About Recast Rules

On the Recast page in both the Vulnerabilities and Web Applications tabs, you can create Recast rules. Recast rules can modify the severity of all findings that correspond to a criteria query. These rules do not modify scan results.

Why would I use a Recast rule?

Imagine you have an asset with a vulnerability on an FTP service. You no longer need FTP, so you shut down the service. Now, Tenable Vulnerability Management cannot verify the vulnerability as patched, so it continues to appear in your Findings list. You can use a recast rule to ignore this vulnerability finding without needing to delete the asset and begin a fresh scan.

Recast Rules

Recast rules target findings determined by the query that is shown in the Criteria column on the tables in both the Vulnerabilities and Web Applications tabs in Recast.

You can set recast rules to expire. When recast rules expire, findings revert to their original severity. See Add Recast, Change Result, and Accept Rules for more information.

Important: Recast impact on scoring
  • VPR is Immutable: The Vulnerability Priority Rating (VPR) is a dynamic score calculated by Tenable for the vulnerability itself. It is never altered by any recast rule that you apply.

  • Impact on AES and Vulnerability Density: Recasting a finding changes its effective severity, which influences the count of vulnerabilities by severity (Vulnerability Density) used in the Asset Exposure Score (AES) calculation. For example, if an asset has a high density of vulnerabilities (for example, more than 20 findings), recasting a single finding is likely to make only a negligible change to the overall AES. Accept rules do not alter the AES.

  • Impact on CES: The Cyber Exposure Score (CES) is an aggregated, organizational score. While a recast adjusts the AES of an individual asset, a small number of recast rules is unlikely to cause a noticeable shift in the overall CES.

View Findings and Assets Affected by Recast Rules

Once a recast rule is active, you can view the specific findings and assets that it impacts. This is the most effective way to verify that your recast query criteria (filters) are targeting the correct data set.

You can view findings and assets affected by a recast rule in three ways:

  • Inspect individual recast rules in the recast rule table.

  • Use the Recast Rule Details pane.

  • Identify findings in Explore > Findings by querying the findings table.

View Affected Findings or Assets from the Recast Table

To view findings or assets that are affected by a recast rule via the recast table:

  1. Select either the Vulnerabilities or Web Applications tabs in Recast.

  2. Look for any row with Recast in the Rule Type column.

  3. On the left side of the row, click the button.

    A table appears.

  4. Click the Assets or Findings tab.

    A table appears with either the list of assets or the list of findings that meet the criteria for that rule.

View Affected Findings or Assets from the Recast Rule Details Pane

To view findings or assets that are affected by a recast rule via the recast details pane:

  1. Select either the Vulnerabilities or Web Applications tabs in Recast.

  2. Look for any row with Recast in the Rule Type column.

  3. Double-click on any row of the table.

    A recast rule details pane appears with the Summary tab showing by default.

  4. Click the Assets tab or the Findings tab.

    A table appears with either the list of assets or the list of findings that meet the criteria for that rule.

    For more information, see Recast Rule Details.

View Affected Findings or Assets from Explore

To view findings or assets that are affected by a recast rule via Explore:

  1. In the left navigation, click Explore > Findings.

    The Findings page appears.

  2. Click on the query builder bar.

  3. Build this query in the query builder: Risk Modified is equal to Recast.

    A table appears with the list of findings whose severity has been modified by a recast rule. These findings show a recast icon (such as ) along with a tooltip (such as High-Recast) in the Severity column of the findings table.

Example Recast Rule

Let's say you have a group of internal servers that use self-signed SSL certificates. Your scans report vulnerabilities from plugin 51192, SSL Certificate Cannot Be Trusted, which has a Medium severity. You know the servers use self-signed certificates, so you create the following rule to lower the severity:

  • Action — Recast

  • Criteria — Plugin ID is equal to 51192

  • New Severity — Info

  • Expires — 12 / 05 / 2025
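The behaviour this page describes, modelled as an added Python example: a recast sets only the effective severity and leaves the scan result and VPR untouched, an expired rule reverts the finding to its original severity, and the Explore query Risk Modified is equal to Recast selects exactly the affected findings. This is not Tenable's own code; the Finding and RecastRule classes, the sample findings and the placeholder plugin ID 99999 are constructed, and the expiry date 12 / 05 / 2025 is read as 5 December 2025.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
from collections import Counter

@dataclass
class Finding:
    asset: str
    plugin_id: int
    severity: str                 # severity from the scan result; a recast never rewrites it
    vpr: float                    # VPR is immutable: no rule touches this value
    effective_severity: Optional[str] = None
    risk_modified: Optional[str] = None   # "Recast" when an active rule changed the severity

@dataclass
class RecastRule:
    plugin_id: int      # criteria: Plugin ID is equal to <plugin_id>
    new_severity: str
    expires: date       # last day the rule is in force (inclusive; an assumption)

def apply_recast_rules(findings, rules, today):
    """Set each finding's effective severity from the active rules; expired rules revert it."""
    for f in findings:
        f.effective_severity = f.severity   # default: original severity (also the expired case)
        f.risk_modified = None
        for r in rules:
            if r.plugin_id == f.plugin_id and today <= r.expires:
                f.effective_severity = r.new_severity
                f.risk_modified = "Recast"
    return findings

def recast_findings(findings):
    """Equivalent of the Explore > Findings query 'Risk Modified is equal to Recast'."""
    return [f for f in findings if f.risk_modified == "Recast"]

def severity_density(findings):
    """Findings per effective severity, the count that feeds the AES density term."""
    return dict(Counter(f.effective_severity for f in findings))

# Constructed sample data: two self-signed-certificate findings (plugin 51192) and one
# unrelated finding with a placeholder plugin ID that no rule matches.
SAMPLE = [
    Finding("srv-01", 51192, "Medium", 3.2),
    Finding("srv-02", 51192, "Medium", 3.2),
    Finding("srv-01", 99999, "High", 7.4),
]
RULES = [RecastRule(plugin_id=51192, new_severity="Info", expires=date(2025, 12, 5))]

if __name__ == "__main__":
    active = apply_recast_rules(SAMPLE, RULES, today=date(2025, 6, 1))
    print(severity_density(active), len(recast_findings(active)))     # {'Info': 2, 'High': 1} 2
    expired = apply_recast_rules(SAMPLE, RULES, today=date(2026, 1, 1))
    print(severity_density(expired), len(recast_findings(expired)))   # {'Medium': 2, 'High': 1} 0
```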