CyCognito Connector
The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Product Offering.
The CyCognito platform discovers and tests all assets discoverable via the internet. This process finds previously unknown assets unmonitored and exposed to attack. The platform continuously monitors and tests all assets associated with an organization.
Connector Details
Details | Description |
---|---|
Supported products |
|
Category |
DAST |
Ingested data |
Assets and Findings |
Ingested Asset Classes |
Devices Web Applications |
Integration type |
UNI directional (data is transferred from the Connector to Tenable Exposure Management in one direction) |
Supported version and type |
SaaS (latest) |
Prerequisites and User Permissions
Before you begin configuring the connector, make sure to:
-
Create a CyCognito user with the necessary permissions to generate and manage API keys within the CyCognito platform.
-
Identify your CyCognito platform URL.
Add a Connector
To add a new connector:
-
In the left navigation menu, click Connectors.
The Connectors page appears.
-
In the upper-right corner, click
Add new connector.
The Connector Library appears.
-
In the search box, type the name of the connector.
-
On the tile for the connector, click Connect.
The connector configuration options appear.
Configure the Connector
To configure the connector:
-
(Optional) In the Connector's Name text box, type a descriptive name for the connector.
-
(Optional) To use a preconfigured on-prem connector to connect to this connector, from the Gateway drop-down, select the on-prem connector you want to use for the connector. Otherwise, select Don't use gateway.
Note: For information about configuring a gateway, see Tenable On-Prem Connector. -
From the Platform URL drop-down, select the Cycognito platform URL to use for the connector.
-
In the API Key text box, paste the API key you generated earlier.
-
In the Data pulling configuration section, you can configure dynamic settings specific to the connector.
-
In the Cycognito asset types to fetch section, select the check boxes next to the asset types you want to ingest from Cycognito:
-
Web Applications
-
Domains
-
IP Addresses
-
-
In the Asset Retention text box, type the number of days after which you want assets to be removed from Tenable Exposure Management. If an asset has not been detected or updated within the specified number of days, it is automatically removed from the application, ensuring your asset inventory is current and relevant.
Tip: For more information, see Asset Retention. -
For the Immediately remove assets when their status is option, choose to automatically remove assets that reach a certain asset status, for example, Removed.
-
-
In the Test connectivity section, click the Test Connectivity button to verify that Tenable Exposure Management can connect to your connector instance.
-
A successful connectivity test confirms that the platform can connect to the connector instance. It does not, however, guarantee that the synchronization process will succeed, as additional syncing or processing issues may arise.
-
If the connectivity test fails, an error message with details about the issue appears. Click Show tests for more information about the exact error.
-
-
In the Connector scheduling section, configure the time and day(s) on which you want connector syncs to occur.
Tip: For more information, see Connector Scheduling. -
Click Create. Tenable Exposure Management begins syncing the connector. The sync can take some time to complete.
-
To confirm the sync is complete, do the following:
-
Navigate to the Connectors page and monitor the connector's status. Sync is complete once the connector status is Connected.
-
View the sync logs for the connector to monitor the logs for a successful connection.
-
CyCognito in Tenable Exposure Management
Locate Connector Assets in Tenable Exposure Management
As the connector discovers assets, Tenable Exposure Management ingests those devices for reporting.
To view assets by connector:
-
In Tenable Exposure Management, navigate to the Assets page.
-
In the Filters section, under 3rd Party Connectors, click the connector name for which you want to view assets.
The asset list updates to show only assets from the selected connector.
-
Click on any asset to view Asset Details.
Locate Connector Weaknesses in Tenable Exposure Management
As the connector discovers weaknesses, Tenable Exposure Management ingests those weaknesses for reporting.
To view weaknesses by connector:
-
In Tenable Exposure Management, navigate to the Weaknesses page.
-
In the Filters section, under 3rd Party Connectors, click the connector name for which you want to view weaknesses.
The weaknesses list updates to show only weaknesses from the selected connector.
-
Click on any weakness to view Weakness Details.
Locate Connector Findings in Tenable Exposure Management
As the connector discovers individual findings, Tenable Exposure Management ingests those findings for reporting.
