
Quick Start Security for GCP Security Command Center Findings


Coralogix Extension For GCP Security Command Center Findings Includes:

Alerts - 5

Stay on top of GCP Security Command Center Findings key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

GCP Security Command Center - Critical Severity Finding

A critical vulnerability is easily discoverable and can be exploited to directly execute arbitrary code, exfiltrate data, and otherwise gain additional access and privileges in cloud resources and workloads. Examples include publicly accessible user data and public SSH access with weak or no passwords.

A critical threat is able to access, modify, or delete data, or execute unauthorized code within your existing resources.

A critical SCC error class finding means any of the following: a configuration error prevents Security Command Center from generating new findings of any severity; a configuration error prevents you from seeing all of a service's findings; or a configuration error prevents attack path simulations from generating attack exposure scores and attack paths.

GCP Security Command Center - High Severity Finding

A high-risk vulnerability is easily discoverable and could be exploited together with other vulnerabilities to gain direct access to execute arbitrary code or exfiltrate data, and to gain additional access and privileges to resources and workloads. For example, a database that has weak or no passwords and is only accessible internally could be compromised by an actor who has access to the internal network.

A high-risk threat is able to create computational resources in an environment, but is not able to access data or execute code in existing resources.

A high-risk SCC error class finding indicates that a configuration error is causing any of the following issues: you cannot see or export some of a service's findings; or, for attack path simulations, the attack exposure scores and attack paths might be incomplete or inaccurate.

GCP Security Command Center - Unknown Severity Finding

A low-risk vulnerability hampers a security team's ability to detect vulnerabilities or active threats in their deployment, or prevents the root cause investigation of security issues. For example, a scenario in which monitoring and logs are disabled for resource configurations and access. A low-risk threat has obtained minimal access to an environment, but isn't able to access data, execute code, or create resources.

GCP Security Command Center - Medium Severity Finding

A medium-risk vulnerability could allow an actor to gain access to resources or privileges that enable them to eventually gain access and the ability to exfiltrate data or execute arbitrary code. For example, if a service account has unnecessary access to projects and an actor gains access to the service account, the actor could use that service account to manipulate a project. A medium-risk threat could lead to a more severe issue, but might not indicate current data access or unauthorized code execution.

GCP Security Command Center - Low Severity Finding

A low-risk vulnerability hampers a security team's ability to detect vulnerabilities or active threats in their deployment, or prevents the root cause investigation of security issues. For example, a scenario in which monitoring and logs are disabled for resource configurations and access. A low-risk threat has obtained minimal access to an environment, but isn't able to access data, execute code, or create resources.

Integration

Learn more about Coralogix's out-of-the-box integration with GCP Security Command Center Findings in our documentation.
