Environment Risk Report

The Environment Risk Report is a detailed technical report for a single environment. It gives the full picture of vulnerability exposure, finding details, asset coverage, and remediation status for one specific site. It is designed for OT engineers, security teams, and site managers who need comprehensive data for operational decision-making.

Audience

  • OT engineers planning a maintenance window and needing the full finding list.
  • Site security managers preparing for a site-level review.
  • MSSP analysts delivering a client-specific vulnerability assessment.
  • Consultants documenting the state of a facility.

What the Report Contains

Environment Overview

  • Environment name, site type, and criticality level.
  • Asset count by type (PLCs, HMIs, SCADA servers, etc.).
  • Asset count by layer (OT, OS, NETWORK).
  • Total active findings.
  • Acknowledgment coverage: what percentage of findings have been reviewed.

Finding Detail Table

Every active finding in the environment, listed with:

Column             Description
CVE ID             NVD identifier
BSID               BreachSpider identifier
Affected Asset     Device name
CVSS               Severity score
BCS                Exploitation priority score
EPSS               Exploitation probability percentile
KEV                Yes/No
Exploit Maturity   NONE, POC, FUNCTIONAL, WEAPONIZED
Match Confidence   HIGH, MEDIUM, LOW
Patch Status       Patched, Unpatched, Partial

Findings are sorted by BCS score (highest priority first).

Acknowledged Findings

A separate section listing all acknowledged findings with:

  • CVE ID and asset name.
  • Acknowledgment reason (not_applicable, compensating_control, accepted_risk, false_match, escalated).
  • Notes provided at acknowledgment time.
  • Who acknowledged and when.

This section demonstrates that your team has reviewed and dispositioned findings, not just ignored them.

Severity Distribution

A chart showing the breakdown of findings by severity level for this environment specifically.

Layer Distribution

A breakdown showing OT, OS, and NETWORK finding counts for this environment.

SAGE Risk Narrative

A SAGE-generated narrative summarizing the environment's risk posture. This narrative is technical, written for OT engineers, and includes:

  • The most critical findings and why they matter for this specific site type.
  • Remediation recommendations in priority order.
  • Compensating control suggestions for unpatchable devices.
  • Protocol-specific risks (e.g., "Three findings affect Modbus/TCP implementations on your PLCs").

Patch Coverage

A summary of patch availability across all findings:

  • X findings have patches available.
  • X findings have no patch available.
  • X findings have partial patches.
  • Patch coverage percentage.
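The following is an added example, not BreachSpider's own code or schema, showing how the Finding Detail Table, the Acknowledged Findings split, the acknowledgment coverage figure, and the Patch Coverage summary described above can be derived from a set of finding records. The Finding data class, the sample records, and the tie-break rules beyond the documented BCS sort are this example's assumptions; the column names and enumerations follow the table above.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed data model reconstructed from the report's documented columns and
# enumerations. This is illustrative, not the product's own schema or code.
EXPLOIT_MATURITY_RANK = {"NONE": 0, "POC": 1, "FUNCTIONAL": 2, "WEAPONIZED": 3}
MATCH_CONFIDENCE = {"HIGH", "MEDIUM", "LOW"}
PATCH_STATUS = {"Patched", "Unpatched", "Partial"}
ACK_REASONS = {"not_applicable", "compensating_control", "accepted_risk",
               "false_match", "escalated"}


@dataclass
class Finding:
    cve_id: str
    bsid: str
    asset: str
    cvss: float
    bcs: float
    epss_percentile: float
    kev: bool
    exploit_maturity: str
    match_confidence: str
    patch_status: str
    ack_reason: Optional[str] = None   # set once the finding has been acknowledged
    ack_notes: str = ""
    ack_by: Optional[str] = None
    ack_at: Optional[str] = None

    def __post_init__(self):
        # Reject values outside the documented enumerations so a malformed
        # record cannot silently land in the wrong bucket of the report.
        if self.exploit_maturity not in EXPLOIT_MATURITY_RANK:
            raise ValueError(f"bad exploit maturity: {self.exploit_maturity!r}")
        if self.match_confidence not in MATCH_CONFIDENCE:
            raise ValueError(f"bad match confidence: {self.match_confidence!r}")
        if self.patch_status not in PATCH_STATUS:
            raise ValueError(f"bad patch status: {self.patch_status!r}")
        if self.ack_reason is not None and self.ack_reason not in ACK_REASONS:
            raise ValueError(f"bad acknowledgment reason: {self.ack_reason!r}")

    @property
    def acknowledged(self) -> bool:
        return self.ack_reason is not None


def finding_detail_table(findings):
    """Active findings, highest BCS first.
    Assumption: 'active' means not yet acknowledged. The page documents only the
    BCS sort; breaking ties on KEV and then exploit maturity is this example's choice."""
    active = [f for f in findings if not f.acknowledged]
    return sorted(active,
                  key=lambda f: (f.bcs, f.kev, EXPLOIT_MATURITY_RANK[f.exploit_maturity]),
                  reverse=True)


def acknowledged_findings(findings):
    """The separate Acknowledged Findings section: reason, notes, who and when."""
    return [(f.cve_id, f.asset, f.ack_reason, f.ack_notes, f.ack_by, f.ack_at)
            for f in findings if f.acknowledged]


def acknowledgment_coverage(findings):
    """Percentage of all findings that have been reviewed (acknowledged)."""
    if not findings:
        return 0.0
    return 100.0 * sum(f.acknowledged for f in findings) / len(findings)


def patch_coverage(findings):
    """Counts per patch status plus a coverage percentage.
    Assumption: coverage is the share of all findings whose status is Patched."""
    counts = {s: 0 for s in PATCH_STATUS}
    for f in findings:
        counts[f.patch_status] += 1
    pct = 100.0 * counts["Patched"] / len(findings) if findings else 0.0
    return counts, pct


def render_table(rows):
    """Plain-text rendering of the Finding Detail Table columns."""
    header = ("CVE ID", "BSID", "Asset", "CVSS", "BCS", "EPSS", "KEV",
              "Maturity", "Confidence", "Patch")
    lines = [" | ".join(header)]
    for f in rows:
        lines.append(" | ".join([f.cve_id, f.bsid, f.asset, f"{f.cvss:.1f}",
                                 f"{f.bcs:.1f}", f"{f.epss_percentile:.2f}",
                                 "Yes" if f.kev else "No", f.exploit_maturity,
                                 f.match_confidence, f.patch_status]))
    return "\n".join(lines)


# Constructed sample findings: identifiers, assets and scores are made up.
SAMPLE = [
    Finding("CVE-2024-90001", "BS-0001", "PLC-01", 9.8, 92.5, 0.97, True, "WEAPONIZED", "HIGH", "Unpatched"),
    Finding("CVE-2024-90002", "BS-0002", "PLC-02", 7.5, 71.0, 0.40, False, "POC", "MEDIUM", "Patched"),
    Finding("CVE-2024-90003", "BS-0003", "HMI-01", 8.1, 55.0, 0.12, False, "NONE", "LOW", "Partial",
            ack_reason="not_applicable", ack_notes="Affected module not installed",
            ack_by="j.doe", ack_at="2024-05-01"),
    Finding("CVE-2024-90004", "BS-0004", "SCADA-01", 6.5, 71.0, 0.55, False, "FUNCTIONAL", "HIGH", "Unpatched"),
    Finding("CVE-2024-90005", "BS-0005", "HMI-02", 5.3, 30.0, 0.05, False, "NONE", "HIGH", "Partial",
            ack_reason="compensating_control", ack_notes="Segmented behind firewall",
            ack_by="a.lee", ack_at="2024-05-02"),
]

if __name__ == "__main__":
    print(render_table(finding_detail_table(SAMPLE)))
    print(f"Acknowledgment coverage: {acknowledgment_coverage(SAMPLE):.1f}%")
    counts, pct = patch_coverage(SAMPLE)
    print(f"Patch coverage: {counts} -> {pct:.1f}%")
```

In the sample, the two acknowledged findings drop out of the detail table and count toward acknowledgment coverage, while the two findings tied at BCS 71.0 are ordered by exploit maturity so the FUNCTIONAL one lands above the POC one; validation in the data class is what keeps a mistyped status or reason from distorting either percentage.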

Generating the Report

  1. Navigate to Reports > Generate Report.
  2. Select Environment Risk Report.
  3. Select a single environment.
  4. Set the reporting period.
  5. Click Generate.

The report generates in 15-45 seconds. Larger environments with many findings take longer because the SAGE narrative takes longer to generate.

Using the Report

Maintenance window planning: Print or share the finding detail table with your OT team before a scheduled maintenance window. The BCS-sorted list tells them what to patch first.

Client deliverable (MSSP): Generate an Environment Risk Report for each client's environment and deliver it as a monthly vulnerability assessment.

Site review preparation: Generate the report before a site security review meeting. The SAGE narrative provides talking points and the acknowledged findings section shows what has already been addressed.

Vendor coordination: Share the findings affecting a specific vendor's products with that vendor's support team to request firmware updates or remediation guidance.