Exposure assessment for zero-day vulnerabilities, when Common Vulnerabilities and Exposures (CVEs) for the asset or configuration item is not available. It uses the software information to assess exposure, using the software discovery model.