Triage open findings
Triage is the routine you run weekly (and on day one of a new tenant). The goal is not to close everything; it is to close the things that matter and to decide consciously about the rest.
Step 1, scope
Open the Findings page. Filter:
- Status = OPEN.
- Severity = CRITICAL, HIGH. Skip MEDIUM and LOW for the first pass.
- Project = your current project. (You should already be on it; if not, switch.)
This is your priority list. Typical fresh tenants have 30 to 100 entries here.
Step 2, sort by toxic-combo participation
Click Group by and choose Toxic combination membership. Findings that sit on at least one chain bubble to the top. These are your highest-leverage fixes.
For each row in the On a toxic combination group:
- Click to open the detail panel.
- Open the Toxic combinations tab in the panel.
- Read the chain. Decide the cheapest break-point (often the public exposure or the leaked secret).
- Apply the remediation. The finding moves to RESOLVED automatically on the next scan.
Closing one finding here often closes 3 to 5 OPEN findings transitively, because the chain disappears.
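The ordering in Steps 1 and 2, and the "closing one finding closes others" effect, can be reasoned about offline against an exported findings list. The following is an added example, not the product's own code or API: the record shape (id, status, severity, list of toxic-combination ids) and the sample findings are constructed for the illustration, and "transitive closing" is modelled as: a chain disappears when any member is fixed, and any other OPEN finding whose chains have all disappeared drops out of the toxic-combination group.

```python
"""Step 1 and Step 2 of the triage routine over a constructed findings export.
The record shape (id, status, severity, combos) is an assumption for this
illustration, not the product's own data model."""

# Constructed sample: seven findings; "combos" lists the toxic-combination
# chains each finding sits on (empty list = not part of any chain).
FINDINGS = [
    {"id": "F1", "status": "OPEN",     "severity": "CRITICAL", "combos": ["TC1", "TC2"]},
    {"id": "F2", "status": "OPEN",     "severity": "HIGH",     "combos": ["TC1"]},
    {"id": "F3", "status": "OPEN",     "severity": "HIGH",     "combos": ["TC2"]},
    {"id": "F4", "status": "OPEN",     "severity": "HIGH",     "combos": []},
    {"id": "F5", "status": "OPEN",     "severity": "MEDIUM",   "combos": ["TC1"]},
    {"id": "F6", "status": "RESOLVED", "severity": "CRITICAL", "combos": ["TC3"]},
    {"id": "F7", "status": "OPEN",     "severity": "LOW",      "combos": []},
]

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def first_pass(findings):
    """Step 1 filter: Status = OPEN and Severity = CRITICAL or HIGH."""
    return [f for f in findings
            if f["status"] == "OPEN" and f["severity"] in ("CRITICAL", "HIGH")]


def prioritize(findings):
    """Step 2 ordering: findings on at least one chain first (most chains
    first), then by severity, then by id so the list is stable. Returns ids."""
    ordered = sorted(findings,
                     key=lambda f: (-len(f["combos"]),
                                    SEVERITY_RANK[f["severity"]],
                                    f["id"]))
    return [f["id"] for f in ordered]


def impact(finding_id, findings):
    """Model of the transitive effect of fixing one finding: every chain it
    sits on disappears, and every other OPEN finding whose chains have all
    disappeared drops out of the toxic-combination group.
    Returns (chains_broken, findings_dropped), both sorted."""
    by_id = {f["id"]: f for f in findings}
    broken = set(by_id[finding_id]["combos"])
    dropped = sorted(
        f["id"] for f in findings
        if f["id"] != finding_id
        and f["status"] == "OPEN"
        and f["combos"]
        and set(f["combos"]) <= broken)
    return sorted(broken), dropped


def best_break_point(findings):
    """The single OPEN finding whose fix breaks the most chains; ties go to
    the one that drops the most other findings, then to the lowest id."""
    candidates = [f for f in findings if f["status"] == "OPEN" and f["combos"]]
    return min(candidates,
               key=lambda f: (-len(impact(f["id"], findings)[0]),
                              -len(impact(f["id"], findings)[1]),
                              f["id"]))["id"]


if __name__ == "__main__":
    shortlist = first_pass(FINDINGS)
    print("priority order:", prioritize(shortlist))
    best = best_break_point(FINDINGS)
    print("best break-point:", best, "->", impact(best, FINDINGS))
```

On the constructed data the first pass keeps F1 to F4, F1 sorts first because it sits on two chains, and fixing F1 breaks both chains and drops F2, F3 and F5 out of the group, which is the "one fix, several findings" effect the step describes.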
Step 3, triage the rest by category
Switch to the CSPM module page. Filter Status: OPEN, Severity: CRITICAL, HIGH.
Group by Category.
For each category in turn (IAM, Storage, Network, Database, ...):
- Skim the rules.
- For findings with an obvious fix, apply the fix.
- For findings that are genuine accepted risk, mark IGNORED with a reason.
- For everything else, leave OPEN. The next triage session will pick them up.
Repeat for KSPM, DSPM, HCR, IaC, Secrets, Vulnerabilities. Most teams budget 5 to 10 minutes per detector.
Step 4, verify
Go to the Dashboard. Verify:
- The Critical and High counts dropped.
- The Findings trend line for the day is downward.
- The Toxic Combinations count dropped (one per closed chain).
If a finding moves to RESOLVED and re-opens shortly after, the fix did not take. Re-read the remediation and try again.
Step 5, schedule the next pass
Triage is recurring. A weekly cadence is typical for active tenants. Add a calendar reminder. The goal of each session is to keep the OPEN-CRITICAL count low and the trend flat or downward.
Tips
- Avoid mass IGNORE. It feels productive but is technical debt. Each ignore should have a reason and (ideally) a TTL.
- Track recurring re-opens. A finding that re-opens every week is a process problem, not a technical one. Investigate the deployment pipeline that keeps re-creating it.
- Pair with engineers. When triaging KSPM or IaC findings, work with the team that owns the manifest. Knowledge transfer per session beats one-shot fixes.
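The first two tips (ignores need a reason and a TTL; recurring re-opens are a process problem) are easy to enforce with a small check over exported records. The following is an added example, not the product's own code: the ignore-record shape, the status-history tuples and the sample values are constructed for the illustration, and the "expired" rule (ignored_on + ttl_days has passed as of a reference date) is an assumption about how a TTL would be kept.

```python
"""Bookkeeping for ignore hygiene and re-open tracking over constructed
records. The ignore-record shape and the (id, date, status) history are
assumptions for this illustration, not the product's data model."""
from collections import defaultdict
from datetime import date, timedelta

# Reference date for the audit (constructed).
AS_OF = date(2024, 3, 1)

# Constructed ignore records as a triage session might export them.
IGNORES = [
    {"id": "F10", "reason": "Static-site bucket, intentionally public; reviewed by AppSec",
     "ttl_days": 90, "ignored_on": date(2024, 1, 10)},
    {"id": "F11", "reason": "", "ttl_days": None, "ignored_on": date(2024, 2, 1)},
    {"id": "F12", "reason": "Legacy VM, decommission scheduled",
     "ttl_days": 30, "ignored_on": date(2024, 1, 1)},
]

# Constructed status history: (finding id, date, status) events.
HISTORY = [
    ("F20", date(2024, 1, 1), "OPEN"),
    ("F20", date(2024, 1, 3), "RESOLVED"),
    ("F20", date(2024, 1, 8), "OPEN"),
    ("F20", date(2024, 1, 10), "RESOLVED"),
    ("F20", date(2024, 1, 15), "OPEN"),
    ("F21", date(2024, 1, 1), "OPEN"),
    ("F21", date(2024, 1, 5), "RESOLVED"),
    ("F21", date(2024, 1, 20), "OPEN"),
    ("F22", date(2024, 1, 1), "OPEN"),
    ("F22", date(2024, 1, 2), "RESOLVED"),
]


def ignore_audit(ignores, today):
    """Flag ignores with no reason, no TTL, or a TTL that has run out.
    Expired ignores should go back to OPEN for re-evaluation, not stay hidden."""
    report = {"missing_reason": [], "missing_ttl": [], "expired": []}
    for rec in ignores:
        if not rec["reason"].strip():
            report["missing_reason"].append(rec["id"])
        if rec["ttl_days"] is None:
            report["missing_ttl"].append(rec["id"])
        elif rec["ignored_on"] + timedelta(days=rec["ttl_days"]) <= today:
            report["expired"].append(rec["id"])
    return report


def reopen_counts(history):
    """Count RESOLVED -> OPEN transitions per finding, in date order."""
    events = defaultdict(list)
    for fid, when, status in history:
        events[fid].append((when, status))
    counts = {}
    for fid, evs in events.items():
        evs.sort()
        counts[fid] = sum(1 for (_, prev), (_, cur) in zip(evs, evs[1:])
                          if prev == "RESOLVED" and cur == "OPEN")
    return counts


def recurring_reopens(history, min_reopens=2):
    """Findings that re-open repeatedly: something in the deployment pipeline
    keeps re-creating them, so the fix belongs in the process, not the resource.
    A single re-open is the Step 4 case (the fix did not take), not recurrence."""
    return sorted(fid for fid, n in reopen_counts(history).items()
                  if n >= min_reopens)


if __name__ == "__main__":
    print("ignore audit:", ignore_audit(IGNORES, AS_OF))
    print("re-open counts:", reopen_counts(HISTORY))
    print("recurring:", recurring_reopens(HISTORY))
```

On the constructed data F11 has neither a reason nor a TTL, F12's 30-day TTL has lapsed by the reference date, and F20 has re-opened twice while F21 has re-opened once, so only F20 is reported as recurring.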
What's next
- Resolve a toxic combination, the deep dive
- Suppress or ignore a finding