# VM Prioritization

{% columns %}
{% column %}
Prioritise VMs by **attacker reachability**.

Focus on workloads on real paths to impact.

Alma combines sensors, cloud context, and runtime telemetry.

It builds a reachability graph and ranks VMs by likely impact.
{% endcolumn %}

{% column %}
![Alma sensors + cloud context + runtime telemetry → reachability graph → VM prioritisation.](/files/0VcAwbKqQW7ZtHLJTAgZ)
{% endcolumn %}
{% endcolumns %}

### What “reachability” means

Reachability is the likelihood an attacker can reach a VM and cause impact.

Alma raises a VM's priority when it is:

* internet-reachable (directly, or via an ingress/LB)
* a strong pivot for lateral movement
* on a path to sensitive systems (DB, identity, secrets, CI/CD)
* on a path confirmed by observed runtime flows, not only by declared rules

{% hint style="info" %}
Reachability is path-based. A public IP alone doesn’t define priority.
{% endhint %}

### Signals Alma uses

Alma combines **cloud posture** with **runtime telemetry**.

* Cloud: security groups/firewalls, routes/peering, gateways, LBs/ingress, tags and roles
* Runtime: observed inbound/outbound flows, service call patterns, protocol visibility, workload role

<figure><img src="/files/w8USKB1ahgWhORIidpN1" alt=""><figcaption><p>Declared exposure vs observed runtime exposure.</p></figcaption></figure>

### What drives the score

* **Exposure**: internet/ingress reachable. Weak network boundaries.
* **Lateral movement**: hub position. Many reachable internal systems.
* **Criticality**: prod vs dev. Crown-jewel labels. Ownership tags.
* **Data + identity**: paths to sensitive stores. Elevated roles. Risky integrations.
* **Runtime confidence**: observed flows raise confidence. Stale/noisy signals drop it.

### What you see in Alma

* Ranked VM list with “why prioritised” highlights
* Clickable inbound/outbound paths
* “If compromised → then what?” path simulation
* Next actions: tighten ingress, segment paths, lock down identity, patch high-impact nodes first

### Example: same VM build, different risk

* **VM-1 (high):** behind an internet LB. Talks to auth. Path to a prod DB.
* **VM-2 (low):** no inbound flows. Isolated subnet. Only talks to non-prod logging.
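The scoring above, as an added toy model written for this page (it is not Alma's own algorithm or code): it builds a reachability graph from constructed cloud-posture and runtime-flow edges, weights each edge by how well the two sources agree, and ranks three hypothetical VMs. The node names, confidence values and score weights are assumptions chosen to reproduce the VM-1/VM-2 contrast, plus a VM-3 with a public IP and an open security group but no observed traffic and nothing behind it.

```python
"""Toy path-based VM ranking: added illustration, not Alma's own algorithm.

Each edge gets a confidence in [0, 1]: declared by cloud posture AND seen in
runtime telemetry = 1.0; seen at runtime but undeclared = 0.8; declared but
never observed = 0.4. Weights and names below are assumptions.
"""
import heapq

# Constructed sample inventory (hypothetical names).
NODES = {
    "internet":    {"kind": "external"},
    "lb-1":        {"kind": "lb"},
    "vm-1":        {"kind": "vm", "env": "prod"},
    "vm-2":        {"kind": "vm", "env": "prod"},
    "vm-3":        {"kind": "vm", "env": "dev", "public_ip": True},
    "auth":        {"kind": "identity"},
    "prod-db":     {"kind": "datastore"},
    "log-nonprod": {"kind": "service"},
}

# (src, dst, evidence): "cloud" = security group / LB / route allows it;
# "runtime" = a flow between the two was actually observed.
EDGES = [
    ("internet", "lb-1", "cloud"),    ("internet", "lb-1", "runtime"),
    ("lb-1", "vm-1", "cloud"),        ("lb-1", "vm-1", "runtime"),
    ("vm-1", "auth", "cloud"),        ("vm-1", "auth", "runtime"),
    ("vm-1", "prod-db", "cloud"),     ("vm-1", "prod-db", "runtime"),
    ("vm-2", "log-nonprod", "cloud"), ("vm-2", "log-nonprod", "runtime"),
    ("vm-2", "prod-db", "cloud"),     # SG allows it, no flow ever seen
    ("internet", "vm-3", "cloud"),    # public IP, open SG, no traffic seen
]

SENSITIVE_KINDS = {"identity", "datastore", "secrets", "cicd"}
CONFIDENCE = {frozenset({"cloud", "runtime"}): 1.0,
              frozenset({"runtime"}): 0.8,
              frozenset({"cloud"}): 0.4}
WEIGHTS = {"exposure": 40, "lateral": 5, "sensitive": 20, "prod": 15}


def build_graph(edges):
    """Collapse evidence per (src, dst) into adjacency src -> {dst: confidence}."""
    evidence = {}
    for src, dst, kind in edges:
        evidence.setdefault((src, dst), set()).add(kind)
    adj = {}
    for (src, dst), kinds in evidence.items():
        adj.setdefault(src, {})[dst] = CONFIDENCE[frozenset(kinds)]
    return adj


def best_paths(adj, start):
    """Highest-confidence path from start to every reachable node
    (Dijkstra on the product of edge confidences).
    Returns node -> (confidence, path)."""
    best = {start: (1.0, [start])}
    heap = [(-1.0, start)]
    while heap:
        neg, node = heapq.heappop(heap)
        conf = -neg
        if conf < best[node][0]:
            continue  # stale heap entry
        for nxt, edge_conf in adj.get(node, {}).items():
            cand = conf * edge_conf
            if nxt not in best or cand > best[nxt][0]:
                best[nxt] = (cand, best[node][1] + [nxt])
                heapq.heappush(heap, (-cand, nxt))
    return best


def score_vm(vm, nodes, adj, from_internet):
    """Score one VM; returns (score, list of 'why prioritised' strings)."""
    score, why = 0.0, []
    if vm in from_internet:  # exposure, scaled by confidence in the path
        conf, path = from_internet[vm]
        score += WEIGHTS["exposure"] * conf
        why.append(f"internet-reachable via {' -> '.join(path)} (conf {conf:.1f})")
    outward = best_paths(adj, vm)
    outward.pop(vm)
    for target, (conf, path) in outward.items():
        kind = nodes[target]["kind"]
        if kind == "external":
            continue
        score += WEIGHTS["lateral"] * conf  # hub position: each reachable internal node
        if kind in SENSITIVE_KINDS:       # path to data / identity, confidence-weighted
            score += WEIGHTS["sensitive"] * conf
            why.append(f"path to {kind} {target}: {' -> '.join(path)} (conf {conf:.1f})")
    if nodes[vm].get("env") == "prod":   # criticality
        score += WEIGHTS["prod"]
        why.append("prod workload")
    return round(score, 1), why


def rank_vms(nodes, edges):
    """Rank every VM node, highest score first."""
    adj = build_graph(edges)
    from_internet = best_paths(adj, "internet")
    ranked = []
    for name, attrs in nodes.items():
        if attrs["kind"] != "vm":
            continue
        score, why = score_vm(name, nodes, adj, from_internet)
        ranked.append({"vm": name, "score": score, "why": why})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in rank_vms(NODES, EDGES):
        print(f"{row['vm']:6} {row['score']:6.1f}  " + "; ".join(row["why"]))
```

Running it ranks vm-1 (internet LB in front, confirmed paths to auth and the prod DB) far above vm-2 (no inbound path; its only route to the prod DB is a declared-but-unobserved rule, so it scores at 0.4 confidence) and puts vm-3 last: a public IP and an open security group with no observed traffic and no onward path is the least interesting node of the three, which is the point of "path-based" rather than "public IP".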

### FAQ

**Is this just exposure?**\
No. Exposure is one signal. Alma prioritises end-to-end paths, confirmed by runtime.

**Does priority change?**\
Yes. Routing, services, traffic, and identities change. Priorities update automatically.
