Configuring remediation target rules

  • Release version: Australia
  • Updated March 12, 2026

    By configuring remediation target rules, you can set the expected time frame for addressing findings, similar to how service level agreements (SLAs) set deadlines for fixing vulnerabilities.

    The base system ships with three remediation target rules that apply only to application vulnerable items:
    • Critical Risk Rating Rule: A remediation target with a 1-Critical risk rating, a remediation target of 15 days, and a reminder of 7 days before the target date.
    • Less Critical Risk Rating Rule: A remediation target with either a 2-High or 3-Medium risk rating, a remediation target of 30 days, and a reminder of 7 days before the target date.
    • Medium-High Risk Rating Rule: A remediation target with a 4-Low risk rating, a remediation target of 45 days, and a reminder of 7 days before the target date.
    These rules are inactive by default. If you choose to edit one, rather than create a new one, remember to check the Active box before saving.

    Create or edit remediation target rules

    Set up a remediation target rule at the findings level to ensure the timely remediation of high-risk vulnerabilities.

    Before you begin

    Role required: See Access control lists (ACLs) for administration rules

    Procedure

    1. Navigate to Workspaces > Security Exposure Management Workspace.
    2. Select Administration in the navigation pane.
    3. Select Review on the Remediation target rules tile.
    4. On the Rules page, select Remediation target in the navigation pane.
    5. Select New.
    6. On the remediation target rule form, enter the required details.
      For a full description of each field, see Remediation target rule fields.
    7. Select Save.

      This rule goes into effect during the next run of the scheduled job, Evaluate remediation targets, or when you use the Reapply button on the Remediation target rules list view. The same is true when an existing rule is updated.

    Recalculate a remediation target date

    The remediation target (RT) date defines when a finding must be remediated. Recalculation verifies that RT dates stay accurate and reflect the latest risk rating updates. When a finding’s risk rating changes, the system can recalculate RT dates using the most recent update date, helping maintain accurate SLAs and avoid outdated or overdue target dates.

    Before you begin

    Note:
    By default, recalculation applies only to findings that aren’t overdue. To include overdue findings in the recalculation, enable the sn_sec_cmn.evaluate_targetmissed_records system property.

    Role required: admin

    Procedure

    1. Navigate to Security Exposure Management > Administration > Remediation Target Rules.
    2. Open an existing rule to make updates.

      If you need to create a new rule, select New.

      For instructions, see Create or edit a Vulnerability Response remediation target rule.
    3. Choose how the system should recalculate the remediation target (RT) date when the risk rating changes.
      • In Workspace, this option appears in the Recalculate target date section.
      • In Classic view, use the Target recalculation method field.

      Choice: Description
      • Default calculation: Retains the existing RT date. The recalculated date isn’t applied.
      • Recalculate from risk change date: Updates the Remediation Target date to: Field change time + Target (days) based on the new risk rating.
      • Recalculate from risk change date and always set to earliest target date: Compares the existing RT date with Field change time + Target (days) and applies the earlier date.
      • Recalculate from risk change date and set to earliest target date only when risk rating increases:
        If the risk increases: Compares the existing RT date and the recalculated RT date and applies the earliest date.
        If the risk decreases: Applies Field change time + Target (days) without comparison.

    4. Select Save.

    Examples of recalculating a remediation target date

    The following examples show how the system recalculates the remediation target date based on different rule selections and risk rating changes.

    Note:
    By default, SLAs define the remediation window for each risk level:
    • Low risk: 30 days
    • Medium risk: 15 days
    • High risk: 10 days
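
    Default calculation
    • Target from (date): Feb 1
    • Field change time: Feb 10
    • Initial risk (Target (days)) → New risk (Target (days)): Medium (15 days) → High (10 days)
    • Existing RT date: Feb 16 (retained)
    • Recalculated RT date: Feb 20
    • What happens: The recalculated RT date isn’t applied. The system keeps the original RT date: Target from (date) + Target (days) → Feb 1 + 15 = Feb 16.

    Recalculate from risk change date
    • Target from (date): Feb 1
    • Field change time: Feb 10
    • Initial risk (Target (days)) → New risk (Target (days)): Medium (15 days) → High (10 days)
    • Existing RT date: Feb 16
    • Recalculated RT date: Feb 20 (applied)
    • What happens: Uses the recalculation formula: Field change time + Target (days) → Feb 10 + 10 = Feb 20.

    Recalculate from risk change date and always set to earliest target date
    • Target from (date): Feb 1
    • Field change time: Feb 10
    • Initial risk (Target (days)) → New risk (Target (days)): Medium (15 days) → Low (30 days)
    • Existing RT date: Feb 16 (applied)
    • Recalculated RT date: Mar 12
    • What happens: Compares the existing RT date (Feb 16) with the recalculated date (Feb 10 + 30 = Mar 12) and selects the earliest date → Feb 16.

    Recalculate from risk change date and set to earliest target date only when risk rating increases

    Risk rating increases:
    • Target from (date): Feb 1
    • Field change time: Feb 10
    • Initial risk (Target (days)) → New risk (Target (days)): Low (30 days) → High (10 days)
    • Existing RT date: Mar 3
    • Recalculated RT date: Feb 20 (applied)
    • What happens: Because the risk increased, the system compares the existing RT date (Mar 3) with the recalculated date (Feb 20) and applies the earlier date → Feb 20.

    Risk rating decreases:
    • Target from (date): Feb 1
    • Field change time: Feb 10
    • Initial risk (Target (days)) → New risk (Target (days)): High (10 days) → Low (30 days)
    • Existing RT date: Feb 11
    • Recalculated RT date: Mar 12 (applied)
    • What happens: Because the risk decreased, no comparison is performed. The system sets RT date to: Field change time + Target (days) → Feb 10 + 30 = Mar 12.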
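
The four recalculation choices and the example rows above, modelled as an added JavaScript sketch for checking expected target dates offline; it is not ServiceNow code and calls no platform API. The method keys, function names and the year 2026 are assumptions, and the existing RT date is taken as Target from (date) + Target (days) for the initial risk, as in the examples.

```javascript
// Added illustration, not ServiceNow code: models the four recalculation choices.
const DAY_MS = 24 * 60 * 60 * 1000;
// Target (days) per risk level, from the note in the examples section.
const TARGET_DAYS = { Low: 30, Medium: 15, High: 10 };
// Higher rank = higher risk; only used to detect a rating increase.
const RISK_RANK = { Low: 1, Medium: 2, High: 3 };
// Hypothetical short keys for the four choices (not platform values).
const METHOD = {
  DEFAULT: "default",
  FROM_CHANGE: "from_change",
  ALWAYS_EARLIEST: "always_earliest",
  EARLIEST_ON_INCREASE: "earliest_on_increase",
};
// Dates are kept in UTC so day arithmetic is not shifted by local DST.
const utc = (y, m, d) => new Date(Date.UTC(y, m - 1, d));
const addDays = (date, days) => new Date(date.getTime() + days * DAY_MS);
const earlier = (a, b) => (a.getTime() <= b.getTime() ? a : b);
const iso = (date) => date.toISOString().slice(0, 10);

function recalcTargetDate({ method, targetFrom, changeTime, oldRisk, newRisk }) {
  for (const risk of [oldRisk, newRisk]) {
    if (!Object.hasOwn(TARGET_DAYS, risk)) throw new Error(`unknown risk rating: ${risk}`);
  }
  const existing = addDays(targetFrom, TARGET_DAYS[oldRisk]);
  const recalculated = addDays(changeTime, TARGET_DAYS[newRisk]);
  switch (method) {
    case METHOD.DEFAULT:
      return existing; // the recalculated date is not applied
    case METHOD.FROM_CHANGE:
      return recalculated;
    case METHOD.ALWAYS_EARLIEST:
      return earlier(existing, recalculated);
    case METHOD.EARLIEST_ON_INCREASE:
      return RISK_RANK[newRisk] > RISK_RANK[oldRisk]
        ? earlier(existing, recalculated)
        : recalculated; // not an increase: applied without comparison
    default:
      throw new Error(`unknown method: ${method}`);
  }
}

// The five example rows from the page, in order; the year 2026 is an assumption.
function pageExamples() {
  const base = { targetFrom: utc(2026, 2, 1), changeTime: utc(2026, 2, 10) };
  const run = (method, oldRisk, newRisk) =>
    iso(recalcTargetDate({ ...base, method, oldRisk, newRisk }));
  return [run(METHOD.DEFAULT, "Medium", "High"), run(METHOD.FROM_CHANGE, "Medium", "High"),
    run(METHOD.ALWAYS_EARLIEST, "Medium", "Low"), run(METHOD.EARLIEST_ON_INCREASE, "Low", "High"),
    run(METHOD.EARLIEST_ON_INCREASE, "High", "Low")];
}
```

In a leap year the two March results fall one day earlier (Mar 2 and Mar 11), so pin the year when comparing against the dates shown on a finding.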