Evidence-Based Security Is Just Better Security: How to Accelerate Your Risk Triage and Response

Attack Surface Management, Threat Detection

SecOps teams receive almost 4,500 alerts a day and then spend an average of three hours a day triaging them by hand. About 83% of security analysts report that the alerts they see are false positives that are not worth their time. Those triage hours are wasted, and the noise keeps teams from dealing with the real threats buried in it.

This is exactly the challenge our team aimed to address with Risk Evidence, a new feature in Censys Attack Surface Management (ASM). 

First, what exactly is risk evidence?

Risk Evidence provides clear, human-readable explanations about how a specific risk was detected in your attack surface. Instead of vague warnings or raw scan outputs, Risk Evidence translates findings into straightforward language, linking directly to the scan data that triggered the alert.

In simple terms, Risk Evidence answers two critical questions clearly and immediately:

  • Why did this alert fire? 
  • Where exactly is the supporting data?

This clarity transforms the way you handle risk detections, streamlining triage, accelerating investigations, and significantly improving your team’s operational efficiency.


How it helps in the SOC

Here’s why Risk Evidence matters from a practitioner’s point of view:

1. Faster triage and reduced false positives

False positives drain SOC resources. When you see “Open Database Instance” or “Potential Data Exposure,” your first instinct is to investigate, but many tools don’t make this easy.

With Risk Evidence, when a risk like “Open Database” surfaces, you’re presented with a concise explanation — such as “Detected PostgreSQL database listening publicly on port 5432; the server accepted a connection without requesting credentials” — linked directly to the specific scan data. Because the evidence states what the scanner actually observed, you can tell an exposed listener that still enforces authentication apart from a genuinely open database, confirm accuracy, and prioritize remediation or confidently dismiss a false positive without digging through logs.

2. Easier collaboration across security teams

When risk detections are transparent, collaboration between SOC analysts, threat intel, and infrastructure teams gets smoother. Risk Evidence provides everyone a common, detailed view of each risk:

  • Example: Your ASM identifies “Weak TLS Configuration.” Risk Evidence clearly states:
     “TLS version 1.0 detected on host X.X.X.X, posing encryption weakness risks.” (TLS 1.0 and 1.1 are formally deprecated by RFC 8996, so this is a finding infrastructure teams can act on without further debate.)
     Clicking into the evidence link takes you straight to the raw scan data, including the negotiated protocol version and cipher suite.

Your SOC analysts quickly validate severity, infrastructure teams clearly see what needs fixing, and remediation happens faster, with less friction and fewer debates.

3. Efficient risk investigation

Detailed evidence helps analysts understand why a risk was flagged, directly reducing investigation times. Consider your typical investigation process before Risk Evidence:

  • See alert → spend time tracking down logs → attempt validation → possibly consult multiple tools → finally confirm issue or false positive.

With Risk Evidence, the new workflow is far simpler:

  • See alert → click evidence link → immediately view underlying scan data → confirm accuracy → remediate.

This dramatically accelerates your team’s ability to validate, respond, and move forward.

Examples of using risk evidence in practice

Let’s make this practical with some realistic scenarios:

Example 1: Misconfigured S3 Bucket

You get an alert from Censys ASM: “Exposed AWS S3 Bucket Detected”. With Risk Evidence, you quickly see something like:

“Detected publicly accessible AWS S3 bucket ‘finance-backups-prod’: an unauthenticated GET on the bucket root returned 200 OK with a ListBucketResult XML body, meaning object keys can be enumerated.”

Clicking the evidence takes you directly to the raw HTTP response from Censys’s scan, the status line, headers, and the XML body, so you can validate the finding immediately. (A bucket that answers 403 AccessDenied is not open for listing, even though it is reachable; the evidence makes that distinction visible.)

Example 2: Vulnerable Application Server

You receive a risk instance alert: “Outdated Apache Struts Version.” Risk Evidence clearly states:

“Apache Struts version 2.3.31 detected on asset webapp.yourorg.com via HTTP response banner; known CVEs include CVE-2017-5638 (Remote Code Execution).”

Clicking the provided link shows you precisely the HTTP response from the scan, making your verification quick and accurate. The version string is the thing to check: CVE-2017-5638 (S2-045) affects Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10, and 2.3.32 and 2.5.10.1 are the fixed releases, so a version that sits just past the affected range is a false positive you can dismiss on the spot rather than escalate.
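The two examples above, and the “Open Database” case earlier, all come down to the same thing: a check that looks at raw scan data and emits a finding carrying both a plain-language explanation and a pointer to the field that triggered it. The following is an added example of such evidence-producing checks, written for this page and not Censys’s own detection code. The scan records, HTTP bodies, banners, and PostgreSQL wire bytes are constructed samples, and the record layout (a dict with “host”, “port”, “http”, “banner”, “pg_startup_reply”) is an assumption for illustration. It also shows the version-range edge case: 2.3.32 and 2.5.10.1 are fixed releases and must not match CVE-2017-5638.

```python
import re
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    risk: str
    host: str
    port: int
    evidence: str   # human-readable explanation of why the risk fired
    source: str     # which raw scan field(s) the explanation was derived from

# --- Constructed sample scan records (illustrative, not real scan output). ---
S3_BODY_OPEN = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
                '<Name>finance-backups-prod</Name>'
                '<Contents><Key>q1-ledger.xlsx</Key></Contents>'
                '<Contents><Key>payroll.csv</Key></Contents></ListBucketResult>')
S3_OPEN = {"host": "finance-backups-prod.s3.amazonaws.com", "port": 443,
           "http": {"status": 200, "headers": {"Server": "AmazonS3"}, "body": S3_BODY_OPEN}}
S3_DENIED = {"host": "finance-backups-prod.s3.amazonaws.com", "port": 443,
             "http": {"status": 403, "headers": {"Server": "AmazonS3"},
                      "body": '<?xml version="1.0"?><Error><Code>AccessDenied</Code></Error>'}}
STRUTS_VULN = {"host": "webapp.yourorg.com", "port": 443, "banner": "Apache Struts 2.3.31"}
STRUTS_FIXED = {"host": "webapp.yourorg.com", "port": 443, "banner": "Apache Struts 2.3.32"}
# PostgreSQL reply to a StartupMessage: 'R' + int32 length + int32 auth code.
PG_TRUST = {"host": "10.0.0.5", "port": 5432, "pg_startup_reply": b"R" + struct.pack(">II", 8, 0)}
PG_MD5 = {"host": "10.0.0.6", "port": 5432,
          "pg_startup_reply": b"R" + struct.pack(">II", 12, 5) + b"\x01\x02\x03\x04"}

def check_s3_listing(rec: dict) -> Optional[Finding]:
    """Open listing = unauthenticated GET on the bucket root answered 200 with a
    ListBucketResult document, i.e. object keys are enumerable. A 403 AccessDenied
    is a reachable but non-listable bucket and produces no finding."""
    http = rec.get("http", {})
    body = http.get("body", "")
    if http.get("status") != 200 or "<ListBucketResult" not in body:
        return None
    name = re.search(r"<Name>([^<]+)</Name>", body)
    keys = len(re.findall(r"<Key>", body))
    return Finding("Exposed AWS S3 Bucket", rec["host"], rec["port"],
                   f"Bucket '{name.group(1) if name else rec['host']}' returned 200 OK with a "
                   f"ListBucketResult body exposing {keys} object key(s) to an unauthenticated GET",
                   "http.status, http.body")

# Affected ranges for CVE-2017-5638 (S2-045), inclusive at both ends; the fixed
# releases 2.3.32 and 2.5.10.1 sort just past the upper bounds and do not match.
CVE_2017_5638_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]

def version_tuple(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))

def struts_cves(version: str) -> list:
    v = version_tuple(version)
    return ["CVE-2017-5638"] if any(lo <= v <= hi for lo, hi in CVE_2017_5638_RANGES) else []

def check_struts(rec: dict) -> Optional[Finding]:
    """Version comes from the banner (constructed here); only versions inside a
    known affected range produce a finding, so the fixed release is not flagged."""
    m = re.search(r"Struts[ /](\d+(?:\.\d+)+)", rec.get("banner", ""))
    if not m:
        return None
    cves = struts_cves(m.group(1))
    if not cves:
        return None
    return Finding("Outdated Apache Struts Version", rec["host"], rec["port"],
                   f"Apache Struts {m.group(1)} detected via HTTP response banner; "
                   f"affected by {', '.join(cves)} (Remote Code Execution)", "banner")

def pg_auth_code(reply: bytes) -> Optional[int]:
    """Parse the server's reply to a StartupMessage. An 'R' message carries an int32
    authentication code: 0 = AuthenticationOk (no credentials requested, i.e. trust),
    3 = cleartext password, 5 = MD5 password, 10 = SASL."""
    if len(reply) < 9 or reply[0:1] != b"R":
        return None
    length, code = struct.unpack(">II", reply[1:9])
    return code if length >= 8 else None

def check_postgres_open(rec: dict) -> Optional[Finding]:
    """Only AuthenticationOk with no credentials sent is an open database; a
    listener that demands a password is exposed but not open, so no finding."""
    if pg_auth_code(rec.get("pg_startup_reply", b"")) != 0:
        return None
    return Finding("Open Database", rec["host"], rec["port"],
                   f"PostgreSQL on port {rec['port']} answered the StartupMessage with "
                   "AuthenticationOk (code 0) without requesting credentials (trust auth)",
                   "pg_startup_reply")

def run_checks(records: list) -> list:
    """Apply every check to every record; each finding carries its own evidence."""
    checks = (check_s3_listing, check_struts, check_postgres_open)
    return [f for rec in records for c in checks if (f := c(rec)) is not None]

if __name__ == "__main__":
    for f in run_checks([S3_OPEN, S3_DENIED, STRUTS_VULN, STRUTS_FIXED, PG_TRUST, PG_MD5]):
        print(f"[{f.risk}] {f.host}:{f.port}\n  evidence: {f.evidence}\n  source: {f.source}")
```

Run stand-alone it reports three findings (the open bucket, Struts 2.3.31, and the trust-auth PostgreSQL listener) and stays silent on the denied bucket, the fixed Struts release, and the MD5-protected database; each finding names the raw field an analyst would pivot into to validate it.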

How to work with risk evidence

Here’s how your team can leverage Risk Evidence effectively within the Censys platform:

  • Start at the Risk Instances page: Risks are sorted by severity, and quick filters help you quickly focus on the highest-impact issues.
  • View risk details: Click any asset or risk to reveal the evidence card, clearly explaining detection logic.
  • Validate quickly: Use the evidence link to instantly pivot into scan data, eliminating guesswork.
  • Collaborate and remediate: Clearly articulated evidence lets your team swiftly agree on actions, improving cross-team efficiency.
  • Customize severity ratings: Adjust severity levels based on context, allowing your team to prioritize effectively.
  • Bulk edit and accept risks: Rapidly adjust or accept multiple risks simultaneously to streamline your remediation workflow.

You can even download risks as CSV files for broader analysis or reporting up.

Impact: less noise, faster response, stronger posture

Practically speaking, Risk Evidence is a force multiplier. It turns your security team from reactionary responders bogged down by validation tasks into proactive investigators who quickly focus on real threats and remediation.

The difference can be night-and-day in terms of efficiency, operational tempo, and security outcomes:

  • Reduced false positives: Spend less time validating, more time protecting.
  • Accelerated investigation: Clearly see why each risk matters and act immediately.
  • Improved collaboration: Align SOC, threat intelligence, and infrastructure teams effortlessly.
  • Increased trust in your tools: Transparency in detections boosts confidence, speeding decisions and actions.

Security isn’t just about spotting and reacting to threats, it’s about knowing why something matters and having the confidence to act fast. That’s exactly why Risk Evidence delivers. By embedding clear, human-readable explanations and direct links to the underlying scan data, your team can move from alert to action with speed and precision. 

No more guesswork, no more alert fatigue. Just focused, evidence-based decisions that improve your operational tempo, reduce wasted time, and make collaboration effortless across your distributed security teams. Risk evidence turns noisy detection into clear direction and puts your team in command of risk response. Request a demo and see how you can start triaging smarter. 

AUTHOR
Marianne Chrisos

Marianne Chrisos is the Content Marketing Manager at Censys, and brings over a decade of experience in copywriting, research, and content strategy, with a focus on technology and cybersecurity industries. Having worked with leaders like Cisco and Gartner, she combines industry knowledge with strategic storytelling to help organizations navigate the evolving security landscape.
