Ctadel

Read your first finding

A few minutes after you connect a cloud account, the Findings page starts populating. This walkthrough explains what you are looking at.

The Findings page

The unified Findings page lists every open finding across every detector, sorted by severity then recency.

Column | What it tells you
Severity | CRITICAL, HIGH, MEDIUM, LOW.
Finding | The rule name (e.g. Public S3 bucket).
Resource | The cloud resource the rule matched on.
Cloud | Logo + region.
Status | OPEN, IGNORED, or RESOLVED.
Found | First-seen timestamp.

Filter, group, sort, and export: every column is interactive. The same UX is available on the per-detector pages (CSPM, KSPM, ...) if you prefer to scope by detector type.

The detail panel

Click any finding row. A panel slides in from the right with everything we know about it:

  • Description: what the rule looks for and why it matters.
  • Remediation: step-by-step fix, with tabs for Console / Terraform / CLI when the cloud supports all three.
  • References: links to vendor docs, NVD entries, MITRE ATT&CK techniques.
  • Resource graph: a small slice of the cloud graph centred on the affected resource, showing what it is connected to and whether it sits on any toxic combination.
  • Status history: every status change with the timestamp.

Severity, explained

Severity is set by the rule:

  • CRITICAL: direct impact. Data exfiltration possible, account takeover, RCE on a workload. You drop everything for these.
  • HIGH: meaningful exposure. Public exposure without immediate exploit, or a strong configuration drift from a compliance baseline.
  • MEDIUM: hardening. Configurations that are not dangerous on their own but reduce defence in depth.
  • LOW: best-practice nudge. Often noise; filter out of your default view if your team is small.

Status workflow

Every finding moves through three states:

Status | How it gets there
OPEN | Set when the rule first matches a resource.
IGNORED | Set by you, with a reason. Used for accepted risks and false positives.
RESOLVED | Set automatically on the next scan once the rule no longer matches.

You don't mark anything RESOLVED yourself. Apply the fix in your cloud, wait for the next scan, and Ctadel moves the finding to RESOLVED. If the fix didn't take, the finding stays OPEN.
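
A small Python model of the status workflow and the default sort order described above, added here as an illustration; it is not Ctadel's code or API. The Finding fields, function names and sample data are hypothetical. It also assumes three things the page does not specify: scans leave IGNORED findings alone, a RESOLVED finding that matches again returns to OPEN, and "recency" means newest first.

```python
from dataclasses import dataclass, replace
from datetime import datetime
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

@dataclass(frozen=True)
class Finding:              # hypothetical record shape, mirroring the page's columns
    severity: str
    rule: str
    resource: str
    status: str             # OPEN, IGNORED or RESOLVED
    found: datetime         # first-seen timestamp
    reason: str = ""

def ignore(f, reason):      # user action: accepted risk or false positive
    if not reason.strip():
        raise ValueError("IGNORED needs a reason")
    return replace(f, status="IGNORED", reason=reason)

def apply_scan(findings, matches, scan_time):
    """Scanner action. matches maps (rule, resource) -> severity for this scan."""
    out = []
    for f in findings:
        hit = (f.rule, f.resource) in matches
        if f.status == "OPEN" and not hit:
            f = replace(f, status="RESOLVED")    # the fix took
        elif f.status == "RESOLVED" and hit:
            f = replace(f, status="OPEN")        # assumption: a regression reopens
        out.append(f)                            # assumption: IGNORED is never touched
    known = {(f.rule, f.resource) for f in findings}
    out += [Finding(sev, rule, res, "OPEN", scan_time)
            for (rule, res), sev in matches.items() if (rule, res) not in known]
    return out

def default_view(findings):
    """Open findings, highest severity first, newest first within a severity."""
    rows = [f for f in findings if f.status == "OPEN"]
    return sorted(rows, key=lambda f: (SEVERITY_RANK[f.severity], -f.found.timestamp()))

# Constructed sample data, not real Ctadel output.
T0, T1, T2 = datetime(2024, 5, 1), datetime(2024, 5, 2), datetime(2024, 5, 3)
BEFORE = [
    Finding("HIGH", "Public S3 bucket", "bucket-a", "OPEN", T0),
    Finding("MEDIUM", "Sample hardening rule", "vm-1", "OPEN", T1),
    ignore(Finding("LOW", "Sample best-practice rule", "vm-2", "OPEN", T0), "accepted risk"),
]
SCAN = {("Sample hardening rule", "vm-1"): "MEDIUM",
        ("Sample best-practice rule", "vm-2"): "LOW",
        ("Sample critical rule", "role-x"): "CRITICAL"}
AFTER = apply_scan(BEFORE, SCAN, T2)  # bucket-a fixed, one new CRITICAL appears
```

Nothing in the model sets RESOLVED except `apply_scan`, which mirrors the rule that only a later scan can close a finding.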

What to do with your first finding

  1. Read the description. Most findings are obvious once you understand the impact.
  2. Check the resource graph. If the finding sits on a toxic combination, fix that path first; it will resolve multiple findings at once.
  3. Apply the remediation in your cloud console or via Terraform.
  4. Wait for the next scan. Ctadel marks the finding RESOLVED when the issue is gone.

If the finding is genuinely a false positive, mark it IGNORED with a reason.

What's next