Skip to main content

Remediation

Tracking remediation

Once the work is packaged and assigned, Remediation is where you drive it to completion and prove it happened. This page covers a work package's lifecycle and fix verification, the SLA tab, the Exceptions tab, the Compliance tab, and the Reports tab.

What it's for

  • Move work through its stages — from draft, to locked, to in progress, to validated, to closed.
  • Verify the fix really landed — rescan the affected systems and let ThreatWeaver check the findings back automatically.
  • Stay inside your deadlines — see which packages are on track, at risk, or in breach of their SLA.
  • Handle what you can't fix yet — request and approve time-boxed exceptions with compensating controls.
  • Report on your posture — assess against frameworks and generate reports.

Moving a work package through its lifecycle

Open a campaign on the Campaigns tab and expand a package to work it. A package moves through a fixed set of statuses:

Draft → Locked → In progress → Validating → Closed

A package can also branch off this line into Exception Approved: if an exception request is tied to a Work Package ID and a reviewer approves it, that package automatically flips to Exception Approved instead of continuing through the normal flow. See the Exceptions section below.

A work package expanded to show its findings and status-transition buttons

The expanded package shows its Owner, Team, number of Items (the findings inside), when it was Locked, and when it was Created, followed by a table of its findings (CVE / plugin, severity, risk score, hostname). The action row lets you advance and verify the work:

ControlWhat it does
LockFreezes a draft package's contents so the scope can't drift once work begins.
Status buttonsAdvance the package to its next stage (for example in progress, then validating, then closed).
Auto-ValidateChecks the package's findings against your latest scan data and reports how many are Fixed, how many Remaining, and whether it's Ready to Close.
Trigger ScanKicks off a general scan trigger — it's not scoped to this package's hosts, so use it as a broad "run a scan now" nudge rather than a targeted rescan.
Verify FixRuns a fix-verification scan scoped specifically to this package's affected hosts.
Match PlaybooksSurfaces reusable playbooks that fit this package's vulnerability class and operating system.

Verifying a fix

Auto-Validate is the quickest check: it compares the package's findings to what your scanners currently report and shows a Total / Fixed / Remaining breakdown with a progress bar. When nothing remains, it marks the package Ready to Close. If you need fresh scan data first, use Verify Fix to rescan specifically the package's affected hosts (or the broader, unscoped Trigger Scan if you just want a scan run in general), then Auto-Validate again. The Scan Status panel shows the scan's progress while it runs.

SLA: staying inside your deadlines

The SLA tab tracks every work package against the maximum time you allow to remediate a finding of a given severity.

SLA — the summary cards, the per-severity policy, and the breaches table

Summary and actions

Four cards summarize your position: Total SLAs (tracked packages), On Track, At Risk (approaching the deadline), and Breached (past due). Check SLAs re-evaluates every package against the policy, and Export CSV downloads the current breaches.

The SLA policy

The SLA Policy card shows the number of days allowed to remediate by severity — Critical, High, Medium, and Low. Click Update Policy to change those day counts; the new deadlines apply the next time SLAs are checked.

The breaches table

Any package past its deadline appears in SLA Breaches, with its Work Package ID, Severity, Due Date, Breached At time, Escalation Level, and who it was Escalated To.

Exceptions: risk you're accepting for now

When you can't fix a finding immediately, an exception records a time-boxed, reviewed decision to accept the risk — with the compensating controls you have in place.

Exceptions — the request list with status filters and per-row review actions

The toolbar

ControlWhat it does
Status filterShows Pending, Approved, Rejected, Expired, or Extended exceptions.
RefreshReloads the list.
Export CSVDownloads the exceptions.
Request ExceptionOpens the request form.

Requesting an exception

The form captures the CVE ID, the Asset ID / Hostname, and a Reason — all three are required, and the Submit button stays disabled until each is filled in. You can also record the Compensating Controls in place, and optionally a Work Package ID and Instance Key to tie the request to specific work.

Reviewing exceptions

Each row shows the Reason, Status, who Requested and Reviewed it, when it Expires, and when it was Created. Expand a row to see the full request, the compensating controls, any reviewer note, a timeline, and — when the request came with one — a Questionnaire Responses block. Reviewers can Approve, Reject (a note is required), or Extend an approved exception by a number of days. You can also select several pending requests and Approve All or Reject All at once. For a pending request, the AI Exception Assistant can Generate Recommendation — an advisory analysis based on the finding's severity and the stated controls, which you review before deciding.

Compliance: measuring your posture

The Compliance tab assesses your environment against security frameworks and keeps a history of the results.

Compliance — the framework selector, the frameworks list, and past assessment results
  • Select Framework and Run Assessment to score your posture against a framework's controls.
  • Export CSV and Export PDF save the assessment results to share.
  • Administrators can Seed Default Frameworks to load standard frameworks.

The Compliance Frameworks list shows each framework's Name, Version, number of Controls, and whether it's Active. Assessment Results shows each run's Framework, Date, Score, and how many controls Passed, Failed, or were N/A.

Reports

The Reports tab generates remediation reports — Executive Summary, Detailed Technical, Compliance Status, Trend Analysis, and SLA Performance — and lets you view what's been generated and see the scheduled templates. Administrators can also Seed Templates to load a set of default report templates. For the full guide to building, scheduling, and sharing reports, see the Reports section.

Common workflows

Workflow: verify a fix and close the package

  1. On the Campaigns tab, expand the campaign and open the package your team just finished.

    Step 1 — opening a completed work package
  2. Click Verify Fix to rescan the package's affected systems specifically, and wait for the Scan Status panel to finish.

    Step 2 — rescanning the package's systems to confirm the fix
  3. Click Auto-Validate. When the breakdown shows 0 remaining and Ready to Close, advance the package's status to closed.

    Step 3 — Auto-Validate confirms the findings are fixed and the package is ready to close

Workflow: accept a risk you can't fix yet

  1. On the Exceptions tab, click Request Exception and fill in the CVE, the asset, the reason, and your compensating controls.
  2. A reviewer opens the request, optionally clicks Generate Recommendation for an AI second opinion, then Approve or Reject it.
  3. If more time is needed later, the reviewer Extends the approved exception by a number of days.