Vulnerability Assessment FAQ


This document gives you a better understanding of the boundaries of Threat Stack’s assessments, confirms the supported OSs, and helps you triage and troubleshoot issues you’re experiencing.

How does the Vulnerability Assessment Scan work?

We get a package list and match it against all known Common Vulnerabilities & Exposures (CVEs) based on the National Vulnerability Database (NVD), and then compare the matches against the published security notice and triage data from your OS.

Vulnerability Assessment

Detect systems and packages containing known vulnerabilities and cross-reference against more than two million identified CVEs. Automatically categorize them according to security risk and see which servers are affected by which vulnerabilities.

NOTE: For this illustration, TS refers to Threat Stack.


Does Threat Stack offer a Vulnerability Assessment Report?

Yes, you can subscribe to a daily vulnerability assessment email report. You can enable these reports on the SETTINGS page in the Notifications Settings section.

Notifications Settings section of the Settings page within Threat Stack

How do I remediate a vulnerability?

While Threat Stack does not offer vulnerability remediation as a part of our services, we aim to provide contextual information to help you prioritize any necessary remediation actions.

Threat Stack remediation recommendations:

  • Remove all unnecessary packages
  • Review the OS notice identified for the CVE and apply the best practice suggested
  • Confirm that your package is the latest version

How does the Threat Stack vulnerability severity score work?

The vulnerability score is based on the NVD CVSS v2 given to the identified CVE. The severity can be high (H), medium (M), or low (L) as determined by NVD.

For more information, see the NVD Frequently Asked Questions (we recommend the beta NVD site for increased usability) or A Complete Guide to the Common Vulnerability Scoring System v2 on
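
The scan flow and severity labels described above, as an added Python illustration: installed packages are matched to CVE records, checked against OS notice and triage data, and labelled H/M/L using NVD's CVSS v2 bands. This is not Threat Stack's code; the data shapes, field names, placeholder CVE ids and the simplified dotted-integer version comparison are all assumptions.

```python
# Constructed sample data: placeholder CVE ids, package versions and scores.
INSTALLED = {"openssl": "1.0.2.16", "bash": "4.3.1", "zlib": "1.2.8", "curl": "7.50.0"}

# Hypothetical NVD-style records: upstream fix version and CVSS v2 base score.
NVD_FEED = [
    {"cve": "CVE-0000-0001", "package": "openssl", "fixed_in": "1.1.0", "cvss_v2": 7.5},
    {"cve": "CVE-0000-0002", "package": "bash", "fixed_in": "4.4.0", "cvss_v2": 10.0},
    {"cve": "CVE-0000-0003", "package": "zlib", "fixed_in": "1.2.9", "cvss_v2": 5.0},
    {"cve": "CVE-0000-0004", "package": "curl", "fixed_in": "7.51.0", "cvss_v2": 2.6},
    {"cve": "CVE-0000-0005", "package": "nginx", "fixed_in": "1.13.0", "cvss_v2": 6.8},
    {"cve": "CVE-0000-0006", "package": "zlib", "fixed_in": "1.2.10", "cvss_v2": 4.3},
]

# Hypothetical OS security-notice / triage data, keyed by (CVE, package).
OS_TRIAGE = {
    ("CVE-0000-0001", "openssl"): {"status": "fixed", "fixed_in": "1.0.2.12"},  # backport
    ("CVE-0000-0003", "zlib"): {"status": "not-affected"},
    ("CVE-0000-0004", "curl"): {"status": "fixed", "fixed_in": "7.50.0.3"},
}

def ver(v):
    """Simplified comparison key: dotted integers only (real dpkg/rpm rules are richer)."""
    return tuple(int(part) for part in v.split("."))

def severity(score):
    """NVD CVSS v2 bands: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    return "H" if score >= 7.0 else "M" if score >= 4.0 else "L"

def assess(installed, feed, triage):
    findings = []
    for rec in feed:
        have = installed.get(rec["package"])
        if have is None or ver(have) >= ver(rec["fixed_in"]):
            continue  # not installed, or already at/past the upstream fix
        notice = triage.get((rec["cve"], rec["package"]), {})
        if notice.get("status") == "not-affected":
            continue  # the OS vendor triaged this CVE as not applicable
        if notice.get("status") == "fixed" and ver(have) >= ver(notice["fixed_in"]):
            continue  # fix backported into the distribution's package
        findings.append((rec["cve"], rec["package"], severity(rec["cvss_v2"])))
    return sorted(findings, key=lambda f: "HML".index(f[2]))  # high first

if __name__ == "__main__":
    for cve, pkg, sev in assess(INSTALLED, NVD_FEED, OS_TRIAGE):
        print(f"{sev}  {cve}  {pkg} {INSTALLED[pkg]}")
```

In this constructed data the openssl record is dropped because the OS notice lists a backported fix older than the installed package, while the curl record stays because the installed package predates the OS fix.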

How often do Vulnerability Assessment scans run?

Threat Stack runs a scan daily, starting at 12am UTC, and also when the agent first deploys.

Can I run a Vulnerability Assessment scan on demand?

No, you cannot run a scan on demand. This means it will take up to 24 hours for suppressions to remove alerts or for unsuppressed vulnerabilities to display.

I removed a package, why am I still seeing the vulnerability?

Threat Stack runs scans every 24 hours, so removals and changes will not display until the next scan completes.

Which OSs and distributions does Threat Stack support for vulnerability scans?

Threat Stack supports the following operating systems:

  • Amazon (Linux)
  • Red Hat
  • Ubuntu

How does Threat Stack source vulnerabilities?

Threat Stack sources vulnerabilities from the NVD’s published CVE reports.

What if we can't remediate a vulnerability or the company chooses not to fix it?

You can choose to suppress a vulnerability if no remediation options exist. Click here for more about suppressing vulnerabilities.
