
Understanding the Severity Levels - Critical, High, Medium, and Low


Category: Risk Assessment & Prioritization | Reading time: 3 min

Introduction

Not all security risks carry the same weight. To help organizations prioritize threats effectively, vulnerabilities detected by External Attack Surface Management (EASM) are classified into four severity levels: Critical, High, Medium, and Low. Each category represents a different level of risk and urgency for remediation.

This article explores the severity classification system, why it matters, and how to respond to each type of risk.


Why Severity Levels Matter

Prioritization for Faster Remediation

Security teams often face hundreds or thousands of detected vulnerabilities. Without clear severity levels, it would be difficult to determine which issues require immediate action and which can be addressed later.

Reducing Business Impact

Categorizing vulnerabilities helps organizations:

  • Prevent immediate exploitation of high-risk issues.
  • Minimize operational disruptions by fixing critical problems first.
  • Efficiently allocate security resources to the most pressing risks.

Severity Breakdown

🟥 Critical Severity

Definition: Vulnerabilities that are actively exploitable, publicly known, and high-impact. Attackers can use them to gain full control over systems or access sensitive data.

Examples:

  • Zero-day vulnerabilities being exploited in the wild, with no vendor patch yet available.
  • Publicly accessible database servers with no authentication.
  • Unauthenticated remote code execution (RCE) on an internet-facing service.

Action: Immediate remediation is required. If possible, disconnect the affected service until fixed.


🟧 High Severity

Definition: Security flaws that pose a significant risk but may require additional steps to exploit.

Examples:

  • Deprecated transport protocols still offered (e.g., TLS 1.0, SSL 3.0), which expose clients to downgrade attacks.
  • Exposed admin panels without multi-factor authentication (MFA).
  • Known software vulnerabilities with publicly available exploits.

Action: Fix as soon as possible, ideally within a few days. Monitor for suspicious activity until resolved.


🟨 Medium Severity

Definition: Vulnerabilities that could be exploited under specific conditions but are not immediately dangerous.

Examples:

  • Subdomains with outdated software versions.
  • Web application misconfigurations that leak minor data.
  • Services running older versions that are not known to be critically vulnerable.

Action: Address within a reasonable timeframe (e.g., weeks). Regularly review and patch these issues before they become high-risk threats.


🟩 Low Severity

Definition: Informational findings or minor risks that have low exploitability or minimal impact.

Examples:

  • Expired TLS certificates on non-sensitive services.
  • DNS records leaking minor metadata.
  • Open ports on services that enforce strong authentication.

Action: Monitor these issues and address them when convenient. Some low-severity findings escalate over time if left unaddressed, for example when a new exploit is published for a version that was previously only "outdated".
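To make the four levels usable as a triage rule rather than a set of labels, here is an added example (not part of the original article and not the EASM product's own code) that classifies findings from two attributes the definitions above hinge on, impact and exploitability, attaches a remediation deadline to each level, and escalates a finding one level once its window has lapsed. The attribute names, the day counts in SLA_DAYS, the one-level escalation rule and the sample findings are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Remediation windows following the article's guidance (Critical: immediate,
# High: days, Medium: weeks, Low: when convenient). The exact day counts are
# assumptions for this example, not values taken from the page.
SLA_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
ACTION = {
    "critical": "Remediate immediately; isolate the service if it cannot be fixed now",
    "high": "Fix within days; monitor for suspicious activity until resolved",
    "medium": "Schedule a fix within weeks; re-check on the next scan",
    "low": "Track and fix when convenient; watch for escalation",
}


@dataclass
class Finding:
    asset: str
    title: str
    impact: str            # "full_control" | "sensitive_data" | "minor_data" | "info"
    exploitable_now: bool  # unauthenticated access, or a public working exploit
    extra_steps: bool      # attacker needs credentials, a MITM position, or chaining
    detected_at: datetime


def classify(f: Finding) -> str:
    """Map a finding's attributes onto the four severity levels."""
    high_impact = f.impact in ("full_control", "sensitive_data")
    if high_impact and f.exploitable_now and not f.extra_steps:
        return "critical"   # actively exploitable, high impact, no preconditions
    if high_impact:
        return "high"       # significant risk, but extra steps or no ready exploit
    if f.impact == "minor_data":
        return "medium"     # exploitable only under specific conditions
    return "low"            # informational or minimal impact


def due_date(f: Finding) -> datetime:
    return f.detected_at + timedelta(days=SLA_DAYS[classify(f)])


def effective_severity(f: Finding, now: datetime) -> str:
    """Escalate a finding one level once its remediation window has lapsed,
    so ignored Low/Medium issues do not stay buried (assumed policy)."""
    sev = classify(f)
    if now > due_date(f) and sev != "critical":
        sev = next(s for s, r in RANK.items() if r == RANK[sev] - 1)
    return sev


def prioritize(findings, now):
    """Return (severity, action, finding) tuples, most urgent first."""
    rows = [(effective_severity(f, now), f) for f in findings]
    rows.sort(key=lambda r: (RANK[r[0]], due_date(r[1])))
    return [(sev, ACTION[sev], f) for sev, f in rows]


# Constructed sample findings mirroring the article's examples.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    Finding("db.example.com", "Database reachable with no authentication", "sensitive_data", True, False, T0),
    Finding("admin.example.com", "Admin panel exposed without MFA", "full_control", False, True, T0),
    Finding("www.example.com", "TLS 1.0 and SSL 3.0 still offered", "sensitive_data", False, True, T0),
    Finding("blog.example.com", "Outdated CMS version, no public exploit", "minor_data", False, True, T0),
    Finding("status.example.com", "Expired certificate on status page", "info", False, False, T0),
]

if __name__ == "__main__":
    for sev, action, f in prioritize(SAMPLE, T0 + timedelta(days=2)):
        print(f"{sev:8} {f.asset:20} {f.title}\n         -> {action}")
```

The sort key puts severity first and the due date second, so within one level the finding that has been waiting longest surfaces first; run the same list with `now` set 100 days later and the expired certificate climbs to Medium while the open database stays Critical.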


Conclusion

Understanding severity levels allows security teams to prioritize threats efficiently, focusing on critical and high-risk vulnerabilities first. By following this classification system, organizations can reduce exposure, allocate resources effectively, and enhance their security posture.

In the next article, we will explore how we discover subdomains and why it matters in external attack surface management.

Frequently Asked Questions

AI-Powered Insights
Can I ask follow-up questions about vulnerabilities?

Absolutely! The 'Dig Deeper' chat is interactive, allowing you to:

  • Request more details about how a vulnerability works.
  • Ask for additional remediation methods.
  • Clarify attack vectors and potential risks.

This ensures security teams get deeper insights beyond just a vulnerability description.

What is the 'Dig Deeper' chat, and how does it help?

The 'Dig Deeper' AI chat provides instant expert-level insights on detected issues.

  • It explains vulnerabilities in a clear, actionable way.
  • It helps users understand why an issue is risky and how attackers might exploit it.
  • It suggests remediation steps tailored to the asset and issue type.

This allows security teams to quickly grasp risks and respond effectively without deep security expertise.

Access & Security
Does this tool comply with security frameworks like NIST or CIS?

Yes, the EASM tool aligns with frameworks such as NIST, CIS, and ISO 27001 by identifying security gaps in publicly accessible infrastructure. While it does not enforce compliance, it helps security teams detect misconfigurations and vulnerabilities that could impact regulatory requirements.

Scanning & Detection
What sources does the scanner use to find vulnerabilities?

The scanner leverages multiple intelligence sources to detect vulnerabilities, including:

  • Public vulnerability databases (CVE, NVD, MITRE, etc.).
  • Security research feeds and threat intelligence sources.
  • Passive reconnaissance techniques such as OSINT and fingerprinting.

By combining these sources, the scanner provides real-time risk assessments without intrusive scans.

Does the scanner perform active exploitation or just passive mapping?

The scanner performs only passive mapping, meaning it identifies vulnerabilities but does not exploit them.

This approach:

  • Avoids system disruptions while gathering security intelligence.
  • Provides safe, real-world attacker perspectives without breaching legal boundaries.
  • Ensures compliance with ethical scanning practices.

Organizations can use these findings to proactively patch weaknesses before attackers do.

How does the EASM scanner find subdomains?

The scanner discovers subdomains using:

  • DNS enumeration (brute-force and dictionary-based lookups, with wildcard detection to discard names that only resolve because of a catch-all record).
  • Certificate transparency logs that expose registered subdomains.
  • Passive DNS records and web crawling to identify related assets.

This helps map the full attack surface, including shadow IT and forgotten subdomains.
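Two of the sources listed above, certificate transparency and dictionary-based DNS enumeration, are shown together in this added example (not the scanner's own code). It parses records in the shape of crt.sh's JSON output, keeps only names in scope for the target apex, detects a wildcard DNS record with a random probe label, and drops brute-forced guesses that merely hit the wildcard while keeping CT-logged names, since the certificate itself is evidence the name was once provisioned. The records, the word list and the in-memory resolver are constructed for the example; in practice the resolver callback would wrap a real DNS client.

```python
import json
import re
import secrets
from typing import Callable

# Constructed records in the shape of crt.sh JSON output (crt.sh puts several
# SANs in one name_value separated by newlines). Contents are made up.
CT_SAMPLE = json.dumps([
    {"name_value": "www.example.com\napi.example.com", "not_after": "2025-01-01T00:00:00"},
    {"name_value": "*.example.com", "not_after": "2025-01-01T00:00:00"},
    {"name_value": "Old-Staging.Example.COM", "not_after": "2025-01-01T00:00:00"},
    {"name_value": "example.com.evil.test", "not_after": "2025-01-01T00:00:00"},
    {"name_value": "mail.example.com", "not_after": "2025-01-01T00:00:00"},
])

WORDLIST = ["www", "dev", "staging", "vpn", "api"]   # tiny constructed dictionary
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

Resolver = Callable[[str], set[str]]   # hostname -> set of A-record addresses


def subdomains_from_ct(raw_json: str, apex: str) -> set[str]:
    """Extract in-scope hostnames from crt.sh-style records. Wildcard SANs
    are reduced to the apex; lookalikes such as example.com.evil.test are
    rejected because they do not end in '.apex'."""
    apex = apex.lower().rstrip(".")
    found = set()
    for rec in json.loads(raw_json):
        for name in rec.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name != apex and not name.endswith("." + apex):
                continue
            if all(LABEL.match(label) for label in name.split(".")):
                found.add(name)
    return found


def wildcard_ips(apex: str, resolve: Resolver) -> set[str]:
    """Resolve a random label that should not exist; any answer is the
    wildcard address set, which brute-forced hits must not match."""
    return resolve(f"{secrets.token_hex(8)}.{apex}")


def brute_force(apex: str, words, resolve: Resolver, wildcard: set[str]) -> dict:
    """Dictionary enumeration that discards answers identical to the wildcard."""
    live = {}
    for word in words:
        host = f"{word}.{apex}"
        ips = resolve(host)
        if ips and ips != wildcard:
            live[host] = ips
    return live


def discover(apex: str, ct_json: str, words, resolve: Resolver) -> dict:
    """Merge both sources into hostname -> addresses. CT names are kept even
    when they only hit the wildcard: a certificate was issued for them, so
    they are candidates for forgotten or dangling assets."""
    wildcard = wildcard_ips(apex, resolve)
    assets = brute_force(apex, words, resolve, wildcard)
    for host in subdomains_from_ct(ct_json, apex):
        assets[host] = resolve(host)
    return assets


def fake_resolver(host: str) -> set[str]:
    """Constructed stand-in for DNS: example.com has a catch-all (wildcard)
    A record plus a few hosts with their own addresses."""
    table = {
        "example.com": {"198.51.100.1"},
        "www.example.com": {"198.51.100.10"},
        "api.example.com": {"198.51.100.20"},
        "mail.example.com": {"198.51.100.30"},
        "dev.example.com": {"198.51.100.40"},
    }
    if host in table:
        return table[host]
    if host.endswith(".example.com"):
        return {"203.0.113.5"}   # wildcard answer for anything else under the apex
    return set()


if __name__ == "__main__":
    for host, ips in sorted(discover("example.com", CT_SAMPLE, WORDLIST, fake_resolver).items()):
        print(f"{host:28} {', '.join(sorted(ips)) or '(no answer)'}")
```

With the constructed resolver, `staging` and `vpn` are dropped because they resolve only to the wildcard address, while `old-staging.example.com` survives on the strength of its certificate record; a scanner would flag it for follow-up rather than silently treating it as live.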
