Remediation Urgency

Of the AI-confirmed vulnerabilities, which ones must be fixed now, which can wait for the next sprint, and which can be deferred?

Remediation Urgency is a SAST prioritization stage that assigns a business-driven urgency level to vulnerabilities classified as Potential True Positive by AI Triage. The urgency is derived from the AI's semantic understanding of the code — endpoint exposure, authentication requirements, compensating controls, reachability of the vulnerable path, and business impact — not from a direct mapping of the scanner's severity.

Values for Remediation Urgency

  • Immediate: Requires attention right now — the vulnerability is actively exploitable, publicly reachable, or represents a critical business risk.

  • Next Sprint: Must be addressed in the current cycle. Real risk that cannot wait for the next planning round.

  • Planned: Should be included in the next planning cycle. A genuine vulnerability without immediate exploitability.

  • Backlog: Real but low urgency. Address when capacity allows.

Default behavior in the SAST funnel

In the default SAST prioritization funnel, the Remediation Urgency stage shows:

  • Immediate

  • Next Sprint

Planned and Backlog are hidden by default so the active backlog stays focused on what needs to be fixed soon. They remain available if you want to widen the funnel.

Remediation Urgency is part of the default SAST funnel and is also available as a stage / filter on the SCA and DAST funnels (where AI Triage produces an urgency value for each finding).

Do not confuse Remediation Urgency with the scanner's severity. Severity describes the technical impact of a vulnerability class; Remediation Urgency reflects how that vulnerability behaves in your specific code and deployment context, as assessed by AI Triage.
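The default funnel behaviour and the widening option described above, modelled as an added Python example (not the product's own code). The finding record fields, the sample ids and contexts, and the non-"Potential True Positive" triage label are assumptions; it also shows why a high-severity finding can sit below a medium-severity one.

```python
from dataclasses import dataclass
from typing import List, Optional

# The four Remediation Urgency values, from most to least urgent.
URGENCY_ORDER = ["Immediate", "Next Sprint", "Planned", "Backlog"]
# Default stage of the SAST funnel: Planned and Backlog are hidden.
DEFAULT_STAGE = ("Immediate", "Next Sprint")


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str            # scanner severity of the vulnerability class
    ai_triage: str           # AI Triage classification (field name assumed)
    urgency: Optional[str]   # Remediation Urgency; None when not assigned


def funnel(findings: List[Finding], widen_to: Optional[str] = None) -> List[Finding]:
    """Apply the AI Triage stage, then the Remediation Urgency stage.

    widen_to: least-urgent value to keep ("Planned" or "Backlog");
    None keeps the default stage (Immediate and Next Sprint).
    Results are ordered most urgent first.
    """
    if widen_to is None:
        keep = set(DEFAULT_STAGE)
    else:
        keep = set(URGENCY_ORDER[: URGENCY_ORDER.index(widen_to) + 1])
    kept = [f for f in findings
            if f.ai_triage == "Potential True Positive" and f.urgency in keep]
    return sorted(kept, key=lambda f: URGENCY_ORDER.index(f.urgency))


# Constructed sample findings (hypothetical ids and deployment contexts).
SAMPLE = [
    # High-severity class, but the vulnerable path is unreachable: low urgency.
    Finding("F-1", "High", "Potential True Positive", "Backlog"),
    # Medium-severity class on an unauthenticated public endpoint: fix now.
    Finding("F-2", "Medium", "Potential True Positive", "Immediate"),
    # Critical class that AI Triage did not confirm: no urgency assigned.
    Finding("F-3", "Critical", "Likely False Positive", None),
    Finding("F-4", "High", "Potential True Positive", "Next Sprint"),
    Finding("F-5", "Low", "Potential True Positive", "Planned"),
]

if __name__ == "__main__":
    print([f.id for f in funnel(SAMPLE)])              # ['F-2', 'F-4']
    print([f.id for f in funnel(SAMPLE, "Backlog")])   # ['F-2', 'F-4', 'F-5', 'F-1']
```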