Help Center › Findings & de-noising
This is the heart of Perimeter. Instead of dumping a CVSS-sorted wall of findings on you, it ranks by real-world exploitation and suppresses likely false positives — with a transparent reason for every decision.
Severity (CVSS) measures how bad a vulnerability could be in theory. It says nothing about whether anyone is actually exploiting it. That’s why a “critical” dependency CVE that no attacker bothers with can drown out a “high” that’s being mass-exploited right now.
Perimeter still shows CVSS, but it ranks by exploitation likelihood first using two signals attackers actually care about:
| Signal | What it is | Where it comes from |
|---|---|---|
| EPSS | Exploit Prediction Scoring System — a 0–100% probability that a CVE will be exploited in the next 30 days. Also reports a percentile (how it ranks vs all CVEs). | FIRST.org, refreshed daily |
| CISA KEV | Known Exploited Vulnerabilities catalog — a definitive list of CVEs confirmed exploited in the wild, each with a federal remediation due date. | CISA, refreshed daily |
| CVSS | The base technical severity (0–10) and its vector string. | NVD / the scanner |
| Asset criticality | How important the affected asset is (a crown-jewel host vs a dev box). | Your inventory |
These combine into the transparent risk score: risk = 0.40·CVSS + 0.30·EPSS + 0.20·KEV + 0.10·criticality, normalized 0–100. The weights live in app/js/score.js and are fully tunable — no proprietary black box.
The 0–100 score is precise but abstract. On top of it, every finding gets a coarse, plain-English action tier that an owner with no security analyst can act on. KEV and high EPSS force the top tiers regardless of CVSS, which is exactly what pushes a KEV-listed “high” above a theoretical “critical.”
| Tier | When it applies | What to do |
|---|---|---|
| Act now | In CISA KEV (exploited in the wild) or EPSS ≥ 50%. | Drop everything; patch or mitigate today. |
| Prioritize | EPSS ≥ 10% (elevated likelihood), or a critical finding on an internet-facing asset. | Schedule within days, ahead of routine patching. |
| Schedule | A real critical/high finding that isn’t exploitation-driven. | Fix on your normal patch cadence. |
| Watch | Low real-world likelihood / informational. | Monitor; no urgent action. |
EPSS bands used: ≥ 50% = high (act-now), 10–50% = elevated (prioritize), < 2% = a strong deprioritize/noise signal. These are the FIRST.org practical bands.
When two independent engines (e.g. Nuclei and OpenVAS) flag the same vulnerability on the same asset, Perimeter marks it ✓ confirmed. Two engines agreeing is the strongest single signal that a finding is real, and a confirmed finding is never suppressed as noise. In the seed, the Zerologon finding is reported by both OpenVAS and Nuclei, so it shows as confirmed ×2.
Incumbent scanners are notorious for false positives (the common complaint: ~30% from Qualys, “mostly false positives” from Nessus). Perimeter’s de-noise engine gives each finding a verdict and a reason trail so you can see why it trusts or doubts a finding. Expand any finding to read it.
It scores trust signals up and down:
| Signal | Effect on trust | Reason you’ll see |
|---|---|---|
| Corroborated by ≥2 engines | strong + | “corroborated by nuclei + openvas” |
| In CISA KEV | strong + | “CISA KEV — confirmed exploited in the wild” |
| Authenticated / agent scan | + | “authenticated/agent scan — high evidence fidelity” |
| High EPSS (≥50%) | + | “high EPSS (…%)” |
| Single engine, not corroborated | − | “single-engine (nuclei) — not yet corroborated” |
| Very low EPSS (<2%) | − | “very low EPSS (…%) — minimal real-world exploitation” |
| Unauthenticated banner/version match only | strong − | “unauthenticated version/banner match only — prone to false positives” |
A finding is flagged likely false positive only when it is weak, unconfirmed, and has no exploitation signal at all — the canonical case being a lone, unauthenticated, version-banner-only check with very low EPSS. KEV or a second engine always rescues it; an exploited or corroborated finding is never called a false positive.
The seeded example. One finding in the demo is a deliberate false positive — an unauthenticated banner-only match with very low EPSS, found by a single engine. The de-noise engine flags it, it sinks to the bottom, and the Dashboard counts it under “Suppressed as noise.”
The verdict’s signal field summarizes the call: confirmed (multi-engine), trusted (KEV or authenticated), or weak (the candidates for suppression).
The findings list and the Dashboard “fix these first” use exploit-first ordering, in this priority:
So a KEV-listed critical on a crown-jewel host ranks #1, and a high-CVSS / low-EPSS dependency CVE drops well below it.
On the Findings tab the filter bar lets you slice the list:
| Filter | What it does |
|---|---|
| Search | Matches the title, CVE, or asset identifier. |
| Severity | All / critical / high / medium / low. |
| Status | Open / Closed-accepted / All. |
| Engine | All / Nuclei / Trivy / OpenVAS. |
| Exposure | All / External / Internal. |
| KEV only | Show only CISA-KEV findings — the “drop everything” shortlist. |
| Hide noise | Hides everything flagged likely false positive, so you see only findings worth acting on. |
Filters stack. For the tightest “what must I do today” view, set Status = Open, check KEV only and Hide noise.
Next: When the engine gets a verdict wrong, teach it — see the False-positive feedback loop. Or turn a finding into audit evidence with Compliance evidence.