Vulnerability Management
Vulnerability Management finds the known security flaws (CVEs) affecting the devices you manage, ranks them by how much they actually matter, and gives you a clear path to act on each one – deploy a patch, formally accept the risk for a set period, or record a compensating control. It cross-references the software and operating-system versions Breeze already inventories against authoritative vulnerability feeds, so there is nothing to install or scan separately – but scanning is opt-in per scope and off by default, so you turn it on for the organizations you want covered (see Enabling vulnerability scanning).
This page is the operator’s guide. Fixes are usually deployed through Patch Management, and vulnerability posture also feeds the Security overview and the AI agent.
Open Vulnerabilities from the Security section of the left sidebar for the fleet-wide view, or open any device and select its Vulnerabilities tab for a single machine.
Enabling vulnerability scanning
Section titled “Enabling vulnerability scanning”Vulnerability scanning is off by default. A device only produces findings once it’s covered by a configuration policy that turns scanning on, so you can roll the feature out organization by organization instead of flooding every customer at once.
- Go to Configuration → Policies and open (or create) a policy.
- On the Vulnerability feature tab, switch Enable vulnerability scanning on, and save.
- Assign the policy to the scope you want covered – a partner, organization, site, device group, or individual device.
Coverage follows the same closest-wins inheritance as every other policy feature: a device- or group-level setting of off overrides an organization-wide on, so you can enable scanning broadly and carve out exceptions. Once a scope is enabled, Breeze correlates its inventory against the CVE feeds once a day (around 13:00 UTC, after the feeds refresh) and populates the findings below. Platform administrators can also trigger a correlation pass on demand.
What you can do
Section titled “What you can do”- Work a fix-first queue across your whole fleet, grouped by the fix that clears each finding.
- Triage at the fleet level – deploy a patch, accept a risk, or mitigate across every affected device at once.
- Drill into one device to see its findings and act on them individually.
- Open a ticket from a finding so remediation lands on someone’s work queue.
- Let the AI agent report on vulnerabilities and propose remediations for your approval.
The fleet dashboard
Section titled “The fleet dashboard”The Vulnerabilities page is a fix-first queue: instead of making you read a flat list of CVEs, it organizes open findings by the action that resolves them, and leads with the numbers that decide what to do first. It has two views, switched with a tab:
- By software (default) groups findings into one row per remediation unit – the software product whose update clears them (for example, a browser or runtime), or “Windows / macOS / Linux OS updates” for operating-system findings. Each row shows how many devices and how many CVEs the one fix covers, so you remediate a whole class of exposure in a single action.
- By CVE is the classic one-row-per-vulnerability view, one row per CVE across every organization you can access.
Priority stat cards
Section titled “Priority stat cards”Four cards sit above the queue and double as filters – click one to narrow the list to it:
| Card | What it counts |
|---|---|
| Critical open | Open findings at Critical severity. |
| KEV exposure | Open findings on CISA’s Known Exploited Vulnerabilities list – the ones being used in the wild. |
| Patch ready | Open findings that have an available, approved patch you can deploy right now. |
| Accepted, expiring soon | Risk acceptances whose Accepted until date falls within the next 14 days, so nothing lapses back to open unnoticed. |
Columns and filters
Section titled “Columns and filters”The By CVE view shows, per row:
| Column | What it shows |
|---|---|
| CVE | The vulnerability identifier (e.g. CVE-2024-1234). |
| Severity | Critical / High / Medium / Low, color-coded. |
| CVSS | The standard 0–10 base severity score (shown as — until scored). |
| Risk | Breeze’s prioritized 0–100 score (see Risk scoring). |
| Devices | How many of your devices are affected by this CVE. |
| Known exploited | Flagged when the CVE is on CISA’s Known Exploited Vulnerabilities list. |
Narrow either view with the Severity and Status filters, a KEV only toggle, and a Patch available toggle.
