What is Security Check?
Running targeted security checks allows you to proactively test your systems for the most impactful CVEs.
In our platform, Security Check consists of individual tests or probes executed against one or more assets to detect vulnerabilities or misconfigurations. The list of available checkpoints is maintained and regularly updated by YesWeHack to ensure coverage of the latest threats.
Each checkpoint corresponds to a specific vulnerability and is executed through a defined rule. You can browse and manage these checkpoints directly from the platform’s admin page.
How to configure Checkpoints & assets?
You can select the asset(s) on which Security Check is enabled. You can also select specific checkpoints.
Go to the "Admin Panel"
Click on "Attack Surface" in the left-side menu
Go to "Security Check"
Start by activating "Continuous Security Check Scans" to enable the feature
In the "Assets" tab, you can select the asset(s) on which you want Security Check to run. You can select them individually, in bulk, or even all of them.
The "Checkpoints" tab of the same page lets you select which controls to run. For each checkpoint, a table shows:
Name
Description
Associated CVE
CVSS
Activation status
Finally, the notification settings for Security Check results are under "Admin Panel"/"Attack Surface"/"Notifications".
ℹ️ What are "Detected Issues"?
Detected Issues are the results of Security Check on the platform. When a vulnerability is identified, a "Detected Issue" report is triggered.
You can review each issue and either validate or discard it from the Attack Surface pages. Once validated, the Detected Issue is converted into a confirmed vulnerability report in your Vulnerability Center.
Where can I view the results of a Security Check?
Open the "Attack Surface" page through the top banner.
The "Overview" tab provides you with a summary of the findings. Within it, a dedicated section highlights the Detected Issues. Clicking on this section opens a detailed view of both pending and confirmed issues.
In the "Primary Assets" tab, you can quickly see which hosts are vulnerable, including those where detected issues exist.
Open a primary asset to display the details. A red bug icon will show the detected issues in the "Risks" column.
ℹ️ The Risks column takes into account pending & confirmed detected issues.
When looking at Hosts, within the dedicated tab or through a primary asset, you can also make sure that the asset is covered by continuous Security Check.
The "Hosts" tab provides additional information for every host regarding detected issues:
The "Vulnerability Reports" tab now includes confirmed detected issues, tagged with "AS" (for Attack Surface).
The "Detected Issues" tab centralizes every detected issue identified for this host. Together with “Potential CVE” and “Vulnerability Reports”, this gives you a risk overview for the selected asset.
You can filter these tabs by Program, Severity, Priority, and Status.
A detected issue must be validated before it can become a Vulnerability Report. This validation step determines whether the issue represents a real threat by examining the metadata and host characteristics of the underlying asset.
To validate a detected issue and create a vulnerability report:
Go to a given detected issue
Click on "Confirm"
What information should I expect in the Vulnerability Reports?
Confirmed reports from detected issues are aggregated in the Vulnerability Center with other reports, such as Bug Bounty.
ℹ️ Learn more about the Vulnerability Center here.
Vulnerability Reports coming from detected issues include:
A reminder of which Security Checkpoint was triggered
The finding’s summary
Affected vendors
Inspection
Exploitation
They also follow the same standards as other reports and contain key information such as:
Bug description
Impacted asset & endpoint
CVE
Bug type
Asset value
CVSS
EPSS
Priority score
They also include key functionalities such as comments, tags and action statuses. Learn more here.