Frequently Asked Questions

Product Information

What is the Nucleus Vulnerability Intelligence Platform (VIP)?

The Nucleus Vulnerability Intelligence Platform (VIP) is a centralized solution that aggregates vulnerability data from multiple tools, prioritizes risks using real-world intelligence, and automates remediation workflows. It enables organizations to unify their vulnerability management processes, streamline operations, and improve security outcomes. Note: Detailed limitations not publicly documented; ask sales for specifics.

What are the main products and services offered by Nucleus?

Nucleus offers the Vulnerability Intelligence Platform (VIP), Nucleus Insights (an AI-powered intelligence feed), and the MCP Server for advanced data interaction. Solutions include Exposure Management, Risk-Based Vulnerability Management (RBVM), Application Security, and Cloud Vulnerability & Exposure Management. Nucleus also provides tailored offerings for the Federal Government and State/Local/Education (SLED) sectors. Note: Some features may be limited to specific sectors; check product documentation for details.

Features & Capabilities

What are the key features and capabilities of the Nucleus platform?

Nucleus consolidates vulnerability data from over 200 tools, prioritizes risks using asset context and threat intelligence, automates remediation workflows (including ticketing and ownership assignment), and simplifies compliance with frameworks like NIST, FedRAMP, and CISA. It also supports POA&M compliance, cloud and application security, asset management, and threat intelligence enrichment. Note: Best fit for organizations needing centralized vulnerability management; teams requiring deep custom integrations should review the full integrations list.

Does Nucleus support custom file schema ingestion?

Yes, Nucleus allows customers to upload any data using its Custom File Schema feature. Recent performance upgrades have improved the speed of file ingestion, and no changes are required by customers to benefit from these enhancements. Note: Custom file schema may require technical setup; consult documentation for compatibility.

What integrations does Nucleus offer?

Nucleus integrates with over 160 tools, including Jira (ITSM), Microsoft (CWPP), Qualys and Tenable (DAST), Alienvault USM (SCA), AWS EC2, Prisma, Palo Alto Networks (Containers), Github (SAST), Wiz and Orca (CSPM), Synack and HackerOne (Pen Testing), CrowdStrike (EDR), Nozomi (OT), SecurityScorecard and Censys (ASM), and many more. For a complete list, visit the integrations page. Note: Some integrations may require additional configuration or licensing.

Does Nucleus provide an API for custom integrations and reporting?

Yes, Nucleus offers an API that enables users to query the database, build custom dashboards and reports in tools like PowerBI or Tableau, and integrate with SIEM, SOAR, and other security tools. The API supports real-time updates and is documented at the API documentation page. Note: API usage may require technical expertise and proper authentication.

Product Performance & Implementation

How fast can Nucleus be implemented and onboarded?

Nucleus integrates with over 200 tools out of the box, enabling onboarding in hours instead of weeks. Prebuilt connectors and reusable templates simplify deployment, and step-by-step guides, video tutorials, and a dedicated support portal are available. Note: Implementation speed may vary based on environment complexity and integration requirements.

What improvements have been made to Nucleus product performance?

Nucleus has enhanced platform speed and resiliency, improved custom file schema ingestion, and upgraded reporting download speeds for large datasets. Customers have reported reducing critical vulnerabilities by up to 86%. Note: Performance may depend on data volume and integration complexity.

Security & Compliance

What security and compliance certifications does Nucleus hold?

Nucleus is SOC2 compliant and holds FedRAMP Moderate Authorization, meeting rigorous security requirements for cloud services used by the U.S. Federal Government. These certifications demonstrate adherence to controls relevant to security, availability, processing integrity, confidentiality, and privacy. Note: Certification scope may vary; review documentation for details.

How does Nucleus protect customer data and support compliance?

Nucleus employs industry-standard administrative, physical, and technical safeguards to protect customer data. It automates compliance framework controls for standards like NIST, FedRAMP, and CISA, and supports PCI DSS Requirement 6. Under its Master Service Agreement, Nucleus warrants compliance with applicable laws and regulations, including breach notification laws. Note: For specific compliance scenarios, consult legal or sales teams.

