Threat investigations rely on context to provide security teams with a clear picture of potential risks. This context comes from various sources, including telemetry, alert data, business impact, and risk assessments. One critical aspect of risk assessment is identifying open vulnerabilities on affected systems. This can help security teams determine whether known vulnerabilities are relevant to an active incident and how best to mitigate them.
To enhance the vulnerability discovery process, Cado Security has integrated vulnerability scanning into its investigation pipeline. This new capability enables automated full-disk vulnerability scanning, providing security teams with comprehensive visibility into risks hidden within forensic evidence.
The Need for Full-Disk Vulnerability Discovery
When responding to security incidents, analysts must assess the risk profile of affected systems. Traditional approaches to vulnerability scanning focus on live systems, but forensic investigations require analyzing offline disk images or extracted file systems. Without automated tools to scan these full-disk acquisitions, teams may struggle to identify known vulnerabilities linked to an incident.
By integrating vulnerability scanning as a pipeline step, the Cado Platform allows vulnerability detection to happen automatically during the analysis of imported evidence. This provides analysts with:
- Immediate visibility into known vulnerabilities on compromised systems.
- Correlation between detected threats and software vulnerabilities.
- Actionable intelligence to support remediation and post-incident recovery.
How Vulnerability Scanning Enhances Investigations
Automated Vulnerability Detection
Currently, the Cado platform supports scanning entire Linux file systems for vulnerabilities, making it an ideal tool for analyzing full-disk Linux acquisitions and Cado Host captures. Once an acquisition is imported into Cado, the platform automatically scans the disk image or extracted folder, identifying security weaknesses within installed packages.
Key Benefits
- Seamless Pipeline Integration: Runs automatically on supported imports without requiring manual setup.
- Context-Rich Analysis: Helps analysts correlate vulnerabilities with detected threats.
- Supports Offline Investigations: Analyzes forensic disk images, not just live systems.
Data Acquisition in Cado
The vulnerability discovery feature can be run as part of an acquisition, or via a faster ‘Scan only’ mode.
A fast vulnerability scan being performed on the acquired evidence
Once the acquisition has completed, the user will have access to a ‘Vulnerabilities’ table within their investigation, where they are able to view and filter open vulnerabilities (by Severity, CVE ID, Resource, and other properties), as well as pivot to the full Event Timeline. In the Event Timeline, the user can identify whether there is any malicious, suspicious, or otherwise interesting activity surrounding the vulnerable package, since the unified timeline presents a complete chronological dataset of all evidence and context collected.
Vulnerabilities discovered on the acquired evidence
Pivoting from the Vulnerabilities table to the Event Timeline provides an in-depth view of the file and process data associated with the selected vulnerable package; in this example, Apache2.
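To make the two steps above concrete (enumerating the packages installed on an acquired Linux filesystem, then filtering findings by severity and advisory ID), here is an added Python example. It is not Cado's code and makes no claim about how the platform implements its scan. It parses a constructed excerpt of a Debian/Ubuntu dpkg status file as it would be read from an offline mount point, compares installed versions against a constructed advisory list with placeholder identifiers using Debian's version-ordering rules, and reports packages whose installed version is older than the fixed version. The mount path, status excerpt, and advisory entries are all assumptions for illustration.

```python
import re

# Constructed excerpt of /var/lib/dpkg/status from an acquired Debian/Ubuntu
# root filesystem. On a real acquisition read it from the mount point, e.g.
# open("/mnt/evidence/var/lib/dpkg/status") (assumed path, never chroot into it).
SAMPLE_DPKG_STATUS = """\
Package: apache2
Status: install ok installed
Version: 2.4.52-1ubuntu4
Description: Apache HTTP Server
 Continuation lines of multi-line fields start with whitespace.

Package: openssl
Status: install ok installed
Version: 3.0.2-0ubuntu1.10

Package: oldtool
Status: deinstall ok config-files
Version: 1.0-1
"""

# Constructed advisory feed. The IDs are placeholders, not real CVE numbers.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "apache2", "fixed_version": "2.4.52-1ubuntu4.5", "severity": "High"},
    {"id": "ADV-EXAMPLE-0002", "package": "openssl", "fixed_version": "3.0.2-0ubuntu1.10", "severity": "High"},
    {"id": "ADV-EXAMPLE-0003", "package": "oldtool", "fixed_version": "1.0-2", "severity": "Low"},
]

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


def parse_dpkg_status(text):
    """Return {package: version} for packages whose Status ends in 'installed'."""
    installed = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace() or ":" not in line:
                continue  # skip continuation lines of multi-line fields
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        # 'deinstall ok config-files' means removed but config left behind: not installed
        if "Package" in fields and fields.get("Status", "").endswith("installed"):
            installed[fields["Package"]] = fields.get("Version", "")
    return installed


def _order(c):
    # Debian ordering for non-digit characters: '~' sorts before everything
    # (even end of string), letters before non-letters.
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_part(a, b):
    """Compare one version component (upstream or revision) per dpkg rules."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(0), re.match(r"[^0-9]*", b).group(0)
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i]) if i < len(na) else 0
            ob = _order(nb[i]) if i < len(nb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(0), re.match(r"[0-9]*", b).group(0)
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def dpkg_version_cmp(v1, v2):
    """Return -1, 0 or 1 comparing two Debian version strings ([epoch:]upstream[-revision])."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, rev = rest.rpartition("-")
        if not sep:
            upstream, rev = rest, ""
        return int(epoch), upstream, rev

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)


def find_vulnerable(status_text, advisories, min_severity=None):
    """Match installed packages against advisories; optionally filter by minimum severity."""
    inventory = parse_dpkg_status(status_text)
    floor = SEVERITY_RANK.get(min_severity, 0) if min_severity else 0
    findings = []
    for adv in advisories:
        installed = inventory.get(adv["package"])
        if installed is None or SEVERITY_RANK.get(adv["severity"], 0) < floor:
            continue
        if dpkg_version_cmp(installed, adv["fixed_version"]) < 0:
            findings.append({"id": adv["id"], "package": adv["package"], "installed": installed,
                             "fixed": adv["fixed_version"], "severity": adv["severity"]})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_DPKG_STATUS, SAMPLE_ADVISORIES):
        print(f"{f['severity']:<8} {f['id']:<18} {f['package']} {f['installed']} (fixed in {f['fixed']})")
```

Two caveats a practitioner would apply before trusting such output: a version-only comparison over-reports when a distribution backports a fix without changing the upstream version, so the advisory feed must be the distribution's own tracker rather than upstream ranges; and RPM-based systems keep their inventory in the rpm database rather than a text status file, so the parser above only covers dpkg-based images.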
The integration of vulnerability scanning into Cado’s pipeline represents a significant advancement in the platform. By automating vulnerability detection on full-disk Linux acquisitions, security teams gain deeper insights into risks that may be influencing an active incident. While challenges remain—such as Windows support and vulnerability-to-file mapping—ongoing research aims to address these gaps, ensuring even greater investigative clarity.
With this enhancement, Cado Security continues to bridge the gap between forensic evidence and proactive risk mitigation, empowering analysts to uncover threats hidden in plain sight.