AI Triage

Xygeni AI Triage applies AI-driven analysis to security findings to reduce alert fatigue. For each issue, AI Triage produces three outputs that help teams decide what to fix and when:

  • Verdict — whether the issue is a real vulnerability, a likely false positive, or needs human review.

  • Remediation Urgency — when a confirmed vulnerability should be addressed.

  • Remediation Complexity — how much effort the fix is expected to take.

AI Triage is currently available for the following issue kinds:

  • SAST (code vulnerabilities)

  • IaC (infrastructure-as-code flaws)

  • Secrets

  • SCA (open-source vulnerabilities) — no verdict, only priority and complexity. False-positive detection for SCA is handled by Reachability, not by AI Triage.

  • DAST (dynamic application security testing)

  • Malware — internal scan-time scoring only. See AI Triage for Malware below.

The triage output and the entry points are not identical for every issue kind. The next sections describe the differences.

Triage outputs

Verdict

Stage label in the UI: AI Triage Result

Internal value | UI label | Meaning
TRUE_POSITIVE | Potential True Positive | The AI is confident the issue is a real vulnerability based on the code context.
FALSE_POSITIVE | Potential False Positive | The AI is confident the issue is not a real vulnerability — for example, the data is sanitized, the path is unreachable, or the rule does not apply in this context.
NEEDS_REVIEW | Needs Review | The AI did not have sufficient context to reach a confident conclusion. A human reviewer should inspect the issue.
NOT_CALCULATED | Not Calculated | AI Triage has not been executed for the issue.

Remediation Urgency

Only meaningful when the verdict is Potential True Positive.

Internal value | UI label | Meaning
IMMEDIATE | Immediate | Requires attention right now — actively exploitable, publicly reachable, or critical business risk.
ASAP | Next Sprint | Must be addressed in the current cycle.
PLANNED | Planned | Should be included in the next planning cycle.
BACKLOG | Backlog | Real but low urgency — address when capacity allows.

Remediation Complexity

Only meaningful when the verdict is Potential True Positive.

Internal value | UI label | Meaning
TRIVIAL | Easy | One-line fix or a straightforward API replacement with no architectural impact.
MEDIUM | Medium | Moderate refactor that touches multiple methods or classes but remains localized.
HARD | Hard | Significant rework — cross-cutting changes, architectural impact, or dependency on external factors.

How AI Triage runs

AI Triage can be executed in four ways:

  1. Per issue from the UI — review the AI assessment for a single issue from the issue slide-out panel.

  2. In bulk from the UI — select multiple issues in any risks table and trigger triage as a batch action.

  3. From the CLI on demand: xygeni util ai-triage triages an existing report. See AI Triage (CLI).

  4. Right after a scan — pass --triage to a scan command to triage findings as soon as the scan finishes. See Single scan.

The four execution paths apply to SAST, IaC, Secrets, SCA, and DAST. Malware triage is currently scan-time only and consumed internally — see AI Triage for Malware.

Individual triage in the UI

Open any SAST, IaC, or Secrets issue from the risks table to display the issue slide-out. When AI Triage results are available, a dedicated AI Triage section is shown with:

  • The verdict (Potential True Positive, Potential False Positive, or Needs Review).

  • The Remediation Urgency and Remediation Complexity values when the verdict is Potential True Positive.

  • The AI reasoning — a plain-text explanation grounded in the code context that justifies the verdict and the urgency/complexity assessment.

  • The triage timestamp.

The same values are also surfaced as tags in the issues list so teams can filter and group by them at a glance.

SAST issue slide-out with the AI Triage section and the triage tags in the header

Batch triage in the UI

Bulk triage is available from any risks table — both the global per-project view and the product-specific tables (SAST, IaC, Secrets).

  1. Open the risks table and select the checkbox on the left for each issue you want to triage.

  2. Open the Actions menu (active once at least one issue is selected).

  3. Choose AI Triage.

The selected issues are sent to the triage engine, and once finished the verdict, urgency, complexity, and reasoning are written back to each issue and become available in the issue slide-out and as tags.


The Actions tab is only enabled once at least one issue has been selected.

Risks table with an issue selected, ready to run AI Triage as a bulk action

Triage tags

After triage, every triaged issue is tagged with the resolved values so you can filter the risks table or build saved views around them:

Verdict tags

  • ai-triage:potential-true-positive

  • ai-triage:potential-false-positive

  • ai-triage:needs-review

Remediation Urgency tags

  • remediation-urgency:immediate

  • remediation-urgency:next-sprint

  • remediation-urgency:planned

  • remediation-urgency:backlog

Remediation Complexity tags

  • remediation-complexity:easy

  • remediation-complexity:medium

  • remediation-complexity:hard

AI Triage in the SAST prioritization funnel

The default SAST Prioritization Funnel includes AI Triage as part of its standard stages, so the triage outcome directly shapes what reaches the developer. Two AI Triage outputs become funnel stages: the AI Triage Result (the verdict) and Remediation Urgency.

Remediation Complexity is also produced by AI Triage but is not part of the funnel — it is shown in the issue slide-out and as a tag on each triaged issue, so you can sort, filter, and plan around it.

Default SAST prioritization funnel with the AI Triage Result and Remediation Urgency stages

AI Triage funnel stages are currently available for SAST only.

AI Triage for SCA

For SCA findings, AI Triage produces:

  • Verdict — fixed at Potential True Positive. False-positive detection for SCA is handled by Reachability, not by AI Triage.

  • Remediation Urgency — derived from exploitation-risk signals: EPSS score, public exploit availability, CVSS, Reachability, CWE, direct vs transitive scope, and whether the dependency is part of application code.

  • Remediation Complexity — derived from the candidate upgrade(s) for the vulnerable component: source/binary compatibility with the project, bump type (patch/minor/major), and whether a fix exists. A patch-level upgrade that is source-compatible with the project is Easy; an incompatible major bump (or a finding with no fix available) is Hard.

  • AI reasoning — cites the CVE, the exploitation signals that drove the urgency, and the candidate upgrade chosen for the complexity assessment.

The Urgency and Complexity values come from the standard tables above.
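The following is an added example, not Xygeni's code, showing how the SCA signals listed above can be combined into the page's urgency and complexity values. The complexity endpoints (source-compatible patch is Easy, incompatible major bump or no fix is Hard) follow the page; the urgency thresholds, the MEDIUM middle case and the ScaFinding shape are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed finding shape for this example (not Xygeni's report schema); the fields are the
# signals the page lists as inputs to SCA urgency and complexity.
@dataclass
class ScaFinding:
    cve: str                          # placeholder ids are used below, not real CVEs
    cvss: float
    epss: float                       # EPSS probability, 0..1
    public_exploit: bool
    reachable: bool                   # Reachability: the vulnerable code is called by the project
    direct: bool                      # direct (True) vs transitive (False) dependency
    in_app_code: bool                 # dependency belongs to application code, not tooling
    bump: Optional[str]               # candidate upgrade: "patch" | "minor" | "major"; None = no fix
    source_compatible: bool = False   # candidate upgrade builds against the project as-is

def urgency(f: ScaFinding) -> str:
    """Assumed policy: the thresholds are this example's, not Xygeni's. Exploitation evidence wins."""
    if f.reachable and (f.public_exploit or f.epss >= 0.5):
        return "IMMEDIATE"
    if f.public_exploit or f.epss >= 0.1 or f.cvss >= 9.0:
        return "ASAP"
    if f.reachable or (f.direct and f.in_app_code and f.cvss >= 7.0):
        return "PLANNED"
    return "BACKLOG"

def complexity(f: ScaFinding) -> str:
    """Page's rule at both ends; mapping the remaining bumps to MEDIUM is this example's assumption."""
    if f.bump is None:
        return "HARD"                 # no fix available
    if f.bump == "patch" and f.source_compatible:
        return "TRIVIAL"              # shown as Easy in the UI
    if f.bump == "major" and not f.source_compatible:
        return "HARD"
    return "MEDIUM"

def triage(f: ScaFinding) -> dict:
    """SCA verdict is fixed at TRUE_POSITIVE; false-positive detection is Reachability's job."""
    return {"verdict": "TRUE_POSITIVE", "urgency": urgency(f), "complexity": complexity(f)}

if __name__ == "__main__":
    # Constructed sample: reachable, publicly exploitable, fixable by a compatible patch release.
    sample = ScaFinding("CVE-0000-00000", 9.8, 0.9, True, True, True, True, "patch", True)
    print(triage(sample))
```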

Where SCA triage is available

  • Scan-time — pass --triage to a scan that produces SCA findings: xygeni deps --include-vulnerabilities --triage, xygeni scan --include-vulnerabilities --triage. The flag is rejected on xygeni deps and on xygeni scan when --include-vulnerabilities is not set.

  • CLI on demand: xygeni util ai-triage accepts a deps report produced with --include-vulnerabilities, an sca report, or the SCA portion of a combined scan report. See AI Triage (CLI).

  • Dashboard — single and bulk on-demand triage from the SCA risks table and the SCA issue slide-out, exactly like SAST.

In the SCA risks table the AI Triage values are exposed as filters (Urgency, Complexity); the AI Triage panel in the issue slide-out shows the full reasoning.

AI Triage for DAST

For DAST findings, AI Triage produces the same outputs as SAST: Verdict (Potential True Positive / Potential False Positive / Needs Review / Not Calculated), Remediation Urgency, and Remediation Complexity. The reasoning is grounded in the HTTP request/response evidence, the vulnerability type, the endpoint criticality, and any WAF or scanner-heuristic signals captured during the scan.

DAST triage is particularly aimed at identifying common DAST false-positive patterns from evidence alone:

  • WAF or middleware interception — the attack was blocked upstream and the scanner mistook the block-page response for a vulnerable response.

  • Benign reflection — the payload is reflected in the response but is HTML-encoded (or otherwise neutralised), so the application is not actually vulnerable.

  • Scanner heuristic misfires — custom error pages, redirects, or unusual content types that match the scanner's vulnerable-response pattern by coincidence.

When the evidence is ambiguous (partial reflection, unclear WAF behaviour, low-confidence heuristic), AI Triage returns Needs Review rather than guessing.

Where DAST triage is available

  • Scan-time — pass --triage to the DAST scan command.

  • CLI on demand: xygeni util ai-triage accepts a DAST report.

  • Dashboard — single and bulk on-demand triage from the DAST risks table and the DAST issue slide-out.

DAST prioritization funnel

The DAST Prioritization Funnel gains two filter categories derived from the AI Triage output and the DAST evidence, in addition to the AI Triage Result and Remediation Urgency stages:

  • Authentication: Authenticated (the endpoint requires authentication) vs Public.

  • Exposure: Exposed (the attack reached the application — not blocked by WAF/middleware) vs Protected (intercepted upstream).

These categories combine with the AI Triage filters and with each other (for example, Potential True Positive with Immediate urgency on Public Exposed endpoints). Raw scanner attributes (vulnerability type, scanner heuristic, confidence level) remain available as list filters but are not funnel stages.
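As an added example (not Xygeni's code), the classifier below applies the three DAST false-positive patterns described above to constructed request/response evidence and also derives the funnel's Exposure category. The DastEvidence shape, the block-page markers and the status-code rules are assumptions made for this example.

```python
import html
from dataclasses import dataclass

# Constructed evidence shape for this example (not Xygeni's report schema): the payload the
# scanner injected and the HTTP response it received.
@dataclass
class DastEvidence:
    payload: str
    status: int
    content_type: str
    body: str

# Hypothetical block-page markers; a real WAF fingerprint list would be product-specific.
WAF_BLOCK_MARKERS = ("request blocked", "access denied", "web application firewall")

def intercepted_upstream(ev: DastEvidence) -> bool:
    """True when the response looks like a WAF/middleware block page rather than the app."""
    body = ev.body.lower()
    return ev.status in (403, 406) and any(m in body for m in WAF_BLOCK_MARKERS)

def exposure(ev: DastEvidence) -> str:
    """DAST funnel Exposure category: did the attack actually reach the application?"""
    return "Protected" if intercepted_upstream(ev) else "Exposed"

def verdict(ev: DastEvidence) -> str:
    """Map reflection evidence to the page's verdict values; NEEDS_REVIEW when the evidence is ambiguous."""
    if intercepted_upstream(ev):
        return "FALSE_POSITIVE"            # the block page, not the application, answered
    if 300 <= ev.status < 400 or "html" not in ev.content_type.lower():
        return "NEEDS_REVIEW"              # redirect or non-HTML: the scanner heuristic may have misfired
    if ev.payload in ev.body:
        return "TRUE_POSITIVE"             # verbatim reflection, nothing neutralised it
    if html.escape(ev.payload, quote=True) in ev.body:
        return "FALSE_POSITIVE"            # benign reflection: HTML-encoded, so inert
    return "NEEDS_REVIEW"                  # partial or absent reflection: do not guess

if __name__ == "__main__":
    p = "<script>alert(1)</script>"       # constructed probe string used by the samples below
    samples = {
        "raw":     DastEvidence(p, 200, "text/html", f"<p>Results for {p}</p>"),
        "encoded": DastEvidence(p, 200, "text/html", f"<p>Results for {html.escape(p)}</p>"),
        "waf":     DastEvidence(p, 403, "text/html", "<h1>Request blocked by web application firewall</h1>"),
        "partial": DastEvidence(p, 200, "text/html", "<p>Results for alert(1)</p>"),
    }
    for name, ev in samples.items():
        print(f"{name:8} verdict={verdict(ev):15} exposure={exposure(ev)}")
```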

AI Triage for Malware

For Malware scans, AI Triage v1 is scan-time only and consumed internally. When you pass --triage to a malware scan, the AI assesses the confidence of each piece of evidence produced by the scanner, and the resulting signal feeds directly into the project-level maliciousness score.

A scan with many low-confidence pieces of evidence yields a lower triage-adjusted score than a scan with a few high-confidence ones, even if the raw evidence count is the same.


v1 does not expose per-evidence verdicts, on-demand triage, or xygeni util ai-triage for malware findings. The only user-visible effect is the calibrated project-level maliciousness score. Per-finding triage and dashboard integration are planned for a later release.

When the AI Triage service is unavailable, the malware scan falls back to the existing non-triaged scoring, emits a warning, and completes successfully — the scan does not fail because of triage outages.
