> ## Documentation Index
> Fetch the complete documentation index at: https://docs.socfortress.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Vulnerability overview

> Review vulnerability posture across agents with EPSS scoring and package detail.

# Vulnerability overview

**Menu:** Agents → Vulnerability Overview

Vulnerability Overview provides near real-time vulnerability data (from **Wazuh Indexer**) enriched with **EPSS** scoring and package details, so you can prioritize remediation based on both severity and likely exploitation.

<img src="https://mintcdn.com/socfortressllc/fv7R9XvWAzPJz26e/assets/ui/agents-vulnerability-overview.png?fit=max&auto=format&n=fv7R9XvWAzPJz26e&q=85&s=4571ff0e71591026115bb190a569257a" alt="Vulnerability Overview" width="1894" height="796" data-path="assets/ui/agents-vulnerability-overview.png" />

***

## What you’re looking at

### Distribution

<img src="https://mintcdn.com/socfortressllc/fv7R9XvWAzPJz26e/assets/ui/agents-vulnerability-overview-distribution.png?fit=max&auto=format&n=fv7R9XvWAzPJz26e&q=85&s=7f38d101e138e0039684e5126c376ff7" alt="Distribution (placeholder)" width="1560" height="808" data-path="assets/ui/agents-vulnerability-overview-distribution.png" />

A quick breakdown of vulnerabilities by severity (Critical / High / Medium / Low).

Use this for:

* “How bad is it right now?”
* tracking whether patching is reducing overall exposure

### Coverage + top packages by EPSS

<img src="https://mintcdn.com/socfortressllc/fv7R9XvWAzPJz26e/assets/ui/agents-vulnerability-overview-top-packages.png?fit=max&auto=format&n=fv7R9XvWAzPJz26e&q=85&s=21abcb9d092c12c3474b2e003559ce30" alt="Top packages by EPSS (placeholder)" width="1556" height="558" data-path="assets/ui/agents-vulnerability-overview-top-packages.png" />

This section highlights:

* how many **agents** are impacted
* how many **unique packages** are involved
* how many **customer codes** are represented

And surfaces packages/vuln clusters ranked by **EPSS** (a good “what should we care about first?” view).

### Detailed table

<img src="https://mintcdn.com/socfortressllc/fv7R9XvWAzPJz26e/assets/ui/agents-vulnerability-overview-table.png?fit=max&auto=format&n=fv7R9XvWAzPJz26e&q=85&s=3a9262d64a6d2dc29d2194bc6d37c96e" alt="Table (placeholder)" width="1556" height="738" data-path="assets/ui/agents-vulnerability-overview-table.png" />

The table is the working view where you can pivot by:

* CVE
* severity
* affected agent/hostname
* package / OS / architecture
* **CVSS**
* **EPSS score** and **EPSS percentile**
* timestamp (when observed)

***

## EPSS (Exploit Prediction Scoring System) — how to use it

EPSS is a probability model maintained by FIRST that estimates the likelihood a CVE will be exploited “in the wild.”

In CoPilot you’ll typically see:

* **EPSS**: a score between **0 and 1** (higher means more likely exploitation)
* **EPSS Pct**: percentile ranking (how that CVE compares to other CVEs)

How to operationalize it:

* Use **CVSS** to understand *impact/severity*
* Use **EPSS** to understand *likelihood/urgency*
* Prioritize items that are **High CVSS + High EPSS** first

Rule of thumb:

* A Medium CVSS with a very high EPSS can be more urgent than a High CVSS with very low EPSS.

Reference:

* [https://www.first.org/epss/](https://www.first.org/epss/)

***

## Common tasks

### Filter by tenant/customer

Use filters to focus on one customer code at a time in multi-tenant environments.

<img src="https://mintcdn.com/socfortressllc/fv7R9XvWAzPJz26e/assets/ui/agents-vulnerability-overview-filters.png?fit=max&auto=format&n=fv7R9XvWAzPJz26e&q=85&s=05ffac2f0e09611f7befafe590ea4e90" alt="Filters (placeholder)" width="1560" height="640" data-path="assets/ui/agents-vulnerability-overview-filters.png" />

### Identify “top risk” items

A practical triage flow:

1. Review **Top Packages by EPSS**
2. Open the package/CVE details
3. Identify affected agents
4. Create remediation tasks (patch/update/remove package)
5. Validate closure by confirming the item disappears as inventory updates

### Pivot to reporting

If you need a deliverable for a customer or internal patch window:

* use the reporting workflow described here: [Vulnerability report](/user/ui/report-vulnerability)

***

## Prerequisites

* Wazuh inventory (syscollector) is flowing for endpoints
* Wazuh vulnerability detection is enabled and indexing results

***

## Gotchas

* Stale inventory = stale posture. If an agent hasn’t checked in recently, its vulnerability list may be outdated.
* EPSS is a prioritization signal, not a guarantee—use it alongside your environment context (internet exposure, compensating controls, exploitability, asset criticality).