Use Cases & Benefits

What problems does Nucleus solve for organizations?

Nucleus addresses vulnerability aggregation, risk prioritization, manual remediation workflow automation, compliance challenges, POA&M management, exposure management across hybrid cloud environments, and application security integration. Note: Best fit for organizations with complex infrastructures; teams with simple environments may not require all features.

Who can benefit from using Nucleus?

Roles include Security Analysts, Development and IT Teams, CISOs and Security Leadership, and GRC/Compliance Teams. Industries represented in case studies include banking, airlines, healthcare, cybersecurity services, education, energy, retail, public sector, and technology. Note: Smaller organizations may find some features more than they need; review use case fit before purchase.

What business impact can customers expect from using Nucleus?

Customers report improved operational efficiency, enhanced security outcomes, cost savings, simplified compliance, centralized visibility, and proven ROI (up to 86% reduction in critical vulnerabilities). Service providers like Orange Cyberdefense have seen 85% of their customers use Nucleus weekly. Note: Impact may vary based on organizational maturity and adoption.

Can you share specific case studies or customer success stories?

Yes. Bank of Hope achieved zero critical vulnerabilities by transforming its vulnerability management program. A Tier-1 airline reduced 86% of critical vulnerabilities. A healthcare enterprise replaced Kenna with Nucleus, reducing its backlog from 4,000 vulnerabilities to nine critical threats. Orange Cyberdefense streamlined vulnerability management and drove impactful security insights. For more, visit Customer Stories. Note: Results are specific to each organization; outcomes may vary.

Support & Documentation

What support and technical documentation does Nucleus provide?

Nucleus offers a dedicated support portal, comprehensive API documentation, FlexConnect Framework setup guides, quickstart onboarding guides, and troubleshooting resources. Standard product support is included at no additional cost. Note: For advanced troubleshooting, contact technical support directly.

What feedback have customers provided about Nucleus's ease of use?

Customers report that Nucleus is easy to use, with intuitive automation and a smooth onboarding process. Reviews highlight immediate value, streamlined workflows, and a user-friendly interface. For example, a Manager of Security Architecture in Healthcare stated, "Nucleus Security has been an exceptional partner from the beginning…After purchasing, they offered one of the best onboarding/implementations I’ve worked with, and the product is easy to use." Note: User experience may vary based on team size and technical expertise.

Customer Proof & Industry Coverage

Who are some of Nucleus's customers?

Named customers include Autodesk, CISCO, Motorola, Zebra, Delta Dental, Abbott, University of California Santa Barbara (UCSB), Udemy, Department of Energy (DOE), Australian Red Cross, JCPenney, Henkel, Constellation Brands, Paychex, Marathon, American Airlines, Australia Post, and Premier League. Note: Customer fit varies; review case studies for industry-specific examples.

What industries are represented in Nucleus case studies?

Industries include banking and financial services, airlines, healthcare, cybersecurity services, education, energy and utilities, retail and consumer goods, public sector, and technology. Note: Industry-specific features may vary; consult sales for tailored solutions.

Nucleus Product Update 3.7

Adam Dudley
August 18, 2023
Product
Nucleus Product Update 3.7

SNow App 1.2.0, Custom File Schema upgrade, and more asset group restrictions incoming.

Welcome to the Nucleus Product Update 3.7. This product update comes just in time for the start of the 2023 US Open Tennis Championships. Serving a few aces, this edition continues to rack up the work we’re doing to introduce new features and product capabilities that improve your Nucleus platform experience and vulnerability management outcomes.

Key highlights from this update include: 

  • ServiceNow App update to further strengthen our ticketing integration 
  • Performance upgrades to Custom File Schema ingestion 

We’ve also included a preview of the enhancements coming for AGAC. Oh yea! 

Get the details for all updates below.

Have questions or want to know more about anything you see here? Our team is happy to help. Just reach out to our crew at [email protected] for further assistance. Happy reading!

