Vulnerability Risk Intelligence (BYO Scanner)

NodeZero's Vulnerability Risk Intelligence (VRI) feature enables customers to upload vulnerability scan exports from tools like Tenable (Nessus), Rapid7, and Qualys, and receive attacker-validated risk classification. NodeZero leverages real exploit evidence and attack correlation to prioritize findings based on what attackers can actually exploit.

Overview

NodeZero's VRI capability brings attacker-first validation to scanner data. Customers can upload vulnerability scan outputs (CSV or .nessus) via the UI or API, and NodeZero classifies each vulnerability-asset pair according to exploitability and context. NodeZero:

Confirms exploitability
Determines contextually exploitable attacks
Highlights vulnerabilities tied to high-value assets or threat actor behavior
Shows unique exploits and mitigated weaknesses found by NodeZero

How It Works

Upload your scanner data to NodeZero via UI or API.
NodeZero uses its Exploit Correlation Engine to process each CVE-asset pair.
Vulnerabilities are classified into risk categories (see below).
Results are shown in the Risk Intelligence tab and can be exported via UI or API.

Supported Scanner Sources

Tenable/Nessus CSV
Tenable/Nessus XML
Rapid7 CSV
Qualys CSV

Classification Categories

Each vulnerability is classified into one of the following:

Category	Description
Confirmed Exploitable	Successfully exploited by NodeZero.
Contextually Exploitable	Reachable through RCE or chaining, but not directly landed.
High-Value Asset	Found on assets identified as mission-critical.
Threat Actor Detected	Tied to TTPs observed in real-world attacks.
Vulnerable but not Exploited	Not validated but still potentially exploitable.
Asset Not Enumerated	Asset couldn't be matched to NodeZero data.
Mitigated Weakness	Issue already mitigated based on prior results.

Using the UI

Go to the Risk Intelligence tab in the Vulnerability Management Hub.
Upload your scanner file via drag-and-drop or file picker.
NodeZero processes your file within 1 hour (SLA).
View classification results directly in the UI.

Upload Validation

Max file size: ≤1GB
File type validation: CSV, XML, .nessus
Duplicate check via checksum
If the scope isn't in the file, user will be prompted to enter it manually.

Using the API

Get a pre-signed URL from the API (requires authentication).
Upload your file using a POST request to the signed URL.
Fetch results via GET request.
API supports CSV, XML, and JSON
Token-auth required
Export formats: JSON

Scanner File Statuses

Status	Description
PENDING	The scanner file is awaiting to be uploaded or has been uploaded but risk intelligence has not started.
PROCESSING	The scanner file is undergoing risk intelligence.
FAILED	The scanner file failed risk intelligence. View the status message for more details.
COMPLETED	The scanner file completed intelligence processing.
EXPIRED	The scanner file is expired. Scanner files expire after 90 days.
DUPLICATE	The scanner file is a duplicate of another file. See status message for details.

Security & Compliance

Files uploaded via HTTPS to presigned S3 URLs
Stored in KMS-encrypted S3 buckets
Retained temporarily (max 90 days), then deleted post-ingestion
Normalized data retained permanently
RBAC and full audit logging enabled
SOC2 compliant, GDPR aligned

Scanner File Field Mappings

Tenable/Nessus CSV

Field Type	Field Name
Must Have	IP Address, Plugin ID, CVE
Should Have	Port, Protocol, FQDN, MAC Address, OS

Tenable/Nessus XML

Field Type	Field Name
Must Have	host-ip, pluginID, cve
Should Have	port, protocol, host-fqdn, mac-address, netbios-name, operating-system

Rapid7 CSV

Field Type	Field Name
Must Have	Asset IP Address, Vulnerability ID, Vulnerability CVE IDs
Should Have	Service Port, Service Protocol, FQDN, Asset MAC Addresses, Asset OS Name

Qualys CSV

Field Type	Field Name
Must Have	IP, QID, CVE ID
Should Have	Port, Protocol, FQDN, MAC Address, NetBIOS, OS

Note

Field matching is case-sensitive. Submissions with incorrect casing may not be processed correctly.

FAQs

Q: Can I sanitize scan files before upload (e.g., remove hostnames/IPs)?
A: No, that would prevent asset mapping and classification from working properly. NodeZero requires full host/vuln pairing.

Q: Is data encrypted?
A: Yes, in transit (HTTPS) and at rest (AES-256 with AWS KMS).

Q: How long is data stored?
A: Files are deleted after 90 days. Metadata and classification results are retained indefinitely.

Q: Do you support PDF uploads?
A: No. Only structured formats like CSV or .nessus are supported.

Q: Why do vulnerability counts not match?
A: When you upload a scanner file (e.g., from Tenable) to NodeZero's Vulnerability Risk Intelligence, you may notice a mismatch between the number of vulnerabilities listed in your original scan and the number displayed in the NodeZero platform.

This is expected behavior, due to how NodeZero processes and normalizes scanner data. Let's say your Tenable scan includes a single vulnerability entry with this list of CVEs:

CVE-2024-12345, CVE-2024-67890, CVE-2025-12345, CVE-2025-67890

NodeZero will treat each CVE as an individual weakness and create four separate records — one for each CVE. This allows for more precise correlation between scanner results and what NodeZero discovers or confirms during the autonomous pentest.

As a result, it's common for the total number of records in the NodeZero report to exceed the original row count in your scanner export.

Additional Notes

This CVE-level granularity enables NodeZero to provide enhanced risk insights, including confirmed versus unconfirmed weaknesses, chaining potential, and downstream impact.
Filters like "Found by Scanner Only" may return more results than expected because they include each CVE as a separate item, rather than in a grouped entry.

Feature Availability

Available for customers on the Elite SKU
Requires RBAC permissions to use the Vulnerability Management module