Vulnerability lifecycle

Findings surface through assessments and evolve into tracked vulnerabilities with clear ownership, remediation milestones, and verification accountability. Every stage is auditable.

Findings and assessments

Vulnerabilities begin as findings scoped to a specific assessment. Assessments provide the structured context — scope, timeline, and methodology — that anchors findings to a point in time. This prevents findings from floating loose in the backlog without provenance.

Once an assessment is ingested or submitted, its findings are available for triage, prioritisation, and lifecycle management within your workspace.

Lifecycle states

Each tracked vulnerability moves through a defined set of states. Transitions are intentional — they require an action by an authorised user — and each transition is recorded for accountability.

| State | What it means | Who acts |
|---|---|---|
| Open | Finding is active and unresolved. Counts toward your posture score. | |
| Client Fixed | Your team has applied a fix and is declaring readiness for verification. | Tenant team |
| CyberSec Verified | An independent verification confirms the fix is effective. Closed from the risk backlog. | CyberSec analyst |
| Risk Accepted | Your organisation has made a documented decision to accept the residual risk. Removed from active remediation tracking. | Authorised stakeholder |
| False Positive | The finding has been reviewed and determined to not represent a genuine risk in your environment. | Authorised reviewer |

Any state can be reopened if circumstances change. Reopening creates a new audit record — the original decision is not erased.

Recurrence

If a previously resolved finding reappears in a subsequent assessment, the platform surfaces it as a recurring vulnerability. Recurrence is a significant signal — it indicates a control gap that persisted across remediation cycles and may warrant escalated attention or root-cause investigation.

Recurrent findings are visually distinguished in the vulnerability backlog so they are not treated the same as net-new discoveries.

Verification workflow

The platform separates the act of claiming a fix from confirming one. Your team marks a vulnerability as Client Fixed when remediation work is complete. CyberSec can then independently assess the fix and transition it to CyberSec Verified, providing external assurance that the control is operating as intended.

This two-step model is intentional. It preserves the integrity of your risk posture reporting by ensuring closed findings genuinely reflect resolved risk, not just claimed resolution.

Evidence and traceability

Every status transition, ownership assignment, and remediation milestone is recorded as an append-only audit event. This means you can reconstruct the full history of any vulnerability — who acted, when, and what changed — without relying on memory or informal records.
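The lifecycle states, role-gated transitions, reopening, recurrence detection and the append-only audit trail described above, modelled as an added Python illustration (not the platform's own code). The role names, the `Tracker` API and the assumption that a recurring finding returns to Open are mine, not the page's.

```python
from collections import namedtuple
from datetime import datetime, timezone

# Allowed edges and the role that may perform each (assumed role names, from "Who acts").
TRANSITIONS = {
    ("Open", "Client Fixed"): "tenant",
    ("Client Fixed", "CyberSec Verified"): "analyst",
    ("Open", "Risk Accepted"): "stakeholder",
    ("Open", "False Positive"): "reviewer",
}
RESOLVED = {"CyberSec Verified", "Risk Accepted", "False Positive"}
# Immutable event record; kind is "transition", "reopen" or "recurrence".
AuditEvent = namedtuple("AuditEvent", "at vuln_id actor kind detail")


class Tracker:
    def __init__(self):
        self.state = {}   # vuln_id -> current lifecycle state
        self.audit = []   # append-only: events are never edited or removed

    def _record(self, vuln_id, actor, kind, detail):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEvent(stamp, vuln_id, actor, kind, detail))

    def ingest(self, assessment_id, finding_ids):
        recurred = []  # ids resolved earlier that this assessment reports again
        for fid in finding_ids:
            prior = self.state.get(fid)
            if prior is None:
                self.state[fid] = "Open"
                self._record(fid, "platform", "transition", f"opened by {assessment_id}")
            elif prior in RESOLVED:  # recurrence: flag it and return it to Open (assumed)
                recurred.append(fid)
                self.state[fid] = "Open"
                self._record(fid, "platform", "recurrence", f"{prior} -> Open in {assessment_id}")
        return recurred

    def transition(self, vuln_id, new_state, actor, role):
        old = self.state[vuln_id]
        if TRANSITIONS.get((old, new_state)) != role:  # undefined edge or wrong role
            raise PermissionError(f"{role} may not move {vuln_id}: {old} -> {new_state}")
        self.state[vuln_id] = new_state
        self._record(vuln_id, actor, "transition", f"{old} -> {new_state}")

    def reopen(self, vuln_id, actor, reason):
        old = self.state[vuln_id]
        if old == "Open":
            raise ValueError(f"{vuln_id} is already Open")
        self.state[vuln_id] = "Open"  # the earlier decision stays in the log
        self._record(vuln_id, actor, "reopen", f"from {old}: {reason}")
```

Because `Client Fixed -> CyberSec Verified` is only permitted for the analyst role, a tenant cannot close its own finding; the separate `recurrence` event kind lets a backlog view mark re-surfaced findings differently from net-new ones.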

Audit evidence is available to authorised team members and can support internal reviews, board reporting, and external assessments or audits.