Findings is the complete list of vulnerabilities on your fleet — every weakness surfaced by endpoint scanners, vendor advisories, and threat feeds, normalized into one consistent format for triage. Open it from Security > Patch & vulnerability > Findings.
The findings table
Each row is one finding. The columns are:
Sev – Severity of the vulnerability.
CVE / title – The CVE identifier and a short description.
Vendor and Product – The affected software.
CVSS – The industry-standard severity score, from 0 to 10.
Exploit – Whether the vulnerability is being exploited.
Status – Where the finding is in its lifecycle.
Affected – How many devices are affected, and the share already patched.
SLA – Time left before the remediation deadline.
First seen – When the finding was first detected.
Severity, exploit, and status
Severity is one of critical, high, medium, low, or info.
Exploit status tells you how urgent a finding is:
Actively exploited – Being used in real-world attacks. Patch immediately.
PoC available – Public proof-of-concept code exists. Patch within 24 hours.
No known exploit – No public exploit yet. Patch within its SLA.
Finding status moves through open, in progress, resolved, and accepted (a risk you have deliberately chosen not to patch). The SLA column shows the days remaining, or SLA breached once the deadline passes. A red zero day badge marks vulnerabilities under active exploitation or with public proof-of-concept code.
Finding and filtering
Use the search box to find a CVE, product, or finding, and the filter pills — Severity, Status, Vendor, Exploit, and SLA — to narrow the list. The Zero day toggle shows only zero-day findings. Run scan refreshes findings on demand, and Export downloads the current list.
Acting on a finding
Select one or more findings to Create patch plan, Mark in progress, Mark resolved, or export. The row menu also lets you Copy CVE ID or open the CVE in the National Vulnerability Database.
The finding detail view
Click a finding to open its detail view. The header shows the severity, exploit, and status badges plus a metadata card with the CVSS score, exploitability, devices affected, number patched, SLA, fix version, first seen, and last scan.
Four tabs organize the rest:
Overview – A description of the vulnerability, live remediation progress, and any linked patch plan.
Affected devices – Every device showing this finding, with its current version and patch status.
Patch history – The remediation events recorded for this finding.
Activity log – Every action taken on the finding, with actor and timestamp.
When a finding has a patch available, use Create patch plan to deploy the fix. When no patch exists yet, follow the vendor advisory and apply compensating controls until one ships.
If you have any questions, please contact Trio support.