Aqua CSPM assigns a default severity ranking to each plugin that reflects our interpretation of the plugin's risk to the cloud account and its likelihood of exploitability. Severity rankings range from "low" to "medium," "high," and "critical." Every severity ranking can also be overridden on a global or per-IaaS account basis if you determine that Aqua CSPM's assigned severity is not sufficient.


Aqua CSPM severity rankings are provided "out-of-the-box" based on the following:


  • Cloud provider (e.g. AWS, Azure, GCP) documentation, white papers, and blog posts
  • Common industry best practices
  • Public benchmark programs, such as CIS
  • Compliance programs, such as PCI and HIPAA