> ## Documentation Index
> Fetch the complete documentation index at: https://developer.vanta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# List risk scenarios

> List risk scenarios.



## OpenAPI

````yaml /reference/manage-vanta.json get /risk-scenarios
openapi: 3.0.0
info:
  title: Manage Vanta
  version: 1.0.0
  description: >-
    The REST API lets customers query and mutate Vanta's data. Use this API to
    automate bulk actions, query data for custom workflows and dashboards, and
    bolster your security operations


    **Note for Vanta Gov (FedRAMP) customers:** Select `Vanta Gov (FedRAMP)`
    from the server dropdown to issue requests against
    `https://api.vanta-gov.com`. The OAuth token URL shown below defaults to the
    commercial host — replace it with `https://api.vanta-gov.com/oauth/token`.
  termsOfService: https://www.vanta.com/terms
  license:
    name: UNLICENSED
  contact:
    name: API Support
    url: https://help.vanta.com/
    email: support@vanta.com
servers:
  - url: https://api.vanta.com/v1
    description: Vanta (Commercial)
  - url: https://api.vanta-gov.com/v1
    description: Vanta Gov (FedRAMP)
security: []
paths:
  /risk-scenarios:
    get:
      tags:
        - Risk Scenarios
      summary: List risk scenarios
      description: List risk scenarios.
      operationId: ListRiskScenario
      parameters:
        - in: query
          name: pageSize
          required: false
          schema:
            $ref: '#/components/schemas/PageSize'
        - in: query
          name: pageCursor
          required: false
          schema:
            $ref: '#/components/schemas/PageCursor'
        - in: query
          name: includeIgnored
          required: false
          schema:
            type: boolean
        - description: Use "No owner" to filter scenarios without owner assigned.
          in: query
          name: ownerMatchesAny
          required: false
          schema:
            items:
              type: string
            type: array
        - in: query
          name: searchString
          required: false
          schema:
            type: string
        - description: Use "Uncategorized" to filter scenarios without any category.
          in: query
          name: categoryMatchesAny
          required: false
          schema:
            items:
              type: string
            type: array
        - description: >-
            Use "Uncategorized" to filter scenarios with none of
            Confidentiality, Integrity or Availability assigned.
          in: query
          name: ciaCategoryMatchesAny
          required: false
          schema:
            type: array
            items:
              anyOf:
                - $ref: '#/components/schemas/CIA'
                - $ref: '#/components/schemas/UNCATEGORIZED'
        - description: >-
            Use "No treatment type" to filter scenarios without treatment
            specified.
          in: query
          name: treatmentTypeMatchesAny
          required: false
          schema:
            type: array
            items:
              anyOf:
                - $ref: '#/components/schemas/Treatment'
                - $ref: '#/components/schemas/NO_TREATMENT_TYPE'
        - in: query
          name: inherentScoreGroupMatchesAny
          required: false
          schema:
            type: array
            items:
              $ref: '#/components/schemas/ScoreGroup'
        - in: query
          name: residualScoreGroupMatchesAny
          required: false
          schema:
            type: array
            items:
              $ref: '#/components/schemas/ScoreGroup'
        - in: query
          name: reviewStatusMatchesAny
          required: false
          schema:
            type: array
            items:
              $ref: '#/components/schemas/ReviewStatus'
        - description: >-
            Filter by risk scenario type. Defaults to "Risk Scenario".

            Only returns enterprise risks when explicitly set to "Enterprise
            Risk".
          in: query
          name: type
          required: false
          schema:
            $ref: '#/components/schemas/RiskScenarioType'
        - description: Default to order by description alphabetically.
          in: query
          name: orderBy
          required: false
          schema:
            type: string
            enum:
              - description
              - createdAt
      responses:
        '200':
          description: Ok
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PaginatedResponse_RiskScenario_'
              examples:
                Example 1:
                  value:
                    results:
                      data:
                        - riskId: assets-not-identified-and-protected
                          description: >-
                            Assets are not identified and protected according to
                            company requirements.
