# Prioritization Criteria (Stages)

Any funnel is composed of criteria that produce the different stages of the funnel.

### Out-of-the-box criteria

Xygeni provides several out-of-the-box criteria, and you can also add your own custom criteria.

{% hint style="info" %}
**Nature (Technical vs Business)**

* Some criteria have a technical nature (Technical), while others are business-oriented (Business) and their meaning depends on your own custom categorization.

**Calculation (Auto vs Manual)**

* Some criteria are calculated automatically by Xygeni (Auto).
* Other criteria are business-oriented and must be supplied by the user (Manual).
* There are also criteria that, although initially calculated by Xygeni, can be further modified by the user (Both).

**Scope (Project vs Issue)**

* Some criteria apply to all issues of a Xygeni project. The concrete value for an issue depends on some characteristic of the project to which it belongs (Project).
* Other criteria apply individually to every issue (Issue).
{% endhint %}

<table><thead><tr><th width="163">Criteria</th><th width="289">Description</th><th width="112">Calculation</th><th width="104">Nature</th><th>Scope</th></tr></thead><tbody><tr><td>Reachability</td><td>Is this vulnerability reachable? (see <a href="/pages/1cDRUKuZEjLr2F3ahC3Z">Reachability</a> for further details)</td><td>Auto</td><td>Technical</td><td>Issue</td></tr><tr><td>Exploitability</td><td>Is this vulnerability exploitable? (see <a href="/pages/7nMSGXrXdTYFEIeQ7evH">Exploitability</a> for further details)</td><td>Auto</td><td>Technical</td><td>Issue</td></tr><tr><td>Fixable</td><td>Is this vulnerability fixable? (see <a href="/pages/7yTLCKApyySdv36UkJGH">Fixable</a> for further details)</td><td>Auto</td><td>Technical</td><td>Issue</td></tr><tr><td>In application code</td><td>Is this vulnerability in application code (i.e. not in test code)?</td><td>Auto</td><td>Technical</td><td>Issue</td></tr><tr><td>AI Triage Result</td><td>Has AI Triage classified this finding as a real vulnerability, a likely false positive, or as needing review? SAST only (see <a href="/pages/kLK1vzfQlaBaTTYppxap">AI Triage Result</a> for further details)</td><td>Auto</td><td>Technical</td><td>Issue</td></tr><tr><td>Remediation Urgency</td><td>How urgently should this AI-confirmed vulnerability be remediated (Immediate, Next Sprint, Planned, Backlog)? SAST only (see <a href="/pages/uAPHVNYdIZh7GutB1eNx">Remediation Urgency</a> for further details)</td><td>Auto</td><td>Technical</td><td>Issue</td></tr><tr><td>Deployed</td><td>Is this application being deployed? Xygeni can detect whether the application is being deployed to some resource, but you can also manually assign the correct value</td><td>Both</td><td>Technical</td><td>Project</td></tr><tr><td>Active Development</td><td>Is this application actively under development? Xygeni considers an application to be in "Active Development" if its latest commit is not older than 90 days. You can manually change this value</td><td>Auto</td><td>Technical</td><td>Project</td></tr><tr><td>Internet Exposed</td><td>Is this application exposed to the Internet?</td><td>Both</td><td>Technical</td><td>Project</td></tr><tr><td>Legacy</td><td>Is this a legacy (i.e. no longer actively maintained) application?</td><td>Manual</td><td>Technical</td><td>Project</td></tr><tr><td>Product Unit</td><td>To which Product Unit does this application belong?</td><td>Manual</td><td>Business</td><td>Project</td></tr><tr><td>Business Value</td><td>What is the business value of this application?</td><td>Manual</td><td>Business</td><td>Project</td></tr><tr><td>Provider</td><td>Who is the provider of this application?</td><td>Manual</td><td>Business</td><td>Project</td></tr><tr><td>Architecture</td><td>What is the technical architecture of this application?</td><td>Manual</td><td>Business</td><td>Project</td></tr><tr><td>Business Area</td><td>To which Business Area (or department) does the application belong?</td><td>Manual</td><td>Business</td><td>Project</td></tr><tr><td>Any custom criteria</td><td>Any custom property defined for a project (see <a href="#custom-criteria">Custom criteria</a>)</td><td>Manual</td><td>Business</td><td>Project</td></tr></tbody></table>

{% hint style="info" %}
We are continuously adding new criteria, so you will likely find more criteria than those described at the time of writing this document.
{% endhint %}

### Criteria's Specifics

In addition to the general meaning of the above prioritization criteria, each criterion has a specific meaning depending on the issue type it applies to.

<table><thead><tr><th width="109">Criteria</th><th width="228">Open Source</th><th width="135">Supply Chain</th><th>Secrets</th><th>IaC</th></tr></thead><tbody><tr><td>Fixable</td><td>A vulnerability is Fixable if a safe component that remediates the vulnerability is available. This criterion removes from the previous stage those vulnerabilities with no available fix.</td><td>Always True</td><td>Always True</td><td>Always True</td></tr><tr><td>In application code</td><td>The scope of the component is production, not a test or compile scope. Users can configure the specific scopes used in their organization.</td><td>The issue is located in a file whose path does not contain any "<strong>test</strong>" directory</td><td>The issue is located in a file whose path does not contain any "<strong>test</strong>" directory</td><td>The issue is located in a file whose path does not contain any "<strong>test</strong>" directory</td></tr><tr><td>Reachability</td><td>The vulnerability is reachable because the application code execution reaches the vulnerable code in the component</td><td>It includes issues that represent a security issue, such as PPE, confusing names, or issues related to permissions. See each detector's information for more details.</td><td>The secret is located in:<br><br>- a file under version control<br>- an image</td><td><p>It includes IaC security issue types (Appsec, Encryption, Gensec, IAM, Network, Secrets...)<br><br>It discards issues related to best practices (such as Convention).</p><p>Check the detectors documentation for more details</p></td></tr><tr><td>Exploitable</td><td>This criterion includes those CVEs with an EPSS score greater than 0.1.</td><td>Same as Reachability</td><td><p>Includes any secrets that have been verified or cannot be verified.</p><p>All secrets that Xygeni verifies as inactive are discarded by this criterion.</p></td><td>Same as Reachability</td></tr><tr><td>Active Development</td><td>The project has commits in the last 90 days.</td><td>The project has commits in the last 90 days.</td><td>The project has commits in the last 90 days.</td><td>The project has commits in the last 90 days.</td></tr><tr><td>Deployed</td><td>A component's vulnerability is considered Deployed if Xygeni detects a pipeline or workflow that deploys (checks out) the project, image or package.</td><td>Always True</td><td>A secret is considered Deployed if it appears in a public repo or image.</td><td>An IaC issue is considered Deployed if Xygeni detects a pipeline or workflow that uses the IaC configuration to deploy the infrastructure</td></tr><tr><td>Internet Exposed</td><td>Any component vulnerability is considered Internet Exposed if the project's Internet Exposed property is set to true.</td><td>The repository with automations is public, or the issue is associated with the infrastructure.</td><td>The repository, image or package is public.</td><td>Any IaC issue is considered Internet Exposed if the project's Internet Exposed property is set to true.</td></tr></tbody></table>

{% hint style="info" %}
For any criterion with Business nature, its value depends on the value of the property and CUSPs associated with the project. Adjustments are available in the properties of the project in [Project Management](/xygeni-administration/platform-administration/projects-management.md).
{% endhint %}

### Custom criteria

Besides the above out-of-the-box criteria, you can create your own custom criteria. To do it, you just need to add **custom properties** to your applications (projects in Xygeni’s terminology) and those properties will be available as funnel criteria.

{% hint style="info" %}
See [Project Custom Properties](/xygeni-administration/platform-administration/projects-management.md#choosing_project_or_group_in_dashboard-3) for further info.
{% endhint %}
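To make the two tables above and the custom-criteria mechanism concrete, here is an added example (not Xygeni's code) that models each criterion as a predicate over a finding and its project, then applies them as ordered funnel stages and reports how many findings survive each stage. The thresholds (EPSS greater than 0.1, the 90-day activity window, the "test" directory rule, verified-inactive secrets discarded) are the ones stated on this page; the field names, the stage order, the exact-match interpretation of a "test" directory and the sample findings are assumptions made for the example.

```python
"""Toy prioritization funnel: the page's criteria as predicates (added example, not Xygeni code)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, List, Tuple

@dataclass
class Project:
    # Project-scoped attributes; 'custom' stands in for Xygeni custom properties (assumed shape)
    name: str
    last_commit: date
    deployed: bool = False
    internet_exposed: bool = False
    custom: Dict[str, str] = field(default_factory=dict)

@dataclass
class Finding:
    # Issue-scoped attributes; field names are assumptions, the thresholds come from the page
    id: str
    kind: str                        # "open_source" | "supply_chain" | "secrets" | "iac"
    path: str
    project: Project
    reachable: bool = True           # type-specific meaning (see the Criteria's Specifics table)
    fix_available: bool = True       # only meaningful for open_source; other types are "Always True"
    epss: float = 0.0                # open_source only
    secret_status: str = "unknown"   # secrets only: "active" | "inactive" | "unknown"

Criterion = Callable[[Finding, date], bool]

def reachable(f: Finding, today: date) -> bool:
    return f.reachable

def exploitable(f: Finding, today: date) -> bool:
    if f.kind == "open_source":
        return f.epss > 0.1                   # page: EPSS score greater than 0.1
    if f.kind == "secrets":
        return f.secret_status != "inactive"  # secrets verified as inactive are discarded
    return f.reachable                        # supply chain and IaC: same as Reachability

def fixable(f: Finding, today: date) -> bool:
    return f.fix_available if f.kind == "open_source" else True

def in_application_code(f: Finding, today: date) -> bool:
    # Path rule for supply chain, secrets and IaC: no directory named "test".
    # Exact, case-insensitive matching is an assumption; the page only says a "test" directory.
    dirs = f.path.split("/")[:-1]
    return not any(d.lower() == "test" for d in dirs)

def active_development(f: Finding, today: date) -> bool:
    return (today - f.project.last_commit).days <= 90   # page: commits in the last 90 days

def deployed(f: Finding, today: date) -> bool:
    return f.project.deployed

def internet_exposed(f: Finding, today: date) -> bool:
    return f.project.internet_exposed

def custom_property(name: str, value: str) -> Criterion:
    """Build a criterion from a project custom property (the page's custom criteria)."""
    return lambda f, today: f.project.custom.get(name) == value

# Stage order is an assumption; the funnel is composed by the user.
DEFAULT_FUNNEL: List[Tuple[str, Criterion]] = [
    ("Reachable", reachable),
    ("Exploitable", exploitable),
    ("Fixable", fixable),
    ("In application code", in_application_code),
    ("Active Development", active_development),
    ("Deployed", deployed),
    ("Internet Exposed", internet_exposed),
]

def run_funnel(findings, stages, today):
    """Apply stages in order; return per-stage survivor counts and the surviving ids."""
    survivors = list(findings)
    counts = [("All", len(survivors))]
    for name, crit in stages:
        survivors = [f for f in survivors if crit(f, today)]
        counts.append((name, len(survivors)))
    return counts, [f.id for f in survivors]

# Constructed sample data (not real findings or projects)
TODAY = date(2024, 6, 1)
SHOP = Project("shop-api", date(2024, 5, 20), deployed=True, internet_exposed=True,
               custom={"business_value": "high"})
LEGACY = Project("legacy-batch", date(2023, 11, 1), deployed=True, custom={"business_value": "low"})
SAMPLE = [
    Finding("OSS-1", "open_source", "src/main/App.java", SHOP, epss=0.42),
    Finding("OSS-2", "open_source", "src/main/App.java", SHOP, epss=0.02),
    Finding("OSS-3", "open_source", "src/test/AppTest.java", SHOP, epss=0.60),
    Finding("OSS-4", "open_source", "lib/util.js", SHOP, epss=0.30, fix_available=False),
    Finding("SEC-1", "secrets", "config/prod.env", SHOP, secret_status="inactive"),
    Finding("SEC-2", "secrets", "config/prod.env", SHOP, secret_status="active"),
    Finding("IAC-1", "iac", "infra/main.tf", LEGACY),
]

if __name__ == "__main__":
    for stage, n in run_funnel(SAMPLE, DEFAULT_FUNNEL, TODAY)[0]:
        print(f"{stage:22s} {n}")
```

Running it shows the funnel narrowing from 7 findings to 2: OSS-2 drops at Exploitable (EPSS 0.02), OSS-4 at Fixable, OSS-3 at In application code (it sits under `src/test/`), SEC-1 at Exploitable (verified inactive) and IAC-1 at Active Development (its project's last commit is older than 90 days). Appending `("Business Value = low", custom_property("business_value", "low"))` to the stage list is how a project custom property becomes a funnel criterion, exactly as the Custom criteria section describes.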


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.xygeni.io/introduction-to-xygeni/prioritization-funnels/prioritization-funnels-1.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