To view findings by connector:
-
In Tenable Exposure Management, navigate to the Findings page.
-
In the Filters section, under 3rd Party Connectors, click the connector name for which you want to view findings
The findings list updates to show only assets from the selected connector.
-
Click on any asset to view Finding Details.
Data Mapping
Exposure Management integrates with the connector via API to retrieve relevant weakness and asset data, which is then mapped into the Exposure Management system. The following tables outline how fields and their values are mapped from the connector to Exposure Management.
Device Mapping (CyCognito IP Address)
Tenable Exposure Management UI Field |
CyCognito Field |
---|---|
Unique Identifier | Asset Id |
Asset - Name | IP |
Asset - Operating Systems | Platforms |
Asset - IPv4 Adresses Asset - IPv6 Adresses |
IP |
Asset - First Observation Date | First Seen |
Asset - Last Observed At | Last Seen |
Asset - External Tags |
Organizations Technical Owner Business Units Asset Type tags |
Asset Custom Attributes |
type: type score: Security Score grade: Security Grade hosting: Hosting discoverability: Discoverability attractiveness: Attractiveness technical_owner: Technical Owner organizations: Organizations locations: Locations environments: Environments ip_ranges: IP Ranges |
Web Application Mapping (CyCognito Web Applications)
Tenable Exposure Management Value |
CyCognito Value |
---|---|
Unique Identifier | Asset Id |
Asset - Name | Webapp Address |
Asset - First Observation Date | First Seen |
Asset - Last Observed At | Last Seen |
Asset - Webapp Homepage Screenshot Url | Homepage URL |
Asset - External Tags |
tags Organizations Technical Owner Business Units Asset Type |
Asset Custom Attributes |
type score: Security Score grade: Security Grade hosting discoverability attractiveness technical_owner organizations |
Web Application Mapping (CyCognito Domain)
Tenable Exposure Management Value |
CyCognito Value |
---|---|
Unique Identifier | Asset Id |
Asset - Name | Domain |
Asset - First Observation Date | First Seen |
Asset - Last Observed At | Last Seen |
Asset - Webapp Homepage Screenshot Url | Domain |
Asset - External Tags |
tags Organizations Technical Owner Business Units Asset Type |
Asset Custom Attributes |
type score: Security Score grade: Security Grade hosting discoverability attractiveness technical_owner organizations |
Finding Mapping
Tenable Exposure Management UI Field |
CyCognito Field |
---|---|
Unique Identifier | Asset Id + id + issue_id |
Finding Name | title |
CVEs | issue_id |
Severity Driver |
enhanced_severity_score or severity_score |
Description | summary |
First Seen | first_detected |
Last seen (Observed) | last_detected |
Finding Custom Attributes |
investigation_status evidence issue_type issue_id status: issue_status severity severity_score base_score: base_severity_score locations confidence exploitation_availability attacker_interest underground_activit detection_complexity potential_threat potential_impac references |
Finding Status Mapping
Tenable Exposure Management Status |
CyCognito Status |
---|---|
Active |
Al other statuses |
Fixed |
issue-removed |
Note:For CyCognito, Exposure Management uses the issue_status field to determine finding status.
Finding Severity Mapping
Tenable Exposure Management Severity |
CyCognito Score |
---|---|
Critical |
9-10 |
High |
7-8 |
Medium |
4-6 |
Low |
1-3 |
None |
0 |
Note:For CyCognito, Exposure Management uses the severity_score field to determine severity. If severity_score is not available, Exposure Management uses the enhanced_severity_score field from the connector, if provided.
Status Update Mechanisms
Every day, Tenable Exposure Management syncs with the vendor's platform to receive updates on existing findings and assets and to retrieve new ones (if any were added).
The table below describes how the status update mechanism works in the connector for findings and assets ingested into Tenable Exposure Management.
Update Type in Exposure Management |
Mechanism (When?) |
---|---|
Archiving Assets |
|
Change a Finding status from "Active" to "Fixed" |
|
Uniqueness Criteria
Tenable Exposure Management uses defined uniqueness criteria to determine whether an ingested asset or finding should be recognized as a distinct record. These criteria help define how assets and findings are identified and counted from each connector.
