Risk Patterns
Risk Patterns detects and surfaces known security anti-patterns in your vault — secrets shared across environments, keys that have never been rotated, expired certificates, and unused API keys.
Each detected pattern includes a severity rating, the affected resources, a recommended remediation action, and an option to ignore the pattern with a justification.
What are Risk Patterns?
A continuously running analysis engine that scans your vault for known bad security practices. It compares your vault state against a library of risk patterns and surfaces any matches as actionable findings.
What is it for?
Proactive risk identification
Discover security issues before they become incidents, rather than finding out during an audit or after a breach.
Remediation guidance
Every finding includes a step-by-step remediation action, not just a description of the problem.
Prioritise fixes
Severity ratings (Critical, High, Medium, Low) help you focus effort on the highest-impact issues first.
Reduce attack surface
Resolving risk patterns directly improves your Vault Score and reduces the attack surface of your vault.
Key concepts
| Term | Description |
|---|---|
| Risk pattern | A named anti-pattern definition against which vault resources are evaluated. Examples: 'Secret shared across prod and staging', 'Key not rotated in 365+ days'. |
| Severity | The risk level of the pattern: Critical (immediate action required), High, Medium, or Low. |
| Pattern types | Categories of patterns: Cross-environment sharing, Rotation compliance, Certificate hygiene, Unused credentials, Access policy gaps. |
| Ignored risk | A pattern instance that has been acknowledged and ignored with a documented justification. Ignored patterns do not affect the Vault Score. |
| Remediation action | The specific action recommended to resolve the risk pattern (e.g., rotate the key, remove the cross-environment reference, delete the unused credential). |
How to use Risk Patterns
View detected patterns
Navigate to QuantumVault → Risk Patterns. All open patterns are listed with severity, affected resource, and first-detected date.
GET /api/v1/vault/risk-patterns
Understand severity
Critical and High patterns should be addressed immediately. Medium and Low patterns should be scheduled for remediation in the next maintenance window.
Follow remediation guidance
Click a pattern to see the recommended remediation steps. Many steps have a direct link to the relevant resource in your vault.
Ignore with justification
If a pattern represents an accepted risk, click Ignore and enter a justification. The pattern will be dismissed from the active list and logged in the audit trail.
POST /api/v1/vault/risk-patterns/{id}/ignore
Content-Type: application/json
{ "justification": "Accepted risk — internal tool only" }
Configure alerts for new patterns
In Settings → Notifications, you can configure alerts for new Critical or High severity patterns so your team is notified immediately.
Risk pattern reference
| Pattern | Severity | Affected resource | Remediation | Can ignore |
|---|---|---|---|---|
| Cross-environment secret sharing | High | Secrets | Create separate secrets per environment | Yes |
| Key never rotated | Critical | Crypto keys | Rotate the key immediately | No |
| Expired certificate | Critical | Certificates | Renew or replace the certificate | No |
| Unused API key (90d+) | Medium | API keys | Revoke the unused key | Yes |
Relationships
Vault Score
Open risk patterns reduce the Vault Score via the Risk Patterns factor (weighted 15%).
Executive Report
The Active Threats and Risk Level widgets in the Executive Report are powered by the Risk Patterns engine.
Vault
All risk patterns are scoped to the current vault.
Keys
Key rotation and usage patterns are among the most common risk findings.
Access Policies
Access policy gaps (resources with no policy) are surfaced as Low or Medium severity risk patterns.
FAQ
Can I create custom risk patterns?
Custom pattern definitions are on the roadmap. Currently, QuantumVault ships with a curated library of common security anti-patterns that is updated with each platform release.
Do ignored patterns reappear?
An ignored pattern remains suppressed until the underlying resource state changes (e.g., the ignored 'unused key' pattern will reappear if the key is used and then goes unused again for 90 days).
How often are patterns scanned?
The risk engine runs a full scan every hour and also incrementally when vault resources are created, updated, or deleted.
Which patterns affect the Vault Score?
Only Critical and High severity patterns affect the Vault Score. Each open Critical pattern deducts up to 5 points; each High pattern deducts up to 2 points, up to the 15-point maximum for this factor.
API & CLI reference
Risk Patterns are accessible via the REST API for integration with external SIEM or ticketing systems:
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/vault/risk-patterns | List all open risk patterns in the vault. |
| GET | /api/v1/vault/risk-patterns/{id} | Get details of a specific risk pattern finding. |
| POST | /api/v1/vault/risk-patterns/{id}/ignore | Ignore a risk pattern with a justification. |
| POST | /api/v1/vault/risk-patterns/{id}/resolve | Mark a risk pattern as resolved after remediation. |
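As an added example (not QuantumVault's own code), the helper below applies the documented Vault Score rule (Critical 5, High 2, ignored findings excluded, 15-point cap) to a listing from GET /api/v1/vault/risk-patterns, selects the Critical/High findings worth forwarding to a SIEM, and builds an ignore request that refuses patterns the reference table marks as non-ignorable. The JSON field names (`id`, `pattern`, `severity`, `ignored`) are assumed; the real response shape is not shown on this page.

```python
"""Client-side helpers for the Risk Patterns API (example code, not the product's).

Assumed finding shape (not documented on the page): dicts with the keys
"id", "pattern", "severity" and "ignored".
"""
import json

# Per-pattern deductions from the documented Vault Score rule; Medium/Low do not count.
DEDUCTION = {"Critical": 5, "High": 2}
FACTOR_MAX = 15  # the Risk Patterns factor is weighted 15%

# Patterns the reference table lists with "Can ignore: No".
NON_IGNORABLE = {"Key never rotated", "Expired certificate"}


def scoring_findings(findings):
    """Open (not ignored) Critical/High findings: the only ones that move the score.

    The same set is what an alerting/SIEM integration should forward."""
    return [f for f in findings
            if not f.get("ignored", False) and f["severity"] in DEDUCTION]


def risk_factor_deduction(findings):
    """Points the Risk Patterns factor removes from the Vault Score, capped at 15."""
    total = sum(DEDUCTION[f["severity"]] for f in scoring_findings(findings))
    return min(total, FACTOR_MAX)


def ignore_request(finding, justification):
    """Return (path, body) for POST /api/v1/vault/risk-patterns/{id}/ignore.

    Enforces client-side what the page states: a justification is required and
    non-ignorable patterns must be remediated, not suppressed."""
    if not justification.strip():
        raise ValueError("ignore requires a non-empty justification")
    if finding["pattern"] in NON_IGNORABLE:
        raise ValueError(f'"{finding["pattern"]}" cannot be ignored; remediate it')
    path = f"/api/v1/vault/risk-patterns/{finding['id']}/ignore"
    return path, json.dumps({"justification": justification})


# Constructed sample listing (ids and shape invented for this example).
SAMPLE = [
    {"id": "rp-1", "pattern": "Key never rotated", "severity": "Critical", "ignored": False},
    {"id": "rp-2", "pattern": "Expired certificate", "severity": "Critical", "ignored": False},
    {"id": "rp-3", "pattern": "Cross-environment secret sharing", "severity": "High", "ignored": False},
    {"id": "rp-4", "pattern": "Cross-environment secret sharing", "severity": "High", "ignored": True},
    {"id": "rp-5", "pattern": "Unused API key (90d+)", "severity": "Medium", "ignored": False},
]
```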