Automated Proactive Risk Assessment

Proactively assess the risk of security policy changes with automated analysis that identifies potential impact, violations, and exposures before deployment.

Automated Proactive Risk Assessment guides you through using SecureChange workflows to:

  • Assess risk before access changes are approved and implemented.

  • Use one of two risk assessment methods:

    • External scanner-based risk analysis through the Vulnerability Change Automation (VCA) application extension

    • USP-based risk analysis through the Risk Analysis tool in workflows

  • Apply vulnerability and policy context to access requests during the change process

Why this matters

  • Prevent high-risk changes before they reach production.

  • Identify policy violations and exposure risks during the change process.

  • Integrate policy violation and exposure analysis into pre-deployment workflow stages.

  • Support risk-aware change evaluation before approval and implementation.

Who this is for
  • Security operation managers responsible for monitoring and validating risk analysis assessments.
  • Risk managers responsible for correlating vulnerabilities with policy data.

  • Change managers responsible for overseeing workflow execution and approvals.

  • Operational managers responsible for ensuring workflow adoption across teams.

Key capabilities

Prerequisites

Step 1: USP-based risk analysis

In addition to risk analysis using an external scanner, you can run risk analysis for access requests against the defined USP matrices. Configure the workflow behaviour to align with your organization's security posture.

Use SecureTrack's Workflows to implement risk analysis for access requests.

  1. Select an existing or create a new Access Request workflow.

  2. Configure the step for risk analysis:

    1. Set the step mode:

      • Auto: Runs risk analysis automatically and enforces the configured workflow logic, for example, denying the request if the risk exceeds the defined threshold.

      • Manual: Allows the step handler to review the result and decide whether to proceed.

    2. Based on the step mode you selected, enable risk analysis:

      • Auto: Select Run Risk analysis

      • Manual: In the Access request field properties, select Risk Analysis tool and  Notify the following users when risk is manually disregarded.

See:

Using the Risk Analysis tool

Create Access Request workflow

Configure Access Request field in access request workflows

Step 2: Configure VCA for Risk Analysis

In this step, you configure the Vulnerability-based Change Automation App (VCA) to enrich Access Request workflows with vulnerability data from third-party vulnerability management tools. Depending on the integration settings, VCA either retrieves existing vulnerability results for the source and destination assets in the ticket or starts a new scan.

  • Use the Vulnerability-based Change Automation application from Extensions.

Configure SecureChange connection settings in VCA

After installing VCA, connect it to SecureChange so it can retrieve Access Request workflow information and add the required risk analysis scripts.

Configure:

  • SecureChange connection

    • The IP or hostname of the SecureChange server.

    • Login credentials for SecureChange user with the permission - "Create and handle tickets on behalf of another user (via API only)"

  • Email notification: Configure the SMTP server details to enable notifications for detected risk alerts.

Leave the other settings unchanged.

See Configuring VCA.

Integrate vulnerability scanners in VCA

To retrieve vulnerability data for risk calculation, connect one or more external vulnerability scanners or vulnerability management systems (VMS) that scan your network assets.

For each scanner, enter the required connection details. You can connect multiple scanners, but each workflow integration uses one scanner.

See Connecting to Vulnerability Management Tools.

Configure SecureChange workflows in VCA

For each Access Request workflow that uses external risk analysis, configure a workflow integration in VCA.

Workflow settings

For every SecureChange workflow to integrate, configure the following settings:

  • Workflow type

  • Workflow step: The step where VCA runs.

  • Scanner

  • Risk threshold: The minimum acceptable risk score which when exceeded flags or stops tickets.

  • Email notification settings

Scan mode

Configure active scan or passive risk analysis.

  • Active scan: Trigger a real-time scan of all source and destination IPs in the workflow step.

    • Can be scheduled or executed during the step execution.

    • Allowed Networks must be defined to limit the scan scope.

  • Passive Risk Analysis: Useful for quicker response times or when scanning live assets isn't feasible.

    • VCA fetches historical vulnerability data for the source/destination IPs based on existing scanner data.

    • Risk results are correctly linked to the corresponding SecureChange ticket.

See Adding workflow integrations.

Validate risk analysis reports in VCA

The Reports tab in VCA provides vulnerability findings per request, which can be :

  • CVE details, severity scores, and affected IPs

  • Mapped SecureChange ticket IDs.

You can download the reports for audits or operational use.

See Accessing request reports.