upload your scanner data to NodeZero via UI or API.
- NodeZero uses its Exploit Correlation Engine to process each CVE-asset pair.
- Vulnerabilities are classified into risk categories (see below).
- Results are shown in the Risk Intelligence tab and can be exported via UI or API.
Supported Scanner Sources
- Tenable/Nessus CSV
- Tenable/Nessus XML
- Rapid7 CSV and XML
- Qualys CSV
Classification Categories
Each vulnerability is classified into one of the following:
| Category | Description |
|---|---|
| Confirmed Exploitable | Successfully exploited by NodeZero. |
| Contextually Exploitable | Reachable through RCE or chaining, but not directly landed. |
| High-Value Asset | Found on assets identified as mission-critical. |
| Threat Actor Detected | Tied to TTPs observed in real-world attacks. |
| Vulnerable but not Exploited | Not validated but still potentially exploitable. |
| Asset Not Enumerated | Asset couldn't be matched to NodeZero data. |
| Mitigated Weakness | Issue already mitigated based on prior results. |
Using the UI
- Go to the Risk Intelligence tab in the Vulnerability Management Hub.
- Upload your scanner file via drag-and-drop or file picker.
- NodeZero processes your file within 1 hour (SLA).
- View classification results directly in the UI.
Upload Validation
- Max file size: ≤1GB
- File type validation: CSV, XML, .nessus
- Duplicate check via checksum
- If the scope isn't in the file, the user is prompted to enter it manually.
Using the API
- Get a pre-signed URL from the API (requires authentication).
- Upload your file using a POST request to the signed URL.
- Fetch results via GET request.
- API supports CSV, XML, and JSON
- Token-auth required
- Export formats: JSON
Scanner File Statuses
| Status | Description |
|---|---|
| PENDING | The scanner file is waiting to be uploaded, or has been uploaded but risk intelligence has not started. |
| PROCESSING | The scanner file is undergoing risk intelligence. |
| FAILED | The scanner file failed risk intelligence. View the status message for more details. |
| COMPLETED | The scanner file completed intelligence processing. |
| EXPIRED | The scanner file is expired. Scanner files expire after 90 days. |
| DUPLICATE | The scanner file is a duplicate of another file. See status message for details. |
Security & Compliance
- Files uploaded via HTTPS to presigned S3 URLs
- Stored in KMS-encrypted S3 buckets
- Retained temporarily (max 90 days), then deleted post-ingestion
- Normalized data retained permanently
- RBAC and full audit logging enabled
- SOC2 compliant, GDPR aligned
Scanner File Field Mappings
Tenable/Nessus CSV
| Field Type | Field Name |
|---|---|
| Must Have | IP Address, Plugin ID, CVE |
| Should Have | Port, Protocol, FQDN, MAC Address, OS |
Tenable/Nessus XML
| Field Type | Field Name |
|---|---|
| Must Have | host-ip, pluginID, cve |
| Should Have | port, protocol, host-fqdn, mac-address, netbios-name, operating-system |
Rapid7 CSV
| Field Type | Field Name |
|---|---|
| Must Have | Asset IP Address, Vulnerability ID, CVE ID |
| Should Have | Service Port, Service Protocol, Asset Names, Asset MAC Addresses, Asset OS Name |
Qualys CSV
| Field Type | Field Name |
|---|---|
| Must Have | IP, QID, CVE ID |
| Should Have | Port, Protocol, FQDN, NetBIOS, OS |
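A local pre-flight check against the CSV mappings above, as an added example (not NodeZero's own code): it reports missing Must Have and Should Have columns, rows that cannot form a full host/vuln pair, the size limit, and a repeat upload. Assumptions: the header is the first row and column names match exactly, SHA-256 stands in for the unspecified checksum, 1GB is read as 1024^3 bytes, and `preflight` is a hypothetical helper name.

```python
import csv
import hashlib
import io

MAX_BYTES = 1024 ** 3  # 1GB upload limit from the page (binary GB assumed)

# (Must Have, Should Have) columns copied from the field-mapping tables.
CSV_FIELDS = {
    "tenable": (["IP Address", "Plugin ID", "CVE"],
                ["Port", "Protocol", "FQDN", "MAC Address", "OS"]),
    "rapid7": (["Asset IP Address", "Vulnerability ID", "CVE ID"],
               ["Service Port", "Service Protocol", "Asset Names",
                "Asset MAC Addresses", "Asset OS Name"]),
    "qualys": (["IP", "QID", "CVE ID"],
               ["Port", "Protocol", "FQDN", "NetBIOS", "OS"]),
}

def preflight(data, scanner, seen_digests=frozenset()):
    """Check one CSV export (bytes) before upload; hypothetical helper."""
    must, should = CSV_FIELDS[scanner]
    digest = hashlib.sha256(data).hexdigest()  # assumed checksum algorithm
    text = data.decode("utf-8-sig", errors="replace")
    rows = list(csv.reader(io.StringIO(text, newline="")))
    header = [h.strip() for h in rows[0]] if rows else []
    missing_must = [f for f in must if f not in header]
    missing_should = [f for f in should if f not in header]
    # A row with an empty Must Have cell cannot form a full host/vuln pair.
    idx = [header.index(f) for f in must if f in header]
    incomplete = sum(
        1 for r in rows[1:]
        if any(i >= len(r) or not r[i].strip() for i in idx))
    too_large = len(data) > MAX_BYTES
    duplicate = digest in seen_digests
    return {
        "sha256": digest, "rows": max(len(rows) - 1, 0),
        "missing_must": missing_must, "missing_should": missing_should,
        "incomplete_rows": incomplete, "too_large": too_large,
        "duplicate": duplicate,
        "ok": not (missing_must or too_large or duplicate),
    }

# Constructed sample in the Qualys CSV layout (placeholder values).
SAMPLE = (b"IP,QID,CVE ID,Port,Protocol\n"
          b"10.0.0.5,100001,CVE-0000-0001,443,tcp\n"
          b"10.0.0.6,100002,,443,tcp\n")

if __name__ == "__main__":
    for key, value in preflight(SAMPLE, "qualys").items():
        print(f"{key}: {value}")
```

Keeping the digests of earlier uploads and passing them as `seen_digests` flags a repeat file locally before it comes back with the DUPLICATE status.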
FAQs
Q: Can I sanitize scan files before upload (e.g., remove hostnames/IPs)?
A: No, that would prevent asset mapping and classification from working properly. NodeZero requires full host/vuln pairing.
Q: Is data encrypted?
A: Yes, in transit (HTTPS) and at rest (AES-256 with AWS KMS).
Q: How long is data stored?
A: Files are deleted after 90 days. Metadata and classification results are retained indefinitely.
Q: Do you support PDF uploads?
A: No. Only structured formats like CSV or .nessus are supported.
Feature Availability
- Available for customers on the Elite SKU
- Requires RBAC permissions to use the Vulnerability Management module
Note
VRI currently only supports the ingestion of internal (e.g. network, workstation) scanner data.




