Attack Surface Snapshot

This report provides an exposure-oriented view of the scan results:

  • port concentration (by hosts and by rows)

  • protocol split (TCP/UDP/unknown)

  • TLS vs cleartext/unknown indicators

  • “hotspots” (assets with high Sev4+ on ports and high port diversity)

Output

  • Per scan: output/<scan_name>/attack-surface.html

Optional model artifact (only when metadata export is enabled):

  • output/<scan_name>/attack_surface_model.json

Model JSON is written when notifications.include_run_metadata: true.

How to generate

CLI:

miyabi-qualys-ai-triage-pack run --config config/config.yaml

Configuration

Enable/disable:

  • reports.attack_surface.enabled: true|false

UI options:

  • reports.attack_surface.ui.enable_filters

  • reports.attack_surface.ui.max_rows_render

Optional LLM narrative (guardrailed / JSON-only):

  • reports.attack_surface.llm.enabled

  • reports.attack_surface.llm.model

  • reports.attack_surface.llm.max_items_for_llm

Data sources (Qualys CSV fields)

Primary:

  • Port, Protocol, SSL

  • Severity, QID, Title

  • asset identifiers: FQDN/DNS/NetBIOS/IP

Interpretation notes

  • “TLS” vs “cleartext/unknown” is derived from the SSL column in the export; missing/ambiguous values will be classified as unknown.

  • This report does not claim internet exposure; it is strictly an internal aggregation of scan data.

Troubleshooting

  • Charts look empty: the export may not include Port/Protocol fields for the findings in scope.

  • TLS split seems wrong: verify that the export includes SSL values and that they are consistent (some exports encode SSL/TLS differently by scanner profile).
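
One way to run the checks suggested under Troubleshooting against an export before generating the report. This is an added example, not part of miyabi-qualys-ai-triage-pack: it counts rows lacking Port/Protocol, tallies the raw SSL-column values, and shows port concentration by rows and by hosts. The sample rows are constructed, and the TLS/cleartext value sets are assumptions, since the page does not list the tool's own mapping.

```python
import csv
from collections import Counter, defaultdict

# Assumed mapping of raw SSL-column values (not the tool's documented mapping).
TLS_VALUES = {"yes", "true", "1", "over ssl"}
CLEARTEXT_VALUES = {"no", "false", "0"}
# Constructed sample rows using column names listed under "Data sources".
SAMPLE_CSV = """IP,DNS,Port,Protocol,SSL,Severity,QID,Title
10.0.0.5,web01.example.test,443,tcp,over ssl,4,100001,Constructed finding A
10.0.0.5,web01.example.test,80,tcp,no,3,100002,Constructed finding B
10.0.0.6,db01.example.test,443,tcp,Yes,5,100001,Constructed finding A
10.0.0.6,db01.example.test,161,udp,,2,100003,Constructed finding C
10.0.0.7,,,,,4,100004,Constructed finding D
10.0.0.7,,8443,tcp,TLSv1.2,4,100005,Constructed finding E
"""

def classify_ssl(raw):
    """Return 'tls', 'cleartext' or 'unknown' (missing or ambiguous values)."""
    value = (raw or "").strip().lower()
    if value in TLS_VALUES:
        return "tls"
    if value in CLEARTEXT_VALUES:
        return "cleartext"
    return "unknown"

def audit_export(csv_text):
    """Summarise field coverage and SSL-value consistency for one export."""
    rows_by_port, hosts_by_port = Counter(), defaultdict(set)
    summary = {"rows": 0, "missing_port": 0, "missing_protocol": 0,
               "ssl_raw": Counter(), "split": Counter()}
    for row in csv.DictReader(csv_text.splitlines()):
        summary["rows"] += 1
        port = (row.get("Port") or "").strip()
        if not (row.get("Protocol") or "").strip():
            summary["missing_protocol"] += 1
        if not port:
            summary["missing_port"] += 1
            continue  # no port: excluded from the port and TLS tallies here
        host = row.get("IP") or row.get("DNS") or "unknown-host"
        rows_by_port[port] += 1
        hosts_by_port[port].add(host)
        summary["ssl_raw"][(row.get("SSL") or "").strip() or "<empty>"] += 1
        summary["split"][classify_ssl(row.get("SSL"))] += 1
    summary["rows_by_port"] = dict(rows_by_port)
    summary["hosts_by_port"] = {p: len(h) for p, h in hosts_by_port.items()}
    return summary

if __name__ == "__main__":
    print(audit_export(SAMPLE_CSV))
```

A large `unknown` share alongside several distinct entries in `ssl_raw` points to inconsistent SSL encoding in the export rather than to cleartext services.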