Action Plans: Risk Remediation
Jessica

Use the Risk Remediation page in the Security Posture Management application [Action Plans ➔ Risk Remediation] to manage risk remediation plans (RRPs) and generate a Risk Remediation forecast. RRPs list and prioritize findings that can be fixed to improve certain risk vector grades. Plans are designed to identify and remediate high-impact findings with the goal of reaching an A grade.

There are two types of plans available:

- Base Plan (Bitsight Authoritative Plan): The default, system-generated plan that represents the most efficient path to an A grade based on Bitsight's proprietary methodology.
- Custom Plans: User-defined plans that let you tailor remediation strategies by excluding findings that can't currently be addressed or are already remediated, so you can see the next best plan.

A Risk Remediation forecast generates a projection based on your selected plan (base or custom) and its associated inputs.

Risk Remediation is available with some SPM packages for My Companies and My Subsidiary subscriptions.

RRPs are available for the following risk vectors:

- TLS/SSL Certificates
- TLS/SSL Configurations
- Web Application Security
- Patching Cadence
- Desktop Software
- Mobile Software
- Web Application Headers

This article covers RRP calculation, capabilities, and interpretation. To learn more, refer to the following articles:

- Running a Risk Remediation Plan
- Scheduling a Risk Remediation Plan
- Risk Remediation Plan Details by Risk Vector
- Risk Remediation Forecast

Base Plan vs. Custom Plan

The Base Plan serves as the authoritative benchmark for remediation.
It represents the most efficient path to achieving an A grade with no constraints.

Custom Plans allow you to modify this approach by:

- Excluding findings that cannot be addressed immediately
- Prioritizing work based on internal constraints or business priorities
- Creating multiple scenarios to evaluate different remediation strategies

You can always compare your custom plans against the Bitsight Base Plan to:

- Understand tradeoffs between ideal and practical remediation paths
- Measure how exclusions or delays impact your projected grade
- Ensure alignment with Bitsight's recommended best-practice approach

How It Works: Calculation and Capabilities

RRPs are point-in-time, so outside factors like new findings, infrastructure changes, and changes in our inventory of companies can shift the outcome of the report.

Patching Cadence Risk Vector

This RRP projects your future risk vector grade based on different remediation scenarios, prioritizing the most severe findings to prevent your grade from deteriorating.

All Other Risk Vectors

These RRPs show the most efficient path to improve a risk vector grade to an A based on the grade-impacting findings present at the time of calculation.

RRPs are calculated on the assumption that fixed findings become, or are replaced by, Good findings. Good findings have the highest positive impact on your risk vector grades. There are many valid ways to remediate, mitigate, or improve findings, but not all of them result in a Good finding, so a remediation that does not produce a Good finding may not deliver the improvement the plan projects.

In addition to findings that need to be fixed, RRPs contain findings that need to be maintained.
When a plan is calculated, the weight of the finding grades that need to be maintained, plus the anticipated weight of the findings you fix along the way, is enough to improve your grade to an A. Remediating findings in the Maintain for an A group helps pad your ratio of positive to negative findings and can help protect your A grade from dropping as new findings occur.

An RRP calculates the most efficient remediation path to an A: no more, no less. It does not take into account what happens if you don't follow the plan. If you skip or ignore a finding that the plan has identified as part of your path, it remains on your RRP. Remediated findings also remain on your RRP until they have completed their finding lifetime, so a finding you have already fixed does not disappear from the plan immediately.

Reading a Plan

The RRP supports multiple risk vectors. The data in each plan is laid out differently, but the overall structure is the same: findings are listed from most to least impactful and separated into groups.

Patching Cadence Risk Vector

The Patching Cadence RRP models multiple remediation scenarios and projects your future risk vector grade based on the number, severity, and age of the vulnerabilities addressed.

It helps answer key questions such as:

- How soon, and by how much, will the letter grade drop if current findings are not fixed?
- How many findings must be remediated now to maintain the current grade?
- What would the future grade be if additional findings were fixed today?

The report estimates hypothetical 90-day scenarios, assuming a subset of the current unremediated findings is remediated as of the report date. Each scenario includes the findings in that row and all rows above it, and displays the expected grade at different points in time. Previously remediated findings may continue to impact the grade for a period of time.

All Other Risk Vectors

Groups contain the findings that need to be fixed to improve your letter grade from the current grade to the next in sequence.
This improvement is usually from one grade to the next, such as C → B, but in rare cases you may see skip-level groups such as C → A.

Findings in each group are ordered from most to least impactful. Where findings have the same weight, they are listed alphabetically. Findings don't have to be fixed in order, but all findings in a group must be fixed to achieve the grade improvement shown in the RRP.

Finding Details

The RRP includes information to help you remediate findings. Select an individual finding from the RRP to open a details sheet like the one on the Findings Table page. To open a group of findings in the Findings Table page, select View in Findings. In the Patching Cadence RRP, select a group of findings in the Findings column to open them in the Findings Table page.

Most RRPs can be scheduled. If your plan is older, findings in it may no longer exist or may no longer impact your grade. Scheduling your plan keeps it up to date and prevents you from working with stale information. The Patching Cadence RRP cannot be scheduled.

Downloading a Plan

Downloading plans allows you to track your progress over time using comparative reporting. We recommend scheduling and downloading plans weekly or monthly for this purpose.

Active Plan

Select Download CSV in the top right of the plan page.

Historical Plan

Select See Historical Plans, then select Download CSV next to the historical plan you wish to download.

March 24, 2026: Security Posture Management rebrand.
April 8, 2025: Risk Remediation Plan is available for Web Application Security.
October 29, 2024: Reordered plan types to match the platform. Linked to the new Risk Remediation Forecast article.
October 23, 2024: Added navigation instructions.

Related articles

- Running a Risk Remediation Plan
- Risk Remediation Plan Details by Risk Vector
- What is a Finding Lifetime?
- How is the Web Application Headers Risk Vector Assessed?
- Scheduling a Risk Remediation Plan
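The Downloading a Plan section recommends exporting plans weekly or monthly for comparative reporting but does not show how two exports are compared. The following Python script is an added example, not code from the Bitsight article or product. It diffs an earlier and a later point-in-time CSV export and classifies each finding as remediated, still open, maintained, regressed, new, or dropped, then counts the non-Good findings still left in each group, since every finding in a group must be fixed before that group's grade step is reached. The column names (finding_id, risk_vector, asset, finding_grade, group) and the sample rows are assumptions constructed for illustration; map them onto the columns your actual Download CSV contains. The classification follows the caveats in the text: a fix is credited only when the finding's grade has become Good, and a finding that vanished from the plan is reported as dropped rather than fixed, because remediated findings stay on the plan until their lifetime ends, so a vanished finding most likely aged out or stopped impacting the grade.

```python
"""Compare two point-in-time Risk Remediation Plan CSV exports.

Added example; not code from the Bitsight article or product. The column
names (finding_id, risk_vector, asset, finding_grade, group) are ASSUMED
for illustration and must be mapped onto the real Download CSV columns.
"""
import csv
import io
from collections import Counter

# Constructed sample exports (not real data): an earlier and a later plan.
OLD_CSV = """finding_id,risk_vector,asset,finding_grade,group
f-1001,TLS/SSL Configurations,www.example.test,Bad,C -> B
f-1002,TLS/SSL Configurations,api.example.test,Bad,C -> B
f-1003,TLS/SSL Certificates,mail.example.test,Warn,B -> A
f-1004,TLS/SSL Certificates,vpn.example.test,Good,Maintain for an A
"""

NEW_CSV = """finding_id,risk_vector,asset,finding_grade,group
f-1001,TLS/SSL Configurations,www.example.test,Good,C -> B
f-1003,TLS/SSL Certificates,mail.example.test,Warn,B -> A
f-1004,TLS/SSL Certificates,vpn.example.test,Good,Maintain for an A
f-1005,TLS/SSL Configurations,shop.example.test,Bad,C -> B
"""


def load_plan(text):
    """Parse one export into {finding_id: row}, keeping file order."""
    return {row["finding_id"]: row for row in csv.DictReader(io.StringIO(text))}


def compare_plans(old_text, new_text):
    """Classify every finding by how it changed between the two exports.

    remediated: not Good before, Good now (the only transition the plan
                credits, since it assumes fixed findings become Good)
    still_open: present in both, still not Good
    maintained: Good in both (the Maintain for an A group)
    regressed:  Good before, not Good now (eats into the A-grade padding)
    new:        only in the later export
    dropped:    only in the earlier export; NOT assumed fixed, because a
                remediated finding stays on the plan until its lifetime
                ends, so a vanished one most likely aged out or stopped
                impacting the grade
    """
    old, new = load_plan(old_text), load_plan(new_text)
    keys = ("remediated", "still_open", "maintained", "regressed", "new", "dropped")
    report = {k: [] for k in keys}
    for fid, row in new.items():
        prev = old.get(fid)
        now_good = row["finding_grade"] == "Good"
        if prev is None:
            report["new"].append(fid)
            continue
        was_good = prev["finding_grade"] == "Good"
        if now_good and was_good:
            report["maintained"].append(fid)
        elif now_good:
            report["remediated"].append(fid)
        elif was_good:
            report["regressed"].append(fid)
        else:
            report["still_open"].append(fid)
    report["dropped"] = [fid for fid in old if fid not in new]
    return report


def open_by_group(text):
    """Count the non-Good findings left in each group of one export.

    A group with a non-zero count has not yet earned its grade step.
    """
    counts = Counter(
        row["group"] for row in load_plan(text).values() if row["finding_grade"] != "Good"
    )
    return dict(counts)


if __name__ == "__main__":
    for status, ids in compare_plans(OLD_CSV, NEW_CSV).items():
        print(f"{status:11s} {', '.join(ids) or '-'}")
    print("open per group:", open_by_group(NEW_CSV))
```

Run it against two real exports by reading each file's contents into the old_text and new_text arguments instead of the constructed samples; the dropped list is the one to review by hand, because the page gives no way to tell an aged-out finding from one that stopped impacting the grade.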