The steps depend on your interface version. Instructions for the New Experience are followed by instructions for the Classic Experience.
Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.
Instructions for the New Experience
The Vulnerabilities page centralizes security vulnerabilities discovered across your connected tools. It helps you prioritize remediation, track SLA deadlines, and monitor compliance status in one place.
Drata uses vulnerability data to support audit readiness, SLA enforcement, and monitoring tests tied to your security controls.
How vulnerability tracking works in Drata
When you connect a supported vulnerability scanning or exposure management tool:
Drata continuously syncs vulnerability findings
Each vulnerability is assigned an SLA due date based on severity
Status updates reflect the latest data from the source system
Monitoring tests evaluate whether critical and high vulnerabilities are addressed
Drata does not remediate vulnerabilities. It tracks status, deadlines, and compliance impact.
Before you begin
Connect at least one supported vulnerability provider. Supported connections include:
Arnica
Aikido
AWS Inspector
CrowdStrike Falcon Exposure Management
Microsoft Defender Vulnerability Management
Orca
Qualys
Rapid7 InsightVM
Semgrep
SentinelOne Singularity Vulnerability Management
Snyk
Tenable Vulnerability Management
Wiz Code
Zoho Desk
View vulnerabilities
To open the Vulnerabilities page:
Select Risk > Vulnerabilities from the left navigation.
From this page, you can:
Filter vulnerabilities by connection, severity, due date, or fix availability
Search by vulnerability ID
View SLA due dates and current status
Download vulnerability reports (filtered or complete)
Resync data using Resync
View vulnerability details
Select a vulnerability to view its details, such as:
CVSS score
Severity
SLA due date
Status
Platform-specific metadata from the source tool
SLA behavior and due dates
Drata calculates SLA due dates based on vulnerability severity.
Default SLAs
If no Vulnerability Management Policy is configured, Drata applies default SLAs:
Critical: 7 days
High: 30 days
Medium: 90 days
Low: 180 days
If a Vulnerability Management Policy exists, Drata uses the SLAs defined in that policy instead. SLA due dates appear in the SLA Due Date column on the Vulnerabilities page.
Configure SLA settings and warning periods
To update SLA and warning period settings:
Navigate to Risk > Vulnerabilities and open the settings.
In the SLA Settings, you can:
Edit SLA values by severity
Set a warning period for upcoming SLA deadlines
The warning period determines when you receive notifications before an SLA is due.
Example:
If the warning period is set to 7 days, Drata sends notifications 7 days before each SLA due date.
Schedule vulnerability notifications
To receive email notifications for missed or upcoming SLAs:
Open Settings.
Select Notifications.
Enable Reminders for vulnerabilities with missed or upcoming SLAs.
Select how often you want to receive notifications.
Notifications include summaries of critical and high-severity vulnerabilities, along with due dates.
Monitoring tests
For each connected provider, Drata creates the following monitoring tests:
Critical Vulnerabilities Addressed – <Provider Name>
Fails if one or more critical vulnerabilities remain open.
High Vulnerabilities Addressed – <Provider Name>
Fails if one or more high-severity vulnerabilities remain open.
These tests help ensure timely remediation and support audit evidence.
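The SLA, warning-period and monitoring-test rules described above can be reproduced in a few lines. The following is an added example written for this article, not Drata's own code: the data model, function names, the "OtherScanner"/"ExampleScanner" providers, the VULN-000x identifiers and the as-of date are all constructed. It uses the default SLAs from this page, shows how a Vulnerability Management Policy value overrides a default, classifies open findings as missed, upcoming (inside the warning period) or on track, and evaluates the two per-provider monitoring tests.

```python
"""Added example: reproduces the documented SLA due-date, warning-period and
monitoring-test behaviour over constructed findings. Not Drata code; the data
model, function names, providers and finding IDs are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

# Default SLAs from the page, in days, applied when no Vulnerability Management
# Policy defines its own.
DEFAULT_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# A policy only needs to override the severities it cares about (assumed shape).
POLICY_SLA_DAYS = {**DEFAULT_SLA_DAYS, "critical": 3}


@dataclass
class Finding:
    vuln_id: str      # identifier from the scanner (placeholder values below)
    provider: str     # connected scanning tool that reported the finding
    severity: str     # critical / high / medium / low
    first_seen: date  # date the source system first reported it
    is_open: bool     # True while the source system still reports it open


def sla_due_date(finding, sla_days=DEFAULT_SLA_DAYS):
    """Due date = first-seen date plus the SLA window for the severity."""
    return finding.first_seen + timedelta(days=sla_days[finding.severity.lower()])


def sla_state(finding, today, warning_days, sla_days=DEFAULT_SLA_DAYS):
    """'resolved', 'missed' (past due), 'upcoming' (inside the warning period)
    or 'on_track'."""
    if not finding.is_open:
        return "resolved"
    due = sla_due_date(finding, sla_days)
    if today > due:
        return "missed"
    if today >= due - timedelta(days=warning_days):
        return "upcoming"
    return "on_track"


def monitoring_tests(findings):
    """One Critical and one High 'Vulnerabilities Addressed' test per provider;
    a test passes only when no open finding of that severity remains."""
    results = {}
    for f in findings:
        for sev in ("critical", "high"):
            name = f"{sev.title()} Vulnerabilities Addressed - {f.provider}"
            results.setdefault(name, True)
            if f.is_open and f.severity.lower() == sev:
                results[name] = False
    return results


def notification_summary(findings, today, warning_days, sla_days=DEFAULT_SLA_DAYS):
    """Rows for the reminder e-mail: open critical/high findings whose SLA is
    missed or upcoming, with their due dates."""
    rows = []
    for f in findings:
        if f.severity.lower() not in ("critical", "high"):
            continue
        state = sla_state(f, today, warning_days, sla_days)
        if state in ("missed", "upcoming"):
            rows.append((f.vuln_id, f.severity, sla_due_date(f, sla_days).isoformat(), state))
    return rows


# Constructed sample data; IDs are placeholders, not real advisories.
AS_OF = date(2026, 3, 10)
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "ExampleScanner", "critical", date(2026, 3, 1), True),
    Finding("VULN-0002", "ExampleScanner", "high", date(2026, 2, 12), True),
    Finding("VULN-0003", "ExampleScanner", "medium", date(2026, 3, 5), True),
    Finding("VULN-0004", "ExampleScanner", "critical", date(2026, 2, 1), False),
    Finding("VULN-0005", "OtherScanner", "critical", date(2026, 2, 15), False),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.vuln_id, f.severity, sla_due_date(f), sla_state(f, AS_OF, warning_days=7))
    print(monitoring_tests(SAMPLE_FINDINGS))
    print(notification_summary(SAMPLE_FINDINGS, AS_OF, warning_days=7))
```

With the 7-day warning period from the page's own example, VULN-0001 (critical, first seen 1 March, due 8 March) is already missed on 10 March, VULN-0002 (high, due 14 March) is inside the warning window, and both ExampleScanner monitoring tests fail while OtherScanner's pass because its only critical finding is resolved.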
Key distinction to remember
Drata tracks and evaluates vulnerabilities, but remediation happens in your connected tools. Keeping SLAs accurate, connections active, and vulnerabilities resolved ensures:
Monitoring tests pass
SLA commitments are met
Audit evidence remains defensible
Instructions for the Classic Experience
The Vulnerabilities page provides a clear overview of all vulnerabilities, allowing you to prioritize and address critical issues based on severity. Connect your vulnerabilities management tools to Drata so that you can easily view all of your vulnerabilities in one central place, automatically track SLA due dates, and receive the latest status of your vulnerabilities. You can also customize the frequency of notifications and reminders for missed or upcoming SLAs to stay informed.
Prerequisite
Connect one of the supported Vulnerability Scanning connections (the supported providers are listed under Before you begin above).
After a successful connection, select the View Findings button on the active connection card or go directly to the Vulnerabilities page through the left navigation menu to view your vulnerabilities.
Vulnerabilities page overview
To access the Vulnerabilities page, select Vulnerabilities from the left-side navigation menu. This page allows you to easily track and manage security vulnerabilities based on the connections you’ve set up. Ensure that the connections are the ones listed previously.
At the top of the page, use the filter option to view vulnerabilities specific to your connections. You can also search by vulnerability ID, due date, severity, and fix availability.
For more detailed information about a vulnerability, select it to open a drawer with key details such as CVSS scores and platform-specific metadata. Scroll down to find the information you need.
To refresh existing vulnerability data, select the Resync button. To export vulnerability reports, whether filtered or complete, select the Download button.
Define SLA and warning period
Navigate to the Vulnerabilities page.
Select the settings icon on the top right corner of the Vulnerabilities page. The SLA Settings drawer will open.
View your SLAs and select the edit icon to update any of these configurations.
You can adjust the SLA settings for each severity level. Drata will calculate the due dates for each vulnerability and display the dates in the SLA Due Date column on the Vulnerabilities page.
If you have a Vulnerability Management Policy, Drata will use the SLAs from that policy. If not, default SLAs will be applied automatically.
The default SLAs are:
Critical: 7 days
High: 30 days
Medium: 90 days
Low: 180 days
Scroll down to the Warning period section and select a time period. This defines when you are notified about upcoming SLA due dates.
For example, if you select 7 days as your warning period, for each vulnerability, you will get notified 7 days before the upcoming SLA due date.
Schedule vulnerability email notifications
Go to your settings. Under My Settings sections, select Notifications.
Scroll down to Reminders for vulnerabilities with missed or upcoming SLAs and enable this option to receive a summary of critical and high-severity vulnerabilities, including their due dates.
Select how often you would like to receive these notifications.
Monitoring tests
There are 2 new monitoring tests for each provider that you connect:
Critical Vulnerabilities Addressed – <Provider Name>: this test will fail if you have one or more open critical vulnerabilities.
High Vulnerabilities Addressed – <Provider Name>: this test will fail if you have one or more open high vulnerabilities.