Risk Spotlight (In Use)

Sysdig has updated and completed the full release cycle of its pioneering Risk Spotlight tool, which identifies vulnerable packages and libraries that are actually used in runtime workloads. It is used to power the In Use field in the Vulnerability runtime scan results and Risk Spotlight integrations with 3rd-party software.


Risk Spotlight is based on Image Profiling, a technology pioneered by Sysdig that combines the observed runtime behavior of a particular container image with vulnerabilities detected in its software packages. This combination is used to determine which packages are effectively loaded during execution and thus, are a more direct security threat for your infrastructure.

Prioritizing the vulnerabilities that represent an actual risk to the organization is one of the most critical aspects of a successful vulnerability management program. Images often contain hundreds of vulnerabilities. Multiplying this by the number of workloads running for any non-trivial infrastructure deployment, it is easy to see that the total number of potential vulnerabilities to fix is very large.

Many prioritization criteria are commonly used and accepted to start filtering the list: Severity and CVSS scoring, Exploitability metrics, Runtime scope, and other environment considerations. Risk Spotlight is a new criterion, completely supported by observed runtime behavior, to add to the vulnerability management tool belt that can considerably reduce the working set of vulnerabilities that must be addressed as a priority.


  • EVE: Effective Vulnerability Exposure, an earlier term. The installation settings may still refer to the eveConnector and eveEnablement.
  • Image Profiling: The technology powering Risk Spotlight.
  • Risk Spotlight: Profiling insights applied to vulnerability prioritization and the In-Use feature.

Technology Details

To understand how Risk Spotlight is architected:

The Sysdig Agent components deployed for every instrumented node (host) continuously observe the behavior of runtime workloads. Some of the information collected includes:

  • Image runtime behavior profile: accessed files, processes in execution, system calls. See Profiling for more details.
  • The Software Bill Of Material (SBOM) associated with container images used by runtime containers, including used packages and versions and the vulnerabilities matched by those.
  • The combination of the SBOM and the Packages/Libraries identified as running make a Runtime Bill of Materials (RBOM).

By correlating these three pieces of information, Sysdig can differentiate between packages merely installed in the image vs the ones that are loaded at execution time. This information is then propagated to vulnerability scan results and can be shared with partner integrations.


Risk Spotlight requires the Vulnerability Management engine in Sysdig Secure SaaS. Make sure you are using the correct documentation: Which Scanning Engine to Use.

It works with all packages and formats that Vulnerability Management supports. See the list, here.

From Sysdig Agent v.12.15+, Risk Spotlight is auto-enabled. You can disable/enable it as described in Profiling.

Understanding the In Use Column

Risk Spotlight insights show up in the Vulnerabilities Runtime page in the In Use column.

The In Use designation lets you focus first on the packages containing vulnerabilities that are actually being executed at runtime. If an image has 180 packages and 160 have vulnerabilities, but only 45 are used at runtime, then much of the vuln notification noise can be reduced.

Click on an image entry to see the In Use panel and drill down, clicking on the vulnerabilities for details and examining the link to any known exploits that exist.

Data in the In Use column will appear approximately 12 hours after the feature has been deployed.