diff --git a/metrics/ApplicationSecurity/PasswordHashAlgorithmAllowed/PasswordHashAlgorithmAllowed.yaml b/metrics/ApplicationSecurity/PasswordHashAlgorithmAllowed/PasswordHashAlgorithmAllowed.yaml
new file mode 100644
index 00000000..cec7c94e
--- /dev/null
+++ b/metrics/ApplicationSecurity/PasswordHashAlgorithmAllowed/PasswordHashAlgorithmAllowed.yaml
@@ -0,0 +1,16 @@
+# ====== Metadata ======
+id: f4159401-68d4-4292-843e-251187346edf
+name: PasswordHashAlgorithmAllowed
+description: >
+ This rule assesses whether an [Application] that offers the property
+ [Functionalities.CryptographicHash] uses a [p1:algorithm] suitable for
+ password hashing.
+category: ApplicationSecurity
+version: "v1"
+comments: Using modern password hashing algorithms (e.g., Argon2id, bcrypt, scrypt)
+ improves resistance to offline cracking.
+# ====== Configuration ======
+configuration:
+ p1:
+ operator: "allIn"
+ targetValue: ["Argon2id", "bcrypt", "scrypt"]
diff --git a/metrics/ApplicationSecurity/PasswordHashAlgorithmAllowed/data.json b/metrics/ApplicationSecurity/PasswordHashAlgorithmAllowed/data.json
new file mode 100644
index 00000000..1a29c685
--- /dev/null
+++ b/metrics/ApplicationSecurity/PasswordHashAlgorithmAllowed/data.json
@@ -0,0 +1,4 @@
+{
+ "operator": "allIn",
+ "target_value": ["Argon2id", "bcrypt", "scrypt"]
+}
diff --git a/metrics/ApplicationSecurity/PasswordHashAlgorithmAllowed/metric.rego b/metrics/ApplicationSecurity/PasswordHashAlgorithmAllowed/metric.rego
new file mode 100644
index 00000000..684f8dc1
--- /dev/null
+++ b/metrics/ApplicationSecurity/PasswordHashAlgorithmAllowed/metric.rego
@@ -0,0 +1,39 @@
+package cch.metrics.password_hash_algorithm_allowed
+
+import data.cch.compare
+import rego.v1
+import input as app
+
+default applicable = false
+
+default compliant = false
+
+hashes := [func | func := app.functionalities[_]; func.cryptographicHash]
+
+applicable if {
+ app.type[_] == "Application"
+}
+
+compliant if {
+ count(violations) == 0
+}
+
+message := "The analyzed resource uses approved password hashing algorithms." if {
+ compliant
+} else := "The analyzed resource contains evidence of weak password hashing algorithms." if {
+ not compliant
+}
+
+results := [
+ mapped |
+ func := app.functionalities[_]
+ mapped := {
+ "property": "cryptographicHash.algorithm",
+ "value": func.cryptographicHash.algorithm,
+ "target_value": data.target_value,
+ "operator": data.operator,
+ "success": compare(data.operator, data.target_value, func.cryptographicHash.algorithm),
+ }
+]
+
+violations := [x | y := results[_]; y.success == false; x = y]
diff --git a/metrics/ApplicationSecurity/VulnerabilitiesNotExploitable/VulnerabilitiesNotExploitable.yaml b/metrics/ApplicationSecurity/VulnerabilitiesNotExploitable/VulnerabilitiesNotExploitable.yaml
new file mode 100644
index 00000000..4c8b56dc
--- /dev/null
+++ b/metrics/ApplicationSecurity/VulnerabilitiesNotExploitable/VulnerabilitiesNotExploitable.yaml
@@ -0,0 +1,14 @@
+# ====== Metadata ======
+id: e0f1b6f2-13f5-482e-924e-c9e29145d7e5
+name: VulnerabilitiesNotExploitable
+description: >
+ This rule assesses whether a [Resource] has no [Vulnerability] or only
+ [Vulnerability] entries with [p1:exploitable] set to false.
+category: ApplicationSecurity
+version: "v1"
+comments: Ensuring detected vulnerabilities are not exploitable reduces the risk of active compromise.