ServiceNow App v 1.2 strengthens our ticketing integration 

The Nucleus ServiceNow app interface

Our integration with ServiceNow ITSM just improved: We’re excited to announce the release of version 1.2.0 of our ServiceNow App!      

Highlights include a new “Manage Projects” menu in the ServiceNow App, which allows customers to integrate and easily configure mapping for each action in each project. It also includes an automated test suite that will check that everything is working per the permissions, which reduces the time to integrate substantially and can get you up and running with the app in minutes. 

Additionally, this menu has a configurable selection of your preferred ticketing structure for incidents from Nucleus. Select from single tickets per unique vulnerability or a parent/child configuration that maps parent tickets at the unique vuln level to child tickets for each vuln instance.   

These changes will ensure a smoother and more functional integration between Nucleus and ServiceNow, which is much faster to configure and test. We hope the result will be a better experience for our customers’ vulnerability remediation teams and, ultimately, more remediated vulnerabilities.  

View our change log for a complete list of our updates in v 1.2.0, or view our listing on the ServiceNow store. 

Performance upgrades to Custom File Schema ingestion 

The custom file upload interface in the Nucleus platform
The custom file upload interface in the Nucleus platform

One of our most popular and most-beloved product features is the ability for customers to upload any data they want onto the platform using our Custom File Schema. The flexibility provided by this capability means that Nucleus customers are never blocked by our lack of a native connector with any of their favorite security tools, even as we continue to add to our roster of integrations with these. Our Custom File Schema is a workhorse that our customers have used for years, and we’ve incorporated many lessons learned in building file ingestion into the product over that time.  

We are pleased to share that we’ve made some low-level changes to this functionality to improve the speed of these file ingestions. Best of all, no changes are required by customers to enjoy the benefits of these enhancements. Stay tuned for additional improvements in the coming months! 


Upcoming Release Spotlight:
Enterprise Scale Asset Group Restrictions

We are greatly enhancing Asset Group Access Control (AGAC) functionality in the coming quarter. Once released, Org Admins can restrict their users’ asset group access in the context of SSO Team Mapping in Nucleus. With this upcoming release, Org Admins can create teams within Nucleus, map an SSO object to that team, and restrict that team’s access to specified asset groups. Currently, only a single user’s access can be restricted, which can be cumbersome for sprawling enterprises with tons and tons of users. We will also give the “Add Team” modal a facelift to better accommodate these changes.

Design Preview of upcoming AGAC enhancements
Design Preview of upcoming AGAC enhancements

This release will be available in closed beta by the end of the quarter. Please get in touch with Nucleus Support if you want to be added to the beta program or would like to learn more.


Your personal invite to our upcoming webinar 

Using Decision Trees for Vulnerability Prioritization With SSVC
On Augusts 30th at 2 pm ET, join Patrick Garrity, Security Researcher at Nucleus Security, as he sits down with Stephen Shaffer, Staff Security Automation Engineer at Peloton Interactive, Jonathan Spring, Cybersecurity Specialist at CISA, and Chris Madden, Sr Principal Technical Security Engineer at Yahoo, to talk about the benefits of using SSVC Decision Trees to automate your vulnerability triage process, and also share real-world examples of how to build out a decision criteria that will address critical vulnerabilities first.

The session will include topics such as an overview of SSVC, the benefits of using SSVC, and how to gain organizational alignment on risk priorities. You can register here. 

Click here to expand our full Release Notes

You can access the Nucleus change log to view the complete, unedited version of release updates posted each week. Select the subscribe to the RSS feed option on this page if you would like to receive weekly change log updates. This new Nucleus Product Update is intended to fully summarize and outline those weekly changes for you, with more details, each month. The product updates include all the following features and improvements: 

New Features 

  • Added the ability to assign external Jira cases dynamically by assignee, using a dynamic value in the assignee field. This is in beta for Jira only. Please contact Nucleus Support if you are interested in having this enabled for your org. 

