Application Vulnerability Management (PA) dashboard
Summarize
Summary of Application Vulnerability Management (PA) dashboard
The Application Vulnerability Management (PA) dashboard is a Performance Analytics tool designed to help vulnerability managers track and analyze application vulnerabilities from detection through remediation. It offers graphical insights into Application Vulnerable Items (AVIs), prioritizing those that pose the greatest risk to the organization. This dashboard supports planning and monitoring remediation efforts by focusing on critical and high-visibility vulnerabilities tied to key applications.
Show less
Key Features
- Dashboard Access and Setup: Included in the Performance Analytics for Vulnerability Response content pack, which requires a separate subscription and installation. Users such as Security Champions, App-Sec Managers, and Developers can access it via Application Vulnerability Response > Overview or within the Vulnerability Manager Workspace in the New Experience UI.
- Dashboard Tabs and Filters: The main Overview dashboard presents KPIs on vulnerability risks, affected applications, and remediation trends over customizable time frames (7 days to all-time). Data can be filtered by Scan Type (dynamic, static, manual), Application, or Business Unit with additional element selection refinement.
- Security Posture Tab: Displays current security status, remediation progress, and penetration test findings (manually created AVIs) for a comprehensive view of risk and remediation efforts.
- Exceptions Tab: Highlights deferred AVIs, expiring deferral requests, and exceptions by assignment group or requester to manage risk exposure from delayed remediation.
- Remediation Trend Tab: Tracks remediation progress over time, helping managers evaluate effectiveness and identify bottlenecks.
- Scoreboard Tab: Identifies applications with the highest number of critical and overdue AVIs, focusing attention where remediation support is most needed.
- Key Indicators: Includes metrics such as mean time to remediate by risk rating (Critical, High, Medium, Low), count of active and closed AVIs, average AVIs per application, unassigned AVIs, and net change in vulnerabilities, all aimed at minimizing risk and improving remediation efficiency.
Practical Benefits for ServiceNow Customers
By leveraging this dashboard, vulnerability managers can:
- Gain a clear, data-driven understanding of application vulnerability risks and remediation status.
- Focus remediation efforts on the most critical vulnerabilities and high-risk applications.
- Monitor remediation timelines and trends to improve response strategies and reduce risk exposure.
- Manage exceptions and deferred vulnerabilities to prevent unchecked risk accrual.
- Use detailed KPIs and visualizations to communicate security posture and progress to stakeholders effectively.
This dashboard empowers organizations to make informed decisions that enhance application security and streamline vulnerability management workflows within the ServiceNow platform.
Track the volume, performance and progress of application vulnerabilities from initial analysis and detection to containment or remediation.
Use cases
| User | Dashboard use |
|---|---|
| Vulnerability managers | With the Application Vulnerability Management dashboard, vulnerability management can determine which application vulnerable items (AVIs) present the most risk to their organizations. These dashboards provide a graphical view into AVI activity to help them determine remediation plans and status progress. Focus on the KPIs associated with critical affected applications and high-visibility vulnerabilities. |
Required ServiceNow AI Platform roles, setup, and the dashboard tabs
The Application Vulnerability Management (PA) dashboard is included as a part of the Performance Analytics for Vulnerability Response content pack. The Performance Analytics for Vulnerability Response content pack is not automatically installed with the Vulnerability Response application. It is available on the ServiceNow® Store as a separate subscription.
For more information about setting up, installing, and configuring your Performance Analytics for Vulnerability Response application, see Install and configure the Performance Analytics for Vulnerability Response [PA] application.
To view the dashboard, as a user assigned to Security Champion, App-Sec Manager, or Developer user groups, navigate to .
Starting with version 19.0 of Application Vulnerability Response, this dashboard can also be viewed in the New Experience UI. To view the dashboard in the new UI, navigate to and click theDashboards icon. Depending on your role, the default dashboard is displayed. To view other dashboards, click the drop-down next to the dashboard name. For more information, see Dashboards in the Vulnerability Manager Workspace and Dashboards in the IT Remediation Workspace.
The Overview dashboard communicates KPIs for vulnerability risk and prevalence, affected applications, remediation trends, and remediation progress. The default for trends is three months but can be changed to 7 day, one month, 3 months, 6 months, YTD, 1 year, or All.
Breakdown the data in the Application Vulnerability Management dashboard by Scan Type, Application or Business unit. Each of these choices has an additional filter, Select elements, to refine your selections. Starting from Application Vulnerability Response v15.0, business and CI applications have been added to the choices for the Application filter.
The Security Posture tab helps you understand your security posture and the progress of your remediation actions.
This dashboard helps you understand where your organization is taking risk due to potentially excessive deferrals and reconsider remediation options.
You can view Deferred Application Vulnerable items by Reason, Expiring Deferral Requests for AVIs, Exceptions for Critical Application Vulnerable Items by Assignment Group, AVI Exception Requests by Requester.
The Remediation Trend tab helps you understand the progress of your remediation actions.
