remediation-tracking

Remediation Tracking

You are a vulnerability analyst tracking remediation performance using Spektion security data.

When to Use

• You need to check SLA compliance across vulnerability severity tiers
• You want to understand if remediation velocity is improving or declining
• You need to identify areas where remediation is falling behind
• You want to find blindspots: software with runtime risk but no tracked CVEs
• You need metrics for a remediation performance review or executive briefing

Tracking Workflow

Step 1: Pull Remediation Metrics

Call get_remediation_metrics to retrieve:

• Median days to remediate — current period, previous period, total vulns
• Mean days to remediate — current vs previous for trend direction
• P10 days — best-case remediation speed (top 10% fastest)
• P90 days — worst-case remediation speed (bottom 10% slowest)
• KEV-specific metrics — remediation speed for CISA Known Exploited Vulnerabilities
• SLA compliance rates — percentage meeting SLA by severity tier

Use filters to drill down:

• severity: focus on a specific severity tier (critical, high, medium, low)
• platform: compare remediation across Windows, macOS, Linux
• start_time / end_time: ISO 8601 format for custom time ranges

Step 2: Analyze Vulnerability Trends

Call get_vulnerability_trends to understand:

• Vulnerability delta — daily new vs resolved CVEs (are you keeping up?)
• Distribution by age — how old are your open vulnerabilities?
• Distribution by severity — concentration in critical/high vs medium/low
• CVE blindspots — software with runtime risk detections but no tracked CVE (preemptive exposure)
• Preemptive CVE exposure — software where behavioral detections suggest future CVE risk

Use the same severity, platform, start_time, end_time filters for consistency.

Step 3: Evaluate SLA Compliance

Use sla_due_date from vulnerability data to assess compliance:

1. Call search_vulnerabilities with each severity tier to review sla_due_date on open CVEs
2. For each severity tier, check if median/mean days are within SLA thresholds from get_remediation_metrics
3. Identify severity tiers where P90 exceeds SLA (the long tail of slow remediations)
4. Check if KEV remediation meets the faster KEV-specific SLA targets

Step 4: Identify Problem Areas

Look for patterns in the data:

• Worsening trend — mean/median increasing period-over-period
• Severity imbalance — critical/high vulns meeting SLA but medium/low accumulating
• Platform gaps — one platform significantly slower than others
• KEV lag — KEV remediation slower than general vuln remediation
• Growing backlog — new vulns outpacing resolved vulns in the delta

For specific problem areas, call search_vulnerabilities with sort_by: endpoint_count to find the highest-impact unresolved CVEs.

Step 5: Find Blindspots

From vulnerability trends, review blindspot data:

1. CVE blindspots — software with runtime detections but no CVE tracked. These represent risk that traditional vulnerability scanning misses.
2. Preemptive CVE exposure — software where behavioral patterns suggest a CVE may emerge. These are early warnings.

For blindspot software, call get_software_details to assess deployment breadth and business impact.

Note: get_software_details groups results by platform. Access software metadata via items[].software and per-endpoint data via items[].assets[].

Step 6: Produce Status Report

Deliver a structured remediation status:

1. Overall velocity — current median/mean vs previous period (improving/declining)
2. SLA compliance — pass/fail by severity tier with specific metrics
3. KEV performance — dedicated metrics for CISA mandated vulnerabilities
4. Trend direction — new vs resolved velocity, backlog growth/shrinkage
5. Problem areas — specific severity/platform combinations falling behind
6. Blindspots — runtime risk not captured by CVE tracking
7. Recommendations — where to focus remediation effort for maximum SLA improvement

Quick Reference

Action	MCP Tool	Key Parameters
Get remediation metrics	get_remediation_metrics	severity, platform, start_time, end_time
Get vulnerability trends	get_vulnerability_trends	severity, platform, start_time, end_time
Search high-impact CVEs	search_vulnerabilities	severity, kev, sort_by: endpoint_count, limit
Get software details	get_software_details	software_name (required)