ASM Issue Severity Definitions and Examples

This document describes how Mandiant Advantage Attack Surface Management (MA-ASM) determines the severity ratings for Issues.

Confidence Level of Issues

MA-ASM uses triage categories to determine whether an Issue needs further investigation or is ready for review.

  • Confirmed: MA-ASM has high confidence in the finding.
  • Potential: There is a known vulnerability related to this Entity, but MA-ASM cannot confirm that this is true in this case.
Mandiant recommends prioritizing Confirmed Issues.

Prioritization of Issues

Mandiant recommends giving priority to the resolution of critical and high severity Issues in order to strengthen the Entities associated with these Issues. As a customer, you iterate on the MA-ASM program. You and other team members discuss how you can effectively triage medium and low severity Issues over time. Discussions could be about a ticketing system or whether channels of communication are open to infrastructure or technology owners.

The following table, Issue Severity Definitions, outlines a common understanding of the risks of vulnerability, misconfiguration, and exposure.

Issue Severity Definitions
Issue Severity Definitions Examples
Critical The asset has an increased risk of exploitation based on activity observed in the wild, or the potential exposure and data leakage will negatively affect the organization. Successful exploitation could allow a threat actor to achieve persistence, lateral movement, account compromise, or data exfiltration. A CVE CVSS 9.0-10.0 and a Critical Risk Rating from Mandiant validate the issue severity.

Suggested Usage:

  • Investigate within 24 hours
  • Remediate within 7 days
High The asset has a vulnerability, misconfiguration, or exposure that, when exploited or leveraged by a threat actor, can enable them to achieve persistence or lateral movement or perform unauthenticated actions. CVEs with a CVSS of 7.0-8.9 or a High Risk Rating from Mandiant Threat Intelligence generate high severity Issues.

Suggested Usage:

  • Investigate within 48 hours
  • Remediate within 14 days
Medium The asset is vulnerable; however, the affect of exploitation is offset by hardening methods such as MFA or additional access requirements that hinder a threat actor from achieving their mission.

Suggested Usage:

  • Investigate within 72 hours
  • Remediate within 21 days
  • Exposed VPN Service
  • Exposed Databases
  • A 2FA which can be bypassed
Low The asset has a vulnerability, misconfiguration, or exposure that can further a threat actor's reconnaissance effort, but does not pose an immediate risk.
In some organizations, low severity Issues are considered acceptable.

Suggested Usage:

  • Investigate within 4 days
  • Remediate within 28 days
  • World Readable AWS S3 Buckets
  • Wildcard Certificates
  • Security Headers Missing from URL
Informational Security hygiene insights that do not require immediate attention but should be addressed during ongoing efforts to improve security posture. You may choose to delegate informational Issues to the appropriate team. 

Suggested Usage:

  • Investigate within 1 month
  • Remediate within 3 months
  • Self-signed Certificates
  • Deprecated SSL/TLS Protocols
  • Insecure Cookies

Numeric Severity

A numeric severity system is used when configuring some MA-ASM outbound integrations. The following table outlines the numbers associated with each Issue Severity level in MA-ASM.

Numeric Severity for Issues
Issue Severity Numeric representation
Critical 1
High
2
Medium
3
Low
4
Informational
5
  • December 26, 2022
  • November 19, 2025
In This Article