A finding is a promise, not a fact
A scanner that produces alerts isn't a program — it's noise with a timestamp. The work starts when a finding lands and someone has to decide what it means, who owns it, and how you'll know it's actually gone. Most teams are good at discovery and terrible at everything after, which is how backlogs balloon while the genuinely dangerous issues sit untouched.
A findings workflow is just the discipline of moving every issue through one lifecycle — discovery, triage, ownership, remediation, and verified closure — without letting anything fall into the gap between "we saw it" and "we fixed it."
Rank by risk, not by count
The instinct to "get the number down" pushes teams to close easy lows while criticals rot. Rank worst-first by combining severity with reachability and what the issue protects — the same exploitability-over-CVSS logic behind vulnerability management that scales. A medium on an internet-facing service with customer data outranks a critical on an internal box nobody can reach. This is why a per-product worst-of view beats a flat 2,000-row export, where the important items always hide in the middle.
Aging is the metric that tells the truth
A finding's age is the most honest signal you have. Open count flatters you — close ten lows, open one critical, and the total barely moves. Aging doesn't lie: a critical open for forty days is forty days of exposure no matter how busy the team looked. Track three numbers and nothing fancier:
- Open count by severity — the shape of the backlog.
- Mean time to remediate — keeping up, or falling behind?
- Oldest open critical — your single worst exposure, named.
If the oldest-critical number is climbing, you have a capacity or ownership problem, and no tool fixes that. It's the same slope-over-snapshot thinking behind a defensible security posture score.
Closing the loop means proving it
The most common lie in security operations is "fixed." Someone marks a finding resolved, the patch didn't take, and it resurfaces next scan as a "new" critical that's actually months old. Make closure require a re-check and an evidence artifact — a clean re-scan, a config diff, a screenshot of the enforced setting.
- Resolve records who closed it, when, and with what evidence — appended to the log, never overwritten.
- Reopen fires automatically when a "resolved" issue reappears, so a failed fix can't quietly vanish.
That trail is the same material an auditor samples, so a disciplined workflow doubles as audit evidence collected continuously instead of reconstructed in a panic.
The goal isn't an empty queue — it's a queue where nothing dangerous is old, nothing closed is faked, and every finding has a name next to it.