What the Event Types in Edgescan?
A summary of the event types in Edgescan, and the variables that can be configured are available in this article.
Version Number: v1.0.0
Published Date: 05 Mar 2026
____________________________________________________________________________
The following are the available event types and the conditions that trigger them:
- Assessment Complete: This event is activated once an Edgescan analyst completes the evaluation of an asset.
- Assessment Start: This event is triggered at a set time before an assessment begins on an asset.
- Vulnerability Opened/Closed: This event responds to the opening or closing of vulnerabilities on an asset during an evaluation.
- Host Discovered/Down: This event is activated when new hosts are discovered or when hosts go down on an asset in ASM.
- Port Opened/Closed: This event triggers when changes in port status (opened/closed) are detected on an asset in ASM.
- Node Added: This event fires when a note is added to either an asset or a vulnerability.
- Port Verification Complete: This event informs users about the completion of a mapper port verification scan and any changes in port status (Open/Closed/Unchanged).
- Credentials Added Notification: This event alerts if credentials are added for specific users on specified assets.
- Asset Blocker Created: This event is triggered when a blocker preventing asset evaluation is created.
- Asset Blocker Verified: This event triggers when an Edgescan analyst confirms that a blocker is still in place.
- Asset Blocker Resolved: This event is activated when a blocker is cleared.
- SLA Violation Event: This event alerts users when a service level agreement threshold is breached.
Assessment Complete
This event will fire once one of our Edgescan analysts complete an assessment on an asset that you specified in the event trigger.
Event Context:
| Field | Type | Explanation |
| id | Integer | The ID of the specific assessment |
| type | Enum | The type of assessment, "scheduled", "retest", "pen_test", "on_demand", "pci_scheduled", "pci_rescan" |
| score_delta | Integer | |
| number_of_vulnerabilities_opened | Integer | The number of new vulnerabilities opened in the assessment |
| number_of_vulnerabilities_closed | Integer | The number of vulnerabilities closed in the assessment |
| created_at | Date | Date the assessment was created |
| committed_at | Date | Date the assessment was committed at |
| asset | Object | |
| asset.id | Integer | The ID of the assessed asset |
| asset.name | String | The name of the assessed asset |
| asset.priority | Integer | The priority of the assessed asset |
| asset.location_specifiers | Array | An array of location specifier objects. Object will contain "location_type" I.e. "cidr" and "location" I.e. "192.168.1.1/28" |
| asset.tags | Array | An array of tags associated with the asset (empty of asset has no tags) |
| is_retest | Boolean | True/False depending on if the assessment is a retest or not |
| retested_vulnerabilities | Array | An array of vulnerability objects, each entry contains an ID, name and status of the retested vulnerability. |
Assessment Start
This event will fire at a set time before an assessment starts on an asset that you specified in the event trigger.
Event Context:
| Field | Type | Explanation |
| hours_until_task | Integer | The number of hours to be notified in advance of when an assessment is due to start |
| asset | Object | |
| asset.id | Integer | The ID of the assessed asset |
| asset.name | String | The name of the assessed asset |
| asset.priority | Integer | The priority of the assessed asset |
| asset.location_specifiers | Array | An array of location specifier objects. Object will contain "location_type" I.e. "cidr" and "location" I.e. "192.168.1.1/28" |
| asset.tags | Array | An array of tags associated with the asset (empty of asset has no tags) |
Vulnerability Opened/Closed
This event will fire when one or more vulnerabilities are opened or closed.
Event Context:
| Field | Type | Explanation |
| id | Integer | The id of the vulnerability opened/closed |
| definition_id | Integer | The id of the definition the vulnerability belongs to |
| name | String | The name of the vulnerability |
| location | String | The location of the vulnerability |
| severity | Integer | The severity in number form of the vulnerability |
| threat | Integer | The threat in number form of the vulnerability |
| risk | Integer | The risk in number form of the vulnerability |
| layer | Enum | The layer the vulnerability is found on. Can be "network" or "application" |
| cvss_score | Integer | The score of the Common Vulnerability Scoring System, belonging to the vulnerability |
| cvss_vector | String | Explanation of the cvss vector |
| on_cisa_list | Boolean | True/False if the vulnerability is on the cisa list |
| status | Enum | Status of the vulnerability can be "opened" or "closed" |
| asset | Object | |
| asset.id | Integer | The ID of the assessed asset |
| asset.name | String | The name of the assessed asset |
| asset.priority | Integer | The priority of the assessed asset |
| asset.location_specifiers | Array | An array of location specifier objects. Object will contain "location_type" I.e. "cidr" and "location" I.e. "192.168.1.1/28" |
| asset.tags | Array | An array of tags associated with the asset (empty of asset has no tags) |
Host Discovered/Down
Will be fired once one or more hosts are discovered to be up or down on an asset in ASM.