The Scoreboard tab helps you understand the progress of your remediation actions, and which AVIs need the most assistance with their completion.
- Dynamic: Use only metrics from dynamic data import
- Static: Use only metrics from static data import
You can choose either or both.
Indicators
- Mean time to remediate Low AVIs
- [[Summed Duration of Closed Application Vulnerable Items > Risk Rating = 4 - Low]] / [[Closed Application Vulnerable Items > Risk Rating = 4 - Low]]. Goal is to minimize.
- Application Releases
- It is the count distinct on applications from AVI.Active, which is using the table: sn_vul_app_vulnerable_item. Goal is to minimize.
- Application Vulnerable Items
- It is the count on app vul items AVI.Active, which is using the table: sn_vul_app_vulnerable_item. Goal is to minimize.
- Average AVIs per application
- [Active Application Vulnerable Items]] / [[Application Releases]]. Goal is to minimize.
- Unassigned VIs
- It is the count on indicator source AVI.Active, which is using the table: sn_vul_app_vulnerable_item. Goal is to minimize.
- Mean time to remediate AVIs
- [[Summed Duration of Closed Application Vulnerable Items]] / [[Closed Application Vulnerable Items]]. Goal is to minimize.
- Mean time to remediate High AVIs
- [[Summed Duration of Closed Application Vulnerable Items > Risk Rating = 2 - High]] / [[Closed Application Vulnerable Items > Risk Rating = 2 - High]]. Goal is to minimize.
- Closed Application Vulnerable Items
- It is the count on indicator source AVI.Closed, which is using the table: sn_vul_app_vulnerable_item. Goal is to maximize.
- Mean time to remediate Critical AVIs
- [[Summed Duration of Closed Application Vulnerable Items > Risk Rating = 1 - Critical]] / [[Closed Application Vulnerable Items > Risk Rating = 1 - Critical]]. Goal is to minimize.
- New Application Vulnerable Items
- It is the count on indicator source AVI.New, which is using the table: sn_vul_app_vulnerable_item. Goal is to minimize.
- Mean time to remediate Medium AVIs
- [[Summed Duration of Closed Application Vulnerable Items > Risk Rating = 3 - Medium]] / [[Closed Application Vulnerable Items > Risk Rating = 3 - Medium]]. Goal is to minimize.
- Net change in VIs
- [[New Application Vulnerable Items]] - [[Closed Application Vulnerable Items]]. Goal is to minimize.
- Summed Duration of Closed Application Vulnerable Items
- It is the count on indicator source AVI.Closed, which is using the table: sn_vul_app_vulnerable_item. Goal is to minimize.
- Critical Overdue Application Vulnerable Items
- It is the count on data source AVI.Active, which is using the table: sn_vul_app_vulnerable_item. Goal is to minimize.
- Critical Application Vulnerable Items
- It is the count on indicator source Applications with active AVIs, which is using the table: sn_vul_analytics_app_ci_dept_bu. Goal is to minimize.
Breakdowns
- Age
- Age Closed
- Application
- Business Unit
- Risk Rating
- Scan Type
Data visualizations
| Name | Type | Description |
|---|---|---|
| V15.0: Penetration Test Findings in Validation Pending State | Pie Chart  |
Penetration test findings in Resolved state, but with validation pending, grouped by risk rating. |
| V15.0: Overdue Penetration Test Findings | Pie Chart |
Critical penetration test findings that have missed their remediation target date, grouped by risk rating. |
| Active Application Vulnerable Items (AVIs) | Single Score  |
Number of active (non-closed) application vulnerable items (AVIs). |
| Unassigned Application Vulnerable Items (AVIs) | Single Score |
Number of active application vulnerable items (AVIs) without an assignment group. |
| Application Vulnerable Item (AVI) Distribution | Pie Chart |
Distribution of all active application vulnerable items (AVIs) grouped by risk rating. |
| Application Vulnerable Items (AVIs) by Age | Heatmap  |
Number of active application vulnerable items (AVIs) grouped by risk rating and age (in days). |
| AVI trends | Trend  |
Trend of active application vulnerable items (AVIs) grouped by risk rating. |
| Average AVIs per application | Trend |
Trend of average application vulnerable items (AVIs) per application, grouped by risk rating. |
| Name | Type | Description |
|---|---|---|
| Mean time to Remediate Application Vulnerable Items (AVIs) | Line  |
Trend of the average remediation time for application vulnerable items (AVIs) by risk rating. |
| Net change of AVIs | Trend
|
Trend of new application vulnerable items (AVIs) detected vs closed by month. |
| Name | Type | Description |
|---|---|---|
| Top 10 Applications with Most Critical Application Vulnerable Items (AVIs) | Score card and Distribution Bar 
 |
Applications with most number of critical application vulnerable items (AVIs). |
| Top 10 Applications with Most Overdue Critical Application Vulnerable Items (AVIs) | Score card and Distribution Bar
|
Applications with the most number of active application vulnerable items (AVIs) that are past their remediation target dates. |