How do I find details and evidence about a vulnerability reported by Coalition?

To find asset information, scan details, and evidence for alerts:

  • Navigate to the Vulnerabilities tab above the risk score

  • Select the vulnerability category you want to know more about

  • Select IP or Domain depending on the asset you are trying to review

  • Locate the asset via the advanced search feature or by scrolling through the assets

  • Review the vulnerabilities for that asset, as well as the indicator for how it was linked to your organization

  • Select the criticality button of any of the vulnerabilities (e.g., the label saying “Critical” or “High”) to see the evidence collected in detail

How do I request to rescan a vulnerability that I fixed?

To rescan specific vulnerabilities:

  • Navigate to the “Vulnerabilities” section of the Control dashboard

  • Select rescan on any vulnerability you would like to rescan after implementing corrective actions. Rescans can take up to 48 hours.

How do I report / remove a false positive asset?

To report/remove a false positive:

  • Copy the IP or domain name of the asset(s) you would like to report as false positive (e.g., assets that do not belong to your organization). You can also look for the asset detail under the vulnerabilities you were notified about

  • Navigate to the main dashboard

  • Select “Assets”

  • Select IP or Domain depending on the asset you are trying to report

  • Locate the asset via the advanced search feature or by scrolling through the assets

  • Check the “source” field of the asset to see the reason why we detected it. Please remove the asset from your DNS entry. If you still believe it is not yours, select the “remove” button next to the asset and follow the prompt to stop the asset from being reported further. You will have to enter a valid reason, and the security team will approve or reject your request within 48 hours.

How do I mute security alerts?

To mute an alert (this will mute future email notifications; we are working on removing it from your risk score, coming soon):

  • Navigate to the vulnerabilities section of the Control dashboard

  • If your security alert requires you to submit evidence of additional security controls we cannot detect, select the Mute feature

  • Update the prompt with your supporting evidence and submit

Are my insurance terms affected by these scan findings or my risk score?

During your policy period, scan details do not affect your current insurance policy terms. However, if they are not fixed over a period of time, they will lead to contingencies at renewal time and could also result in a claim. In order to reduce your cyber risk, Coalition provides information about what vulnerabilities your organization has from an external perspective. These alerts are based on security best practices. These alerts may also differ from the risk assessment findings found at the start of your policy: the threat space is ever-evolving and we want to ensure each policyholder has a snapshot of active risks. Addressing these risks will help prepare you for your insurance renewal.

Are the scans a penetration test?

Coalition Control attack surface monitoring is not a penetration test. On a monthly basis we scan policyholders’ external attack surfaces based on the domains provided during the quotation process, added by the policyholder during the policy, or enumerated by our security platform using public information (see below).

After public records, domains, and IPs are collected, our platform scans those endpoints from the public internet to identify technologies that may be vulnerable, similar to how threat actors might conduct reconnaissance. Our platform also pulls data from a variety of third-party sources, including databases of known breaches, which Coalition then correlates with these scan findings to enrich the risk assessment.

How does Coalition find our assets?

The most common ways Coalition finds assets and associates them with policyholders are: sub-domain enumeration (finding subdomains associated with domains already linked to your organization), DNS records, SSL certificates directly or historically associated with your organization, and IPWhois data showing the organization’s name/address/domain name registered to that asset in ARIN. Each of these can occasionally result in false-positive associations. These can be reported in the Control platform as noted above, but can also be reported to the source of the data, and can often be corrected in the public records themselves.

You can also add/update your domains and IPs through Control to ensure we accurately capture your infrastructure.

Why are there so many medium and low level alerts?

Having a high number of medium and low level alerts is an indicator that something may be expanding your attack surface beyond what you have in documentation. Assets like SPF records that allow too many IPs, or the use of public/shared/wildcard certificates, may be exposing your organization to outside risks that have varying levels of security control in your attack surface. Use the “source” column in the assets section to help identify the asset that might be opening the door to the other exposures.
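One way to check how many senders an SPF record allows before it shows up as an alert. This is an added example, not Coalition's code or scan logic; the sample record, the function name `spf_exposure` and the `max_ipv4` threshold are assumptions made for illustration.

```python
import ipaddress

# Constructed sample record using documentation address ranges.
SAMPLE_SPF = ("v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 ip4:203.0.113.0/28 "
              "ip6:2001:db8::/64 include:_spf.example.net a mx ~all")

def spf_exposure(record, max_ipv4=64):
    """Summarise how many senders an SPF record authorizes.

    max_ipv4 is an assumed review threshold, not a value from Coalition.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ipv4_total, ipv6_nets, indirect, all_qualifier = 0, [], [], None
    for raw in terms[1:]:
        qualifier, term = "+", raw
        if raw[0] in "+-~?":
            qualifier, term = raw[0], raw[1:]
        lowered = term.lower()
        if lowered.startswith("redirect="):
            indirect.append(term)          # policy delegated to another domain
            continue
        if "=" in lowered.split(":")[0]:
            continue                       # other modifiers (e.g. exp=) authorize nothing
        name, _, value = term.partition(":")
        name = name.lower().split("/")[0]  # "a/24" -> "a"
        if name == "all":
            all_qualifier = qualifier
        elif qualifier != "+":
            continue                       # only pass ("+") mechanisms authorize senders
        elif name == "ip4":
            ipv4_total += ipaddress.ip_network(value, strict=False).num_addresses
        elif name == "ip6":
            ipv6_nets.append(str(ipaddress.ip_network(value, strict=False)))
        elif name in ("include", "a", "mx", "exists", "ptr"):
            indirect.append(term)          # needs DNS lookups to expand; review by hand
    return {
        "ipv4_addresses": ipv4_total,
        "ipv6_networks": ipv6_nets,
        "indirect": indirect,
        "all": all_qualifier,
        "too_broad": all_qualifier == "+" or ipv4_total > max_ipv4,
    }

if __name__ == "__main__":
    print(spf_exposure(SAMPLE_SPF))
```

The `indirect` entries are the ones to follow up on: each `include`, `a` or `mx` term pulls in addresses controlled through another DNS record, which is where shared or third-party infrastructure enters the record.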