Event Context:
| Field | Type | Explanation |
| id | Integer | The ID of the host |
| address | String | The address of the host I.e. "192.168.1.1" |
| os_name | String | The operating system name of the host |
| hostnames | Array | An array of the hostnames of the specified host |
| reactivated (Host discovered only) | Boolean | True/False if the host as been reactivated or not |
| open_ports | Array | An object array of open_ports on the host will contain the "protocol" tcp/udp and the port number I.e. 80 |
| asset | Object | |
| asset.id | Integer | The ID of the assessed asset |
| asset.name | String | The name of the assessed asset |
| asset.priority | Integer | The priority of the assessed asset |
| asset.location_specifiers | Array | An array of location specifier objects. Object will contain "location_type" I.e. "cidr" and "location" I.e. "192.168.1.1/28" |
| asset.tags | Array | An array of tags associated with the asset (empty of asset has no tags) |
| region | String | The region the host is in |
Port Opened/Closed
Fires when one or more open/closed ports are found on an asset in ASM.
Event Context:
| Field | Type | Explanation |
| port | Integer | The port number that was opened/closed |
| protocol | Enum | What protocol either "tcp" or "udp" |
| host | Object | |
| host.id | Integer | The ID of the host |
| host.address | String | The address of the host I.e. "192.168.1.1" |
| host.os_name | String | The operating system the host is using |
| host.hostname | Array | An array of the hostnames associated with the host |
| host.open_ports | Array | An array of the open ports on this host. Is an object with the protocol either "tcp" or "udp" and the port number |
| asset | Object | |
| asset.id | Integer | The ID of the assessed asset |
| asset.name | String | The name of the assessed asset |
| asset.priority | Integer | The priority of the assessed asset |
| asset.location_specifiers | Array | An array of location specifier objects. Object will contain "location_type" I.e. "cidr" and "location" I.e. "192.168.1.1/28" |
| asset.tags | Array | An array of tags associated with the asset (empty of asset has no tags) |
Note Added
Fires when a note is added to an asset or a vulnerability.
Event Context:
| Field | Type | Explanation |
| id | Integer | The ID of the annotation |
| text | String | The content of the note |
| category | String | The category of the annotation |
| user | Object | |
| user.id | Integer | The ID of the user who created the annotation |
| user.username | String | The username of the user who created the annotation |
| annotated | Object | |
| annotated.id | Integer | The ID of annotated type (Could be asset or vulnerablity) |
| annotated.type | Enum | The type of the thing annotated "asset" or "vulnerablity" |
| annotated.identifier | String | A combined string of the ID and the type I.e. "Asset:1" or "Vulnerablity:52" |
| annotated.identifiable_name | String | The name of the asset or the vulnerability |
| annotated.identifiable_string | String | A combination of the annotated.identifier and the annotated.identifiable_name |
Port Verification Complete
Fires when the mapper port verification scan finishes. Informing user on changes in port status of a specific asset. Open/Closed/Unchanged.
Event Context:
| Field | Type | Explanation |
| options | Object | An object containing the options passed to mapper |
| asset | Object | |
| asset.id | Integer | The ID of the scanned asset |
| asset.name | String | The name of the scanned asset |
| target | Object | |
| target.address | String | The address of the target I.e. "192.168.1.1" |
| target.ports | Object | |
| target.ports.tcp | Array | An array of the TCP ports on the target scanned |
| target.ports.udp | Array | An array of the UDP ports on the target scanned |
| target.region | String | The region the target is located in |
| result | String | Either "change" "no_change" depending if ports were opened or closed |
| detailed_result | Object | |
| detailed_result.ports_opened | Object | |
| detailed_result.ports_opened.tcp | Array | An array of TCP ports that have been opened since last scan |
| detailed_result.ports_opened.udp | Array | An array of UDP ports that have been opened since last scan |
| detailed_result.ports_closed | Object | |
| detailed_result.ports_closed.tcp | Array | An array of TCP ports that have been closed since last scan |
| detailed_result.ports_closed.udp | Array | An array of UDP ports that have been closed since last scan |
| detailed_result.ports_unchanged | Object | |
| detailed_result.ports_unchanged.tcp | Array | An array of TCP ports that have not changed since last scan |
| detailed_result.ports_unchanged.udp | Array | An array of UDP ports that have not changed since last scan |
Credential Added
Fires when a credential is added to an asset.
