Remediation
Tracking remediation
Once the work is packaged and assigned, Remediation is where you drive it to completion and prove it happened. This page covers a work package's lifecycle and fix verification, the SLA tab, the Exceptions tab, the Compliance tab, and the Reports tab.
What it's for
- Move work through its stages — from draft, to locked, to in progress, to validated, to closed.
- Verify the fix really landed — rescan the affected systems and let ThreatWeaver check the findings back automatically.
- Stay inside your deadlines — see which packages are on track, at risk, or in breach of their SLA.
- Handle what you can't fix yet — request and approve time-boxed exceptions with compensating controls.
- Report on your posture — assess against frameworks and generate reports.
Moving a work package through its lifecycle
Open a campaign on the Campaigns tab and expand a package to work it. A package moves through a fixed set of statuses:
Draft → Locked → In progress → Validating → Closed
A package can also branch off this line into Exception Approved: if an exception request is tied to a Work Package ID and a reviewer approves it, that package automatically flips to Exception Approved instead of continuing through the normal flow. See the Exceptions section below.
The expanded package shows its Owner, Team, number of Items (the findings inside), when it was Locked, and when it was Created, followed by a table of its findings (CVE / plugin, severity, risk score, hostname). The action row lets you advance and verify the work:
| Control | What it does |
|---|---|
| Lock | Freezes a draft package's contents so the scope can't drift once work begins. |
| Status buttons | Advance the package to its next stage (for example in progress, then validating, then closed). |
| Auto-Validate | Checks the package's findings against your latest scan data and reports how many are Fixed, how many Remaining, and whether it's Ready to Close. |
| Trigger Scan | Kicks off a general scan trigger — it's not scoped to this package's hosts, so use it as a broad "run a scan now" nudge rather than a targeted rescan. |
| Verify Fix | Runs a fix-verification scan scoped specifically to this package's affected hosts. |
| Match Playbooks | Surfaces reusable playbooks that fit this package's vulnerability class and operating system. |
Verifying a fix
Auto-Validate is the quickest check: it compares the package's findings to what your scanners currently report and shows a Total / Fixed / Remaining breakdown with a progress bar. When nothing remains, it marks the package Ready to Close. If you need fresh scan data first, use Verify Fix to rescan specifically the package's affected hosts (or the broader, unscoped Trigger Scan if you just want a scan run in general), then Auto-Validate again. The Scan Status panel shows the scan's progress while it runs.
SLA: staying inside your deadlines
The SLA tab tracks every work package against the maximum time you allow to remediate a finding of a given severity.
Summary and actions
Four cards summarize your position: Total SLAs (tracked packages), On Track, At Risk (approaching the deadline), and Breached (past due). Check SLAs re-evaluates every package against the policy, and Export CSV downloads the current breaches.
The SLA policy
The SLA Policy card shows the number of days allowed to remediate by severity — Critical, High, Medium, and Low. Click Update Policy to change those day counts; the new deadlines apply the next time SLAs are checked.
The breaches table
Any package past its deadline appears in SLA Breaches, with its Work Package ID, Severity, Due Date, Breached At time, Escalation Level, and who it was Escalated To.
Exceptions: risk you're accepting for now
When you can't fix a finding immediately, an exception records a time-boxed, reviewed decision to accept the risk — with the compensating controls you have in place.
The toolbar
| Control | What it does |
|---|---|
| Status filter | Shows Pending, Approved, Rejected, Expired, or Extended exceptions. |
| Refresh | Reloads the list. |
| Export CSV | Downloads the exceptions. |
| Request Exception | Opens the request form. |
Requesting an exception
The form captures the CVE ID, the Asset ID / Hostname, and a Reason — all three are required, and the Submit button stays disabled until each is filled in. You can also record the Compensating Controls in place, and optionally a Work Package ID and Instance Key to tie the request to specific work.
Reviewing exceptions
Each row shows the Reason, Status, who Requested and Reviewed it, when it Expires, and when it was Created. Expand a row to see the full request, the compensating controls, any reviewer note, a timeline, and — when the request came with one — a Questionnaire Responses block. Reviewers can Approve, Reject (a note is required), or Extend an approved exception by a number of days. You can also select several pending requests and Approve All or Reject All at once. For a pending request, the AI Exception Assistant can Generate Recommendation — an advisory analysis based on the finding's severity and the stated controls, which you review before deciding.
Compliance: measuring your posture
The Compliance tab assesses your environment against security frameworks and keeps a history of the results.
- Select Framework and Run Assessment to score your posture against a framework's controls.
- Export CSV and Export PDF save the assessment results to share.
- Administrators can Seed Default Frameworks to load standard frameworks.
The Compliance Frameworks list shows each framework's Name, Version, number of Controls, and whether it's Active. Assessment Results shows each run's Framework, Date, Score, and how many controls Passed, Failed, or were N/A.
Reports
The Reports tab generates remediation reports — Executive Summary, Detailed Technical, Compliance Status, Trend Analysis, and SLA Performance — and lets you view what's been generated and see the scheduled templates. Administrators can also Seed Templates to load a set of default report templates. For the full guide to building, scheduling, and sharing reports, see the Reports section.
Common workflows
Workflow: verify a fix and close the package
-
On the Campaigns tab, expand the campaign and open the package your team just finished.
Step 1 — opening a completed work package -
Click Verify Fix to rescan the package's affected systems specifically, and wait for the Scan Status panel to finish.
Step 2 — rescanning the package's systems to confirm the fix -
Click Auto-Validate. When the breakdown shows 0 remaining and Ready to Close, advance the package's status to closed.
Step 3 — Auto-Validate confirms the findings are fixed and the package is ready to close
Workflow: accept a risk you can't fix yet
- On the Exceptions tab, click Request Exception and fill in the CVE, the asset, the reason, and your compensating controls.
- A reviewer opens the request, optionally clicks Generate Recommendation for an AI second opinion, then Approve or Reject it.
- If more time is needed later, the reviewer Extends the approved exception by a number of days.