Exciting news! We are redesigning the Arctic Wolf Help Documentation site to provide a better user experience. Our new site will launch on May 1, 2024.

Managed Risk


Risk Dashboard

Updated Apr 11, 2024

External Vulnerability Assessment

External Vulnerability Assessment (EVA) scans are automated vulnerability tests used to verify the strength of your externally facing services and to increase your security posture.

Scans should only include IP addresses and domains that you own or are authorized to scan.

Arctic Wolf IP addresses should be excluded from your security platforms that might prevent scanning. For more information about allowlist requirements, see Allowlist Requirements.

Scan types

These configurable scans are used in EVA:

Feature availability

These features are available depending on the Arctic Wolf solution that your organization uses:

Scan type Managed Risk Managed Detection and Response Managed Security Awareness Feature
Vulnerability scanning Yes Yes No Risk reports.
Yes No No Risk management in the Risk Dashboard.
ATO scanning Yes Yes Yes Alerting on high and critical severity breaches.
Yes Yes No Enriched quarterly report with an ATO risk summary, which includes all breaches detected, and a list of email addresses exposed.
Yes No Yes A review of ATO risks in the Arctic Wolf Portal.
Yes Yes No External Vulnerability Review report.

Account Takeover data breach risk severity

Account Takeover (ATO) scan reports contain data breach risks that are categorized into these types:

Data Breach Risk Type Score Description
Informational User Data Breach 1 The breached data includes email addresses without passwords.
Minor User Data Breach 4 The breached data does not include passwords, or includes passwords that cannot be decrypted.
Severe User Data Breach 8 The breached data includes passwords in plain text or passwords that can be decrypted.
Critical User Data Breach 10 The breached data includes passwords. These users have been identified in a botnet.

EVA scan operations

For vulnerability scans that are IP address based, including IP address ranges and CIDR, an initial scan runs using a limited list of ports and ICMP. If Arctic Wolf receives any port response in the initial scan, the IP address is added to a list of scan targets. The scan continues with the list of scan targets using the top 1,000 common ports. By default, vulnerability scans scans are scheduled monthly.

For ATO scans, your email domain is used to identify exposed credentials, including emails and usernames, against information from dark and grey web sources. By default, ATO scans are scheduled monthly.

EVA port states

The table below describes the port states that EVA scanning recognizes. For more information about port scanning, see Port Scanning Overview.

Port state Description
open The application is actively accepting TCP queries on this port.
closed The port is accessible, but there is no application listening on it.
filtered Arctic Wolf cannot determine whether the port is open because packet filtering prevents probes from reaching the port. This could be due to a firewall, router rules, or host-based firewall software.
unknown Arctic Wolf is unable to determine if the port is open, closed, or filtered. This typically happens when a port is initially found to be open, but changes state during the scan. This can indicate interference from an intrusion prevention system (IPS) or a web application firewall (WAF). For accurate vulnerability scan results, make sure that Managed Risk Scanner IP address ranges are excluded from devices causing interference.