Risk Center Guide
Last updated: 2026-04-29
Status: Stable
Purpose
The Risk Center is the CISO's primary workspace in URIP. It answers one question: Where is my organisation most exposed today?
The Risk Center comprises six interconnected views, all drawing from the same normalised risk data layer.
Views
1. Risk Dashboard (/dashboard.html)
The executive summary view. Load this first every morning.

What to do on the dashboard:
1. Check the SLA Banner (top) — if it's red, you have overdue critical risks
2. Scan the KPI strip — Total / Critical / High / Medium / Low / KEV counts
3. Review the Top 10 Risks table — these are your highest-composite-score open findings
4. Check Connector Health — any red indicators mean data is not flowing; fix immediately
Export: Click the Export button (top right) to generate a PDF dashboard snapshot for board reporting.
Pitfalls:
- Dashboard KPIs are cached for 5 minutes. Use the Refresh button to force-update.
- Connector health "degraded" is not an emergency — it usually means rate-limited. "Error" requires action.
2. Risk Overview (/risk-overview.html)
Executive risk narrative view. Used for board decks and QBRs.

Key panels:
- Composite Risk Trend — 30/60/90-day composite score trend. Rising = worsening posture.
- Risk by Domain — Stacked bar showing which security domain carries the most risk
- Top 5 Assets at Risk — Assets with the highest aggregate risk score across all findings
- EPSS Distribution — What percentage of your open CVEs have EPSS > 0.5 (high exploit probability in next 30 days)
See also: USER_GUIDE.md — Risk Overview
3. Risk Register (/risk-register.html)
The full working list. This is where analysts spend most of their time.

Step-by-step: Triaging a new finding
- Navigate to /risk-register.html
- Sort by Score (descending) — default
- Click the highest-score finding
- In the detail drawer, read:
  - EPSS probability — if > 0.50, treat as urgent regardless of CVSS
  - KEV flag — if present, treat as top priority
  - MITRE ATT&CK — which threat actor groups exploit this
  - Affected asset — is it T1 (production) or T4 (lab)?
- Set status: Assign the finding to the relevant team member with a due date
- If the risk cannot be remediated: click Accept Risk and provide justification
Bulk operations:
- Check multiple rows → Bulk Assign → select user → set due date → Apply
- Check multiple rows → Bulk Accept → enter a shared justification → set review date → Apply — useful for accepting a batch of low-severity risks on non-production assets
- Use Export to download the filtered list as CSV for reporting
Complex filtering cookbook:
Use multiple filters together to triage precisely:
| Scenario | Filters to apply |
|---|---|
| "Show me critical KEV-flagged risks on T1 assets in the Cloud domain" | Severity = Critical; KEV = Yes; Asset Tier = T1; Domain = Cloud |
| "Show me everything assigned to my team that is overdue" | Assigned to = [team member]; Status = Open; Due date = Past |
| "Show me high EPSS risks on endpoints that nobody has claimed" | Severity = High; Domain = Endpoint; Assigned to = Unassigned; EPSS > 0.5 |
| "Show me risks from a specific connector that appeared this week" | Source = [connector]; Date range = Last 7 days |
Viewing the audit trail for a specific risk:
1. Open any risk in the Risk Register
2. In the detail drawer, scroll to the Activity tab
3. You see a chronological list of every action on this risk: who created it, who assigned it, who accepted it, what justification was given, when the status changed, and every comment
4. This is drawn from the immutable audit log — it cannot be edited or deleted
Can two people edit the same risk simultaneously? Yes. URIP uses last-write-wins: the most recent save is kept. Both versions are preserved in the audit log, so you can always see what the other person changed.
Keyboard shortcuts:
- ? — open keyboard help
- / — jump to filter search
4. Threat Intelligence (/threat-map.html)
Live view of threats relevant to your organisation.

Using the threat map:
1. Toggle My Assets Only to filter the map to IOCs matching your connected assets
2. Click a map marker to see the associated pulse or threat actor
3. The Feed Panel (right) shows chronological threat events:
   - New KEV entries — check if they match your open risks immediately
   - EPSS spikes — a CVE's exploit probability jumping means a new exploit kit landed
   - OTX pulses matching your assets' IPs or domains
Intelligence feeds:
| Feed | What it tells you |
|---|---|
| FIRST.org EPSS | Probability score (0–1) that a CVE will be exploited in the next 30 days |
| CISA KEV | Binary: is this CVE being actively exploited right now? |
| MITRE ATT&CK | Which threat actor groups exploit each CVE |
| AlienVault OTX | Real-time IOC matches against your asset IP/domain list |
Action: When the feed shows a new KEV entry, immediately check the Risk Register filtered by that CVE.
5. Remediation Tracker (/remediation-tracker.html)
SLA-enforced view of in-flight remediation work.

Daily workflow:
1. Sort by Days Remaining (ascending) — shows what's about to breach SLA first
2. Filter by Overdue only — address these first
3. For each overdue risk: contact the assignee or escalate via the Comment button
4. For risks that are resolved: click Mark Resolved → status moves to "Pending Retest"
Auto-Remediation (when configured):
- Click Auto-Remediate on a risk
- Select executor (CrowdStrike RTR / Ansible / Fortinet / CyberArk)
- Review the Implication Check — what else might be affected
- Click Approve to trigger execution
- Monitor status in the remediation job list
SLA configuration: Default SLAs (Critical: 7d, High: 30d, Medium: 90d, Low: 180d) are configurable at /admin-scoring.html.
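The triage rules from the Risk Register section and the default SLAs above can be applied offline to an exported list. This is an added example, not URIP code: the CSV column names, the `triage` function, and starting the SLA clock at `first_seen` are assumptions, not documented URIP behaviour.

```python
import csv
import io
from datetime import date, timedelta

# Default SLAs from this guide, in days (configurable at /admin-scoring.html).
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}

# Constructed sample standing in for a Risk Register CSV export.
# Column names are assumptions, not URIP's documented export schema.
SAMPLE_CSV = """id,severity,epss,kev,asset_tier,first_seen,status
R-1,Medium,0.72,No,T1,2026-01-10,Open
R-2,Critical,0.10,Yes,T1,2026-04-25,Open
R-3,High,0.20,No,T4,2026-03-01,Open
R-4,Low,0.05,No,T4,2026-04-01,Open
R-5,High,0.91,Yes,T4,2026-04-20,Accepted
"""


def triage(csv_text, today):
    """Order open findings: KEV first, then EPSS > 0.50, then everything else."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["status"].strip().lower() != "open":
            continue  # accepted or resolved findings are out of scope here
        severity = row["severity"].strip().capitalize()
        if severity not in SLA_DAYS:
            raise ValueError(f"{row['id']}: unknown severity {row['severity']!r}")
        epss = float(row["epss"])
        if not 0.0 <= epss <= 1.0:
            raise ValueError(f"{row['id']}: EPSS {epss} is outside 0-1")
        kev = row["kev"].strip().lower() == "yes"
        # Guide's rule: KEV is top priority; EPSS > 0.50 is urgent whatever the severity.
        bucket = 0 if kev else 1 if epss > 0.50 else 2
        # Assumption: the SLA clock starts on first_seen.
        due = date.fromisoformat(row["first_seen"]) + timedelta(days=SLA_DAYS[severity])
        findings.append({
            "id": row["id"], "bucket": bucket, "tier": row["asset_tier"].strip(),
            "due": due, "days_remaining": (due - today).days, "overdue": due < today,
        })
    # Inside a bucket: T1 (production) before T4 (lab), then nearest SLA breach first.
    findings.sort(key=lambda f: (f["bucket"], f["tier"], f["days_remaining"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV, date(2026, 4, 29)):
        print(f["id"], f"bucket={f['bucket']}", f["tier"], f["due"], f["days_remaining"])
```

In the sample, the Medium finding R-1 outranks the High finding R-3 because its EPSS is above 0.50, and both are already past their SLA date.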
6. Risk Acceptance (/acceptance-workflow.html)
Formal workflow for risks that cannot be remediated.
When to accept a risk:
- Legacy system that cannot be patched (e.g., Windows XP air-gapped PLC)
- Vendor dependency that is outside your control
- Risk appetite decision (risk is below your defined threshold)
Acceptance is NOT:
- A way to hide risks from compliance controls
- Permanent — all acceptances expire and auto-reopen
Step-by-step:
1. From Risk Register, click Accept Risk on the relevant finding
2. Write a clear justification (auditors will read this)
3. Set a review date (max 1 year for Critical, max 2 years for High)
4. Optionally list compensating controls in place
5. Submit — the acceptance is logged in the immutable audit trail
Accepted risks and compliance: Accepted risks still appear as failing compliance controls. A risk acceptance is not equivalent to a control pass. If a control is failing due to an accepted risk, you must add a control-level note explaining the business justification.