Product Improvements (Performance, Experience, & Functionality) 

  • Added “total mitigated,” “total manual,” and “total open” data to the response of the GET projects/{project id}/findings/mitigated API endpoint.   
  • Improved performance of Nucleus custom file schema ingestion. 

Integration Improvements    

All: 

  • Improved the Ticketing automation experience by making system entries in the external system drop down more detailed. 

Carbon Black: 

  • Improved the Carbon Black connector by allowing larger download limits. 
  • Sped up ingestion of the Carbon Black connector by more efficiently updating finding statuses.     

Defender: 

  • Added retries in Microsoft Defender for certain network errors, like failure to connect. 

Dependabot: 

  • Sped up ingestion of Dependabot connector by more efficiently updating finding statuses.       

HackerOne: 

  • Added a setting to append HackerOne’s report unique id to the finding name. Contact support for enablement. 

InsightVM: 

  • Improved the InsightVM connector by speeding up ingestion, especially for large data sets. 

Prisma Cloud: 

  • Added support for the Prisma Cloud (self-hosted) connector to work with auditor service accounts that are restricted by projects and/or collections. 

ServiceNow: 

  • Improved the ServiceNow App connector by providing more meaningful errors during setup. 

Tenable: 

  • Standardized the naming convention of Tenable WAS imports to be consistent across both scheduler and automation engines. 

Reporting Improvements 

  • Improved the Vulnerability Details xlsx report by increasing download speed, especially for large data sets.   

Bug Fixes 

  • Fixed an issue where using host name as criteria in asset processing automation failed to run in certain scenarios.   
  • Fixed an issue in Qualys where previously manually mitigated findings were incorrectly marked as “potential” upon scan ingestion.  
  • Fixed an issue where vuln details xlsx report was not generating as expected in limited scenarios where a unique finding was not unique enough across multiple sources.  
  • Fixed an issue with ServiceNow asset ingestion where EMAC addresses were not being ingested correctly. 
  • Fixed an issue where empty CSV files were attached to tickets in cases where assets were deactivated and later reactivated.  
  • Fixed a few issues with SNYK:  
  • SNYK orgs and targets were not being removed from Nucleus.   
  • We were still ingesting results from inactive SNYK projects.  
  • Fixed an issue where assigning asset groups dynamically using {{asset.business_owner}} was not assigning as expected.  
  • Fixed an issue in Crowdstrike where we were not downloading all data from APIs for exceptionally large environments.   
  • Fixed an issue where ingesting Veracode sandbox scans included non-descript scan names. 
  • Fixed an issue where using certain Mandiant filters to generate a Vuln Details xlsx report for large data sets resulted in an error. 
  • Fixed filtering in the Active Vulnerabilities and Resolved pages by ensuring that applied filters pull through to the instance details view.  
  • Fixed an issue where a specific combination of filters on the active vulnerabilities page was incorrectly populating the quick filters at the top of the page.  
  • Fixed an issue where the mitigated count on the resolved page was incorrect when using a combination of asset groups and team filters.  
  • Fixed an issue where the last seen dates were not consistent between the active vulnerabilities grid and the instance details view. 
  • Fixed an issue when creating a Jira ticket where text with lengthy values were not wrapping properly.   
  • Fixed an issue where the Crowdstrike last import date was incorrectly showing as “never” in certain cases.  
  • Fixed an issue where the teams filter applied on the active vulnerabilities page was not applied when creating a report.   
  • Fixed an issue where finding descriptions were not rendered correctly, nor consistently between the interface and API when certain HTML tags were included as part of the description. 
  • Fixed an issue where duplicate entries of finding instances in the CSV attached to ServiceNow tickets were included.      


Click here to review past Nucleus product updates.

Adam Dudley
Adam is VP of Strategy and Alliances at Nucleus Security, working closely with the company's partners and integrations. Adam is also proudly the company's longest-tenured non-founding employee.

See Nucleus in Action

Discover how unified, risk-based automation can transform your vulnerability management.