{% if domain %}{% endif %} Triage Prioritization - Finite State Report
{% if logo_path %}
{% else %}
{% endif %}

Triage Prioritization Report

{% if folder_path %} Folder: {{ folder_path }}{% if is_single_project and single_project_name %} / Project: {{ single_project_name }}{% endif %} — Risk-Based Vulnerability Triage & Prioritization {% elif is_single_project and single_project_name %} Project: {{ single_project_name }} — Risk-Based Vulnerability Triage & Prioritization {% else %} Risk-Based Vulnerability Triage & Prioritization {% endif %}
Report: {{ recipe_name }} | Generated: {{ generated_at }} | {% if metadata and metadata.start_date and metadata.end_date %} Period: {{ metadata.start_date }} to {{ metadata.end_date }} | {% endif %} Records: {{ metadata.transformed_count if metadata and metadata.transformed_count else 'N/A' }}
{% if portfolio_summary %}
{{ portfolio_summary.CRITICAL|default(0) }}
CRITICAL
{{ portfolio_summary.HIGH|default(0) }}
HIGH
{{ portfolio_summary.MEDIUM|default(0) }}
MEDIUM
{{ portfolio_summary.LOW|default(0) }}
LOW
{{ portfolio_summary.INFO|default(0) }}
INFO
{{ portfolio_summary.total|default(0) }}
TOTAL
{% endif %}

📊 Priority Band Distribution

Distribution of findings across risk priority bands.

🔀 Gate Classification Funnel

How findings flow through Gate 1 (Reachable+Exploit), Gate 2 (Strong Signal), and additive scoring.

🔥 CVSS Severity vs Priority Band

Each horizontal band represents a priority level — red (CRITICAL) at the top, gray (INFO) at the bottom. CVSS severity runs left-to-right. Bubbles that appear off the diagonal highlight where CVSS alone would misclassify risk — e.g., a CVSS Medium that lands in the CRITICAL band due to reachability and active exploitation.

🏆 Top 15 Riskiest Components

Components with the highest average triage scores, with band breakdown.

🎯 Risk Factor Profiles

Radar chart comparing risk factor profiles (Reachability, Exploits, Attack Vector, EPSS, CVSS) across top projects.

{% if project_summary_df is defined and project_summary_df|length > 0 %}

📋 Project Risk Summary

Per-project breakdown showing band counts. Projects sorted by CRITICAL count descending.

{% endif %}

Scoring Methodology

This report uses a tiered-gates scoring model that prioritizes findings based on real-world exploitability rather than theoretical CVSS scores alone.

{% if scoring_config and scoring_config.gates %} {% for gate in scoring_config.gates %}

{{ gate.name | replace('_', ' ') | title }} — {{ gate.band }} (score={{ gate.score }})

{% endfor %} {% endif %} {% if scoring_config and scoring_config.weights %}

Additive Scoring (Remaining Findings)

Bands: HIGH ≥ {{ scoring_config.weights.band_high_threshold }}, MEDIUM ≥ {{ scoring_config.weights.band_medium_threshold }}, LOW ≥ {{ scoring_config.weights.band_low_threshold }}, INFO < {{ scoring_config.weights.band_low_threshold }}

{% if scoring_config.weights.vex_resolved %}

VEX Status Penalty

{% endif %} {% endif %}
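An added Python illustration of the tiered-gates model described above (not Finite State's code): the gates are evaluated first, a gated finding takes the gate's score and band, everything else is scored additively and banded by threshold, and a resolved VEX status applies a penalty. Every point value, gate rule, threshold and penalty here is an assumption standing in for what the report reads from scoring_config.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    finding_id: str
    cvss: float             # CVSS base score, 0-10
    reachable: bool         # reachability analysis found a path to the vulnerable code
    has_exploit: bool       # a public exploit is known
    in_kev: bool            # listed in CISA KEV
    attack_vector: str      # "NETWORK" or "LOCAL"
    epss_percentile: float  # 0.0-1.0
    vex_status: str = ""    # e.g. "not_affected"; empty when no VEX statement exists

# Assumed thresholds and penalty (stand-ins for scoring_config.weights).
THRESHOLDS = {"band_high_threshold": 7.0, "band_medium_threshold": 4.0, "band_low_threshold": 1.0}
VEX_RESOLVED = {"not_affected", "fixed"}  # assumed statuses that trigger the VEX penalty
VEX_PENALTY = 5.0                          # assumed penalty value
# Assumed gate definitions (name, band, score, test), checked in order; first match wins.
GATES = [
    ("reachable_exploit", "CRITICAL", 10.0, lambda f: f.reachable and (f.has_exploit or f.in_kev)),
    ("strong_signal", "HIGH", 8.0, lambda f: f.in_kev or f.epss_percentile >= 0.95),
]

def additive_points(f: Finding) -> dict:
    """Per-factor points (assumed weights), analogous to the report's _pts_* columns."""
    return {
        "reachability": 3.0 if f.reachable else 0.0,
        "exploit": 2.0 if f.has_exploit else 0.0,
        "vector": 1.5 if f.attack_vector == "NETWORK" else 0.5,
        "epss": round(2.0 * f.epss_percentile, 1),
        "cvss": round(f.cvss / 10.0 * 2.0, 1),
    }

def band_for(score: float) -> str:
    """Band thresholds as stated in the methodology: HIGH >= high, MEDIUM >= medium, LOW >= low, else INFO."""
    if score >= THRESHOLDS["band_high_threshold"]: return "HIGH"
    if score >= THRESHOLDS["band_medium_threshold"]: return "MEDIUM"
    if score >= THRESHOLDS["band_low_threshold"]: return "LOW"
    return "INFO"

def triage(f: Finding) -> dict:
    additive = round(sum(additive_points(f).values()), 1)
    gate, band, score = "NONE", band_for(additive), additive
    for name, gate_band, gate_score, test in GATES:
        if test(f):  # a gated finding takes the gate's score and band, bypassing the thresholds
            gate, band, score = name, gate_band, gate_score
            break
    gate_bonus = round(score - additive, 1) if gate != "NONE" else 0.0  # as in the findings table
    if f.vex_status in VEX_RESOLVED:  # assumed: penalty applied after gating, band re-derived
        score = max(0.0, round(score - VEX_PENALTY, 1))
        band = band_for(score)
    return {"finding_id": f.finding_id, "triage_score": score, "priority_band": band,
            "gate_assignment": gate, "gate_bonus": gate_bonus}
```

With these assumed weights a CVSS 5.5 finding that is reachable with a known exploit lands in CRITICAL via Gate 1, while an unreachable CVSS 9.8 finding with no exploit signal scores additively into MEDIUM, which is the off-diagonal case the CVSS-vs-band chart is meant to surface.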

Reachability Interpretation

{% if ai_portfolio_prompt %}

AI Prompts

Copy and paste into any LLM for remediation guidance. No API key required. Project, component, and finding prompts are in the tables below.

Portfolio Remediation Prompt
{{ ai_portfolio_prompt }}
{% endif %} {% if ai_portfolio_summary and not is_single_project %}

🤖 AI Portfolio Remediation Summary

{% endif %} {% if ai_project_summaries %}

🤖 AI Project Remediation Guidance

{% for project_name, summary in ai_project_summaries.items() %}

{{ project_name }}

{% endfor %}
{% endif %} {% if ai_component_guidance %}

🤖 AI Component Remediation Guidance

Detailed fix guidance for Critical and High priority components. Fix version data is derived from the NVD API where available.

{% for comp_key, guidance in ai_component_guidance.items() %} {% endfor %} {% if ai_component_guidance|length > 10 %} {% endif %}
Component | Fix Version | Rationale | Guidance | Workaround | Code Search | Confidence
{{ comp_key }} {{ guidance.fix_version|default('—') }} {{ guidance.rationale|default('—') }} {{ guidance.guidance|default('—') }} {{ guidance.workaround|default('—') }} {{ guidance.code_search_hints|default('—') }} {{ guidance.confidence|default('—') }}
{% endif %} {% if ai_finding_guidance %}

🤖 AI Finding Triage Guidance

Per-finding triage and remediation guidance for Critical and High priority findings. Fix version data is derived from the NVD API where available.

{% for finding_id, guidance in ai_finding_guidance.items() %} {% endfor %} {% if ai_finding_guidance|length > 10 %} {% endif %}
Finding | Priority | Action | Rationale | Fix Version | Workaround | Code Search | Confidence
{{ finding_id }} {{ guidance.priority|default('—') }} {{ guidance.action|default('—') }} {{ guidance.rationale|default('—') }} {{ guidance.fix_version|default('—') }} {{ guidance.workaround|default('—') }} {{ guidance.code_search_hints|default('—') }} {{ guidance.confidence|default('—') }}
{% endif %} {% if project_summary_df is defined and project_summary_df|length > 0 %}

Project Risk Summary

{% if folder_path %}{% endif %} {% if ai_project_prompts %}{% endif %} {% for row in project_summary_df %} {% if folder_path %}{% endif %} {% if ai_project_prompts %} {% endif %} {% endfor %} {% if project_summary_df|length > 10 %} {% endif %}
Folder | Project | CRITICAL | HIGH | MEDIUM | LOW | INFO | Total | Avg Score | AI Prompt
{{ row.folder_name if row.folder_name is defined else '' }} {% if domain and row.project_id %} {{ row.project_name }} {% else %} {{ row.project_name }} {% endif %} {% if row.CRITICAL|default(0) > 0 %}{{ row.CRITICAL }}{% else %}0{% endif %} {% if row.HIGH|default(0) > 0 %}{{ row.HIGH }}{% else %}0{% endif %} {% if row.MEDIUM|default(0) > 0 %}{{ row.MEDIUM }}{% else %}0{% endif %} {{ row.LOW|default(0) }} {{ row.INFO|default(0) }} {{ row.total_findings|default(0) }} {{ row.avg_score|default(0) }} {% if row.project_name in ai_project_prompts %}
View
{{ ai_project_prompts[row.project_name] }}
{% else %}—{% endif %}
{% endif %} {% if top_components is defined and top_components|length > 0 %}

Top Riskiest Components

{% if ai_component_prompts %}{% endif %} {% for row in top_components %} {% if ai_component_prompts %} {% endif %} {% endfor %} {% if top_components|length > 10 %} {% endif %}
Component | Version | CRITICAL | HIGH | MEDIUM | LOW | Total | Avg Score | Max Score | AI Prompt | Actions
{{ row.component_name }} {{ row.component_version }} {% if row.CRITICAL|default(0) > 0 %}{{ row.CRITICAL }}{% else %}0{% endif %} {% if row.HIGH|default(0) > 0 %}{{ row.HIGH }}{% else %}0{% endif %} {% if row.MEDIUM|default(0) > 0 %}{{ row.MEDIUM }}{% else %}0{% endif %} {{ row.LOW|default(0) }} {{ row.total_findings|default(0) }} {{ row.avg_score }} {{ row.max_score }} {% set comp_key = row.component_name ~ ':' ~ row.component_version %} {% if comp_key in ai_component_prompts %}
View
{{ ai_component_prompts[comp_key] }}
{% else %}—{% endif %}
{% set c_key = row.component_name ~ ':' ~ row.component_version %} {% set c_guidance = ai_component_guidance.get(c_key, {}) if ai_component_guidance is defined and ai_component_guidance else {} %} {% set c_summary_parts = [] %} {% if c_guidance.get('fix_version') %}{% if c_summary_parts.append('Fix: ' + c_guidance.fix_version) %}{% endif %}{% endif %} {% if c_guidance.get('guidance') %}{% if c_summary_parts.append(c_guidance.guidance) %}{% endif %}{% endif %} {% if c_guidance.get('workaround') %}{% if c_summary_parts.append('Workaround: ' + c_guidance.workaround) %}{% endif %}{% endif %} {% set c_summary = c_summary_parts | join('\n\n') if c_summary_parts else (row.total_findings | string ~ ' findings (' ~ row.CRITICAL | string ~ ' CRITICAL, ' ~ row.HIGH | string ~ ' HIGH) in ' ~ row.component_name ~ ' ' ~ row.component_version) %} {% set c_band = 'CRITICAL' if (row.CRITICAL|default(0)) > 0 else ('HIGH' if (row.HIGH|default(0)) > 0 else ('MEDIUM' if (row.MEDIUM|default(0)) > 0 else 'LOW')) %}
{% endif %} {% if findings_df is defined and findings_df|length > 0 %}

Findings Detail (Top 100 by Priority)

{% if ai_finding_prompts %}{% endif %} {% for row in findings_df[:100] %} {% set _additive = (row._pts_reachability|default(0) + row._pts_exploit|default(0) + row._pts_vector|default(0) + row._pts_epss|default(0) + row._pts_cvss|default(0))|round(1) %} {% set _gate_bonus = (row.triage_score - _additive)|round(1) if row.gate_assignment != 'NONE' else 0 %} {% if ai_finding_prompts %} {% endif %} {% endfor %} {% if findings_df[:100]|length > 10 %} {% endif %}
Finding ID | Severity | Band | Score | Gate | Component | Project | Version | Reachability | Score | Vuln Functions | Exploit | KEV | Vector | EPSS %ile | CVSS | AI Prompt | AI Status | Actions
{% if domain and row.project_id and row.project_version_id and row.internal_id %} {{ row.finding_id }} {% else %} {{ row.finding_id }} {% endif %} {{ row.severity }} {{ row.priority_band }}{{ row.triage_score }} {{ row.gate_assignment if row.gate_assignment != 'NONE' else '—' }} {% if domain and row.project_id and row.project_version_id and row.component_id %} {{ row.component_name }}{% if row.component_version %} {{ row.component_version }}{% endif %} {% elif domain and row.project_id and row.project_version_id %} {{ row.component_name }}{% if row.component_version %} {{ row.component_version }}{% endif %} {% else %} {{ row.component_name }}{% if row.component_version %} {{ row.component_version }}{% endif %} {% endif %} {% if domain and row.project_id %} {{ row.project_name }} {% else %} {{ row.project_name }} {% endif %} {% if domain and row.project_id and row.project_version_id %} {{ row.version_name if row.version_name else '—' }} {% else %} {{ row.version_name if row.version_name else '—' }} {% endif %} {% set rlabel = row.reachability_label if row.reachability_label is string else 'UNKNOWN' %}{{ rlabel }} {{ row.reachability_score|int if row.reachability_score else '—' }} {{ row.vuln_functions if row.vuln_functions else '—' }} {% if row.has_exploit %}💥 Yes{% else %}—{% endif %} {% if row.in_kev %}🔒 Yes{% else %}—{% endif %} {{ row.attack_vector }} {{ "%.1f"|format(row.epss_percentile|default(0) * 100) if row.epss_percentile else '—' }}% {{ row.risk }} {% if row.finding_id in ai_finding_prompts %}
View
{{ ai_finding_prompts[row.finding_id] }}
{% else %}—{% endif %}
{% if row.status is defined and row.status and row.status not in ('', 'nan', 'None') %} {{ row.status }} {% elif vex_rec_lookup is defined and vex_rec_lookup and row.finding_id in vex_rec_lookup %} {% set vrec = vex_rec_lookup[row.finding_id] %} {{ vrec.recommended_vex_status }} {% else %} — {% endif %} {% set f_guidance = ai_finding_guidance.get(row.finding_id, {}) if ai_finding_guidance is defined and ai_finding_guidance else {} %} {% set f_summary_parts = [] %} {% if f_guidance.get('fix_version') %}{% if f_summary_parts.append('Fix: ' + f_guidance.fix_version) %}{% endif %}{% endif %} {% if f_guidance.get('guidance') %}{% if f_summary_parts.append(f_guidance.guidance) %}{% endif %}{% endif %} {% if f_guidance.get('workaround') %}{% if f_summary_parts.append('Workaround: ' + f_guidance.workaround) %}{% endif %}{% endif %} {% set f_reach = row.reachability_label if row.reachability_label is string else 'UNKNOWN' %} {% set f_summary = f_summary_parts | join('\n\n') if f_summary_parts else (row.severity ~ ' vulnerability in ' ~ row.component_name ~ ' ' ~ row.component_version ~ '. Reachability: ' ~ f_reach ~ '.') %} {% if row.internal_id and row.project_version_id %} {% set vex_reason = vex_reason_lookup.get(row.finding_id, '') if vex_reason_lookup is defined and vex_reason_lookup else '' %} {% set rec_data = vex_rec_lookup.get(row.finding_id) if vex_rec_lookup is defined and vex_rec_lookup else None %} {% endif %}
{% endif %}
{% if ai_component_guidance or ai_finding_guidance %}
This product uses the NVD API but is not endorsed or certified by the NVD. Fix version data is derived from NVD CPE match criteria and may be reformatted. Verify fix versions against vendor advisories before deploying updates.
{% endif %} {% include '_action_buttons.html' %}