# Shadowspot Incidents
Each exposure or vulnerability discovered by Shadowspot is surfaced as an incident in the CyberXTron platform. This page covers how to access, manage, and remediate Shadowspot incidents.
## Viewing Incidents
### Via Dashboard
Navigate to Shadowspot → Incidents in the CyberXTron dashboard to see all findings. Filter by:
- Severity
- Finding type (exposed service, CVE, certificate, misconfiguration, etc.)
- Asset
- Status (Open, In Progress, Resolved)
### Via API
```bash
# List all Shadowspot findings
curl \
  -H "XTRON-ORG-KEY: your_org_key" \
  -H "XTRON-ORG-SECRET: your_org_secret" \
  "https://incidents.cyberxtron.com/api/v1/shadowspot/findings"

# Filter by domain and severity
curl \
  -H "XTRON-ORG-KEY: your_org_key" \
  -H "XTRON-ORG-SECRET: your_org_secret" \
  "https://incidents.cyberxtron.com/api/v1/shadowspot/findings?domain=example.com&severity=Critical&status=Open"
```
→ Full Incidents API Reference
## Incident Types
### Exposed Service
A sensitive service is accessible from the internet without adequate access controls.
Common examples:
- Database ports open to the internet (MongoDB, Redis, Elasticsearch, MySQL)
- Administrative interfaces accessible without VPN (Kubernetes dashboard, Grafana, Jenkins)
- Development environments reachable publicly
Response:
- Confirm the exposure is real and unintentional
- Restrict access using firewall rules or move behind VPN/bastion
- Check access logs for unauthorized access during the exposure window
- Rotate any credentials that may have been accessible
### Subdomain Takeover
A subdomain is pointing to a resource (cloud service, CDN, etc.) that no longer exists, making it susceptible to takeover by an attacker who registers the orphaned resource.
Response:
- Verify the subdomain is genuinely vulnerable
- Either delete the DNS record or re-create the cloud resource it points to
- Prioritize — subdomain takeovers can be used for phishing and session hijacking
### Certificate Issue
An SSL/TLS certificate is expired, expiring soon, or served with deprecated protocol versions.
Response:
- Expired: Renew immediately; expired certs cause browser warnings for all visitors
- Expiring in fewer than 30 days: Schedule renewal this week
- Weak protocols (TLS 1.0/1.1): Disable in server configuration; update to TLS 1.2 or higher
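The expiry thresholds and protocol guidance above, worked through in Python as an added example (this is not Shadowspot or CyberXTron code). It assumes the `notAfter` date format that Python's `ssl.getpeercert()` returns, treats the `30` day boundary exactly as stated above, and uses `example.com` only as a placeholder hostname for the live check.

```python
# Added example (not Shadowspot or CyberXTron code): classify a certificate's
# expiry against the thresholds above and inspect a host's negotiated protocol.
import math
import socket
import ssl
import time
from typing import Optional

EXPIRING_SOON_DAYS = 30                          # "expiring in fewer than 30 days"
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}   # names as reported by SSLSocket.version()


def days_until_expiry(not_after: str, now_epoch: Optional[float] = None) -> int:
    """Whole days until the certificate's notAfter date (negative once expired).

    not_after uses the format ssl.getpeercert() returns, e.g. "Jun 15 12:00:00 2026 GMT".
    """
    now_epoch = time.time() if now_epoch is None else now_epoch
    return math.floor((ssl.cert_time_to_seconds(not_after) - now_epoch) / 86400)


def classify_expiry(not_after: str, now_epoch: Optional[float] = None) -> str:
    """Map remaining lifetime onto the three response buckets from the guidance above."""
    remaining = days_until_expiry(not_after, now_epoch)
    if remaining < 0:
        return "expired"
    if remaining < EXPIRING_SOON_DAYS:
        return "expiring_soon"
    return "ok"


def is_weak_protocol(version: Optional[str]) -> bool:
    """True for TLS 1.0/1.1 (and SSLv3), which the guidance says to disable."""
    return version in WEAK_PROTOCOLS


def check_host(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect once and report the negotiated protocol plus the expiry class.

    Network call, so it is not part of the offline test. On Python 3.10+ the
    default context already refuses protocols below TLS 1.2, so an SSLError
    on handshake is itself a reason to inspect the server configuration.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            version = tls.version()
            return {
                "protocol": version,
                "weak_protocol": is_weak_protocol(version),
                "not_after": cert["notAfter"],
                "expiry": classify_expiry(cert["notAfter"]),
            }


def hardened_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Server-side context implementing the fix: refuse anything below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    import sys
    # Placeholder host; pass the affected asset from the finding as argv[1].
    print(check_host(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

`days_until_expiry` floors, so a certificate that expired an hour ago already reports `-1` and lands in the "expired" bucket rather than being rounded up to "expires today"; a certificate with exactly 30 days left is "ok", matching the "fewer than 30 days" wording above.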
### Known CVE
A software version with a known CVE is running on a discovered asset.
Response:
- Check the CVE details to understand exploitability and impact
- Determine if the service is actually exploitable in your environment
- Apply the vendor patch or upgrade to a non-vulnerable version
- If patching is delayed, apply compensating controls (WAF rule, network restriction)
### Cloud Storage Misconfiguration
A cloud storage bucket (S3, GCS, Azure Blob) is publicly accessible.
Response:
- Immediately review the bucket contents — determine if sensitive data is exposed
- Remove public access permissions
- Enable access logging on the bucket
- If sensitive data was exposed, initiate your data breach response procedure
## Finding Fields
| Field | Type | Description |
|---|---|---|
| id | integer | Unique numeric ID |
| title | string | Short description of the finding |
| taskKey | string | Ticket key (e.g., SSINC-456) |
| status_statusCd | string | Open, In Progress, Closed |
| severity_label | string | Critical, High, Medium, Low |
| category_name | string | Finding category |
| taskType_name | string | Specific finding type |
| description | string | Full details |
| domain | string | Affected domain |
| assets | string | Affected asset (host, IP, port) |
| url | string | Affected URL |
| cvss | string | CVSS score |
| epss | string | EPSS exploitation probability score |
| ransomware_exploited_cve | string | Whether this CVE is exploited by ransomware groups |
| in_the_wild | string | Whether the vulnerability is actively exploited |
| impact | string | Impact description |
| remediation | string | Remediation steps |
| verification_details | string | Evidence and confirmation details |
| createdDt | integer | Creation Unix timestamp |
| updatedDt | integer | Last update Unix timestamp |
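The API calls from the "Via API" section and the field table above, combined into a small triage client as an added example (not CyberXTron's own client library). It assumes the findings endpoint returns a JSON array of objects carrying the fields listed in the table, that `in_the_wild` and `ransomware_exploited_cve` are yes/no strings, and that the `Accept` header is harmless; the scoring weights are this example's own choice, not a CyberXTron ranking. Check the Incidents API Reference for the exact response envelope before relying on it.

```python
# Added example, not CyberXTron's own client. Assumes the findings endpoint
# returns a JSON array of finding objects carrying the fields listed above; the
# response envelope and the literal values of the yes/no fields are assumptions.
import json
import urllib.parse
import urllib.request
from typing import Optional

FINDINGS_URL = "https://incidents.cyberxtron.com/api/v1/shadowspot/findings"
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


def build_request(org_key: str, org_secret: str, **filters: Optional[str]) -> urllib.request.Request:
    """GET request with the org key/secret headers and optional query filters
    (domain, severity, status), matching the curl calls above."""
    params = {k: v for k, v in filters.items() if v is not None}
    url = FINDINGS_URL + ("?" + urllib.parse.urlencode(params) if params else "")
    return urllib.request.Request(url, headers={
        "XTRON-ORG-KEY": org_key,
        "XTRON-ORG-SECRET": org_secret,
        "Accept": "application/json",
    })


def fetch_findings(org_key: str, org_secret: str, **filters: Optional[str]) -> list:
    """Network call; the offline sample below stands in for the real response."""
    with urllib.request.urlopen(build_request(org_key, org_secret, **filters), timeout=30) as resp:
        return json.load(resp)


def _number(value, default: float = 0.0) -> float:
    """cvss and epss arrive as strings and may be empty for non-CVE findings."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return default


def _flag(value) -> bool:
    """Assumed encoding of the yes/no string fields (in_the_wild, ransomware_exploited_cve)."""
    return str(value).strip().lower() in {"yes", "true", "1"}


def triage_score(finding: dict) -> float:
    """Higher means fix first: severity label dominates, then the exploitation
    flags, then EPSS (0..1 scaled to 0..10) and CVSS (0..10) as tie-breakers."""
    score = SEVERITY_RANK.get(finding.get("severity_label"), 0) * 100.0
    if _flag(finding.get("in_the_wild")):
        score += 50
    if _flag(finding.get("ransomware_exploited_cve")):
        score += 30
    score += _number(finding.get("epss")) * 10
    score += _number(finding.get("cvss"))
    return score


def prioritize(findings: list) -> list:
    """Open findings only (Closed ones, e.g. accepted risk, are skipped), best-first."""
    open_only = [f for f in findings if f.get("status_statusCd") == "Open"]
    return sorted(open_only, key=triage_score, reverse=True)


# Constructed sample response, shaped after the field table above (not real data).
SAMPLE_FINDINGS = [
    {"id": 101, "taskKey": "SSINC-101", "status_statusCd": "Open", "severity_label": "High",
     "taskType_name": "Known CVE", "domain": "example.com", "assets": "203.0.113.10:443",
     "cvss": "8.8", "epss": "0.91", "in_the_wild": "Yes", "ransomware_exploited_cve": "Yes"},
    {"id": 102, "taskKey": "SSINC-102", "status_statusCd": "Open", "severity_label": "Critical",
     "taskType_name": "Exposed Service", "domain": "example.com", "assets": "203.0.113.11:27017",
     "cvss": "", "epss": "", "in_the_wild": "No", "ransomware_exploited_cve": "No"},
    {"id": 103, "taskKey": "SSINC-103", "status_statusCd": "Closed", "severity_label": "Critical",
     "taskType_name": "Exposed Service", "domain": "example.com", "assets": "203.0.113.12:443",
     "cvss": "", "epss": "", "in_the_wild": "No", "ransomware_exploited_cve": "No"},
    {"id": 104, "taskKey": "SSINC-104", "status_statusCd": "Open", "severity_label": "Medium",
     "taskType_name": "Certificate Issue", "domain": "example.com", "assets": "www.example.com:443",
     "cvss": "", "epss": "", "in_the_wild": "No", "ransomware_exploited_cve": "No"},
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f['taskKey']:<10} {f['severity_label']:<8} {f['taskType_name']:<20} "
              f"score={triage_score(f):.1f}")
```

Run against the sample, the Critical exposed service (SSINC-102) ranks ahead of the High CVE even though the CVE is exploited in the wild, because the label is weighted above the flags; swap the weights in `triage_score` if your programme treats in-the-wild exploitation as the first cut. The Closed finding never appears, which mirrors how Closed findings drop out of alerting.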
## Accepting Risk
If a finding is intentional (e.g., a publicly accessible service that is by design), you can mark it as Closed via the CyberXTron dashboard under Shadowspot → Findings → [finding] → Update Status, and add a note explaining the accepted risk.
Closed findings are excluded from active alerting for that specific asset and finding type combination.