+# ====== Configuration ======
+configuration:
+ p1:
+ operator: "=="
+ targetValue: False
diff --git a/metrics/ApplicationSecurity/VulnerabilitiesNotExploitable/data.json b/metrics/ApplicationSecurity/VulnerabilitiesNotExploitable/data.json
new file mode 100644
index 00000000..bf987f3c
--- /dev/null
+++ b/metrics/ApplicationSecurity/VulnerabilitiesNotExploitable/data.json
@@ -0,0 +1,4 @@
+{
+ "operator": "==",
+ "target_value": false
+}
diff --git a/metrics/ApplicationSecurity/VulnerabilitiesNotExploitable/metric.rego b/metrics/ApplicationSecurity/VulnerabilitiesNotExploitable/metric.rego
new file mode 100644
index 00000000..095d333b
--- /dev/null
+++ b/metrics/ApplicationSecurity/VulnerabilitiesNotExploitable/metric.rego
@@ -0,0 +1,35 @@
+package cch.metrics.vulnerabilities_not_exploitable
+
+import data.cch.compare
+import rego.v1
+import input.vulnerabilities as vul
+
+default applicable = false
+
+default compliant = false
+
+applicable if {
+ true
+}
+
+compliant if {
+ not vul
+}
+
+compliant if {
+ vul
+ every v in vul {
+ compare(data.operator, data.target_value, v.exploitable)
+ }
+}
+
+message := "No vulnerabilities were detected for the resource." if {
+ compliant
+ not vul
+} else := "All detected vulnerabilities are marked as not exploitable." if {
+ compliant
+ vul
+} else := "At least one detected vulnerability is exploitable." if {
+ applicable
+ not compliant
+}
diff --git a/metrics/NetworkSecurity/NetworkEndpointAuthenticationRequired/NetworkEndpointAuthenticationRequired.yaml b/metrics/NetworkSecurity/NetworkEndpointAuthenticationRequired/NetworkEndpointAuthenticationRequired.yaml
new file mode 100644
index 00000000..ab30647b
--- /dev/null
+++ b/metrics/NetworkSecurity/NetworkEndpointAuthenticationRequired/NetworkEndpointAuthenticationRequired.yaml
@@ -0,0 +1,14 @@
+# ====== Metadata ======
+id: b792af37-8154-425b-90c7-73c53c137132
+name: NetworkEndpointAuthenticationRequired
+description: >
+ This rule assesses whether a [NetworkService] has [Authenticity] with
+ [p1:noAuthentication] set to false.
+category: NetworkSecurity
+version: "v1"
+comments: Basic access control requires network endpoints to avoid [NoAuthentication].
+# ====== Configuration ======
+configuration:
+ p1:
+ operator: "=="
+ targetValue: False
diff --git a/metrics/NetworkSecurity/NetworkEndpointAuthenticationRequired/data.json b/metrics/NetworkSecurity/NetworkEndpointAuthenticationRequired/data.json
new file mode 100644
index 00000000..bf987f3c
--- /dev/null
+++ b/metrics/NetworkSecurity/NetworkEndpointAuthenticationRequired/data.json
@@ -0,0 +1,4 @@
+{
+ "operator": "==",
+ "target_value": false
+}
diff --git a/metrics/NetworkSecurity/NetworkEndpointAuthenticationRequired/metric.rego b/metrics/NetworkSecurity/NetworkEndpointAuthenticationRequired/metric.rego
new file mode 100644
index 00000000..803a4ca9
--- /dev/null
+++ b/metrics/NetworkSecurity/NetworkEndpointAuthenticationRequired/metric.rego
@@ -0,0 +1,29 @@
+package cch.metrics.network_endpoint_authentication_required
+
+import data.cch.compare
+import rego.v1
+import input.authenticity as auth
+
+default applicable = false
+
+default compliant = false
+
+applicable if {
+ auth
+}
+
+auth_no_authentication := true if {
+ auth.noAuthentication
+} else := true if {
+ auth.no_authentication
+} else := false
+
+compliant if {
+ compare(data.operator, data.target_value, auth_no_authentication)
+}
+
+message := "Authentication is required for the network endpoint." if {
+ compliant
+} else := "The network endpoint allows unauthenticated access." if {
+ not compliant
+}
diff --git a/ontology/v1/core/functionality.owx b/ontology/v1/core/functionality.owx
index e80e5b1b..bfcc4b03 100644
--- a/ontology/v1/core/functionality.owx
+++ b/ontology/v1/core/functionality.owx
@@ -310,6 +310,9 @@
+
+
+
@@ -1579,6 +1582,13 @@
+
+
+
+
+
+
+
@@ -2543,6 +2553,16 @@
prop:criticality
criticality: Contains the criticality of a vulnerability, e.g., low, medium, high, critical
+
+
+ prop:exploitable
+ exploitable: Indicates whether a vulnerability is known to be exploitable
+
+
+
+ prop:exploitable
+ exploitable
+
core:cve
diff --git a/ontology/v1/ontology-merged.owx b/ontology/v1/ontology-merged.owx
index 95d9708d..4bb112c2 100644
--- a/ontology/v1/ontology-merged.owx
+++ b/ontology/v1/ontology-merged.owx
@@ -1136,6 +1136,9 @@
+
+
+
@@ -4666,6 +4669,13 @@
+
+
+
+
+
+
+
@@ -7689,6 +7699,16 @@ name = metadata.name
/properties/enforced
enforced
+
+
+ /properties/exploitable
+ exploitable: Indicates whether a vulnerability is known to be exploitable
+
+
+
+ /properties/exploitable
+ exploitable
+
/properties/field
diff --git a/ontology/v1/ontology.proto b/ontology/v1/ontology.proto
index e094d349..b8b94bda 100644
--- a/ontology/v1/ontology.proto
+++ b/ontology/v1/ontology.proto
@@ -4090,6 +4090,8 @@ message Vulnerability {
string cve = 205;
repeated string cwe = 18325;
string description = 10690;
+ // exploitable: Indicates whether a vulnerability is known to be exploitable
+ bool exploitable = 15966;
string url = 11925;
}