Potential vs. preferred solutions

Potential solution: Any solution that could address a vulnerability. A single vulnerability often has multiple potential solutions.

Preferred solution: The single solution designated for remediating a specific vulnerability or vulnerable item (VIT). It communicates clear intent and enables precise deployment tracking across your environment.

Preferred solution selection logic

The system selects preferred solutions in the following priority order. A higher-priority selection is never overridden by a lower one:

Solution supersedence

A superseding solution fully replaces a prior release — for example, a Service Pack superseding a hotfix. Solution Management tracks these chains automatically.

Key behaviors:

• If an older vulnerability is detected, any higher-superseding solution can address it.
• The system prefers the highest (most cumulative) superseding solution.
• Supersedence chains are automatically constructed during MSRC import and reflected in the related list on each solution record.

Scanner-sourced solutions (v24.0.6+)

Beginning with v24.0.6, solutions from scanners can be ingested in addition to vendor solutions. The following integrations are supported:

• Tenable.sc Plugin Integration
• Tenable.io Plugin Integration
• Qualys Knowledge Base (Backfill)
• Microsoft TVM Machine Vulnerabilities Integration (Full Import)
• Microsoft TVM Machine Vulnerabilities Integration (Delta Import)

For Microsoft TVM specifically, solutions are created at the detection level, allowing preferred solutions to be populated directly on vulnerable items without additional processing steps.

Remediation status metrics

Navigate to the Vulnerability Solution [sn_vul_solution] table, select a specific vulnerability solution, and open the Remediation Status tab. This tab reports the following fields:

Solution risk score and risk rating

Each solution record carries a risk score that estimates the risk reduction achievable by deploying it. The calculation is:

• Start with 85% of the highest Risk score among all active VITs that list this as a potential solution.
• Add bonus points based on the total number of affected VITs:

For example, a solution with a max VIT risk score of 80 starts at 68 (80 × 0.85). With 200 active VITs, 10 points are added, yielding a final Risk score of 78 (High).

The risk rating translates the Risk score into a severity label (applies from v16.1 onward):

Performance optimization: update status flag

An Update status column was introduced in the Vulnerability Solution table to reduce unnecessary processing. When only remediation status metrics must be recalculated (no roll-up or preferred solution population required), solutions are no longer queued. Instead, the Update status flag is set to true directly.

This optimization applies in the following scenarios:

• When the preferred solution changes on a vulnerability
• When VITs are created or deleted
• When a VIT import is completed

Processing architecture

Process Vulnerability Solution Metrics Queue Job

This scheduled job evaluates and assigns preferred solutions to vulnerability records ingested via MSRC and Red Hat. It executes solution roll-down to associated VITs and recalculates remediation status metrics on solution records. It processes all solutions — while only MSRC and Red Hat integrations are available in the base system, you can also activate Suse and Cisco solutions or create your own CSAF or CVRF integrations.

This job is resource-intensive given the potential scale of processing hundreds of thousands of vulnerability records. Initial solution ingestion or high-volume imports of solutions or third-party vulnerabilities or vulnerable items may take substantially longer than steady-state runs.

Split Processing Jobs (v26.5.3+)

Running both jobs concurrently significantly improves overall throughput.