Vulnerability Assessment FAQ

This document provides an overview of Threat Stack’s vulnerability assessments, describes the supported operating systems (OSs), and provides troubleshooting steps for possible issues.

How does Vulnerability Assessment work?

The Threat Stack Agent retrieves a list of installed packages on the host and matches them against all known Common Vulnerabilities & Exposures (CVEs) captured in the National Vulnerability Database (NVD). It then compares the results against the published security notices and triage data from the specific Linux distribution.

Vulnerability Assessment Flow

This image depicts the flow of the Threat Stack Agent detecting packages and cross-referencing them against more than two million identified CVEs. It automatically categorizes them according to security risk and displays which servers are affected by which vulnerabilities.


For this illustration TS refers to Threat Stack.



Can I get a Vulnerability Assessment report?

Yes, you can subscribe to a daily vulnerability assessment email report. You can enable these reports in the Notifications Settings section of the Settings > General Settings tab.


How do I remediate a vulnerability?

While Threat Stack does not offer vulnerability remediation as a part of our services, we aim to provide contextual information to help you prioritize any necessary remediation actions.

Threat Stack remediation recommendations:

  • Remove all unnecessary packages
  • Review the OS notice identified for the CVE and apply the best practice suggested
  • Confirm that your package is the latest version

How is severity determined?

The vulnerability score is based on the Common Vulnerability Scoring System v2 (CVSS v2) used by the NVD. The severity can be high (H), medium (M), or low (L) as determined by NVD.

For more information see the NVD Frequently Asked Questions or A Complete Guide to the Common Vulnerability Scoring System v2 on
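The matching flow described under "How does Vulnerability Assessment work?", combined with the NVD CVSS v2 severity bands, as an added Python example (not Threat Stack's code). The package names, CVE placeholders, record layout, and simplified version comparison are assumptions constructed for illustration.

```python
import re

def severity(cvss_v2):
    """NVD CVSS v2 bands: low 0.0-3.9, medium 4.0-6.9, high 7.0-10.0."""
    return "H" if cvss_v2 >= 7.0 else "M" if cvss_v2 >= 4.0 else "L"

def version_key(version):
    """Simplified ordering key (assumption): numeric runs compare as integers.
    Real dpkg/rpm ordering has more rules (epochs, '~') that are not modelled."""
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"\d+|[A-Za-z]+", version)]

def assess(installed, nvd_records, distro_notices):
    """Stage 1: match installed packages to NVD records.
    Stage 2: drop matches the distribution has triaged as fixed or not affected."""
    findings = []
    for rec in nvd_records:
        have = installed.get(rec["package"])
        if have is None:
            continue  # package is not on this host
        notice = distro_notices.get((rec["cve"], rec["package"]), {})
        if notice.get("status") == "not-affected":
            continue  # distro triage says this build is not vulnerable
        fixed = notice.get("fixed")
        if fixed and version_key(have) >= version_key(fixed):
            continue  # the distro's patched build is already installed
        findings.append({"cve": rec["cve"], "package": rec["package"],
                         "installed": have, "fixed_in": fixed,
                         "severity": severity(rec["cvss_v2"])})
    return sorted(findings, key=lambda f: "HML".index(f["severity"]))

# Constructed sample data: hypothetical packages and placeholder CVE ids.
INSTALLED = {"examplessl": "1.0.2-3", "examplezip": "3.0-11", "examplecurl": "7.58.0-2"}
NVD_RECORDS = [
    {"cve": "CVE-EXAMPLE-0001", "package": "examplessl", "cvss_v2": 7.5},
    {"cve": "CVE-EXAMPLE-0002", "package": "examplezip", "cvss_v2": 4.3},
    {"cve": "CVE-EXAMPLE-0003", "package": "examplecurl", "cvss_v2": 2.1},
    {"cve": "CVE-EXAMPLE-0004", "package": "notinstalled", "cvss_v2": 9.0},
    {"cve": "CVE-EXAMPLE-0005", "package": "examplecurl", "cvss_v2": 5.0},
]
DISTRO_NOTICES = {
    ("CVE-EXAMPLE-0001", "examplessl"): {"status": "fixed", "fixed": "1.0.2-10"},
    ("CVE-EXAMPLE-0002", "examplezip"): {"status": "fixed", "fixed": "3.0-9"},
    ("CVE-EXAMPLE-0003", "examplecurl"): {"status": "not-affected"},
}

if __name__ == "__main__":
    for f in assess(INSTALLED, NVD_RECORDS, DISTRO_NOTICES):
        print(f["severity"], f["cve"], f["package"], f["installed"], "->", f["fixed_in"])
```

The `examplezip` record shows why versions must be compared numerically: a plain string comparison would rank `3.0-11` below `3.0-9` and report a package that is already patched.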

How often do assessments run?

Vulnerability assessments occur within 15 minutes of package collection. Threat Stack collects packages at the following times:

  • Daily between 12:00 a.m. and 2:00 a.m. UTC.
  • The first time an Agent starts and connects to the Threat Stack platform.

Can I run an assessment on demand?

No, you cannot run an assessment on demand. This means it will take up to 24 hours for suppressions to remove alerts or unsuppressed vulnerabilities to display.

I removed a package, why am I still seeing the vulnerability?

Threat Stack runs assessments every 24 hours. Removals and changes will not display until the next assessment completes.

Which Linux distributions are supported?

Threat Stack supports the following OSs:

  • Amazon Linux
  • CentOS
  • Red Hat
  • Ubuntu

How does Threat Stack source vulnerabilities?

Threat Stack sources vulnerabilities from the NVD’s published CVE reports.

What if I choose not to remediate a vulnerability?

You can choose to suppress a vulnerability, preventing it from displaying in future assessments. See the Suppressing Vulnerabilities FAQ article for more about suppressing vulnerabilities.

Articles in the Vulnerability Assessment Series

Vulnerability Assessment Feature

Suppress or Unsuppress Vulnerabilities
