There are two types of assessments that can be created:
This is our complete assessment. It covers:
  1. Network scanning (Internal & External)
  2. Application scanning (cloud apps & desktop apps)
  3. Data Security - PII detection on systems
  4. Identity & Access Management
  5. Password management
  6. M365 Security
External Scans:
  • Installation: 2 min
  • Scanning: 10-15 min
Risk Assessment:
  • Installation: 10 mins
  • Scanning: 2-3 hours
Please refer to this document for more details on the different steps needed to complete the different Risk Assessments.
You can add an IP/domain to an external scan by going to “Targets” > “Add Target” (top right) to add an IP address or additional domains.
For a Risk Assessment or an External Scan, click on the “Archive” button in the top right corner to archive the assessment. The assessment will not show up on your dashboard. For a Risk Assessment, note that archiving will uninstall the Telivy scanners from any assets on which they are installed.
The ‘Rescan All’ feature deploys all the scans to refresh data. This includes:
  • Vulnerabilities
  • PII
  • Credential analysis
  • Risky Applications
  • Microsoft 365
  • External Attack Surface
  • Asset Inventory
For External Scans, under the “Security” tab, navigate to “Targets” and click on “Add Target” to add either an external IP address or another domain. For Risk Assessments, under the “Assets” tab, navigate to “Domain/IP Address” and click on “Add Target” to add either an external IP or another domain.
You can add an external scan by going to “Assets” > “Domain / IP Addresses” > “Add Target” (top right) and then you can add an IP address or additional domains.
We offer two options for every assessment.
  1. Agent
  • You can deploy rapidly using your RMM
  • You can leave Telivy deployed and “rescan” on demand
  • You will generate the most comprehensive data
  • You can convert a CSRA to “Monitoring” where Telivy will rescan and help build risk-over-time charts and graphs
  • With Monitoring you can also set policies and receive alerts when a policy is violated
  2. Agentless (Non Agent)
  • Recommended for new clients as it does not require any installation or uninstallation
  • A link to the executable can be sent by email, which is very useful for prospecting when you don’t have an RMM set up on the devices to install the agent
  • It tries to run as admin; if permission is not granted, it runs as non-admin
  • Non-admin scan limitations:
    • PII scan done only for files accessible by the local user
    • Browser history and passwords captured only for the local user
Telivy combines three sources to make vulnerability findings both complete and actually prioritizable:
  • The CVE Program (cvelistV5), the authoritative CVE catalog published by the CNAs through MITRE, is synced nightly into Telivy’s vulnerability database. This is the same upstream source NVD ingests from, so Telivy’s coverage tracks new and updated CVEs within 24 hours of upstream publication.
  • Vulners (executed via the Nmap vulners script) handles scan-time correlation. When the network or agent scanner fingerprints a service or installed software version, Vulners maps that fingerprint to the CVEs that affect it, including signal about whether public exploits exist.
  • EPSS (Exploit Prediction Scoring System) is pulled daily and stored per CVE. EPSS scores represent the probability of a CVE being exploited in the next 30 days and drive Telivy’s prioritization, so partners can sort by what’s likely to be hit instead of by CVSS alone.
NVD is used for the human-readable detail link on each finding (nvd.nist.gov/vuln/detail/CVE-...), not as the bulk feed Telivy ingests from. For a deeper walkthrough you can hand to a client or auditor, see Vulnerability Data Sources.
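The effect of sorting by EPSS instead of CVSS alone can be seen in the following added example, which is not Telivy's implementation. It assumes an EPSS feed in the layout of the public daily CSV (a `#` metadata line, then `cve,epss,percentile`); the CVE IDs are placeholders and every score is constructed.

```python
import csv
import io

# Constructed sample in the layout of the public EPSS daily CSV:
# one '#' metadata line, a header row, then one row per CVE.
# CVE IDs are placeholders and the scores are made up.
EPSS_CSV = """#model_version:v0000.00.00,score_date:2000-01-01T00:00:00+0000
cve,epss,percentile
CVE-0000-0001,0.00120,0.45000
CVE-0000-0002,0.93400,0.99800
CVE-0000-0003,0.04100,0.91000
"""

# Constructed scan findings: asset, CVE and CVSS base score.
FINDINGS = [
    {"asset": "web01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"asset": "db01", "cve": "CVE-0000-0002", "cvss": 7.5},
    {"asset": "web01", "cve": "CVE-0000-0003", "cvss": 8.1},
    {"asset": "hr-laptop", "cve": "CVE-0000-0004", "cvss": 6.5},  # no EPSS row yet
]


def load_epss(text):
    """Parse EPSS CSV text into {cve: probability}, skipping '#' metadata lines."""
    rows = (line for line in io.StringIO(text) if not line.startswith("#"))
    return {r["cve"]: float(r["epss"]) for r in csv.DictReader(rows)}


def by_cvss(findings):
    """Baseline ordering: highest CVSS base score first."""
    return sorted(findings, key=lambda f: -f["cvss"])


def prioritize(findings, epss):
    """Order by EPSS (descending) with CVSS as tie-breaker.

    CVEs without an EPSS score are kept, flagged, and sorted last.
    """
    enriched = []
    for f in findings:
        score = epss.get(f["cve"])
        enriched.append({**f, "epss": score, "epss_missing": score is None})
    return sorted(enriched, key=lambda f: (-(f["epss"] or 0.0), -f["cvss"]))


if __name__ == "__main__":
    for f in prioritize(FINDINGS, load_epss(EPSS_CSV)):
        print(f["cve"], f["asset"], f["cvss"], f["epss"])
```

A CVE with no EPSS row is flagged rather than dropped, since a missing score is not evidence of low risk.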
By default, yes. When the Telivy agent’s Data Security scan finds a PII match on an endpoint, the platform captures the matched value along with file path, device, PII type, and a dollar-risk valuation. Transmission from the agent to the platform is encrypted at the application layer, and access inside the platform is gated by ApplicationAccess controls. The reason the default captures the value is operational: confirming a finding isn’t a false positive (a Luhn-valid string in a code sample, an old test export) requires being able to see what was matched.
Cleartext passwords from the password-analysis module are handled differently: they are never transmitted off the device; only hashes are stored. PII matches are governed by a separate control described in the next FAQ entry.
For full detail, including how matches appear in the platform and what’s covered in exports, see Data Security.
Yes. Telivy provides a Mask PII Data (may be required under HIPAA) setting at the agency level and per-assessment, located in Account Settings → PII Configuration → Configure PII Costs. When enabled, the platform redacts the literal match values everywhere they would otherwise appear: the Data Found detail view, CSV exports, and any other surface that would have shown the raw match. Counts, file paths, device names, and dollar-risk valuations are still shown, so the finding remains actionable.
Important: the setting requires a rescan to take effect on already-captured findings. After enabling Mask PII Data, run Rescan All on the affected assessments to refresh the data. New scans honor the masking from the moment of capture.
A separate Mask Dark Web Passwords toggle on the same screen controls how dark-web credential evidence is displayed. The two toggles are independent. See Data Security for the full configuration walkthrough.
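The trade-off in the two answers above (a Luhn-valid match can still be a false positive, and masking hides the value while keeping the context) is shown in this added example, which is not Telivy's scanner or export code. The file paths, device name, field names, `[MASKED]` token and per-match cost are assumptions, and the card numbers are constructed test values.

```python
import csv
import io
import re

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators
COST_PER_MATCH_USD = 150  # assumed valuation, for illustration only

# Constructed endpoint files: a unit-test fixture and a customer export.
FILES = {
    r"C:\src\shop\tests\test_pay.py": 'CARD = "4111 1111 1111 1111"  # fixture\n',
    r"C:\Users\amy\export.csv": "name,card,order\nA. Doe,5500-0000-0000-0004,1234 5678 9012 3456\n",
}


def luhn_valid(candidate):
    """Luhn checksum over the digits of candidate."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(files, device="LAPTOP-01"):
    """Return one finding per Luhn-valid candidate; other digit runs are dropped."""
    findings = []
    for path, text in files.items():
        for m in CARD_RE.finditer(text):
            if luhn_valid(m.group()):
                findings.append({"device": device, "file_path": path,
                                 "pii_type": "credit_card", "match": m.group(),
                                 "risk_usd": COST_PER_MATCH_USD})
    return findings


def export_csv(findings, mask_pii):
    """Write findings as CSV; with mask_pii the literal match is redacted, context is kept."""
    out = io.StringIO()
    fields = ["device", "file_path", "pii_type", "match", "risk_usd"]
    writer = csv.DictWriter(out, fieldnames=fields)
    writer.writeheader()
    for f in findings:
        writer.writerow({**f, "match": "[MASKED]" if mask_pii else f["match"]})
    return out.getvalue()
```

Both files produce a finding because both numbers pass Luhn; with masking on, the file path is what remains to tell the test fixture from the export.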