Manage Residual Risks
Residual risks represent known security gaps in your product—whether from controls that couldn't be implemented, penetration test findings, SBOM vulnerability scans, or threat intelligence. This guide walks you through how risks are created, how to assess them with CVSS scoring, and how to document mitigations for regulatory submissions.
Before You Begin
- You have created a product in Product Security Hub
- You have reviewed your security requirements
- You have reviewed your threat model
🔑 Key Concept: Risks from Not-Met Requirements
Residual risks are automatically created when you mark a security requirement as "Not Met" on the Requirements page. The risk is driven by the threat(s) associated with that requirement.
Important: If a not-met requirement has multiple associated threats, multiple residual risks will be created—one for each threat. This ensures each risk can be individually assessed and tracked.
Navigate to Residual Risks
From your product dashboard, click the Residual Risks tab in the top navigation bar (between SBOM and Vulnerability Mgmt).
You'll see a list of all residual risks—both those automatically created from not-met requirements and any manually added risks.
Understand the Risk Dashboard
The Residual Risks dashboard provides a comprehensive view of your security gaps. Click the Settings (gear) icon to configure which columns appear:
Available Columns
The dashboard shows traceability from risks back to their source—whether from not-met requirements, threats, or vulnerabilities.
Add Risks Manually
While most risks are created automatically, you can add risks manually for findings that don't originate from requirements—such as penetration test results or security audit findings.
➕ Add via Popup
Click + Add a New Residual Risk to open the risk creation modal and enter details directly.
📥 Import via Excel
Click Download Blank Template or Download Pre-Populated Template to bulk import risks.
💡 Risks from Vulnerabilities
You can also add risks directly from the Vulnerability Management page when you need to relate a vulnerability to a new risk. The same popup modal is used, giving you consistent risk entry regardless of where you start.
Enter Risk Details
When adding or editing a risk, the modal includes several sections:
Basic Information
Status
Current status of the risk (In Progress, Finished, or Closed; see Track Risk Status below)
Component
Which architecture component is affected
Source of Risk
Where the risk originated (threat, pentest, etc.)
Potential Risk Impact
Select the potential impact category
Risk
Description of the residual risk
Other Details
Potential Safety Risk
Yes/No indicator for safety impact
Reference to Safety Risk Assessment
Link to related safety documentation
Requirement
Associated requirement reference
Perform CVSS Risk Assessment
The primary purpose of the Residual Risks page is to perform cybersecurity risk assessments. Each risk can be scored with both CVSS 3.1 and CVSS 4.0.
CVSS 3.1 Vectors
Select a value for each base metric; the base score is calculated automatically from your vector selections.
CVSS 4.0 Vectors
As with 3.1, select a value for each metric and the score is calculated automatically. Note that 3.1 and 4.0 scores are produced by different formulas and are not directly comparable with each other.
💡 Compare with Pre-Mitigation Score
You can see the pre-mitigation CVSS score from the associated threat, allowing you to compare and understand how your mitigations have reduced the risk severity.
Use AI-Assisted Documentation
Product Security Hub includes AI-powered Generate buttons to help you document your risk assessments:
Mitigation Details
The AI analyzes your met requirements to write a summary of mitigations already in place. It pulls context from:
- Product details and description
- The specific risk being assessed
- Requirements marked as "Met" that address related threats
Scoring Justification (CVSS 3.1 & 4.0)
The AI writes a justification for your CVSS vector selections. It analyzes:
- Your selected CVSS score and individual vectors
- Product details (profile, name, description)
- Met requirements and security controls
- Cybersecurity details from the Product Details page
💡 Pro Tip: Enhance AI Output
For better AI-generated content, keep your Cybersecurity Details section on the Product Details page updated with information about your security controls and architecture. The AI uses this context to write more accurate and specific documentation.
Document Remediation Plans
For each residual risk, document your remediation approach:
Remediation Plan
Yes/No indicator for whether a remediation plan exists.
Remediation Details
Detailed description of how the risk will be addressed.
Patch
Link to associated patch if applicable.
Consideration for IFU Labeling
Whether the risk should be disclosed in Instructions for Use.
Track Risk Status
Use the Status field to track each risk through your workflow:
⏳ In Progress
Risk is being actively worked on—not yet approved or finalized.
✓ Finished
Risk record is complete—the risk is documented and known.
✓ Closed
Risk has been fully closed out through remediation.
Best Practices
Document Justifications
Always document your CVSS scoring justification—auditors and regulators expect to see your reasoning.
Track All Sources
Include risks from all sources: requirements gaps, pentests, vulnerability scans, and security audits.
Use Both CVSS Versions
Score risks with both CVSS 3.1 and 4.0. Different regulators and reviewers may expect one version or the other, and because the two versions use different formulas their scores are not interchangeable, so having both avoids rescoring later.
Leverage AI Generation
Use AI-generated content as a starting point, then review and refine for your specific context.
What's Next?
Document residual risks for your compliance program:
1. Prepare for Audits: export residual risks and risk acceptance decisions for audit evidence
Ready to assess your residual risks?
Document and score your security gaps with comprehensive CVSS risk assessments.