Vulnerabilities (CVEs)
Pulse matches published CVEs (Common Vulnerabilities and Exposures) against your device inventory and surfaces each match as a finding you can triage. Unlike an incident — which represents a monitor going up or down — a vulnerability rarely resolves on its own. It needs a decision: does it apply to this device, is the device used in a way that exposes it, and how will you handle it? Vulnerabilities are therefore a first-class area in Pulse with their own lifecycle, activity log, and reporting, separate from incidents.
CVE monitors
A CVE monitor represents one device in your inventory that you want scanned for known vulnerabilities. You create it with the device's identity:
- Vendor — the device manufacturer (for example, Siemens).
- Order code — the manufacturer's order number (the Siemens MLFB, for example
6ES7515-2AN03-0AB0). - Firmware (optional) — the installed firmware version, so version-specific advisories can be evaluated precisely.
CVE monitors live alongside your other monitors under CVE Monitors. You can create one directly, or start from an existing endpoint monitor to pre-fill the vendor.
Pulse re-scans each CVE monitor regularly against the vulnerability catalog. A monitor is shown as unhealthy while it has any vulnerability still awaiting action, and healthy once every finding has been triaged away or no vulnerabilities apply.
Findings and their lifecycle
Each applicable CVE becomes a finding attached to its CVE monitor. A finding carries the advisory details (CVSS score and severity, affected product and version, remediation guidance, and a link to the source advisory) plus a triage status:
- Open — newly detected, not yet triaged.
- In progress — actively being investigated or remediated.
- Resolved — the vulnerability has been remediated.
- Won't fix — a real vulnerability, but a deliberate decision not to remediate (accepted risk). Requires a reason.
- Not affected — triaged as not applicable (for example, the affected feature isn't used, or the version match was a false positive). Requires a reason.
- Risk accepted — temporarily accepted until a date you choose. When that date passes, the finding automatically returns to Open for re-triage. Requires a reason and a future expiry date.
Triage decisions are sticky: they persist across re-scans. If a vulnerability disappears from a scan and later reappears, its previous triage decision is kept rather than reset.
Findings are never deleted. When a re-scan no longer detects a CVE, the finding is marked no longer detected and retained, so your history and trends stay complete. Use the Show no-longer-detected filter to include these in the list.
Triaging a finding
Open a finding to see its full advisory and triage panel. Administrators can change the triage status from the Change triage action:
- Choose the new status.
- For Won't fix, Not affected, or Risk accepted, enter a reason.
- For Risk accepted, pick the date the acceptance expires.
- Save.
Every member can add comments to a finding to record investigation notes.
Activity feed
Each finding keeps a chronological activity feed of everything that happened to it — automatic scan events (detected, no longer detected, reappeared, risk-acceptance expired) and human actions (triage changes with the before/after status and reason, and comments). Scan-driven entries are attributed to System; human entries show who made them.
The Activity tab on the Vulnerabilities page shows the same events across every finding in your organization, newest first, so you can see recent triage and detection activity at a glance.
The Vulnerabilities page
The Vulnerabilities page opens on the Findings tab, which leads with a summary dashboard:
- By triage status and By severity — counts of the vulnerabilities that currently apply.
- Detected vs. resolved — a 30-day trend.
- Most affected devices — the CVE monitors with the most applicable findings.
Below the dashboard, filter and search the findings:
- Search — by CVE id, title, or affected product.
- Filter — by triage status and severity, and toggle whether no-longer-detected findings are shown.
Investigating with AI Canvas
On any CVE finding detail page, the Ask AI button opens the AI Canvas with a pre-filled question about that specific CVE and device. The assistant explains the vulnerability in plain terms — what it is, how severe it is, and what an attacker could do — and then analyzes how it affects the particular monitored device: whether it is likely exploitable in an OT environment and what concrete remediation or mitigation steps to take.
You can also ask the AI Canvas about vulnerabilities without opening a specific finding. From the canvas, the assistant can query your CVE findings by triage status, severity, affected device, and other filters — for example, "which of my devices have critical open CVEs?" or "give me a vulnerability report for my Siemens devices."
Reporting
Pulse emails a weekly vulnerability summary to organization administrators: counts by triage status plus the number of new critical and high-severity findings detected in the past week. No configuration is required.
Licensing
The vulnerability feature is enabled per organization by your license. Without it, CVE monitors and findings are unavailable.