Remediation
Building a fix plan
A fix plan starts by ranking your findings by real-world risk, then turning the top of that list into work someone can actually pick up. This page covers the Prioritization, Campaigns, Playbooks, and Teams tabs — everything you need to go from "here's the risk" to "here's the plan, and here's who owns it."
What it's for
- Rank findings by risk, not just severity — so the finding that's exploited in the wild on a production server rises above the theoretical one on a test box.
- Bundle related work into remediation packages and campaigns you can hand off.
- Assign ownership — every package can have a team and an owner with a due date.
- Hand the work to your tracker — push a campaign to Jira or ServiceNow in one step.
Prioritization: ranking your findings
The Prioritization tab lists every scored finding, highest risk first. Each finding gets a single composite score that blends its severity, its exploitability, whether a patch exists, and how important the affected system is to your business.
The filters and toolbar
| Control | What it does |
|---|---|
| Severity | Limits the list to Critical, High, Medium, or Low findings. |
| Patchable filter | Shows All Vulnerabilities, Patchable Only (a fix exists), or Unpatchable Only. |
| Min Score | Hides anything below the risk score you type in (0–100). |
| Export CSV | Downloads the current filtered list as a spreadsheet. |
| Recompute Scores | (Administrators only.) Re-runs the scoring engine so the ranking reflects your latest findings and settings. |
The score table
Each row is one finding on one system. The columns are:
| Column | What it shows |
|---|---|
| # | The finding's rank in the current list. |
| Instance | The unique finding-on-asset it refers to. |
| CVE | The public vulnerability identifier, where one exists. |
| Severity | Critical / High / Medium / Low. |
| CVSS | The industry base severity score. |
| EPSS | The probability the vulnerability will be exploited, as a percentage. |
| KEV | A badge when it's on the public "Known Exploited Vulnerabilities" list. |
| Patch | Whether a fix is available. |
| Business Context | The importance tag inherited from the asset (for example crown jewel or production), which raises or lowers the score. |
| Score | The composite risk score, shown as a bar and a number. Hover to see how business context adjusted it. |
| Scanner | The source that reported the finding. |
| AI Actions | One-click AI helpers for this finding (see below). |
AI actions on a finding
In the AI Actions column, each finding has three shortcuts that open the AI assistant with the finding's context already filled in:
- Generate Fix Plan — a suggested, step-by-step remediation.
- Write Ticket — a ready-to-paste ticket draft. From the drafted ticket you can also click Push to Jira or Push to ServiceNow to create the ticket directly for that finding — ThreatWeaver shows the created ticket ID with a link to open it. This is separate from the campaign-level Push to Jira / Push to ServiceNow described below, which creates tickets for a whole campaign's packages at once.
- Analyze Root Cause — an explanation of why the finding exists and what's behind it.
Administrators also see a Scoring Weights panel below the table, showing how much each factor contributes to the composite score.
Campaigns: packaging and assigning the work
A campaign is a tracked initiative — for example Q1 Critical Remediation — that holds one or more remediation packages. Each package is a bundle of related findings you can assign, work, and close as a unit.
The toolbar
| Control | What it does |
|---|---|
| Status filter | Shows All Statuses, Active, Completed, or Cancelled campaigns. |
| Refresh | Reloads the list. |
| New Campaign | Opens the create dialog. |
The campaign list
Each row shows the campaign Name, Status, Target Date, a Progress bar, its number of Packages, and when it was Created. Click a row to expand it and reveal its packages, actions, and detail.
Creating a campaign
The New Campaign dialog asks for a Campaign Name (required), an optional Description, and an optional Target Date.
Generating packages into a campaign
Expand a campaign and click Generate Packages to build remediation packages from your scored findings. The dialog lets you shape exactly what goes in:
| Field | What it does |
|---|---|
| Severity Filter | Only include findings of a chosen severity. |
| Minimum Risk Score | Only include findings at or above this score. |
| Group By | How findings are split into packages — by Severity, Asset, Owner, or Plugin Family. |
| CVE Filter | Restrict to specific vulnerabilities. |
| Plugin Name / Keyword | Restrict by a scan-check name or keyword (for example Log4j, OpenSSL). |
| Plugin Family | Restrict to a family of scan checks. |
| Assign Team | The team the new packages are assigned to. |
| Assign Owner | The individual owner for the new packages. |
| Generate & Link | Creates the packages and adds them to this campaign. |
Working with the packages
Inside an expanded campaign you can:
- Export CSV — download the campaign's packages and their findings.
- Ask AI — open the assistant with the campaign's progress as context.
- Push to Jira / Push to ServiceNow — create tickets in your tracker for the campaign's packages. When it succeeds, ThreatWeaver shows how many tickets (and any parent epic) were created, with a link to open them.
Each package shows its owner and status. From a package you can Lock it to freeze its contents before work starts, or remove it from the campaign. Moving a package through its lifecycle and verifying the fix is covered in Tracking remediation.
Playbooks: reusable remediation procedures
The Playbooks tab holds step-by-step procedures you can reuse and match to a class of vulnerability — for example Windows Server OS Patching. The list table shows each playbook's Name, Vuln Class, OS Family, App Family, number of Steps, and when it was last Updated.
The toolbar
| Control | What it does |
|---|---|
| Search | Finds playbooks by name. |
| Vuln Class filter | Filters by class — OS Patch, App Patch, Config Change, Firmware, Certificate, or End of Life. |
| OS Family filter | Filters by Windows, Linux, macOS, Network, or Other. |
| Seed Defaults | Loads a set of starter playbooks. |
| New Playbook | Opens the playbook editor. |
Creating a playbook
The editor captures a Playbook Name, its Vuln Class, OS Family, and App Family, then a set of ordered Remediation Steps. Each step has a title, a command, and a description; use Add Step to add more and the arrows to reorder them. You can also record a Rollback Procedure and Validation Steps so anyone running it knows how to undo it and how to confirm it worked. Playbooks can be edited or deleted from the list.
When you're working a package, Match Playbooks surfaces the playbooks that fit that package's vulnerability class and operating system.
Teams: who does the work
The Teams tab is where you create the teams you assign packages to. Use Create Team to name a team, give it a description and an owner, and add members; each team appears as a card showing its owner and members, with controls to edit or delete it. Refresh reloads the list.
Common workflows
Workflow: from the riskiest findings to an assigned campaign
-
Open the Prioritization tab and set Min Score (for example
70) and Severity to focus on the findings that matter most.Step 1 — filtering the prioritization list to the highest-risk findings -
Switch to Campaigns and click New Campaign. Give it a name and a target date, then create it.
Step 2 — creating a campaign with a target date -
Expand the new campaign and click Generate Packages. Set a Minimum Risk Score, choose how to Group By, and pick an Assign Team and Assign Owner, then click Generate & Link.
Step 3 — generating owned packages into the campaign -
With packages in place, click Push to Jira or Push to ServiceNow to create the tickets your team will work from.
Step 4 — pushing the campaign's packages to your ticket tracker