Prioritize Remediation

The Remediation tab provides a prioritized action plan generated from the attack graph analysis. Instead of presenting a flat list of vulnerabilities and misconfigurations, it ranks remediation actions by their actual impact on your attack surface -- which single fix breaks the most attack paths and dissolves the most toxic combinations.

How Remediation Priorities Work

Traditional security tools rank findings by individual severity (CVSS score, compliance level). AttackLens goes further: it calculates the cascading effect of each remediation action across the entire attack graph.

A medium-severity CVE on a chokepoint node that participates in 3 toxic combinations will rank higher than a critical CVE on an isolated, non-internet-facing test server -- because fixing the first one eliminates dozens of attack paths while fixing the second eliminates one.

Key Principle

Remediation priority answers "What single action gives me the greatest security improvement?", not just "What is the most severe individual issue?"

Remediation List

The Remediation tab displays a ranked table of remediation actions:

Columns

Column | Description
Rank | Priority position (1 = most impactful)
Target | The resource that needs remediation, with type and label. Click to open Node Details.
Action | The specific remediation action (e.g., Patch CVE, Restrict permissions, Enable MFA, Segment network)
Priority | Critical, High, Medium, or Low
Impact Score | Composite score representing the total risk reduction
Paths Broken | Number of attack paths eliminated by this action
Effort | Estimated complexity of the fix (Low, Medium, High)
Flags | Indicator badges for special conditions

Flags

Each remediation item may carry one or more flags:

Flag | Meaning
CISA KEV | The action addresses a vulnerability in the CISA Known Exploited Vulnerabilities catalog
Chokepoint | The target node is a chokepoint, meaning the fix has a multiplier effect
Toxic | The action resolves one or more toxic combinations
Crown Jewel | The action protects a resource marked as a crown jewel asset

TIP

Look for actions that carry multiple flags. An action flagged with both Chokepoint and Toxic resolves a structural weakness and a dangerous misconfiguration pattern simultaneously.

How Priorities Are Calculated

The RemediationPrioritizer computes the priority of each action using four weighted factors:

1. Chokepoint Analysis

Actions targeting chokepoint nodes receive a significant boost because fixing them breaks many paths at once.

Chokepoint Impact | Priority Boost
50%+ of paths pass through this node | Major boost
25%--49% of paths | Moderate boost
10%--24% of paths | Minor boost
Below 10% | No boost

2. Toxic Combination Resolution

Actions that dissolve toxic combinations receive additional priority because toxic combinations represent risks that are invisible to finding-level analysis.

Toxic Combinations Resolved | Priority Boost
3 or more | Major boost
1--2 | Moderate boost
0 | No boost

3. Vulnerability Severity

The severity of the vulnerability or misconfiguration being remediated, incorporating three metrics:

Metric | How It Factors In
CVSS Score | Base severity of the vulnerability (0.0--10.0)
EPSS Score | Probability of exploitation in the next 30 days (0.0--1.0). High EPSS means attackers are more likely to use this vulnerability.
CISA KEV Status | Confirmed active exploitation in the wild. KEV vulnerabilities receive the highest priority within this factor.

4. Asset Criticality

The business importance of the affected asset:

Asset Classification | Priority Impact
Crown jewel | Highest priority -- these are your organization's most critical resources
Production | High priority
Staging / Pre-production | Medium priority
Development / Test | Lower priority

The four factors are combined into a composite impact score that determines the final ranking.
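As an added illustration, not AttackLens's own RemediationPrioritizer code: a simplified composite score that applies the four factors and the boost tiers from the tables above and ranks a constructed set of actions, reproducing the chokepoint-versus-isolated-test-server comparison from the top of this page. The boost magnitudes, factor weights, asset-class weights and sample actions are all assumptions.

```python
# Added illustration (not AttackLens code) of the four-factor ranking this page describes.
# Boost tiers follow the page's tables; boost magnitudes and factor weights are assumptions.
from dataclasses import dataclass

ASSET_WEIGHT = {"crown_jewel": 1.0, "production": 0.8, "staging": 0.5, "development": 0.3}  # assumed

@dataclass
class Action:
    name: str
    chokepoint_share: float  # fraction of all attack paths through the target node
    toxic_resolved: int      # toxic combinations this action dissolves
    cvss: float              # 0.0-10.0
    epss: float              # 0.0-1.0, probability of exploitation in the next 30 days
    kev: bool                # listed in the CISA KEV catalog
    asset_class: str         # key into ASSET_WEIGHT

def chokepoint_boost(share: float) -> float:
    """Factor 1: 50%+ of paths major, 25-49% moderate, 10-24% minor, below 10% none."""
    return 3.0 if share >= 0.50 else 2.0 if share >= 0.25 else 1.0 if share >= 0.10 else 0.0

def toxic_boost(resolved: int) -> float:
    """Factor 2: 3+ combinations major, 1-2 moderate, 0 none."""
    return 3.0 if resolved >= 3 else 2.0 if resolved >= 1 else 0.0

def severity(cvss: float, epss: float, kev: bool) -> float:
    """Factor 3, normalised to 0-1; KEV status tops this factor regardless of CVSS."""
    if kev:
        return 1.0
    return min(1.0, 0.7 * cvss / 10.0 + 0.3 * epss)

def impact_score(a: Action) -> float:
    """Composite score; assumed weights favour graph structure over single-finding severity."""
    return round(2.0 * chokepoint_boost(a.chokepoint_share) + 2.0 * toxic_boost(a.toxic_resolved)
                 + 4.0 * severity(a.cvss, a.epss, a.kev) + 3.0 * ASSET_WEIGHT[a.asset_class], 2)

def rank(actions: list) -> list:
    """Highest composite score first, as the Rank column would show."""
    return sorted(actions, key=impact_score, reverse=True)

# Constructed sample mirroring the page's chokepoint-vs-isolated-test-server comparison.
SAMPLE = [
    Action("Patch medium CVE on chokepoint", 0.55, 3, 5.5, 0.05, False, "production"),
    Action("Patch critical CVE on isolated test server", 0.02, 0, 9.8, 0.10, False, "development"),
    Action("Enable MFA on crown-jewel admin identity", 0.30, 1, 0.0, 0.0, False, "crown_jewel"),
]

if __name__ == "__main__":
    for pos, act in enumerate(rank(SAMPLE), 1):
        print(pos, act.name, impact_score(act))
```

With these assumed weights the medium-severity chokepoint patch scores 16.0 and ranks first, while the critical CVE on the isolated test server scores 3.76 and ranks last.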

Remediation Action Types

The prioritizer generates different types of actions depending on the root cause:

Patch Vulnerabilities

Action | Details
Patch CVE-XXXX-XXXXX | Install the fixed version of the affected package
Upgrade OS | Replace an end-of-life operating system that no longer receives security patches
Update runtime | Update a framework or runtime to a non-vulnerable version

Restrict Access

Action | Details
Restrict IAM permissions | Reduce overprivileged roles to least-privilege
Remove unused access keys | Delete inactive or unnecessary API access keys
Enable MFA | Require multi-factor authentication for the identity
Restrict Kerberos delegation | Change unconstrained delegation to constrained delegation
Limit cross-account trust | Reduce the scope of cross-cloud or cross-account trust relationships

Harden Configuration

Action | Details
Enable host firewall | Activate the operating system firewall
Disable password authentication | Switch SSH to key-only authentication
Close unnecessary ports | Remove unneeded security group rules allowing inbound traffic
Enable encryption | Enable encryption at rest for databases and storage accounts
Configure secret rotation | Set up automated rotation for secrets and credentials

Network Segmentation

Action | Details
Add network security group | Apply NSG/security group rules to filter traffic
Segment subnet | Split a large subnet into smaller segments to limit lateral movement
Remove public IP | Remove direct internet exposure and route through a load balancer or WAF
Restrict source CIDRs | Tighten security group rules to allow only specific source IPs

Improve Monitoring

Action | Details
Deploy EDR | Install endpoint detection and response on the asset
Enable audit logging | Turn on audit logs for the resource
Configure alerts | Set up alerting for suspicious activity
Connect to SIEM | Forward logs to your security information and event management system

Effort Estimation

Each action includes an estimated effort level:

Effort | Meaning | Examples
Low | Can be completed quickly with minimal risk of disruption | Enable MFA, remove unused access key, enable audit logging
Medium | Requires planning and a maintenance window | Patch a CVE, update security group rules, configure secret rotation
High | Significant effort with potential impact on availability | Upgrade OS, redesign network segmentation, replace shared service account with per-service identities

Quick Wins

Sort the remediation list by Effort: Low and look for items with high impact scores. These are your quick wins -- actions that deliver significant security improvement with minimal operational disruption.

Working with the Remediation List

Export

Click Export to download the remediation list as a CSV or JSON file for use in ticketing systems, change management workflows, or executive reporting.

Track Progress

As you remediate issues, trigger a graph Recompute to see the updated remediation list. Completed actions disappear from the list, and priority rankings adjust to reflect the new state of your environment.

Integrate with Issue Trackers

If you have Issue Integrations configured (Jira, Azure DevOps, etc.), click Create Issue on any remediation item to push it directly to your project management tool with full context including the attack paths affected, risk score, and suggested fix.

Remediation Impact Over Time

After remediating items and recomputing the graph, the Dashboard shows your risk trend:

  • Average risk score: Should decrease as you remediate
  • Path count: Total attack paths should decrease
  • Toxic combination count: Should decrease as patterns are broken
  • Chokepoint count: May decrease as you address structural bottlenecks

Continuous Improvement

The remediation list is regenerated with every graph computation. As you fix issues, new items may emerge as previously hidden risks become the new top priorities. This is expected and reflects genuine continuous exposure management.
