The Strike List
The Strike List is the most important view on your dashboard. It answers the single most critical question in vulnerability management: "What should I fix right now?"
How It Works
The Strike List pulls findings from all your environments, scores them by BCS (BreachSpider Confidence Score), and presents the results ranked by exploitation urgency. The CVE most likely to be used against you appears at the top.
The Strike List is not sorted by CVSS severity. It is sorted by BCS priority. This is a deliberate design decision. A CVSS 7.5 with a confirmed exploit and KEV flag is a more urgent real-world threat than a CVSS 9.8 with no known exploitation. BCS accounts for both severity and exploitation intelligence.
Reading a Strike List Entry
Each entry in the Strike List shows:
- CVSS score bubble: A colored circle with the numeric CVSS score. Red for critical (9.0-10.0), orange for high (7.0-8.9), yellow for medium (4.0-6.9), blue for low (0.1-3.9).
- CVE ID and title: The NVD identifier and a truncated description of the vulnerability.
- KEV badge (red): Present when the CVE is in the Known Exploited Vulnerabilities catalog. This means exploitation is confirmed, not predicted.
- EXPLOIT badge (orange): Present when a working exploit is publicly available (exploit_maturity = FUNCTIONAL or WEAPONIZED).
- PoC badge (yellow): Present when proof-of-concept code has been published (exploit_maturity = POC).
- EPSS percentile badge: Shows where this CVE ranks in exploitation probability compared to all CVEs. A badge showing "95%" means this CVE is in the top 5% of exploitation likelihood.
Ordering Logic
The Strike List uses the following priority ordering:
- KEV flagged AND EPSS 90th percentile or higher. These are the most dangerous findings -- confirmed exploitation with high predicted ongoing activity. They always appear at the top.
- KEV flagged, any EPSS. Confirmed exploitation, regardless of the prediction model's current score.
- Public exploit available, high EPSS. Working exploit code exists and the model predicts high exploitation activity.
- PoC available, high CVSS. Proof-of-concept code lowers the barrier for attackers. Combined with high severity, this is a near-term threat.
- High CVSS, high EPSS, no exploit. Severe vulnerability with predicted exploitation but no public attack code yet.
Within each tier, entries are sorted by BCS score descending.
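The ordering above amounts to a two-part sort key: tier first, then BCS descending. The following is an added example, not BreachSpider's own code; the Finding fields, the 90th-percentile and 7.0 cut-offs for "high", the trailing tier 6 and the sample data are assumptions.

```python
from dataclasses import dataclass

# Assumed thresholds: the page only says "high". 90 reuses the tier-1 EPSS
# cut-off; 7.0 is where the page's "high" CVSS band starts.
HIGH_EPSS_PCT, HIGH_CVSS = 90.0, 7.0
PUBLIC_EXPLOIT = {"FUNCTIONAL", "WEAPONIZED"}  # EXPLOIT badge values

@dataclass
class Finding:  # hypothetical record; only exploit_maturity is named on the page
    cve_id: str
    cvss: float
    epss_percentile: float
    kev: bool
    exploit_maturity: str  # "WEAPONIZED", "FUNCTIONAL", "POC"; "NONE" is assumed
    bcs: float

def tier(f: Finding) -> int:
    """First ordering tier (1-5) the finding satisfies; 6 if none (assumed)."""
    high_epss = f.epss_percentile >= HIGH_EPSS_PCT
    high_cvss = f.cvss >= HIGH_CVSS
    if f.kev:
        return 1 if high_epss else 2
    if f.exploit_maturity in PUBLIC_EXPLOIT and high_epss:
        return 3
    if f.exploit_maturity == "POC" and high_cvss:
        return 4
    if high_cvss and high_epss:  # public-exploit and PoC cases returned above
        return 5
    return 6

def strike_list(findings):
    """Tier ascending, then BCS descending within each tier."""
    return sorted(findings, key=lambda f: (tier(f), -f.bcs))

# Constructed sample findings with placeholder IDs (not real CVEs).
SAMPLE = [
    Finding("CVE-EXAMPLE-A", 9.8, 40.0, False, "NONE", 61.0),
    Finding("CVE-EXAMPLE-B", 7.5, 95.0, True, "WEAPONIZED", 88.0),
    Finding("CVE-EXAMPLE-C", 8.1, 30.0, True, "NONE", 70.0),
    Finding("CVE-EXAMPLE-D", 8.8, 97.0, False, "FUNCTIONAL", 92.0),
    Finding("CVE-EXAMPLE-E", 9.1, 20.0, False, "POC", 75.0),
    Finding("CVE-EXAMPLE-F", 6.5, 99.0, True, "FUNCTIONAL", 80.0),
]

if __name__ == "__main__":
    for f in strike_list(SAMPLE):
        print(tier(f), f.cve_id, f"CVSS {f.cvss}", f"BCS {f.bcs}")
```

In the sample, the KEV-flagged CVSS 7.5 entry ranks first and the CVSS 9.8 entry with no exploitation signal ranks last. Entry D sits below entry C despite its higher BCS, because tier is compared before BCS.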
What to Do with the Strike List
Daily routine: Open the dashboard. Look at the top 5-10 Strike List entries. These are your day's priorities.
For each entry:
- Click the entry to open the full CVE detail page.
- Read the SAGE analysis for ICS-specific context.
- Check if a patch is available.
- Decide your action:
  - Patch available: Schedule the patch. Create a ticket to track it.
  - Patch not available: Implement compensating controls. Acknowledge the finding with documented controls.
  - Not applicable: Verify the match is accurate. If it is a false match, acknowledge with reason: false_match.
  - Need more time: Create a ticket and assign it to the appropriate team.
When the Strike List Is Empty
An empty Strike List means one of three things:
- No environments with assets. You have not added any assets yet, so there are no findings to prioritize. Add assets to start generating findings.
- All critical/high findings acknowledged. You have reviewed and documented a position on every significant finding. This is the ideal state.
- No matching CVEs. Your assets do not currently match any CVEs in the corpus. This is uncommon for most vendor/product combinations but can happen with niche or very new devices.
Acknowledged findings are filtered from the default Strike List view but remain in your finding history for compliance documentation. Toggle the "Show Acknowledged" filter on the findings page to see them.
Strike List vs Full Findings
The Strike List is a curated, prioritized excerpt of your full findings. It shows the top items that need attention now.
For the complete list of all findings in an environment (including acknowledged, dismissed, and low-priority items), navigate to the environment detail page and open the Findings tab. The full findings list supports filtering by severity, layer, KEV status, patch status, and acknowledgment state.