Overview

Impacts describe attacker outcomes. They answer a simple question: if a vulnerability is exploited, what happens? This helps teams prioritize remediation and explain risk in plain language.

Why impacts matter

  • Filter by consequence: find all vulnerabilities that could lead to account takeover, regardless of the technical category
  • Communicate risk: explain security issues to non-technical stakeholders in terms they understand
  • Prioritize effectively: focus on high-impact vulnerabilities first

Impact categories

Cysmiq uses 13 standardized impact categories.

Execute Commands

Execute arbitrary code or commands, e.g. command injection, unsafe deserialization, template injection, or XXE.

Takeover Accounts

Authenticate as another user or hijack sessions, e.g. auth bypass, session fixation, or insecure cookie handling.

Gain Access

Bypass authorization or escalate privileges, e.g. missing access checks, IDOR, or over-broad allowlists.

Obtain Secrets

Extract credentials or keys for reuse, e.g. hardcoded secrets, token exposure, or leaked key material.

Access Data

Read or manipulate structured data, e.g. SQL injection, LDAP injection, or unsafe query construction.

Access Files

Read or modify files or paths, e.g. path traversal, file inclusion, or insecure archive handling.

Intercept Traffic

Observe or alter data in transit, e.g. TLS validation failures or weak transport protections.

Insufficient Data Protection

Sensitive data at rest is not adequately protected, e.g. weak encryption, weak hashing, or missing integrity checks.

Bypass Cryptographic Controls

Predict or undermine cryptographic controls, e.g. weak randomness, predictable tokens, or signature verification flaws.

Facilitate Client-side Attacks

Target end users, e.g. XSS, open redirect, CSRF, or clickjacking.

Access Application State

Learn internal state or configuration, e.g. debug info leakage, verbose errors, or config exposure.

Evade Detection

Avoid logging or monitoring, e.g. missing audit events or log tampering.

Degrade Performance

Exhaust resources or reduce availability, e.g. DoS or resource exhaustion.

How impacts are assigned

Impacts are assigned based on CWE mappings and attacker outcomes. When a vulnerability is detected, it inherits the impacts associated with its CWE category. A vulnerability can carry more than one impact, and an impact filter matches a vulnerability if any one of its assigned impacts is selected. For example:
  • A SQL injection vulnerability gets the Access Data impact
  • A command injection vulnerability gets the Execute Commands impact
  • A weak password hash gets the Insufficient Data Protection impact
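The assignment and filtering behaviour described above, as an added example that is not Cysmiq's own code: findings inherit impacts from a CWE-to-impact table, and a filter returns every finding carrying any of the requested impacts. The table itself is an assumption built for this example (only the three pairings listed above come from this page); the CWE ids are real CWE entries, but their impact assignments here are illustrative.

```python
from dataclasses import dataclass, field

# Impact names as used on this page.
EXECUTE_COMMANDS = "Execute Commands"
TAKEOVER_ACCOUNTS = "Takeover Accounts"
ACCESS_DATA = "Access Data"
ACCESS_FILES = "Access Files"
INSUFFICIENT_DATA_PROTECTION = "Insufficient Data Protection"

# Assumed CWE -> impacts table (constructed for this example, not Cysmiq's
# real mapping). A CWE may carry more than one impact, as with XXE here.
CWE_IMPACTS = {
    "CWE-89": {ACCESS_DATA},                      # SQL injection
    "CWE-78": {EXECUTE_COMMANDS},                 # OS command injection
    "CWE-916": {INSUFFICIENT_DATA_PROTECTION},    # weak password hash
    "CWE-611": {EXECUTE_COMMANDS, ACCESS_FILES},  # XXE (assumed dual impact)
    "CWE-384": {TAKEOVER_ACCOUNTS},               # session fixation
    "CWE-287": {TAKEOVER_ACCOUNTS},               # improper authentication
}


@dataclass
class Finding:
    id: str
    cwe: str
    impacts: frozenset = field(init=False)

    def __post_init__(self):
        # A finding inherits the impacts of its CWE; an unmapped CWE gets none.
        self.impacts = frozenset(CWE_IMPACTS.get(self.cwe, ()))


def filter_by_impact(findings, wanted):
    """Return findings that carry ANY of the wanted impacts (the page's filter
    semantics), independent of the technical category the finding belongs to."""
    wanted = set(wanted)
    return [f for f in findings if f.impacts & wanted]


# Constructed sample findings; "CWE-UNMAPPED" is a placeholder for a CWE with
# no table entry and therefore no impacts.
SAMPLE = [
    Finding("F-1", "CWE-89"),
    Finding("F-2", "CWE-78"),
    Finding("F-3", "CWE-916"),
    Finding("F-4", "CWE-611"),
    Finding("F-5", "CWE-384"),
    Finding("F-6", "CWE-287"),
    Finding("F-7", "CWE-UNMAPPED"),
]
```

Filtering SAMPLE on Takeover Accounts returns F-5 and F-6 even though one is a session-fixation and the other an authentication finding, which is the "filter by consequence" use case above.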