About Recast Rules

On the Recast page in both the Vulnerabilities and Web Applications tabs, you can create Recast rules. Recast rules can modify the severity of all findings that correspond to a criteria query. These rules do not modify scan results.

Why would I use Recast rules?

Scenario: Risk Adjustment

Imagine a scanner detects a Critical vulnerability on a legacy server. However, your organization has placed that server on an isolated network with no internet access, significantly reducing the likelihood of exploitation.

Because the real-world risk is lower than the technical CVSS score suggests, you can use a Recast rule to change the severity from Critical to Low. This ensures your remediation team prioritizes vulnerabilities that pose the highest immediate threat to your environment.

Rule Limits: This feature shares a global 25,000-rule capacity with other rule types. For more information, see Rule Capacity and Global Limits.

Recast Rules

Recast rules target findings determined by the query that is shown in the Criteria column on the tables in both the Vulnerabilities and Web Applications tabs in Recast.

You can set recast rules to expire. When recast rules expire, findings revert to their original severity. See Add Recast, Change Result, and Accept Rules for more information.

Important: Recast impact on scoring
  • VPR is Immutable: The Vulnerability Priority Rating (VPR) is a dynamic score calculated by Tenable for the vulnerability itself. It is never altered by any recast rule that you apply.

  • Impact on AES and Vulnerability Density: (Requires Tenable One / Tenable Lumin license) Recasting a finding changes its effective severity, which influences the count of vulnerabilities by severity (Vulnerability Density) used in the Asset Exposure Score (AES) calculation. For example, if an asset has a high density of vulnerabilities (such as more than 20 findings), recasting only one finding will likely result in only a negligible change to the overall AES score. Accept rules do not alter the AES score.

  • Impact on CES: (Requires Tenable One / Tenable Lumin license) The Cyber Exposure Score (CES) is an aggregated, organizational score. While recast adjusts the AES of an individual asset, the likelihood of a small set of recast rules causing a noticeable shift in the overall CES is small.

View Findings and Assets Affected by Recast Rules

Once a recast rule is active, you can view the specific findings and assets that it impacts. This is the most effective way to verify that your recast query criteria (filters) are targeting the correct data set.

You can view findings and assets affected by a recast rule in three ways:

  • Inspect individual recast rules in the recast rule table.

  • Use the Recast Rule Details pane.

  • Identify findings in Explore > Findings by querying the findings table.

View Affected Findings or Assets from the Recast Table

To view findings or assets that are affected by a recast rule via the recast table:

  1. Select either the Vulnerabilities or the Web Applications tab in Recast.

  2. Look for any row with Recast in the Rule Type column.

  3. On the left side of the row, click the button.

    A table appears.

  4. Click the Assets or Findings tab.

    A table appears with the list of findings that meet the criteria for that rule.

View Affected Findings or Assets from the Recast Rule Details Pane

To view findings or assets that are affected by a recast rule via the recast details pane:

  1. Select either the Vulnerabilities or the Web Applications tab in Recast.

  2. Look for any row with Recast in the Rule Type column.

  3. Double-click on any row of the table.

    A recast rule details pane appears with the Summary tab showing by default.

  4. Click the Assets tab or the Findings tab.

    A table appears with either the list of assets or the list of findings that meet the criteria for that rule.

    For more information, see Recast Rule Details.

View Affected Findings or Assets from Explore

To view findings or assets that are affected by a recast rule via Explore:

  1. In the left navigation, click Explore > Findings.

    The Findings page appears.

  2. Click on the query builder bar.

  3. Build this query in the query builder: Risk Modified is equal to Recast.

    A table appears with the list of findings whose severity has been modified by a recast rule. These findings show a recast icon along with a tooltip (such as High-Recast) in the Severity column of the findings table.

Example Recast Rule

Let's say you have a group of internal servers that use self-signed SSL certificates. Your scans report vulnerabilities from plugin 51192, SSL Certificate Cannot Be Trusted, which has a Medium severity. You know the servers use self-signed certificates, so you create the following rule to lower the severity:

  • Action — Recast

  • Criteria — Plugin ID is equal to 51192

  • New Severity — Info

  • Expires — 12 / 05 / 2025
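The behavior of the example rule above can be modeled locally. The following Python sketch is an added illustration, not Tenable code and not a call to any Tenable API: it applies the rule to constructed findings, shows that the scan severity and VPR stay untouched, and shows the findings reverting once the rule expires. The Finding and RecastRule types, the asset names, the VPR values, the second plugin ID, the month/day/year reading of the expiry date, and the rule still applying on its expiry day are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Finding:            # constructed sample record, not Tenable's schema
    asset: str
    plugin_id: int
    severity: str         # severity as reported by the scan
    vpr: float            # VPR; never changed by a recast rule

@dataclass(frozen=True)
class RecastRule:         # hypothetical local model of one rule
    plugin_id: int        # criteria: "Plugin ID is equal to ..."
    new_severity: str
    expires: Optional[date] = None   # None means the rule never expires

    def active(self, today: date) -> bool:
        # Assumption: the rule still applies on its expiry date.
        return self.expires is None or today <= self.expires

def effective_severity(finding, rules, today):
    """Return (severity, was_recast) for a finding on a given day."""
    for rule in rules:
        if rule.active(today) and rule.plugin_id == finding.plugin_id:
            return rule.new_severity, True
    return finding.severity, False   # expired or unmatched: original severity

def severity_counts(findings, rules, today):
    """Count findings per effective severity (the input to density counts)."""
    return Counter(effective_severity(f, rules, today)[0] for f in findings)

# The rule from the example above; date read as month/day/year (assumption).
RULE = RecastRule(plugin_id=51192, new_severity="Info", expires=date(2025, 12, 5))

# Constructed findings: two internal servers plus one unrelated finding.
FINDINGS = [
    Finding("srv-01", 51192, "Medium", 2.2),
    Finding("srv-02", 51192, "Medium", 2.2),
    Finding("srv-02", 999999999, "Critical", 9.1),  # placeholder plugin ID
]

if __name__ == "__main__":
    for day in (date(2025, 1, 1), date(2026, 1, 1)):
        print(day, dict(severity_counts(FINDINGS, [RULE], day)))
```

Because the criteria match on plugin ID alone, the rule lowers every finding from plugin 51192 in scope, not only those on the internal servers it was written for.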