Integrations
Scanner ingestion model
Scanner ingestion is designed as a tenant-scoped normalization and review workflow, not a blind import path. Ingestion jobs stage source evidence, apply canonical mapping, and preserve audit trails before any finalize operation.
Ingestion contract
- Inputs are staged per tenant and assessed before finalize.
- Authority metadata must be attached to a job before its assessment can make lifecycle-affecting ingestion decisions.
- Finalize is blocked when validation rules or policy guardrails fail.
- Sensitive ingestion transitions emit append-only audit evidence.
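The contract above, worked through as an added example rather than the platform's own code: a job is staged per tenant, assessed against validation rules and a policy guardrail, finalized only when both pass, and every transition is written to an append-only audit log. The job states, rule names, authority fields and audit record layout are assumptions made for this example.

```python
"""Tenant-scoped ingestion job with a guarded finalize step and an
append-only, hash-chained audit trail. Illustrative only; states, rule
names, authority fields and the audit layout are assumptions."""
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


class AuditLog:
    """Append-only log: each entry carries the digest of the previous one,
    so deleting or editing any entry invalidates every later digest."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, tenant: str, job_id: str, event: str, detail: str) -> Dict:
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        body = {"tenant": tenant, "job": job_id, "event": event,
                "detail": detail, "prev": prev}
        entry = dict(body, digest=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "digest"}
            if body["prev"] != prev or self._digest(body) != e["digest"]:
                return False
            prev = e["digest"]
        return True

    @staticmethod
    def _digest(body: Dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class IngestionJob:
    tenant: str
    job_id: str
    findings: List[Dict]
    authority: Optional[Dict] = None   # assumed: who approved the scan, which hosts it covered
    state: str = "staged"              # staged -> assessed -> finalized | rejected


Rule = Callable[[IngestionJob], Optional[str]]   # None = pass, str = failure reason


def rule_authority_present(job: IngestionJob) -> Optional[str]:
    a = job.authority or {}
    return None if a.get("approved_by") and a.get("scope") else "authority metadata missing"


def rule_tenant_consistent(job: IngestionJob) -> Optional[str]:
    bad = [f["id"] for f in job.findings if f.get("tenant") != job.tenant]
    return f"findings from another tenant: {bad}" if bad else None


def rule_targets_in_scope(job: IngestionJob) -> Optional[str]:
    """Policy guardrail: evidence about hosts outside the authorized scope
    must not be finalized into this tenant's findings."""
    scope = set((job.authority or {}).get("scope", []))
    out = [f["id"] for f in job.findings if f.get("host") not in scope]
    return f"targets outside authorized scope: {out}" if out else None


VALIDATION_RULES: List[Rule] = [rule_authority_present, rule_tenant_consistent]
POLICY_GUARDRAILS: List[Rule] = [rule_targets_in_scope]


def run_rules(job: IngestionJob) -> List[str]:
    failures = []
    for rule in VALIDATION_RULES + POLICY_GUARDRAILS:
        reason = rule(job)
        if reason:
            failures.append(reason)
    return failures


def assess(job: IngestionJob, audit: AuditLog) -> List[str]:
    """Evaluate a staged job; failures are recorded so an operator can fix
    metadata and re-assess, but the job is not rejected at this point."""
    if job.state not in ("staged", "assessed"):
        raise ValueError(f"cannot assess job in state {job.state!r}")
    failures = run_rules(job)
    job.state = "assessed"
    audit.append(job.tenant, job.job_id, "assessed", "; ".join(failures) or "ok")
    return failures


def finalize(job: IngestionJob, audit: AuditLog) -> bool:
    """Finalize only an assessed job. Rules are re-run here so a job mutated
    between assess and finalize cannot slip through on a stale result."""
    if job.state != "assessed":
        audit.append(job.tenant, job.job_id, "finalize_blocked", f"state={job.state}")
        return False
    failures = run_rules(job)
    if failures:
        job.state = "rejected"
        audit.append(job.tenant, job.job_id, "finalize_blocked", "; ".join(failures))
        return False
    job.state = "finalized"
    audit.append(job.tenant, job.job_id, "finalized", f"{len(job.findings)} findings")
    return True


def sample_jobs() -> Dict[str, IngestionJob]:
    """Constructed input: one compliant job and one whose evidence names a
    host the scan was never authorized to touch."""
    authority = {"approved_by": "secops-lead", "scope": ["web-1.example", "db-1.example"]}
    ok = IngestionJob("tenant-a", "job-1", [
        {"id": "f1", "tenant": "tenant-a", "host": "web-1.example", "rule": "tls-weak-cipher"},
        {"id": "f2", "tenant": "tenant-a", "host": "db-1.example", "rule": "ssh-outdated-version"},
    ], authority=authority)
    out_of_scope = IngestionJob("tenant-a", "job-2", [
        {"id": "f3", "tenant": "tenant-a", "host": "admin-9.example", "rule": "default-creds"},
    ], authority=authority)
    return {"ok": ok, "out_of_scope": out_of_scope}
```

Two design points worth copying: finalize re-runs the rules instead of trusting the earlier assessment, and the audit log is hash-chained so that a removed or edited entry is caught by verify() rather than silently lost.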
Result classification
Ingestion should classify scanner outputs into four operational buckets to reduce triage noise and preserve decision quality:
- Vulnerability: confirmed or high-confidence weakness suitable for tracked lifecycle.
- Exposure signal: configuration or posture signal that raises risk context but is not proof of exploitability.
- Informational/noise: low-confidence or non-actionable output retained for context only.
- Negative result: explicit no-finding/scan-complete evidence used for coverage history.
Asset linkage model
Keep target and finding linkage explicit: source target, normalized host/service/component, and mapped tenant asset should be captured separately. This enables blast-radius and exposure analysis without collapsing scanner evidence into ambiguous asset identity.
Operator triage workflow
- Prioritize confirmed vulnerabilities and high-confidence exploit evidence first.
- Review exposure signals as risk-context amplifiers, not direct closure triggers.
- Use canonical dedupe/linking to prevent duplicate vulnerability proliferation.
- Preserve negative and informational outcomes for trend quality and scan coverage evidence.
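An added example of the linkage model and the canonical dedupe step above, with assumed record shapes and a constructed inventory rather than the platform's own schema: source target, normalized host/service/component and mapped tenant asset are stored as separate fields, and a canonical key groups evidence from different scanners into one tracked vulnerability while keeping every source record.

```python
"""Explicit scanner-evidence-to-asset linkage with a canonical dedupe key.
Illustrative only; record shapes, inventory and sample output are assumed."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_PORTS = {"http": 80, "https": 443, "ssh": 22, "smtp": 25}
PORT_SERVICES = {v: k for k, v in DEFAULT_PORTS.items()}


@dataclass(frozen=True)
class SourceTarget:
    """Exactly what the scanner said it scanned; never rewritten."""
    scanner: str
    raw: str


@dataclass(frozen=True)
class NormalizedTarget:
    """Scanner-agnostic host/service/component derived from the source target."""
    host: str
    port: Optional[int]
    service: Optional[str]
    component: Optional[str]


@dataclass(frozen=True)
class Linkage:
    source: SourceTarget
    normalized: NormalizedTarget
    asset_id: Optional[str]   # None when no inventory match; evidence is still kept
    weakness: str             # shared identifier (a CVE in practice) or scanner-local rule id
    finding_key: str          # canonical dedupe key


_TARGET_RE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?(?P<host>\[[^\]]+\]|[^:/\s]+)(?::(?P<port>\d+))?", re.I)


def normalize(target: SourceTarget, component: Optional[str] = None) -> NormalizedTarget:
    m = _TARGET_RE.match(target.raw.strip())
    if not m:
        raise ValueError(f"unparseable target {target.raw!r}")
    scheme = (m.group("scheme") or "").lower() or None
    host = m.group("host").lower().strip("[]").rstrip(".")
    port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS.get(scheme)
    service = scheme or PORT_SERVICES.get(port)
    return NormalizedTarget(host, port, service, component.lower() if component else None)


# Constructed tenant inventory: asset id -> every name or address it is known by.
INVENTORY: Dict[str, Dict[str, List[str]]] = {
    "tenant-a": {
        "asset-web-01": ["app.example", "192.0.2.10"],
        "asset-db-01": ["db.example", "192.0.2.20"],
    }
}


def map_asset(tenant: str, host: str) -> Optional[str]:
    for asset_id, names in INVENTORY.get(tenant, {}).items():
        if host in names:
            return asset_id
    return None


def finding_key(tenant: str, asset_id: Optional[str], n: NormalizedTarget, weakness: str) -> str:
    """Canonical key: same tenant, same asset (or host when unmapped), same
    service port, same weakness. The scanner name is deliberately excluded."""
    subject = asset_id or f"host:{n.host}"
    material = "|".join([tenant, subject, str(n.port), weakness.upper()])
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def link(tenant: str, scanner: str, raw_target: str, rule_id: str,
         shared_id: Optional[str] = None, component: Optional[str] = None) -> Linkage:
    src = SourceTarget(scanner, raw_target)
    norm = normalize(src, component)
    asset = map_asset(tenant, norm.host)
    # Cross-scanner dedupe needs a shared identifier; without one the key stays
    # scanner-local so unrelated rules are never merged by accident.
    weakness = shared_id or f"{scanner}:{rule_id}"
    return Linkage(src, norm, asset, weakness, finding_key(tenant, asset, norm, weakness))


def dedupe(linkages: List[Linkage]) -> Dict[str, List[Linkage]]:
    """One tracked vulnerability per canonical key, every source record retained."""
    groups: Dict[str, List[Linkage]] = {}
    for item in linkages:
        groups.setdefault(item.finding_key, []).append(item)
    return groups


def sample_linkages() -> List[Linkage]:
    """Constructed scanner output: two scanners report the same weakness on
    the same asset under different names; a third hits an unmapped host."""
    return [
        link("tenant-a", "scanner-x", "https://app.example/login", "plugin-1001",
             shared_id="shared:tls-weak-cipher", component="nginx/1.18.0"),
        link("tenant-a", "scanner-y", "192.0.2.10:443", "TLS-007",
             shared_id="shared:tls-weak-cipher"),
        link("tenant-a", "scanner-y", "198.51.100.7:22", "SSH-003"),
        link("tenant-a", "scanner-x", "https://app.example", "plugin-2002"),
    ]
```

Keeping the asset mapping as its own field (and allowing it to be None) is what makes blast-radius queries honest: an unmapped host is visibly unmapped instead of being silently folded into whatever asset a name lookup happened to return.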
Fingerprint and version normalization
Findings derived from version correlation, service fingerprinting, or inferred component identity should retain source attribution and confidence context. Inferred signals should stay in their evidence class and should not be promoted to confirmed exploitability without verification evidence from approved workflows.
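An added example serving both the result classification section and this one, not code from the page or the platform: version correlation produces an inferred signal with its source attribution and matched evidence, classification assigns one of the four buckets without touching the evidence class, and a promotion gate lists every reason a signal may not be marked confirmed. Field names, the confidence threshold, the evidence classes and the approved workflow names are assumptions.

```python
"""Four-bucket classification plus a promotion gate that keeps inferred
(fingerprint / version-correlated) evidence from becoming a confirmed
vulnerability without verification from an approved workflow. Illustrative;
field names, threshold, evidence classes and workflow names are assumed."""
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

BUCKETS = ("vulnerability", "exposure_signal", "informational", "negative_result")
EVIDENCE_CLASSES = ("inferred", "observed", "verified")          # weakest to strongest
APPROVED_VERIFIERS = {"manual-validation", "authorized-exploit-check"}  # assumed names
TRACK_THRESHOLD = 0.6   # assumed: weaknesses at or above this are tracked


@dataclass(frozen=True)
class Signal:
    source: str                 # producing scanner; attribution is never dropped
    rule: str
    target: str
    kind: str                   # weakness | misconfig | info | no_finding
    evidence: str               # one of EVIDENCE_CLASSES
    confidence: float           # 0..1
    detail: str = ""
    bucket: Optional[str] = None
    status: str = "unverified"  # unverified | confirmed
    verification: Optional[Dict] = None


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])


def correlate_version(source: str, target: str, banner: str, rule: Dict) -> Optional[Signal]:
    """Banner says product at version v, rule says the weakness is fixed in f.
    The result is *inferred*: banners can lie and fixes can be backported."""
    m = re.search(rule["product"] + r"[_/ -]?(\d+(?:\.\d+)+)", banner)
    if not m:
        return None
    ver = m.group(1)
    if version_tuple(ver) >= version_tuple(rule["fixed_in"]):
        return None
    return Signal(source, rule["id"], target, "weakness", "inferred", 0.7,
                  detail=f"banner {banner!r}: {ver} < fixed_in {rule['fixed_in']}")


def classify(s: Signal) -> Signal:
    if s.kind == "no_finding":
        bucket = "negative_result"
    elif s.kind == "info":
        bucket = "informational"
    elif s.kind == "misconfig":
        bucket = "exposure_signal"      # risk context, never exploit proof by itself
    elif s.evidence == "verified" or s.confidence >= TRACK_THRESHOLD:
        bucket = "vulnerability"
    else:
        bucket = "informational"        # low-confidence weakness: context only
    # The evidence class is untouched: an inferred weakness can be tracked,
    # but classification alone never marks it confirmed.
    status = "confirmed" if s.evidence == "verified" else s.status
    return replace(s, bucket=bucket, status=status)


def promotion_blockers(s: Signal, verification: Dict) -> List[str]:
    """Every reason the signal may NOT be promoted to a confirmed vulnerability."""
    reasons = []
    if s.bucket != "vulnerability":
        reasons.append(f"bucket {s.bucket!r} is not promotable")
    if verification.get("workflow") not in APPROVED_VERIFIERS:
        reasons.append(f"workflow {verification.get('workflow')!r} is not approved")
    if verification.get("target") != s.target:
        reasons.append("verification target does not match signal target")
    if verification.get("result") != "exploitable":
        reasons.append(f"verification result {verification.get('result')!r} is not exploitable")
    return reasons


def promote(s: Signal, verification: Dict) -> Signal:
    blockers = promotion_blockers(s, verification)
    if blockers:
        raise ValueError("; ".join(blockers))
    return replace(s, evidence="verified", status="confirmed", verification=dict(verification))


def sample_signals() -> List[Signal]:
    """Constructed input covering all four buckets plus one version-correlated signal."""
    rule = {"id": "ssh-outdated", "product": "OpenSSH", "fixed_in": "9.0"}
    raw = [
        correlate_version("banner-scan", "198.51.100.7:22", "SSH-2.0-OpenSSH_8.9p1", rule),
        Signal("dast-scan", "sqli-reflected", "https://app.example/search", "weakness",
               "observed", 0.95, detail="payload echoed in SQL error"),
        Signal("config-scan", "public-acl", "storage://reports", "misconfig", "observed", 0.9),
        Signal("banner-scan", "server-header", "https://app.example", "info", "observed", 0.4),
        Signal("dast-scan", "sqli-reflected", "https://app.example/help", "no_finding", "observed", 1.0),
        Signal("banner-scan", "guess-php-ver", "https://app.example", "weakness", "inferred", 0.3),
    ]
    return [classify(s) for s in raw if s is not None]
```

Signals are frozen, so promotion returns a new record and the original inferred evidence (scanner, banner, matched version) survives alongside the confirmed one; the gate rejects on bucket, workflow, target mismatch and verification result independently, so an operator sees every blocker at once rather than the first.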