> ## Documentation Index
> Fetch the complete documentation index at: https://support.telivy.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Risk Assessments and External Scans

> Common questions and answers

<AccordionGroup>
  <Accordion title="What Are Different Types Of Security Assessments I Can Create?">
    There are two types of assessments that can be created:

    <Tabs>
      <Tab title="Risk Assessment">
        This is our complete assessment. It covers:

        1. Network scanning (Internal & External)

        2. Application scanning (cloud apps & desktop apps)

        3. Data Security - PII detection on systems

        4. Identity & Access Management

        5. Password management

        6. M365 Security
      </Tab>

      <Tab title="External Assessment">
        This is the external scan which uses the domain(s) and any public IPs of a client.
        For an in depth description of the different risk assessments, please refer to [this](https://docs.google.com/document/d/1TZ9JpT2kpV89JMi0bPwrcsPHjILMCDAGBR-XHwfbHq4/edit?tab=t.0#heading=h.x0j217ecqvk7) document.
      </Tab>
    </Tabs>
  </Accordion>

  <Accordion title="What Are The Timelines For The Different Risk Assessments?">
    **External Scans:**

    Installation: 2 min

    Scanning: 10-15 min

    **Risk Assessment:**

    Installation: 10 mins

    Scanning: 2-3 hours
  </Accordion>

  <Accordion title="What Are The Different Steps Involved In Each Risk Assessment?">
    Please refer to [this](https://docs.google.com/document/d/1udauxMxkkn6lN3fTyg-eZ24DCKj2gc9PAqqZtOx4taI/edit?tab=t.0#heading=h.cqf0wabvjxiy) document for more details on the different steps needed to complete the different Risk Assessments.
  </Accordion>

  <Accordion title="How To Add An IP/Domain To An External Scan?">
    You can add an IP/domain to an external scan by going to "Targets" > "Add Target" (top right) to add an IP address or additional domains.
  </Accordion>

  <Accordion title="How Do I Delete Or Archive A Risk Assessment Or External Scan?">
    For a Risk Assessment or an External Scan, click on the "Archive" button in the top right corner to archive the assessment.

    The assessment will not show up on your dashboard.

    For a Risk Assessment, note that archiving will uninstall the Telivy scanners from any assets that are installed.
  </Accordion>

  <Accordion title="What Assets Does the 'Rescan All' Feature Scan Again?">
    The 'Rescan All' feature deploys all the scans to refresh data. This includes:

    * Vulnerabilities

    * PII

    * Credential analysis

    * Risky Applications

    * Microsoft 365

    * External Attack Surface

    * Asset Inventory
  </Accordion>

  <Accordion title="How Do I Add Multiple Domains To A Scan?">
    For External Scans, under the "Security" tab, navigate to "Targets" and click on "Add Target" to add either an external IP address or another domain.

    For Risk Assessments, under the "Assets" tab, navigate to "Domain/IP Address" and click on "Add Target" to add either an external IP or another domain.
  </Accordion>

  <Accordion title="How To Add An IP/Domain To A Risk Assessment?">
    You can add an external scan by going to "Assets" > "Domain / IP Addresses" > "Add Target" (top right) and then you can add an IP address or additional domains.
  </Accordion>

  <Accordion title="What Is Agent/Agentless?">
    We offer two options for every assessment.

    1. **Agent**

    * You can deploy rapidly using your RMM

    * You can leave Telivy deployed and "rescan" on demand

    * You will generate the most comprehensive data

    * You can convert a CSRA to "Monitoring" where Telivy will rescan and help build risk-over-time charts and graphs

    * With Monitoring you can also set policies and receive alerts when a policy is violated

    2. **Agentless (Non Agent)**

    * Recommended for new clients as it does not require any installation or uninstallation

    * Link to executable can be sent on email, very useful for prospecting when you don't have RMM set up on the devices to install the agent

    * It tries to run as admin, if no permission granted then runs as non admin

    * Non admin scan limitations

      * PII scan done only for files accessible by the local user

      * Browser history and passwords captured only for the local user
  </Accordion>

  <Accordion title="What CVE Database Does Telivy Use?">
    Telivy combines three sources to make vulnerability findings both complete and actually prioritizable:

    * **The CVE Program (cvelistV5)**, the authoritative CVE catalog published by the CNAs through MITRE, is synced nightly into Telivy's vulnerability database. This is the same upstream source NVD ingests from, so Telivy's coverage tracks new and updated CVEs within 24 hours of upstream publication.

    * **Vulners** (executed via the Nmap `vulners` script) handles scan-time correlation. When the network or agent scanner fingerprints a service or installed software version, Vulners maps that fingerprint to the CVEs that affect it, including signal about whether public exploits exist.

    * **EPSS (Exploit Prediction Scoring System)** is pulled daily and stored per CVE. EPSS scores represent the probability of a CVE being exploited in the next 30 days and drive Telivy's prioritization, so partners can sort by what's likely to be hit instead of by CVSS alone.

    NVD is used for the human-readable detail link on each finding (`nvd.nist.gov/vuln/detail/CVE-...`), not as the bulk feed Telivy ingests from. For a deeper walkthrough you can hand to a client or auditor, see [Vulnerability Data Sources](/learning-center/vulnerability-data-sources).
  </Accordion>

  <Accordion title="Does Telivy Store The Actual PII It Finds (Like Credit Card Numbers)?">
    By default, yes. When the Telivy agent's Data Security scan finds a PII match on an endpoint, the platform captures the matched value along with file path, device, PII type, and a dollar-risk valuation. Transmission from the agent to the platform is encrypted at the application layer, and access inside the platform is gated by `ApplicationAccess` controls. The reason the default captures the value is operational: confirming a finding isn't a false positive (a Luhn-valid string in a code sample, an old test export) requires being able to see what was matched.

    Cleartext **passwords** from the password-analysis module are handled differently: they are never transmitted off the device; only hashes are stored. PII matches are governed by a separate control described in the next FAQ entry.

    For full detail, including how matches appear in the platform and what's covered in exports, see [Data Security](/products/risk-assessments/data-security).
  </Accordion>

  <Accordion title="Can I Prevent PII Evidence From Being Shown In The Platform?">
    Yes. Telivy provides a **Mask PII Data (may be required under HIPAA)** setting at the agency level and per-assessment, located in **Account Settings → PII Configuration → Configure PII Costs**. When enabled, the platform redacts the literal match values everywhere they would otherwise appear: the **Data Found** detail view, CSV exports, and any other surface that would have shown the raw match. Counts, file paths, device names, and dollar-risk valuations are still shown, so the finding remains actionable.

    **Important:** the setting requires a rescan to take effect on already-captured findings. After enabling Mask PII Data, run **Rescan All** on the affected assessments to refresh the data. New scans honor the masking from the moment of capture.

    A separate **Mask Dark Web Passwords** toggle on the same screen controls how dark-web credential evidence is displayed. The two toggles are independent. See [Data Security](/products/risk-assessments/data-security#mask-pii-data-the-supported-privacy-control) for the full configuration walkthrough.
  </Accordion>
</AccordionGroup>