Event Context:
|
Field |
Type |
Explanation |
|
credential |
Object |
|
|
credential.id |
Integer |
The ID of the credential |
|
credential.created_at |
String |
The date the credential was created at |
|
initiator.user |
Object |
|
|
initiator.user.first_name |
String |
The first name of the user who created the credential |
|
initiator.user.last_name |
String |
The last name of the user who created the credential |
|
asset |
Object |
|
|
asset.id |
Integer |
The ID of the asset the credential was created on. |
|
asset.name |
String |
The name of the asset the credential was created on. |
|
asset.asset_status |
String |
The asset status of the asset the credential was created on. |
|
organisation |
Object |
|
|
organisation.id |
Integer |
The ID of the Organisation that owns the asset the credential was created on.
|
|
organisation.name |
String |
The name of the Organisation that owns the asset the credential was created on.
|
Asset Blocker Created
Fires when an asset blocker of any cause is created on an asset
Event Context:
| Field | Type | Explanation |
| asset | Object | |
| asset.id | Integer | The ID of the blocked asset |
| asset.name | String | The name of the blocked asset |
| asset.status | String | The current status of the asset |
| asset.tags | Array | An array of tags on the asset |
| organization | Object | |
| organization.id | Integer | The ID of the organization |
| organization.name | String | The name of the organization |
| blocked_at | Date | The date and time that the asset was blocked on |
| blocked_services | Array | An array of objects representing the services being blocked. Each object will contain a string "service_name". |
| cause | String | A short string representation of what caused the blocker |
| reason | String | A more detailed explanation for why the asset has been blocked. For manual blockers, this reason is provided by the admin that created the blocker. |
| blocker_type | String | The type of the blocker, can be either "automated" or "manual" |
| blocker_annotations | Array | An array of annotations on the blocker. Each object will include the name of the user who created it in "user_full_name", the note text in "text", and the time of creation in "created_at". |
Asset Blocker Verified
Fires when an asset blocker is verified by our operations team as still being unresolved after remediation has been submitted (manual blockers only)
Event Context:
| Field | Type | Explanation |
| asset | Object | |
| asset.id | Integer | The ID of the blocked asset |
| asset.name | String | The name of the blocked asset |
| asset.status | String | The current status of the asset |
| asset.tags | Array | An array of tags on the asset |
| organization | Object | |
| organization.id | Integer | The ID of the organization |
| organization.name | String | The name of the organization |
| blocked_at | Date | The date and time that the asset was initially blocked on |
| blocked_services | Array | An array of objects representing the services being blocked. Each object will contain a string "service_name". |
| cause | String | A short string representation of what caused the blocker |
| reason | String | A detailed explanation for why the blocker is still unresolved |
| blocker_type | String | The type of the blocker, can be either "automated" or "manual" |
| blocker_annotations | Array | An array of annotations on the blocker. Each object will include the name of the user who created it in "user_full_name", the note text in "text", and the time of creation in "created_at". |
Asset Blocker Resolved
Fires when an asset blocker is resolved
Event Context:
| Field | Type | Explanation |
| asset | Object | |
| asset.id | Integer | The ID of the asset |
| asset.name | String | The name of the asset |
| asset.status | String | The current status of the asset |
| asset.tags | Array | An array of tags on the asset |
| organization | Object | |
| organization.id | Integer | The ID of the organization |
| organization.name | String | The name of the organization |
| blocked_at | Date | The date and time that the asset was initially blocked on |
| resolved_at | Date | The date and time that the blocker was resolved at |
| blocked_services | Array | An array of objects representing the services being blocked. Each object will contain a string "service_name". |
| cause | String | A short string representation of what caused the blocker |
| blocker_type | String | The type of the blocker, can be either "automated" or "manual" |
| blocker_annotations | Array | An array of annotations on the blocker. Each object will include the name of the user who created it in "user_full_name", the note text in "text", and the time of creation in "created_at". |
SLA Violation Event
This event will fire when the specified service level agreement (SLA) setting is triggered by a vulnerability. Note that an SLA setting must first be established, which can be done through the platform as per the instructions here.
|
Field |
Type |
Explanation |
|
id |
Integer |
The ID of the specific SLA Setting |
|
definition_id |
Integer |
The vulnerability definition id |
|
name |
String |
The name of the triggering vulnerability |
|
location |
String |
The location of the triggering vulnerability |
|
severity |
Integer |
The severity of the triggering vulnerability |
|
created_at |
Date |
Date the assessment was created |
|
committed_at |
Date |
Date the assessment was committed at |
|
asset |
Object |
|
|
asset.id |
Integer |
The ID of the assessed asset |
|
asset.name |
String |
The name of the assessed asset |