Fleet-level triage
Section titled “Fleet-level triage”Open a software group or a CVE to see every device it affects, and act on all of them at once from that view:
| Action | What it does |
|---|---|
| Remediate | Schedules the fixing patch across every affected device that has an available, approved patch. |
| Accept risk | Records a formal, time-boxed risk acceptance (with a reason and an Accepted until date) for the whole group. |
| Mitigate | Records a compensating control across the group. |
| Create ticket | Opens a ticket for the finding and links it, so the work is tracked to closure. When a selection spans more than one customer, Breeze creates one ticket per organization. |
The per-device tab
Section titled “The per-device tab”Each device’s Vulnerabilities tab lists that machine’s findings and is where you act on a single machine. A status filter switches between Open (default), Accepted, Mitigated, Patched, and All. Open findings show their CVE (with a Patch available badge when an installable fix exists), severity, status, CVSS, risk, known-exploited flag, and per-row actions.
| Action | What it does | When available |
|---|---|---|
| Remediate | Schedules the patch that fixes this CVE on this device. | Open findings with an available, approved patch. |
| Accept risk | Records a formal, time-boxed risk acceptance with a reason. | Any open finding. |
| Mitigate | Records that a compensating control reduces this risk. | Any open finding. |
| Reopen | Returns an accepted or mitigated finding to open. | Accepted / Mitigated findings. |
When patches are available for several findings, select them and use Remediate selected to schedule them together.
Accept risk vs. mitigate
Section titled “Accept risk vs. mitigate”Both keep a finding off your open list, but they mean different things:
- Accept risk is a governance decision – “we acknowledge this and choose to live with it until a date.” It requires a reason and an Accepted until date. When that date passes, a nightly job automatically reopens the finding so it can’t be quietly forgotten.
- Mitigate is a technical assertion – “a control (a firewall rule, a disabled feature) reduces this risk.” It requires a note and stays in effect until someone reopens it.
Where the data comes from
Section titled “Where the data comes from”Breeze pulls vulnerability intelligence from several authoritative feeds and refreshes them on a schedule. The feeds themselves need no setup – they are always kept current; you only choose which scopes to scan against them (see Enabling vulnerability scanning). The sources:
| Source | Used for |
|---|---|
| NIST NVD | The core CVE catalog, CVSS scores, and affected-version ranges for third-party software. |
| Microsoft MSRC | CVEs and fixed builds for Windows and Microsoft products. |
| Apple SOFA | CVEs and fixed builds for macOS releases. |
| CISA KEV | Marks CVEs that are known to be actively exploited. |
| FIRST EPSS | A probability that a CVE will be exploited in the near term. |
How risk is scored
Section titled “How risk is scored”The Risk score (0–100) is designed to surface what attackers are most likely to use against you, not just what scores highest on paper. It builds on the CVSS base score and then adjusts for real-world signals:
- CVSS severity is the spine of the score.
- Active exploitation (KEV) lifts a finding into high-priority territory regardless of its base score – a “medium” CVE that is being exploited in the wild should not sit at the bottom of your list.
- Exploit likelihood (EPSS) nudges the score up when a flaw is statistically likely to be weaponized soon.
The result is that a moderately-rated but actively-exploited vulnerability can outrank a higher-CVSS flaw that nobody is using. Scores refresh hourly, so newly-exploited CVEs re-prioritize themselves without any action from you.
Permissions
Section titled “Permissions”| Permission | Allows |
|---|---|
devices:read |
View the fleet dashboard and per-device tab. |
devices:execute (plus MFA) |
Schedule remediation (patch installs) from a finding. |
vulnerabilities:accept_risk |
Accept a risk, and reopen an accepted or mitigated finding. |
devices:write |
Mark a finding mitigated. |
Risk acceptance is deliberately gated by its own permission so that formally waiving a critical or actively-exploited finding is a higher-trust action than everyday device work.
With the AI agent
Section titled “With the AI agent”Vulnerability data is available to the Breeze AI agent: it can summarize fleet-wide vulnerability posture, list a device’s findings, and – with your approval – schedule remediations. Critical detections and remediation activity also appear on the device event timeline, so they can drive automations. See AI Agent.