Blackpoint Vulnerability Management
CompassOne exposes four exposure lenses against a tenant's assets: host-level vulnerabilities, scan history, dark-web leaks, and internet-facing external exposures. This skill covers all four and how to combine them into a prioritized remediation view.
API Tools
| Tool | Purpose |
|---|---|
blackpoint_vulnerabilities_list | Host-level vulnerability findings |
blackpoint_vulnerabilities_scans_list | Vulnerability scan history and status |
blackpoint_vulnerabilities_darkweb_list | Dark-web exposures (leaked data) |
blackpoint_vulnerabilities_external_list | Internet-facing external exposures |
Filters That Matter
blackpoint_vulnerabilities_list accepts:
tenant_id,asset_id— scopeseverity—low,medium,high,criticalstatus—open,fixed,ignored,false_positivecve_id— pivot on a specific CVEpatch_available— is a fix published?exploit_available— is it weaponized in the wild?
The fix-now cohort is the intersection: severity in
{high, critical}, status: open, exploit_available: true,
patch_available: true — a known, weaponized, fixable problem that
has not been fixed.
blackpoint_vulnerabilities_darkweb_list exposure types:
credentials, documents, data_breach, malware.
blackpoint_vulnerabilities_external_list exposure types:
open_port, vulnerable_service, certificate_issue,
misconfiguration.
blackpoint_vulnerabilities_scans_list status values:
pending, running, completed, failed.
Common Workflows
Prioritized remediation list for a tenant
- Check
blackpoint_vulnerabilities_scans_list— if the lastcompletedscan is stale or recent scansfailed, say so; it caps confidence in everything below. - Pull
blackpoint_vulnerabilities_listfor the tenant. - Filter to the fix-now cohort and present it first.
- List remaining open criticals/highs (especially no-patch ones) separately with a compensating-controls note.
Dark-web exposure check
blackpoint_vulnerabilities_darkweb_listfor the tenant.- For
credentialsexposures, recommend forced password resets and an MFA enforcement check. - Flag
data_breachandmalwareexposures for follow-up.
External attack-surface review
blackpoint_vulnerabilities_external_listfor the tenant.- Group by exposure type; treat
vulnerable_serviceandopen_porton management ports as highest priority. - Pair with
certificate_issuefindings for a complete edge view.
Edge Cases
- Stale scans — never present a vulnerability rollup without checking scan recency first; old data misleads the reader.
- No-patch criticals — separate these from the fix-now list; they need compensating controls, not a patch ticket.
- Read-only — remediation actions happen outside CompassOne; the MCP cannot mark findings fixed.
Best Practices
- Risk-weight, do not just severity-sort: exploitability and patch availability change the priority order materially.
- Combine all four lenses for QBRs — host, scan, dark-web, external tell complementary stories.
- Always cite CVE IDs and asset IDs so a finding can be re-pulled.
Related Skills
- incident-response - Detection-to-vulnerability correlation
- asset-inventory - Mapping findings to assets