Skip to main content

Remediation

Building a fix plan

A fix plan starts by ranking your findings by real-world risk, then turning the top of that list into work someone can actually pick up. This page covers the Prioritization, Campaigns, Playbooks, and Teams tabs — everything you need to go from "here's the risk" to "here's the plan, and here's who owns it."

What it's for

  • Rank findings by risk, not just severity — so the finding that's exploited in the wild on a production server rises above the theoretical one on a test box.
  • Bundle related work into remediation packages and campaigns you can hand off.
  • Assign ownership — every package can have a team and an owner with a due date.
  • Hand the work to your tracker — push a campaign to Jira or ServiceNow in one step.

Prioritization: ranking your findings

The Prioritization tab lists every scored finding, highest risk first. Each finding gets a single composite score that blends its severity, its exploitability, whether a patch exists, and how important the affected system is to your business.

Prioritization — the ranked score table with filters across the top

The filters and toolbar

ControlWhat it does
SeverityLimits the list to Critical, High, Medium, or Low findings.
Patchable filterShows All Vulnerabilities, Patchable Only (a fix exists), or Unpatchable Only.
Min ScoreHides anything below the risk score you type in (0–100).
Export CSVDownloads the current filtered list as a spreadsheet.
Recompute Scores(Administrators only.) Re-runs the scoring engine so the ranking reflects your latest findings and settings.

The score table

Each row is one finding on one system. The columns are:

ColumnWhat it shows
#The finding's rank in the current list.
InstanceThe unique finding-on-asset it refers to.
CVEThe public vulnerability identifier, where one exists.
SeverityCritical / High / Medium / Low.
CVSSThe industry base severity score.
EPSSThe probability the vulnerability will be exploited, as a percentage.
KEVA badge when it's on the public "Known Exploited Vulnerabilities" list.
PatchWhether a fix is available.
Business ContextThe importance tag inherited from the asset (for example crown jewel or production), which raises or lowers the score.
ScoreThe composite risk score, shown as a bar and a number. Hover to see how business context adjusted it.
ScannerThe source that reported the finding.
AI ActionsOne-click AI helpers for this finding (see below).

AI actions on a finding

In the AI Actions column, each finding has three shortcuts that open the AI assistant with the finding's context already filled in:

  • Generate Fix Plan — a suggested, step-by-step remediation.
  • Write Ticket — a ready-to-paste ticket draft. From the drafted ticket you can also click Push to Jira or Push to ServiceNow to create the ticket directly for that finding — ThreatWeaver shows the created ticket ID with a link to open it. This is separate from the campaign-level Push to Jira / Push to ServiceNow described below, which creates tickets for a whole campaign's packages at once.
  • Analyze Root Cause — an explanation of why the finding exists and what's behind it.

Administrators also see a Scoring Weights panel below the table, showing how much each factor contributes to the composite score.

Campaigns: packaging and assigning the work

A campaign is a tracked initiative — for example Q1 Critical Remediation — that holds one or more remediation packages. Each package is a bundle of related findings you can assign, work, and close as a unit.

Campaigns — the campaign list with progress bars, expanded to show its packages

The toolbar

ControlWhat it does
Status filterShows All Statuses, Active, Completed, or Cancelled campaigns.
RefreshReloads the list.
New CampaignOpens the create dialog.

The campaign list

Each row shows the campaign Name, Status, Target Date, a Progress bar, its number of Packages, and when it was Created. Click a row to expand it and reveal its packages, actions, and detail.

Creating a campaign

The New Campaign dialog asks for a Campaign Name (required), an optional Description, and an optional Target Date.

Generating packages into a campaign

Expand a campaign and click Generate Packages to build remediation packages from your scored findings. The dialog lets you shape exactly what goes in:

FieldWhat it does
Severity FilterOnly include findings of a chosen severity.
Minimum Risk ScoreOnly include findings at or above this score.
Group ByHow findings are split into packages — by Severity, Asset, Owner, or Plugin Family.
CVE FilterRestrict to specific vulnerabilities.
Plugin Name / KeywordRestrict by a scan-check name or keyword (for example Log4j, OpenSSL).
Plugin FamilyRestrict to a family of scan checks.
Assign TeamThe team the new packages are assigned to.
Assign OwnerThe individual owner for the new packages.
Generate & LinkCreates the packages and adds them to this campaign.

Working with the packages

Inside an expanded campaign you can:

  • Export CSV — download the campaign's packages and their findings.
  • Ask AI — open the assistant with the campaign's progress as context.
  • Push to Jira / Push to ServiceNow — create tickets in your tracker for the campaign's packages. When it succeeds, ThreatWeaver shows how many tickets (and any parent epic) were created, with a link to open them.
Assigning and moving a package

Each package shows its owner and status. From a package you can Lock it to freeze its contents before work starts, or remove it from the campaign. Moving a package through its lifecycle and verifying the fix is covered in Tracking remediation.

Playbooks: reusable remediation procedures

The Playbooks tab holds step-by-step procedures you can reuse and match to a class of vulnerability — for example Windows Server OS Patching. The list table shows each playbook's Name, Vuln Class, OS Family, App Family, number of Steps, and when it was last Updated.

Playbooks — the playbook list with class and OS-family filters

The toolbar

ControlWhat it does
SearchFinds playbooks by name.
Vuln Class filterFilters by class — OS Patch, App Patch, Config Change, Firmware, Certificate, or End of Life.
OS Family filterFilters by Windows, Linux, macOS, Network, or Other.
Seed DefaultsLoads a set of starter playbooks.
New PlaybookOpens the playbook editor.

Creating a playbook

The editor captures a Playbook Name, its Vuln Class, OS Family, and App Family, then a set of ordered Remediation Steps. Each step has a title, a command, and a description; use Add Step to add more and the arrows to reorder them. You can also record a Rollback Procedure and Validation Steps so anyone running it knows how to undo it and how to confirm it worked. Playbooks can be edited or deleted from the list.

When you're working a package, Match Playbooks surfaces the playbooks that fit that package's vulnerability class and operating system.

Teams: who does the work

The Teams tab is where you create the teams you assign packages to. Use Create Team to name a team, give it a description and an owner, and add members; each team appears as a card showing its owner and members, with controls to edit or delete it. Refresh reloads the list.

Common workflows

Workflow: from the riskiest findings to an assigned campaign

  1. Open the Prioritization tab and set Min Score (for example 70) and Severity to focus on the findings that matter most.

    Step 1 — filtering the prioritization list to the highest-risk findings
  2. Switch to Campaigns and click New Campaign. Give it a name and a target date, then create it.

    Step 2 — creating a campaign with a target date
  3. Expand the new campaign and click Generate Packages. Set a Minimum Risk Score, choose how to Group By, and pick an Assign Team and Assign Owner, then click Generate & Link.

    Step 3 — generating owned packages into the campaign
  4. With packages in place, click Push to Jira or Push to ServiceNow to create the tickets your team will work from.

    Step 4 — pushing the campaign's packages to your ticket tracker