About Recast and Accept Rules
On the Recast page, in both the Vulnerabilities and Web Applications tabs, you can create both Recast and Accept rules. Recast rules modify the severity of all findings that match a criteria query; Accept rules hide the matching findings instead. Neither kind of rule modifies scan results.
Why would I use these?
Imagine you have an asset with a vulnerability on an FTP service. You no longer need FTP, so you shut down the service. Now, Tenable Vulnerability Management cannot verify the vulnerability as patched, so it continues to appear in your Findings list. You can use a recast or accept rule to ignore this vulnerability finding without needing to delete the asset and begin a fresh scan.
Recast Rules
Recast rules target findings determined by the query that is shown in the Criteria column on the tables in both the Vulnerabilities and Web Applications tabs in Recast.
You can set recast rules to expire. When recast rules expire, findings revert to their original severity. See Add Recast Rules for more information.
Findings Affected by a Recast Rule
To view findings affected by a recast rule, do one of the following:
- Via the Recast page:
  - Select either the Vulnerabilities or Web Applications tab in Recast.
  - In the recast table, select the check box for the recast rule.
  - On the left side of the row, click the button to expand the row. A table appears.
  - Click the Findings tab. A table appears with the list of findings that meet the Criteria for that rule.
- Via the recast rule details page: select the Findings tab in the details view of any recast rule. For more information, see Recast Rule Details.
Example Recast Rule
Let's say you have a group of internal servers that use self-signed SSL certificates. Your scans report vulnerabilities from plugin 51192, SSL Certificate Cannot Be Trusted, which has a Medium severity. You know the servers use self-signed certificates, so you create the following rule to lower the severity:
- Action — Recast
- Criteria — Plugin ID is equal to 51192
- New Severity — Info
- Expires — 12 / 05 / 2025
Accept Rules
Accept rules work the same way as recast rules, but accept the risk and hide the findings. You can set Accept rules to expire. When Accept rules expire, their findings reappear on the Explore > Findings table.
To view findings that are hidden by Accept rules, use the Risk Modified filter on the Explore > Findings table with a value of Accepted. Accepted findings appear with a marker in the Severity column and, at the top-left corner of the finding details page, with an Accepted label.
Example Accept Rule
For the same internal servers using self-signed SSL certificates, let's say you want to hide any findings for plugin 51192 rather than lower their severity. You create the following rule:
- Action — Accept
- Name — Accept - Plugin ID: 51192
- Criteria — Plugin ID is equal to 51192
- Expires — Never
Because this rule never expires, the matching findings stay hidden until you delete the rule; they are still visible through the Risk Modified filter and are still recorded in Activity Logs.
Recast and accept rules both allow you to manage exceptions, but they have distinct impacts on your vulnerability metrics and reporting within Tenable Vulnerability Management. The following table compares the impact of recast and accept rules.
| Feature | Recast Rule | Accept Rule |
|---|---|---|
| Primary Function | Changes the visible CVSS-based severity of a finding (e.g., Critical to Low) to reflect an adjusted risk level. | Hides the finding from active views and moves it to a permanent or temporary accepted risk state. |
| Vulnerability Count | Finding is still counted in your total vulnerability count, but with the new severity level. | Finding is not counted in your active vulnerability totals, dashboards, or reports by default. |
| Risk Score Impact | VPR (Vulnerability Priority Rating) is not impacted and retains its original value. The change in severity, however, affects the vulnerability density count, which influences the Asset Exposure Score (AES) and Cyber Exposure Score (CES) calculation for the asset. | The VPR, AES, and CES scores of accepted findings are not altered. The underlying risk of a finding is still preserved even if it is accepted. |
| Visibility | The finding remains visible on dashboards and workbenches, and appears in standard reports with the modified severity label. | The finding is hidden by default across all workbenches and dashboards, and does NOT appear in standard reports (unless you specifically filter for accepted findings). |
| Remediation Workflow | Re-prioritization. The finding remains in the active queue, but its new severity level adjusts its priority in remediation plans, allowing teams to either elevate or de-escalate its urgency. | Risk Acceptance. The finding is explicitly marked as an accepted business risk, signaling that no immediate remediation is planned or required. |
| Audit Trail | Yes. The rule creation, application, and original data (severity and VPR) are shown in Activity Logs. | Yes. The rule creation, application (with justification and expiration), and original finding data are preserved in Activity Logs. |
VPR is Immutable: The Vulnerability Priority Rating (VPR) is a dynamic score calculated by Tenable for the vulnerability itself. It is never altered by any recast or accept rule you apply.
Impact on AES and Vulnerability Density: Recasting a finding changes its effective severity, which changes the count of vulnerabilities by severity (Vulnerability Density) used in the Asset Exposure Score (AES) calculation. On an asset with a high vulnerability density (say, more than 20 findings), recasting a single finding changes the AES only negligibly. Accept rules do not alter the AES score.
Impact on CES: The Cyber Exposure Score (CES) is an aggregated, organizational score. While recast adjusts the AES of an individual asset, the likelihood of a small set of recast rules causing a noticeable shift in the overall CES is small. Accept rules do not alter the CES score.
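To make the difference between the two rule types concrete, the following is an added example written for this page, not Tenable's code or API. It models the rule semantics described above (criteria matching on Plugin ID, expiry, recast changing only the effective severity, accept hiding the finding from the default table and from severity counts, VPR never changing) against a constructed set of findings. It assumes that a rule stops applying at the start of its expiry date, that an Accept rule takes precedence when both rule types match the same finding, and that the VPR values and the placeholder plugin ID 999999 are made up for illustration.

```python
"""Constructed model of Tenable VM recast/accept rule behaviour (example, not product code)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

SEVERITIES = ("Info", "Low", "Medium", "High", "Critical")


@dataclass(frozen=True)
class Finding:
    asset: str
    plugin_id: int
    name: str
    severity: str   # scanner-assigned severity; never rewritten by a rule
    vpr: float      # Tenable-computed VPR; never rewritten by a rule


@dataclass(frozen=True)
class Rule:
    action: str                           # "Recast" or "Accept"
    plugin_id: int                        # criteria: Plugin ID is equal to <plugin_id>
    new_severity: Optional[str] = None    # Recast rules only
    expires: Optional[date] = None        # None means "Never"


@dataclass
class ViewFinding:
    finding: Finding
    effective_severity: str          # what the Findings table shows
    risk_modified: Optional[str]     # "Recast", "Accepted", or None


def rule_active(rule: Rule, today: date) -> bool:
    # Assumption: a rule no longer applies from its expiry date onwards.
    return rule.expires is None or today < rule.expires


def apply_rules(findings, rules, today: date):
    """Return the view of each finding after applying active rules."""
    views = []
    for f in findings:
        view = ViewFinding(f, f.severity, None)
        matching = [r for r in rules if r.plugin_id == f.plugin_id and rule_active(r, today)]
        recasts = [r for r in matching if r.action == "Recast"]
        accepts = [r for r in matching if r.action == "Accept"]
        if recasts:
            # Recast: severity changes, the finding stays in the active set.
            view.effective_severity = recasts[-1].new_severity
            view.risk_modified = "Recast"
        if accepts:
            # Accept: risk is accepted and the finding is hidden (assumption: wins over Recast).
            view.risk_modified = "Accepted"
        views.append(view)
    return views


def active_findings(views):
    """Default Explore > Findings table: accepted findings are hidden."""
    return [v for v in views if v.risk_modified != "Accepted"]


def accepted_findings(views):
    """Equivalent of filtering Risk Modified is equal to Accepted."""
    return [v for v in views if v.risk_modified == "Accepted"]


def severity_counts(views):
    """Vulnerability density as dashboards would count it: active findings by effective severity."""
    counts = {s: 0 for s in SEVERITIES}
    for v in active_findings(views):
        counts[v.effective_severity] += 1
    return counts


# Constructed sample data: two internal servers with self-signed certificates flagged by
# plugin 51192 (the page's example) plus one unrelated High finding with a placeholder ID.
SAMPLE_FINDINGS = [
    Finding("web-int-01", 51192, "SSL Certificate Cannot Be Trusted", "Medium", 3.6),
    Finding("web-int-02", 51192, "SSL Certificate Cannot Be Trusted", "Medium", 3.6),
    Finding("web-int-01", 999999, "Placeholder High finding", "High", 7.4),
]
RECAST_51192 = Rule("Recast", 51192, new_severity="Info", expires=date(2025, 12, 5))
ACCEPT_51192 = Rule("Accept", 51192)  # Expires: Never


if __name__ == "__main__":
    for label, rules, today in (
        ("recast, before expiry", [RECAST_51192], date(2025, 6, 1)),
        ("recast, after expiry", [RECAST_51192], date(2025, 12, 6)),
        ("accept", [ACCEPT_51192], date(2025, 6, 1)),
    ):
        views = apply_rules(SAMPLE_FINDINGS, rules, today)
        print(label, "active:", len(active_findings(views)),
              "hidden:", len(accepted_findings(views)), severity_counts(views))
```

Running the three scenarios shows the table's point in numbers: under the recast rule all three findings stay active and the Medium count moves to Info; after the expiry date the severity reverts; under the accept rule only the High finding remains in the active view and counts, while the two accepted findings are still reachable through the Risk Modified filter with their original severity and VPR intact.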