                          detailedDescription: null
                          isSensitive: false
                          likelihood: 4
                          impact: 4
                          residualLikelihood: 2
                          residualImpact: 1
                          categories:
                            - Access control
                          ciaCategories:
                            - Confidentiality
                          treatment: Avoid
                          owner: null
                          note: null
                          riskRegister: Default
                          customFields: []
                          isArchived: false
                          reviewStatus: DRAFT
                          requiredApprovers: []
                          type: Risk Scenario
                          identificationDate: '2024-03-07T18:46:05.944Z'
                      pageInfo:
                        hasNextPage: false
                        hasPreviousPage: false
                        startCursor: '1'
                        endCursor: '1'
      security:
        - bearerAuth: []
components:
  schemas:
    PageSize:
      type: integer
      format: int32
      default: 10
      description: >-
        Controls the maximum number of items returned in one response from the
        API.
      minimum: 1
      maximum: 100
    PageCursor:
      type: string
      description: >-
        A marker or pointer, telling the API where to start fetching items for
        the subsequent page in a paginated dataset.

        Note that the requested page will not include the item that corresponds
        to this cursor but will start from the one immediately

        after this cursor.
    CIA:
      type: string
      enum:
        - Confidentiality
        - Integrity
        - Availability
    UNCATEGORIZED:
      type: string
      enum:
        - Uncategorized
      nullable: false
    Treatment:
      type: string
      enum:
        - Mitigate
        - Transfer
        - Avoid
        - Accept
    NO_TREATMENT_TYPE:
      type: string
      enum:
        - No treatment type
      nullable: false
    ScoreGroup:
      type: string
      enum:
        - Very low
        - Low
        - Med
        - High
        - Critical
    ReviewStatus:
      type: string
      enum:
        - APPROVED
        - DRAFT
        - NOT_REVIEWED
        - AWAITING_SUBMISSION
        - PENDING_APPROVAL
        - REQUESTED_CHANGES
    RiskScenarioType:
      type: string
      enum:
        - Risk Scenario
        - Enterprise Risk
    PaginatedResponse_RiskScenario_:
      properties:
        results:
          properties:
            data:
              items:
                $ref: '#/components/schemas/RiskScenario'
              type: array
            pageInfo:
              $ref: '#/components/schemas/PageInfo'
          required:
            - data
            - pageInfo
          type: object
      required:
        - results
      type: object
      additionalProperties: false
    RiskScenario:
      properties:
        riskId:
          type: string
          description: >-
            The unique ID of the risk specified by the user. Used to reference
            and update existing risks.
        description:
          type: string
          description: >-
            This describes an actual or potential risk to your organization's
            people, processes, technology, data, and facilities.

            Document actual issues or likely scenarios based on your specific
            environment or a potential vulnerability.


            Naming note: in the UI, `description` is labelled "Title" and

            `detailedDescription` is labelled "Description". The field names

            are preserved for backwards compatibility with the public REST API

            and existing data.
        detailedDescription:
          type: string
          nullable: true
          description: >-
            Optional long-form description providing extended context for the
            risk scenario.

            Maximum 10000 characters.


            Naming note: in the UI, `description` is labelled "Title" and

            `detailedDescription` is labelled "Description". The field names

            are preserved for backwards compatibility with the public REST API

            and existing data.
        isSensitive:
          type: boolean
          nullable: true
          description: >-
            If set to true this risk can only be seen by its owner or users with
            Admin, RiskSensitiveManage or RiskSensitiveView permissions.
          deprecated: true
        likelihood:
          type: integer
          format: int32
          nullable: true
          description: >-
            Represents the probability of an incident occurring due to this risk
            or vulnerability, expressed as a numerical score.

            Defaults to a range of 1-5, where higher values indicate greater
            likelihood. The range can be customized in the Risk Management
            settings.

            A value of `null` indicates that no score has been assigned.
        impact:
          type: integer
          format: int32
          nullable: true
          description: >-
            Represents the potential severity of harm to your organization’s
            operations if this risk is exploited, expressed as a numerical
            score.

            Defaults to a range of 1-5, where higher values indicate greater
            impact. The range can be customized in the Risk Management settings.

            A value of `null` indicates that no score has been assigned.
        residualLikelihood:
          type: integer
          format: int32
          nullable: true
          description: >-
            Represents the adjusted probability of this risk being exploited or
            affecting operations after implementing risk treatments, such as
            controls or mitigations.

            Expressed as a numerical score, defaulting to a range of 1-5. The
            range can be customized in the Risk Management settings.

            A value of `null` indicates that no score has been assigned.
        residualImpact:
          type: integer
          format: int32
          nullable: true
          description: >-
            Represents the adjusted severity of harm to your organization’s
            operations if this risk is exploited after implementing risk
            treatments, such as controls or mitigations.

