
Overview

The Top Vulnerabilities view answers the single most important triage question — “if I had time for only five fixes today, which ones should I take?” It ranks active vulnerabilities across every scanner (SAST, SCA, IAC, Container, CICD, Secrets) on a single composite priority score, so the most urgent items always surface first — regardless of which scanner detected them.

Cross-Scanner

One ranked list across SAST · SCA · IAC · Container · CICD · Secrets

Priority-Based

Sorted by composite Priority Score, not raw severity

Active Only

Excludes resolved / ignored detections automatically

Configurable Size

Default Top 5 — request any N via the API

What “Top” means

Each detection is scored by the platform’s Priority Scoring engine — a weighted blend of CVSS 4.0 environmental score, EPSS percentile, exploitability verdict and project Security Context. The Top Vulnerabilities list returns the N highest composite scores across the project. Only detections in an active state are eligible:
  • to_verify
  • proposed_not_exploitable
  • confirmed
Resolved, ignored, fixed and false-positive findings are excluded — the list is always a current to-do.
A re-scored detection (after a Security Context change or an exploitability verdict update) can enter or leave the Top in real time. There is no daily snapshot — the ranking is computed on demand.

API reference

GET /project/{projectId}/results/top-vulnerabilities?limit=5
Parameter   In      Type      Description
projectId   path    UUID      The project to query
limit       query   integer   Number of items to return. Defaults to 5

Response shape

{
  "items": [
    {
      "id": "b41…",
      "vulnerabilityType": "sca",
      "name": "CVE-2024-12345",
      "description": "Prototype pollution in lodash",
      "severity": "critical",
      "compositeScore": 0.842,
      "cvss4EnvironmentalScore": 9.4,
      "exploitabilityVerdict": "proven",
      "exploitabilityReason": "Reachable from production code path",
      "exploitabilityScoreReason": "Used in src/server/index.ts",
      "exploitabilitySource": "agent",
      "filePath": null,
      "line": null,
      "cveId": "CVE-2024-12345",
      "cwe": [],
      "packageName": "lodash"
    }
  ]
}
Field                     Notes
vulnerabilityType         One of sast, iac, cicd, secret, sca, container
compositeScore            Internal 0–1 composite priority (× 100 = user-facing Priority Score)
cvss4EnvironmentalScore   The project-adjusted CVSS 4.0 score used in the calculation
exploitabilitySource      agent, manual or static — see Priority Scoring
filePath / line           Populated for SAST, IAC, CICD and Secrets findings
cveId / packageName       Populated for SCA and Container findings
cwe                       CWE identifiers for code-based findings

How items are selected

1. Fetch the top of each detection table

For each scanner table, the service pre-loads max(limit × 4, 20) rows ordered by stored priorityScore DESC. This keeps the candidate pool large enough that re-scoring with the current Security Context cannot demote a true winner.

2. Re-compute composite scores

Each candidate is re-scored with the project’s current Security Context (business criticality, data classification) so the ranking always reflects the latest configuration — not the score stored at the time of the scan.

3. Merge and sort

All candidates from all scanners are merged and sorted by compositeScore descending. The first limit items are returned.
Detections with a manual priority override keep their stored score and are included in the ranking unchanged. If you want them re-evaluated, clear the override first.
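The three selection steps above as an added Python illustration, not Cybe’s own code. The page does not give the Priority Scoring formula, so rescore is an assumed stand-in that scales a context-free base_score by business criticality; the detections are constructed sample data.

```python
from dataclasses import dataclass

# Only these states are eligible for the Top list (from the page).
ACTIVE_STATES = {"to_verify", "proposed_not_exploitable", "confirmed"}

@dataclass
class Detection:
    id: str
    scanner: str            # sast, sca, iac, container, cicd or secret
    state: str
    stored_score: float     # priorityScore persisted at scan time (0-1)
    base_score: float       # ASSUMED context-free blend (CVSS/EPSS/exploitability)
    override: bool = False  # manual priority override set by a user

def rescore(det, context):
    """Stand-in for the Priority Scoring engine (assumption, not Cybe's formula):
    scale the context-free score by the project's current business criticality.
    Overridden detections keep their stored score unchanged."""
    if det.override:
        return det.stored_score
    factor = {"low": 0.8, "medium": 1.0, "high": 1.2}[context["business_criticality"]]
    return min(1.0, round(det.base_score * factor, 3))

def candidate_pool(table, limit):
    """Step 1: active rows only, ordered by stored score, max(limit*4, 20) deep."""
    active = [d for d in table if d.state in ACTIVE_STATES]
    active.sort(key=lambda d: d.stored_score, reverse=True)
    return active[: max(limit * 4, 20)]

def top_vulnerabilities(tables, context, limit=5):
    """Steps 2 and 3: re-score each candidate, merge across scanners, sort, cut."""
    scored = [(rescore(d, context), d)
              for t in tables.values() for d in candidate_pool(t, limit)]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [(d.id, s) for s, d in scored[:limit]]

# Constructed sample data: stored scores reflect the context at scan time;
# the project's business criticality has since been raised to "high".
SAMPLE_TABLES = {
    "sast": [
        Detection("sast-1", "sast", "confirmed", 0.70, 0.70),
        Detection("sast-2", "sast", "resolved", 0.95, 0.95),  # excluded: not active
    ],
    "sca": [
        Detection("sca-1", "sca", "to_verify", 0.60, 0.75),   # scanned under "low" context
        Detection("sca-2", "sca", "confirmed", 0.80, 0.80, override=True),
    ],
    "container": [
        Detection("ctr-1", "container", "proposed_not_exploitable", 0.50, 0.50),
    ],
}

if __name__ == "__main__":
    ranking = top_vulnerabilities(SAMPLE_TABLES, {"business_criticality": "high"}, limit=3)
    for rank, (det_id, score) in enumerate(ranking, 1):
        print(rank, det_id, score)
```

Note how sca-1 ranks below sca-2 on stored scores but overtakes it after re-scoring, while the overridden sca-2 keeps its stored 0.80.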

Where it appears

  • Project dashboard — the Top 5 widget on the project overview.
  • Email reports — periodic vulnerability reports start with the project’s Top items.
  • Cybe MCP & API — agents and external integrations consume the same endpoint to brief developers on the day’s priorities.

Best practices

The Top list is most useful once the project’s Internet Exposure, Environment, Data Classification and Business Criticality are set. Without context, the CVSS environmental score and the Context signal fall back to neutral defaults and the ranking becomes a CVSS-only sort.
The default limit=5 matches what a developer can realistically address in a day. A wider limit=25 is better suited to weekly grooming or release-readiness reviews.
A not_exploitable verdict from Cybe Analysis can keep a CVSS 9.8 out of the Top — that is by design. Review the exploitabilityReason before reopening.
Pair the Top list with a Policy that blocks merges when any Top item is in the Critical Urgent bucket. Triage becomes self-enforcing.

Related: Priority Scoring · CVSS 4.0 Scoring · Project Vulnerability List · Updating Vulnerabilities