Vulnerability metrics explained

InsightVM uses 3 metrics to present vulnerability-based table data and Key Performance Indicators (KPIs):

  • Vulnerabilities
  • Vulnerability Findings
  • Vulnerability Instances

Vulnerabilities

A “vulnerability” is a unique, defined, and publicly disclosed software weakness. Each vulnerability is typically identified by an enumeration system, barring a few exceptions based on the type of software. Although multiple enumeration systems exist, the Common Vulnerabilities and Exposures (CVE) system is the most widely used and accepted system today.

Vulnerability Findings

A “vulnerability finding” is a determination that a specific asset is affected by a vulnerability in some way. For example, if InsightVM shows 50 vulnerability findings for a single vulnerability, that means 50 assets in your network are vulnerable to that vulnerability.

Vulnerability Instances

A “vulnerability instance” refers to the specific condition on an asset that causes it to be vulnerable to a vulnerability. An asset can be vulnerable to the same vulnerability in multiple ways. Common causes for this scenario are:

  • Having multiple versions of the same software installed on an asset at the same time, all of which are vulnerable to the same vulnerability
  • Being vulnerable to the same vulnerability through multiple network ports

Vulnerability instances are the most granular view available for determining the level of risk in your environment.
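As an added illustration (not InsightVM code), the following Python derives the three metrics from a constructed set of scan results, so the relationship between a vulnerability, a finding (one asset affected by it) and an instance (one specific cause on that asset) is visible in the counts. The asset names, placeholder CVE ids and conditions are assumed.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Instance:
    """One way an asset was found to be vulnerable: asset + vulnerability + specific cause."""
    asset: str
    vuln_id: str
    condition: str  # an installed copy of the software, or a listening port


# Constructed sample results (assumed names and placeholder CVE ids, not real scan data).
RAW_RESULTS = [
    Instance("web-01", "CVE-EXAMPLE-0001", "openssl 1.0.2 at /usr/lib"),
    Instance("web-01", "CVE-EXAMPLE-0001", "openssl 1.0.2 at /opt/app/lib"),  # second installed copy
    Instance("web-01", "CVE-EXAMPLE-0002", "tcp/443"),
    Instance("web-01", "CVE-EXAMPLE-0002", "tcp/8443"),  # same vulnerability over a second port
    Instance("web-01", "CVE-EXAMPLE-0002", "tcp/8443"),  # the same condition reported twice
    Instance("db-01", "CVE-EXAMPLE-0001", "openssl 1.0.2 at /usr/lib"),
    Instance("db-01", "CVE-EXAMPLE-0003", "tcp/5432"),
]


def metrics(results):
    """Return (vulnerabilities, findings, instances) for a list of scan results."""
    instances = set(results)  # an identical condition reported twice is still one instance
    findings = {(i.asset, i.vuln_id) for i in instances}  # one per affected asset per vulnerability
    vulnerabilities = {i.vuln_id for i in instances}  # unique, enumerated weaknesses
    return len(vulnerabilities), len(findings), len(instances)


def findings_per_vulnerability(results):
    """Number of affected assets per vulnerability (the '50 findings' figure in the text)."""
    findings = {(i.asset, i.vuln_id) for i in set(results)}
    return Counter(vuln_id for _, vuln_id in findings)


def instances_per_finding(results):
    """Number of distinct causes behind each (asset, vulnerability) finding."""
    return Counter((i.asset, i.vuln_id) for i in set(results))


if __name__ == "__main__":
    print("vulnerabilities, findings, instances:", metrics(RAW_RESULTS))  # (3, 4, 6)
    print(dict(findings_per_vulnerability(RAW_RESULTS)))
    print(dict(instances_per_finding(RAW_RESULTS)))
```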