As part of the Dynamic Remediation initiative, TLS/SSL Configuration findings that previously had to complete their lifetime when an asset is taken offline (such as removing a DNS record) are now marked as remediated. They stop impacting the rating as soon as the asset is detected to have been taken offline. Depending on the existing findings, remediation may impact (positively or negatively) the risk vector grade and the headline rating.
We are also releasing a new "No: Asset taken offline" finding rescan status value for the "impacts risk vector grade" field to better explain why a finding stops impacting the risk vector grade. This value applies to both the TLS/SSL Configurations and the Open Ports risk vectors (with no rating impact on the latter).
Frequently Asked Questions
- Is there a limit to how many times rescans can be requested?
- Can I request a rescan via the API?
- On a successful rescan, will the ratings be updated? If so, how quickly would this happen?
- Do findings from temporary cloud instances that decommission on their own still show up or do we have to request a rescan?
- What is the expected timeline for the Dynamic Remediation initiative?
- Will the finding stop impacting the risk vector grade immediately after remediation?
- How long will it take for the rescan to both start and complete?
- Are the Dynamic Remediation improvements available free-of-charge or do they require a purchase?
- How are assets that are taken offline detected?
- Will this change the frequency of the automatic scan?
- What if assets go offline and then come back?
- When should I manually rescan and will Bitsight refresh findings daily?
Q: Is there a limit to how many times rescans can be requested?
A: There’s a limit of 250 findings that can be rescanned at once. There’s also a limit of 1,000 rescan requests each day.
Q: Can I request a rescan via the API?
A: No and there are no plans for this functionality at the moment.
Q: On a successful rescan, will the ratings be updated? If so, how quickly would this happen?
A: The rating will be updated in the next day and will be reflected both in the dashboard and in the API.
Q: Do findings from temporary cloud instances that decommission on their own still show up or do we have to request a rescan?
A: They will automatically stop impacting the rating when the lifetime expires or when the asset is rescanned by Groma in its regular scan cycle, whichever occurs first. To speed up the process and stop the rating impact as soon as the cloud instance is decommissioned, a user-requested rescan is needed.
Q: What is the expected timeline for the Dynamic Remediation initiative?
A: Updates (such as the rescan improvements) have started in February, with more improvements continuing through July 2025. Refer to the Upcoming Product Releases and Beta Programs Log to see the timeline (you must be signed in to access this resource).
Q: Will the finding stop impacting the risk vector grade immediately after remediation?
A: Once we validate that a finding is remediated, it will stop impacting the risk vector grade the following day.
Q: How long will it take for the rescan to both start and complete?
A: This depends on the risk vector. Once the Dynamic Remediation initiative is complete, the applicable risk vectors will have the following rescan timelines:
- The rescan starts immediately and takes a couple of minutes to complete for:
  - TLS/SSL Certificates
  - TLS/SSL Configurations
  - Open Ports
  - Server Software
  - Web Application Security
- Rescans for Mobile Application Security can take up to 11 days to complete.
- Rescans for all other risk vectors can take between 3 and 6 days to complete.
Q: Are the Dynamic Remediation improvements available free-of-charge or do they require a purchase?
A: All the Dynamic Remediation improvements will be available for all SPM users at no additional cost.
Q: How are assets that are taken offline detected?
A: They are detected depending on the type of finding:
- For an IP-based TLS/SSL Configurations finding, the asset is considered offline if the IP:Port is not reachable.
- For a domain-based TLS/SSL Configurations finding, the asset is considered offline if the DNS record was deleted and the domain no longer resolves. If the domain still resolves, the asset is considered offline if the IP:Port is not reachable.
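As an added illustration (not Bitsight's or Groma's code), the following Python pre-check applies the two rules above so a remediation team can confirm that a decommissioned asset will be seen as offline before spending one of the limited manual rescan requests. The sample assets, the DNS and TCP stubs that let it run offline, and the ordering of the two checks for a still-resolving domain are assumptions taken from the text, not from the product.

```python
# Added example (not Bitsight's or Groma's code): applies the page's two offline rules
# to a TLS/SSL Configurations finding so a takedown can be checked before a manual rescan.
import socket
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Finding:
    asset: str       # IP address (ip_based=True) or domain name (ip_based=False)
    port: int        # port the finding was observed on
    ip_based: bool

def resolve(domain: str) -> Optional[str]:
    """Real DNS lookup: None when the name no longer resolves (record removed)."""
    try:
        return socket.gethostbyname(domain)
    except socket.gaierror:
        return None

def reachable(ip: str, port: int, timeout: float = 3.0) -> bool:
    """Real TCP reachability check for IP:Port."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def is_offline(f: Finding, resolver: Callable = resolve, reach: Callable = reachable) -> bool:
    # IP-based: offline iff IP:Port is unreachable.
    if f.ip_based:
        return not reach(f.asset, f.port)
    # Domain-based: offline if the DNS record is gone; if it still resolves,
    # fall back to the IP:Port reachability rule (ordering assumed from the text).
    ip = resolver(f.asset)
    return True if ip is None else not reach(ip, f.port)

# Constructed sample environment (RFC 5737 documentation addresses, .test names):
# stubs replace real DNS and TCP so the example runs offline.
_DNS = {"app.example.test": "192.0.2.10"}          # old.example.test: record deleted
_LISTENING = {("192.0.2.10", 443), ("198.51.100.7", 8443)}

def classify(findings, resolver=_DNS.get, reach=lambda ip, port: (ip, port) in _LISTENING):
    return {f"{f.asset}:{f.port}": is_offline(f, resolver, reach) for f in findings}

SAMPLE = [
    Finding("198.51.100.7", 8443, True),      # still listening -> online
    Finding("198.51.100.7", 443, True),       # port closed -> offline
    Finding("old.example.test", 443, False),  # DNS record removed -> offline
    Finding("app.example.test", 8443, False), # resolves but port closed -> offline
]
```

Pass `is_offline` its default `resolve`/`reachable` arguments to run the same rules against live assets; `classify` as written uses the constructed stubs.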
Q: Will this change the frequency of the automatic scan?
A: It doesn't change the automatic scan cycle.
Q: What if assets go offline and then come back?
A: The findings stop impacting the risk vector grade while the asset is offline and resume impacting it once the asset is back online.
Q: When should I manually rescan and will Bitsight refresh findings daily?
A: Findings are not rescanned daily, nor are they planned to be. With this and subsequent Dynamic Remediation updates, the maximum time for findings to stop impacting the rating is when the lifetime expires or when the same asset is rescanned by Groma in its regular scan cycle, whichever occurs first.
To validate findings and have their impact updated as quickly as possible, request a manual rescan. We recommend requesting a rescan when:
- Bad findings were remediated.
- The IP or domain is end-dated.
- The asset is taken offline as a remediation effort.