Tip: Read all about Third-Party Data Deduplication in Tenable Exposure Management
The uniqueness criteria for this connector are as follows:
Data |
Uniqueness Criteria |
---|---|
Asset |
Asset Id |
Finding |
Asset Id + id + issue_id |
Detection | issue_id |
Support Limitations and Expected Behavior
This section outlines any irregularities, expected behaviors, or limitations related to integration of the connector and Exposure Management. It also highlights details about ingested and non-ingested data to clarify data handling and functionality within this integration.

Asset types are ingested based on user configuration. The supported asset types are:
-
Domains
-
IP Addresses
-
Web Applications
Certificates are not supported and are not ingested.

Assets are archived based on their status and user input. Available status values include:
-
Normal
-
New
-
Changed
-
Removed
-
N/A
By default, only assets marked as Removed are archived.

-
Findings with an investigation_status of archived or resolved are not ingested.
-
Findings with an investigation_status of investigated, uninvestigated, or investigating are ingested and considered vulnerable.

You may observe differences in the number of findings between CyCognito and Exposure Management due to differences in data association logic:
-
Exposure Management includes only findings that are directly linked to an asset.
-
CyCognito includes findings associated with linked assets.
Example:
If a domain has an IP address mapped to it, and both the domain and the IP each have a distinct finding:
-
In Exposure Management, these will appear as two separate assets, each with its own associated finding.
-
In CyCognito, both the domain and the IP will be treated as linked assets, and both findings will appear for both assets.
This behavior can result in a higher findings count in CyCognito compared to Tenable.
API Endpoints in Use
API version: v1
https://api.platform.cycognito.com/v1/assets/ip |
Test Connectivity |
https://api.platform.cycognito.com/v1/issues |
Test Connectivity |
https://api.platform.cycognito.com/v1/export/request/webapp |
Generate asset report |
https://api.platform.cycognito.com/v1/export/request/domain | Generate asset report |
https://api.platform.cycognito.com/v1/export/request/ip | Generate asset report |
https://api.platform.cycognito.com/v1/export/get | Get reports, Assets |
https://api.platform.cycognito.com/v1/issues |
Findings |
Data Validation
This section shows how to validate and compare data between Tenable Exposure Management and the CyCognito platform.
Asset Data Validation
Objective: Ensure the number of assets in CyCognito aligns with the number of assets displayed in Tenable Exposure Management.
In CyCognito:
-
Navigate to the Assets List > view.
-
Filter by Asset type to validate each category:
-
Web Application: Select Web Application in the Asset type filter, then hover over the asset count to view the exact number.
-
Domain: Select Domain in the Asset type filter, then hover over the asset count to view the exact number.
-
IP Address: Select IP Address in the Asset type filter, then hover over the asset count to view the exact number.
-
In Tenable Exposure Management:
-
Compare the total number of assets between CyCognito and Tenable Exposure Management.
Expected outcome: The number of assets shown in CyCognito and Exposure Management should match by asset type.
If an asset is not visible in Exposure Management, check the following conditions:
-
The asset was archived based on the last observed date (last seen).
-
The asset was archived based its status.
-
The asset was archived because it did not return in the connector's next sync.
Tip: To learn more on how assets and findings change status, see Status Update Mechanisms.
Finding Data Validation
Objective: Ensure that the number of findings in CyCognito aligns with the number of findings in Exposure Management.
In CyCognito:
-
Navigate to the Assets List and select an asset.
-
I n the right panel, review the Issue List section.
-
Click Explore further issues in list to view the complete issue count for that asset.
You are redirected to the Issues screen, filtered automatically for the selected asset.
In Tenable Exposure Management:
-
Compare the total number of findings between CyCognito and Tenable Exposure Management.
Expected outcome: The total numbers returned in CyCognito and Exposure Management should match
If a finding is missing from Exposure Management or no longer active, check the following conditions:
-
The finding is marked as Fixed and appears under the Fixed state on the Findings screen
-
The finding no longer appears because its related asset was archived.
Tip: To learn more on how assets and findings are archived or change status, see Status Update Mechanisms.