Manage the Remediation Lifecycle

Objective

Move beyond simply "finding" bugs. Group vulnerabilities into actionable projects, assign them to owners, and verify the fix.

Prerequisites

  • Integration with a ticketing system (Jira/ServiceNow) is recommended but not required.

  • Scan permissions are required to validate fixes.

Step 1: Group by Solution

IT administrators patch software, not CVEs. Grouping findings by the solution that addresses them saves time for everyone involved.

  1. Log in to Tenable Exposure Management.

  2. In the left navigation menu, click Inventory > Findings.

    The Findings page appears, including a list of all your findings.

  3. Filter the findings list by one, several, or all of the following:

    • Property > VPR Score

    • Property > Risk Factor

    • Property > Risk Severity Level

  4. Optionally, use the Group By drop-down menu to group the list by asset or weakness.

  5. Identify a high-value solution (e.g., "Upgrade Apache Tomcat").

    Tip: One solution entry may address 50+ individual CVEs across multiple servers.

Step 2: Initiate Remediation

  1. In the findings list, select the check box next to each finding on which you want to initiate remediation.

  2. In the upper-right corner of the page, from the Take Action menu, select one of the following:

  3. Configure the ticket and project details with the appropriate remediation information, for example:

    • Name — For example, "Q3 Apache Patch Cycle".

    • Owner — Select the relevant IT Admin or Team Lead.

    • Due Date — Set a realistic deadline based on your SLA (for example, 7 days for Critical).

  4. Click Create Ticket.

    Tenable Exposure Management notifies the assignee and creates a ticket in the selected ticketing system.

Step 3: Verify the Remediation Effort

Once the IT team reports the task as "Complete," you must verify the fix.

Note: You must have access to Tenable Vulnerability Management to run a remediation scan.

  1. Log in to Tenable Vulnerability Management.

  2. Launch a remediation scan on the assets whose vulnerabilities are fixed.

    Note: A remediation scan is faster than a full scan; it only checks the specific plugins associated with the vulnerability.

  3. Review results:

    • If Fixed: The State of the finding in Tenable Exposure Management changes to Fixed and the finding disappears from the active list.

    • If Not Fixed: The State of the finding in Tenable Exposure Management remains Active. If the ticket has been closed by the assignee, you can re-open the ticket and add notes (for example, "Registry key was updated, but the service was not restarted").
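The grouping logic behind Step 1 and the verification logic behind Step 3, as an added example written for this page; it is not Tenable's code and does not use the Tenable API or export format. The findings, asset names, plugin IDs, CVE identifiers and VPR scores are constructed placeholders, and the remediation scan results are a constructed dictionary keyed by (asset, plugin_id).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    plugin_id: int
    cve: str
    solution: str
    vpr: float


# Constructed sample findings (hypothetical assets, plugin IDs, CVE placeholders
# and VPR scores; not a real Tenable export).
FINDINGS = [
    Finding("web-01", 100001, "CVE-0000-0001", "Upgrade Apache Tomcat", 9.2),
    Finding("web-01", 100002, "CVE-0000-0002", "Upgrade Apache Tomcat", 8.7),
    Finding("web-02", 100001, "CVE-0000-0001", "Upgrade Apache Tomcat", 9.2),
    Finding("db-01", 100003, "CVE-0000-0003", "Apply vendor patch for PostgreSQL", 6.1),
    Finding("web-02", 100004, "CVE-0000-0004", "Upgrade Apache Tomcat", 7.5),
]


def group_by_solution(findings, min_vpr=0.0):
    """Step 1: one remediation project per solution. Findings below min_vpr are
    filtered out. Returns {solution: {"cves", "assets", "plugins", "max_vpr"}}."""
    groups = defaultdict(lambda: {"cves": set(), "assets": set(), "plugins": set(), "max_vpr": 0.0})
    for f in findings:
        if f.vpr < min_vpr:
            continue
        g = groups[f.solution]
        g["cves"].add(f.cve)
        g["assets"].add(f.asset)
        g["plugins"].add(f.plugin_id)  # the plugins a remediation scan must re-run
        g["max_vpr"] = max(g["max_vpr"], f.vpr)
    return dict(groups)


def verify_remediation(findings, solution, scan_results):
    """Step 3: re-check only the findings tied to one solution.
    scan_results maps (asset, plugin_id) -> True if the plugin still fires.
    A finding the remediation scan did not cover stays Active: absence of a
    result is not evidence of a fix. Returns {"fixed": [...], "active": [...]}."""
    out = {"fixed": [], "active": []}
    for f in findings:
        if f.solution != solution:
            continue
        still_detected = scan_results.get((f.asset, f.plugin_id), True)
        out["active" if still_detected else "fixed"].append((f.asset, f.plugin_id))
    return out
```

Feeding the "plugins" set of a group into the remediation scan definition keeps the scan to the plugins that matter, and any (asset, plugin) pair the scan skipped is reported as still Active so the ticket is not closed on missing data.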