Baseline Coverage on Vulnerabilities

Assign asset criticality scores to your approved assets so the scanner can prioritize them, then review findings in the security inbox. Scans run automatically on your organization’s configured frequency (weekly by default for up to 10 assets on Standard plans) and the quota available with preference given to highest asset criticality-scored assets.

Before you begin: Complete Discover Your Estate first. Assets must be in Approved status and have asset criticality scores assigned before they are eligible for scanning.

Steps

1. Confirm Asset Criticality scores are assigned

From Assets then All assets, check the Asset Criticality column. Any asset showing no score will not enter the scan queue. Open the then Edit for each unscored asset and complete the four Security Posture fields: Business Criticality, Environment, Sensitivity, and Exposure Status. The score (0-40) calculates instantly on save.

Asset Criticality Score

Tip: For an asset to be automatically queued for vulnerability scanning or eligible for on-demand scanning it must be both approved and have asset criticality assigned.

2. Verify assets are queued

In the asset table, check the Vuln Scan Queued column. Filter by Vuln. Scans then Scheduled to see which assets have entered the queue.

Tip: Score scale: 31-40 = Critical, 21-30 = High, 11-20 = Moderate, 0-10 = Low. Critical-scored assets are front-of-queue.

3. Trigger an immediate scan if needed

Open any approved asset’s detail page and click Vuln. scan now button to bypass the queue schedule and run immediately. Use this for newly approved critical assets where you cannot wait for the next scheduled batch. Note that button will change to “Scanning…” and vulnerability scans will show as “In Progress”.

Vuln Scan Now

4. Review vulnerability scan findings

Navigate to Vulnerability scans and click the number below Latest scan results.

Vuln Scan Results

Tip: These are total findings identified in the most recent vulnerability scan of the selected assets. They are a summary of unique, non-remediated vulnerabilities found during the current scan period. Any vulnerabilities already marked as remediated are excluded.

5. Triage and assign findings in the Security Inbox

Open Filters then Issue Type then Vulnerability detection to isolate automated scan results from researcher submissions. Save this as a view (e.g., Automated Scans) by clicking Save as … for one-click access. By clicking each finding in the Inbox, it shows Asset Context, CVSS score, and Weakness Details with proof of detection. Use the State dropdown on each finding to progress it: Open then In review then Confirmed or False positive. Assign a team member via the Assignees field. Use the Activities tab for a full audit trail of who touched each finding and when.

Tip: Scan findings indicate potential exposure. Bugcrowd researcher findings are human-validated. Treat confirmed scan findings as triage candidates, not guaranteed critical issues.

Review Vuln Detections

6. Monitor quota and scan history

Track scan status (In Progress, Completed, Failed) in the Vulnerability scans tab on any asset detail page. Review the Activity Logs (Assets then Activity logs, filter by Vulnerability scan updated) for a timestamped audit trail across your entire estate. Standard customer accounts can scan 10 assets per week and this allocation is viewable on the Vulnerability scans tab as Weekly scan quota.

Vuln Scan Activity Logs

You now have an ongoing, prioritized view of externally detectable vulnerabilities across your approved asset inventory. The next step is doing an autonomous pentest to discover, validate, and exploit vulnerabilities in your newly discovered attack surface.