Accepted risks

An accepted risk is a formal decision not to remediate a finding right now. Accepting a risk records why you’ve made that call and keeps the finding out of your active Remediation Queue so it doesn’t clutter your day-to-day work.

When you accept a risk on a finding, you record:

  • A reason explaining the decision.
  • An optional expiration date.
  • An optional supporting document for context or compliance evidence.

Once accepted, the finding is excluded from the active remediation pipeline.

You can review your accepted risks in their own area. Application and Vortex findings are kept in a separate list from network findings, so review each as appropriate. From there you can:

  • View the list of accepted risks, with their reasons and expirations.
  • Revoke an acceptance, which returns the finding to the active pipeline.
  • Export the list — useful as evidence during an audit or compliance review.

For how findings flow through the pipeline once they’re active, see the Remediation Queue.