Risk Manager
Risk Manager helps you register, prioritize, and close risks across your workspace. Open it from the sidebar (Risk Manager). Every risk is tied to an asset from Asset Manager. Use it to document threat scenarios and TARA findings (Design), record security test results (Test), and track vulnerability findings (Monitor), with owner assignment, triage workflows, and PDF report export throughout.
At a glance
- Create your assets in Asset Manager first: a risk can only be created once at least one asset exists, and each risk is linked to exactly one asset.
- Use New risk → Create Risk to add a risk; it opens in Triage. Accept to move it to Open, or Discard to set it aside (reversible).
- Open any risk from the list to reach Risk Details. Summary holds status and ownership; the type-specific tab holds the detailed fields.
- Click Edit (pencil, bottom of the page) to change fields, then Done to save.
Asset Manager
Each risk references one asset from Asset Manager. Assets must exist before you can create risks; the asset link is set at creation and cannot be changed.
Permissions
The Risk Manager page lists every risk your role may see. If you only have view access, New risk and Edit on Risk Details stay disabled and detail fields are read-only. Your workspace administrator assigns roles and permissions (see VSEC Core for workspace and access management).
Risks list
- Filter by assets: Select one or more assets, or leave the filter empty for all assets.
- Include discarded risks: Show triage-discarded items so you can open them and Resurface.
- Include parent assets (when filtering by asset): Also return risks from ancestor assets. Assets can be organized into a hierarchy in Asset Manager (for example, a vehicle containing systems containing components); this option walks up the tree from your selection.
- Report: After the table finishes loading, build a PDF of the risks currently shown (same filters and Include discarded setting). Preview, print, or download. Wait for the row count to stabilize before generating; exporting while the table is still loading can omit rows.
- Columns: Status, Type, Heading, Priority, Risk score, Stage, Days open (days since the risk was created), and Assigned. Click any column header to sort. Status shows the lifecycle step (Triage through Closed); Stage reflects your workspace’s workflow configuration and may track additional milestones alongside status.
- New risk → Create Risk: Choose an asset and a risk type (Design, Test, or Monitor). Requires at least one asset; if none exist, you are prompted toward Asset Manager. The new risk opens in Triage. Select any row to open Risk Details.
Import Risk
Import Risk uploads an Excel workbook (.xlsx) for bulk or automated intake. The workbook must contain sheets named Risks, Threat Scenarios Attack Steps, and Damage Scenarios. Exact column requirements vary by workspace; ask your workspace administrator for the template your tenant uses.
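Because a workbook with a missing or misnamed sheet is rejected only after upload, a quick local check saves a round trip. The following is an added example, not part of the product or its documentation. It assumes the three sheet names must match exactly as written above, and it deliberately checks only sheet presence, since column requirements vary by workspace. It relies on the fact that an .xlsx file is a zip archive whose sheet list is in xl/workbook.xml, so only the Python standard library is needed; the build_stub_workbook helper is a constructed fixture for running the check offline, not a usable import template.

```python
"""Pre-upload check for an Import Risk workbook (added example, not product code).

Assumptions: sheet names must match exactly ("Risks", "Threat Scenarios
Attack Steps", "Damage Scenarios"); column layout is workspace-specific and
is NOT checked here.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

REQUIRED_SHEETS = ("Risks", "Threat Scenarios Attack Steps", "Damage Scenarios")
_NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def sheet_names(xlsx_bytes: bytes) -> list[str]:
    """Return worksheet names in workbook order by reading xl/workbook.xml."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    return [s.get("name") for s in root.findall("m:sheets/m:sheet", _NS)]


def check_import_workbook(xlsx_bytes: bytes) -> dict:
    """Report missing required sheets, near-miss names, and extra sheets.

    Matching is exact (case and spacing), because the import looks the
    sheets up literally; a near miss such as "Damage scenarios" is reported
    as missing together with the candidate the user should rename.
    """
    names = sheet_names(xlsx_bytes)
    missing = [s for s in REQUIRED_SHEETS if s not in names]
    near_misses = {}
    for req in missing:
        cands = [n for n in names if n.casefold().split() == req.casefold().split()]
        if cands:
            near_misses[req] = cands
    extra = [n for n in names if n not in REQUIRED_SHEETS]
    return {"ok": not missing, "missing": missing, "near_misses": near_misses, "extra": extra}


def build_stub_workbook(names: list[str]) -> bytes:
    """Constructed fixture: a minimal zip carrying only xl/workbook.xml.

    Enough for sheet_names() to run offline; it is not a complete .xlsx that a
    spreadsheet application would open. Use the workspace template for imports.
    """
    sheets = "".join(
        f"<sheet name={quoteattr(n)} sheetId=\"{i}\" r:id=\"rId{i}\"/>"
        for i, n in enumerate(names, 1)
    )
    xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        f"<sheets>{sheets}</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", xml)
    return buf.getvalue()


if __name__ == "__main__":
    good = build_stub_workbook(list(REQUIRED_SHEETS))
    bad = build_stub_workbook(["Risks", "Threat Scenarios Attack Steps", "Damage scenarios", "Notes"])
    print(check_import_workbook(good))   # ok: True
    print(check_import_workbook(bad))    # ok: False, "Damage Scenarios" missing
```

To check a real file, pass the bytes read from your template-derived .xlsx to check_import_workbook and fix anything listed under missing before uploading.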
Recommendations (optional)
Some workflows add a recommendations view (naming may vary) that lists only risks still awaiting a decision, that is, risks of any type that remain in Triage. Your workspace administrator controls whether that view appears. If you use it, behavior matches the main list: open a row → Risk Details → Accept or Discard as usual. Many teams rely only on the all risks table.
Risk details
Layout
Breadcrumbs run Risk Manager → asset → risk title; use them to step back toward the list. Every risk shows Summary and Activity; one additional tab specific to the risk type also appears (see Risk types below). The Comments section is on the Summary tab alongside the main fields and accepts text and file attachments.
Editing
Content is read-only until you click Edit (pencil icon, bottom of the page). Done (check icon) saves; Cancel (undo arrow icon) abandons edits and restores the last saved values. Without update permission, Edit does not appear.
Risk types (quick reference)
- Design → TARA Info: Threat scenario, risk scores, treatment, controls, keywords, justification, attack paths, and damage scenarios.
- Test → Test Info: Test type, report details, CVSS score, test steps, expected and actual results, and description.
- Monitor → Vulnerability Info: Vulnerability description, recommended mitigation, vulnerability ID, threat intel link, and evaluation notes.
Summary
Manage status, ownership, and context here.
Status
All risks start in Triage regardless of type. From Triage:
- Accept moves the risk to Open; Discard hides it from the default list (it is not deleted).
- Accept and Discard appear in the status progress bar and as buttons at the bottom of the page while the risk is in Triage.
Once open, risks advance through a progress bar at the top of the page: Open → WIP → In Review → Closed. While in edit mode, click any step to jump to that status.
Discarded risks
If a risk was discarded, an alert at the top of Risk Details explains that and offers Resurface. Alternatively, enable Include discarded risks on the list, open the risk, then Resurface from Risk Details.
Ownership and treatment
Set assignee, priority (Unassigned, Low, Medium, High, Critical), risk score (0–5; 0 displays as No Rating), and risk treatment (how your team plans to handle the risk; options are defined in your workspace). Monitor risks also show Risk state: Event, Weakness, Vulnerability, Not Applicable.
Context
Review the risk ID, created and updated dates, created by, type, and heading. On Design risks, the threat scenario and risk scores also appear here as read-only previews; the full editable fields are under TARA Info.
TARA Info
Design risks only.
Left column: Threat scenario; Original and Residual risk score (0–5; 0 displays as No Rating); Risk treatment from your workspace’s catalog; Control and Keyword tags (select from workspace suggestions or type to create a new entry, which is then available workspace-wide); Justification; Recommended action for next steps.
Right column: Two tabs, Attack Path and Damage Scenario.
Attack Path captures how a threat could be realized. Create a named path for each plausible attack route (e.g., different entry points or attacker prerequisites). Each path has a step table (step number and activity description) and an Attack feasibility rating (Very Low through High) for how difficult or likely that route is. Click a path name to switch between paths. Blank steps are removed when you save. Add as many paths as needed; scenarios do not need to be paired one-to-one with paths.
Damage Scenario captures what happens if a threat succeeds. Each scenario has a name, a description, and an Impact rating (Negligible through Severe) for how severe the harm would be. Click a scenario name to switch between scenarios. Use Justification and the Threat scenario on the left to connect paths and scenarios for reviewers and reporting.
Aggregates: After at least one path or scenario exists, Aggregate Impact Rating is the worst damage impact across scenarios and Aggregate Attack Feasibility Rating is the worst feasibility across paths; each dimension is aggregated independently and takes the highest rating you entered on its own scale.
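The aggregation rule is easy to misread when a risk has several paths and scenarios, so here it is as an added example (not product code). It assumes the intermediate rating levels, which the page does not name: feasibility Very Low, Low, Medium, High and impact Negligible, Moderate, Major, Severe, in the ISO/SAE 21434 style; the AttackPath and DamageScenario classes and the sample data are constructed for illustration.

```python
"""Aggregate Attack Feasibility / Impact ratings for a Design risk (added example).

Endpoints of each scale come from the TARA Info description; the intermediate
levels are an assumption (ISO/SAE 21434 naming). Worst rating is last.
"""
from dataclasses import dataclass, field

FEASIBILITY = ("Very Low", "Low", "Medium", "High")      # assumed intermediate levels
IMPACT = ("Negligible", "Moderate", "Major", "Severe")    # assumed intermediate levels


@dataclass
class AttackPath:
    name: str
    feasibility: str                                 # one of FEASIBILITY
    steps: list[str] = field(default_factory=list)   # activity descriptions, in order


@dataclass
class DamageScenario:
    name: str
    impact: str                                      # one of IMPACT
    description: str = ""


def clean_steps(steps):
    """Mirror the save behaviour: blank steps are dropped, the rest renumbered from 1."""
    kept = [s.strip() for s in steps if s and s.strip()]
    return [(i, s) for i, s in enumerate(kept, 1)]


def _worst(values, scale, label):
    """Highest position on an ordered scale, or None when there is nothing to aggregate."""
    ranks = []
    for v in values:
        if v not in scale:
            raise ValueError(f"unknown {label} rating {v!r}; expected one of {scale}")
        ranks.append(scale.index(v))
    return scale[max(ranks)] if ranks else None


def aggregate_ratings(paths, scenarios):
    """Return (Aggregate Attack Feasibility Rating, Aggregate Impact Rating).

    The two dimensions are aggregated independently: the most feasible path and
    the most severe scenario set the aggregates even if they describe different
    routes and different harms. A dimension stays None until at least one
    path / scenario exists, matching the 'after at least one exists' rule.
    """
    feas = _worst((p.feasibility for p in paths), FEASIBILITY, "feasibility")
    imp = _worst((s.impact for s in scenarios), IMPACT, "impact")
    return feas, imp


# Constructed sample data for one Design risk (illustrative, not from the page).
SAMPLE_PATHS = [
    AttackPath("Diagnostic port", "Medium",
               ["Plug tester into diagnostic connector", "", "Unlock diagnostic session", "Write calibration"]),
    AttackPath("Remote via telematics unit", "Low",
               ["Reach telematics unit from cellular side", "Pivot to in-vehicle network"]),
]
SAMPLE_SCENARIOS = [
    DamageScenario("Braking degraded while driving", "Severe"),
    DamageScenario("Trip history disclosed", "Moderate"),
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p.name, clean_steps(p.steps))
    print(aggregate_ratings(SAMPLE_PATHS, SAMPLE_SCENARIOS))   # ('Medium', 'Severe')
```

Note that the sample yields Medium / Severe even though the Severe scenario is not tied to the Medium-feasibility path: the aggregates summarize each dimension on its own, which is why the Justification field is where you record which path leads to which harm.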
Test Info
Test risks only. Left column: type, report fields, reference, date, CVSS score, Description, Recommended action. Right column: Test steps, Expected result, Actual result.
- Test type: Your workspace’s list (e.g., Functional Test, Penetration Test, Fuzz Test, Other, plus custom types). Empty selection shows Not Entered.
- Test report: In edit mode, separate name (label) and URL (target). In view mode, one line that is clickable when a URL exists; the name is shown as the link text when present, otherwise the URL itself.
- Test reference: identifier for an external test plan, ticket, or document.
- Last ran: date of the most recent test run.
- CVSS score: CVSS score for the finding.
Use Description for narrative; Recommended action for next steps. Test steps holds the procedure; Expected / Actual are short single-line fields; put detail in Description or Test steps when needed.
Vulnerability Info
Monitor risks only. Same two-column layout as Test Info: identification and mitigation on the left; assessment and follow-up on the right.
- Left column: General description (narrative; structured SBOM or file-list content renders as a formatted list when detected). Recommended mitigation, Vulnerability ID, Link to threat intel platform (opens in a new tab). Controls and Keywords (select from workspace suggestions or type to create a new entry, available workspace-wide).
- Right column: Event Evaluation (initial assessment of the finding), Vulnerability Analysis (technical deep-dive), Vulnerability Management (remediation tracking); keep each field focused on its stage so the record stays readable as work progresses.
Activity
Per-risk change log. An entry is created whenever a field is edited, status changes (accepted, discarded, resurfaced), or a comment or attachment is added. Filter entries with From and To date pickers. If your workspace supports revision comparison, open an entry to compare it side by side with the previous version.