Triage

Triage is AISafe's AI-powered finding analysis pass. After an assessment's agents discover potential vulnerabilities, the triage phase confirms which represent real vulnerabilities, deduplicates by root cause, assigns confidence scores, and prepares findings for human review.

What triage does

The triage pass performs several critical functions that turn raw agent output into an actionable backlog:

  • Confirmation: validates that each finding represents a real vulnerability. The triage agent re-examines the evidence, checks for mitigating factors, and assigns a confidence score (1–100). The triage agent flags findings with low confidence so you can review them first.
  • Deduplication: identifies findings that share the same root cause and marks duplicates, linking them to a canonical finding. This prevents your team from triaging the same issue multiple times and keeps the backlog focused on distinct problems.
  • Severity refinement: adjusts the initial severity rating based on exploitability, impact, and context. The triage agent might downgrade a finding that looks critical in isolation if it requires an improbable precondition, or upgrade it if the agent discovers a more serious impact.
  • Evidence enrichment: ensures each finding has complete evidence (locations, taint flows, proof of concept, steps to reproduce, and suggested fixes). The triage agent fills in missing evidence so each finding is ready for human review.

Triage runs as the final stage of each assessment. You do not need to trigger it. By the time you open the findings list, the triage pass has completed and the findings are ready for your review.

Human-in-the-loop

Triage produces recommendations. Your team retains full control over finding status. From the dashboard, you can apply any of the following triage actions to a finding. Each action updates the finding's status and moves it through your remediation workflow:

  • Confirm: You agree with the triage assessment. You accept the finding as a real vulnerability and it stays in the active backlog for remediation.
  • False positive: You override the triage decision and mark the finding as a false positive. You must provide a reason so your team has context for the override.
  • Accepted risk: You acknowledge the vulnerability but choose not to fix it (for example, it is low impact, mitigated elsewhere, or out of scope). You must provide a reason.
  • Duplicate: You mark the finding as a duplicate of another finding and link it to the canonical one. This keeps your backlog clean and avoids double work.
  • Fixed: You mark the finding as remediated. This happens after you patch the code and verify the fix.

Severity levels

AISafe assigns each finding a severity level that reflects the potential impact and exploitability of the vulnerability. AISafe uses five severity levels:

  • Critical: the vulnerability allows an attacker to execute arbitrary code, access sensitive data without authentication, or take over the application. You should remediate these first.
  • High: the vulnerability has a significant impact (e.g. privilege escalation, data exposure) but requires some precondition or is harder to exploit. Prioritize these in your current sprint.
  • Medium: the vulnerability has a moderate impact (e.g. information disclosure, limited injection) that an attacker could exploit under specific circumstances. Plan to remediate in a reasonable timeframe.
  • Low: the vulnerability has a minor impact (e.g. verbose error messages, missing security headers) that an attacker has little chance of exploiting on its own but contributes to overall risk.
  • Info: the finding is an observation or best-practice recommendation. Use these to improve your security posture over time.

The triage agent may adjust the initial severity rating based on exploitability, impact, and context. The agent might downgrade a finding that looks critical in isolation if it requires an improbable precondition. When severity is adjusted after assessment, AISafe preserves the original AI rating, the adjusted value, the actor, and any required justification in the finding's severity history.

Use severity as a starting point for prioritization. Consider your application's specific context (threat model, exposure, and business impact) when deciding what to fix first.
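The triage actions listed under "Human-in-the-loop" and the severity history described above amount to a small state model: some actions require a reason, a duplicate must link to a canonical finding, and a severity adjustment must keep the original rating, the adjusted value, the actor and the justification. The following is an added example written for this page, not AISafe's own code or API; every class, field and function name in it is an assumption, and the findings it builds are constructed sample data. It also adds a review-queue ordering (highest severity first, lowest confidence first within a severity) that generalizes the guidance on the page about reviewing low-confidence findings closely.

```python
# Added example (not AISafe's code): a minimal model of the triage workflow
# described on this page. All names here are assumptions for illustration.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Severity(Enum):
    INFO = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


class Status(Enum):
    OPEN = "open"
    CONFIRMED = "confirmed"
    FALSE_POSITIVE = "false_positive"
    ACCEPTED_RISK = "accepted_risk"
    DUPLICATE = "duplicate"
    FIXED = "fixed"


# Actions that must carry a reason so the team has context for the override.
REASON_REQUIRED = {Status.FALSE_POSITIVE, Status.ACCEPTED_RISK}


@dataclass
class SeverityChange:
    original: Severity
    adjusted: Severity
    actor: str
    justification: str


@dataclass
class Finding:
    id: str
    title: str
    severity: Severity
    confidence: int                      # 1-100, as assigned by the triage agent
    status: Status = Status.OPEN
    duplicate_of: Optional[str] = None   # id of the canonical finding, if a duplicate
    severity_history: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)  # (actor, action, reason) tuples


class TriageError(ValueError):
    pass


def apply_action(finding: Finding, action: Status, actor: str,
                 reason: Optional[str] = None,
                 canonical: Optional[Finding] = None) -> Finding:
    """Apply one human triage action, enforcing the rules stated on the page."""
    if action == Status.OPEN:
        raise TriageError("open is the initial state, not a triage action")
    if action in REASON_REQUIRED and not reason:
        raise TriageError(f"{action.value} requires a reason")
    if action == Status.DUPLICATE:
        if canonical is None or canonical.id == finding.id:
            raise TriageError("duplicate must link to a different canonical finding")
        finding.duplicate_of = canonical.id
    finding.status = action
    finding.audit_log.append((actor, action.value, reason))  # who did what, and why
    return finding


def adjust_severity(finding: Finding, adjusted: Severity, actor: str,
                    justification: str) -> Finding:
    """Change severity while preserving the original rating in the history."""
    if not justification:
        raise TriageError("severity adjustment requires a justification")
    finding.severity_history.append(
        SeverityChange(finding.severity, adjusted, actor, justification))
    finding.severity = adjusted
    return finding


def bulk_apply(findings, action: Status, actor: str, reason: Optional[str] = None):
    """Apply the same action to several findings at once (bulk triage)."""
    return [apply_action(f, action, actor, reason) for f in findings]


def review_queue(findings):
    """Open findings in review order: highest severity first; within a severity,
    lowest confidence first, since those deserve a closer look before acting."""
    pending = [f for f in findings if f.status == Status.OPEN]
    return sorted(pending, key=lambda f: (-f.severity.value, f.confidence))


def sample_findings():
    # Constructed sample data for this example, not real assessment output.
    return [
        Finding("F-1", "Injection in /search", Severity.CRITICAL, 92),
        Finding("F-2", "Injection in /search (second path)", Severity.CRITICAL, 88),
        Finding("F-3", "Verbose stack trace on error page", Severity.LOW, 40),
        Finding("F-4", "Missing security header", Severity.LOW, 95),
        Finding("F-5", "Object reference check missing on /orders", Severity.HIGH, 55),
    ]


if __name__ == "__main__":
    fs = sample_findings()
    by_id = {f.id: f for f in fs}
    apply_action(by_id["F-2"], Status.DUPLICATE, "alice", canonical=by_id["F-1"])
    adjust_severity(by_id["F-5"], Severity.MEDIUM, "alice",
                    "requires an account with a specific role")
    bulk_apply([by_id["F-3"], by_id["F-4"]], Status.ACCEPTED_RISK, "bob",
               reason="internal tool, mitigated by network controls")
    for f in review_queue(fs):
        print(f.id, f.severity.name, f.confidence, f.status.value)
```

The point of the model is that the rules the page states in prose (a reason is mandatory for a false-positive or accepted-risk decision, a duplicate always points at a canonical finding, a severity change never erases the original AI rating) are enforced at the point where the action is applied, so the audit trail and severity history stay complete regardless of which user or bulk operation produced the change.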

Triage in the dashboard

The findings list in the dashboard is your triage queue. Filter by severity or status to focus on what matters. Each finding shows the triage agent's reasoning alongside the evidence, so you can make informed decisions.

You can triage findings one at a time or in bulk. Select multiple findings and apply the same action to all of them at once. This is useful when the triage agent has flagged a cluster of duplicates or a group of low-severity issues you want to accept as risk together. The dashboard logs each action you take, so your team has an audit trail of who confirmed, rejected, or accepted each finding.

The dashboard shows the triage agent's confidence score for each finding. Use this to prioritize your review: high-confidence findings are ready to confirm, while low-confidence findings deserve a closer look before you act on them.

You can export triaged findings to issue trackers like Jira or Linear, so remediation work flows into your engineering workflow without manual copy-paste.