            Expressed as a numerical score, defaulting to a range of 1-5. The
            range can be customized in the Risk Management settings.

            A value of `null` indicates that no score has been assigned.
        categories:
          items:
            type: string
          type: array
          description: The list of categories this risk scenario belongs to.
        ciaCategories:
          items:
            $ref: '#/components/schemas/CIA'
          type: array
          description: >-
            A list of the following for the type of risk documented:

            - Confidentiality: Risk to data stores, customer/sensitive
            information, etc.

            - Integrity: Risk to accuracy or integrity of system settings and/or
            data

            - Availability: Risk to normal service operations and critical
            system functionality
        treatment:
          allOf:
            - $ref: '#/components/schemas/Treatment'
          nullable: true
          description: >-
            Indicate how your leadership team wants to address an identified
            risk. Please note: not all risks need to be addressed immediately
            (or at all). Your Risk Treatment decision will depend on multiple
            factors, such as your organization's risk tolerance and the value of
            the asset that the risk is associated with. The options are:

            - Mitigate: Identify controls to put in place or tasks to be done
            that will reduce the risk score.

            - Transfer: Move risk outside of your organization's set of
            responsibilities e.g. get cyber liability insurance.

            - Avoid: Stop doing the activity which is causing the risk to your
            organization and its assets.

            - Accept: Decide to live with the risk and take no further actions.
            - Accept: decide to live with the risk; this may be because it is
            highly unlikely, has a low financial or operational impact, or the
            cost and effort to treat the risk far exceeds the value of the asset
        owner:
          type: string
          nullable: true
          description: >-
            The email of the person responsible for tracking and mitigating this
            risk scenario.
        note:
          type: string
          nullable: true
          description: >-
            Additional context about the risk scenario and why it has specific
            impact and likelihood scores.
        riskRegister:
          type: string
          nullable: true
          description: Name of the risk register associated with this scenario.
        customFields:
          items:
            $ref: '#/components/schemas/CustomAttribute'
          type: array
          description: >-
            The list of custom fields.

            You can reference existing custom fields in the Risk Management
            settings and/or create new ones.

            The format is:

            - {label: "field-name", value: "string-representation"} for text,
            date, number and currency fields

            - {label: "field-name", value: ["option1", "option2"]} for picklist
            fields
        isArchived:
          type: boolean
          description: Whether this scenario is archived.
        reviewStatus:
          $ref: '#/components/schemas/ReviewStatus'
          description: The current review status of this risk scenario
        requiredApprovers:
          items:
            type: string
          type: array
          description: The list of required approvers for this risk scenario.
        type:
          $ref: '#/components/schemas/RiskScenarioType'
          description: |-
            The type of risk scenario.
            - "Risk Scenario": Standard risk scenario
            - "Enterprise Risk": Enterprise-level risk
        identificationDate:
          type: string
          format: date-time
          description: >-
            The date this risk was identified. Matches the "Identified Date"
            field in the Vanta UI. Set by the customer when a risk is created;
            defaults to the scenario's creation time when not explicitly
            provided.
      required:
        - riskId
        - description
        - isSensitive
        - likelihood
        - impact
        - residualLikelihood
        - residualImpact
        - categories
        - ciaCategories
        - treatment
        - owner
        - note
        - riskRegister
        - customFields
        - isArchived
        - reviewStatus
        - requiredApprovers
        - type
        - identificationDate
      type: object
      additionalProperties: false
    PageInfo:
      description: Provides information about the pagination of a dataset.
      properties:
        endCursor:
          type: string
          nullable: true
          description: >-
            The cursor that points to the end of the current page, or null if
            there is no such cursor.
        hasNextPage:
          type: boolean
          description: Indicates if there is another page after the current page.
        hasPreviousPage:
          type: boolean
          description: Indicates if there is a page before the current page.
        startCursor:
          type: string
          nullable: true
          description: >-
            The cursor that points to the start of the current page, or null if
            there is no such cursor.
      required:
        - endCursor
        - hasNextPage
        - hasPreviousPage
        - startCursor
      type: object
      additionalProperties: false
    CustomAttribute:
      properties:
        label:
          type: string
        value:
          anyOf:
            - type: string
            - items:
                type: string
              type: array
      required:
        - label
        - value
      type: object
      additionalProperties: false
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer

````