Question 1

What is remediation economics by finding source archetype?

Accepted Answer

Remediation economics by finding source archetype is the analytical frame that prices the cost of closing a vulnerability finding against the source the finding came from, instead of pricing all findings on the same per-finding line. The frame separates six common enterprise finding sources (penetration testing, automated scanning, bug bounty, self-attestation, threat-intelligence-driven advisory, and supply-chain advisory) and reads remediation cost against each as a distinct cost shape with its own dominant components, its own evidence requirements, and its own cycle-time signature. The point of the frame is not to argue that one source is more valuable than another. It is to price remediation honestly so the programme can fund the work that each source actually generates, rather than treating remediation as a uniform queue that absorbs source-specific cost as unexplained variance.

Question 2

Why does the source of the finding change the remediation cost?

Accepted Answer

Source changes remediation cost because each source produces findings with different evidence quality, different scope clarity, different reproduction overhead, different stakeholder expectations, and different time pressure on the closure. A pentest finding arrives with hand-curated evidence, narrative context, and a defensible severity rationale; remediation cost is dominated by fix design and verification rather than triage. A scanner finding arrives with raw output, machine severity, and partial reproduction context; remediation cost is dominated by triage, deduplication, and asset binding before any engineering work begins. A bug bounty finding arrives with adversarial proof-of-exploit but variable scope clarity; remediation cost includes researcher-coordination overhead. A self-attestation finding arrives with internal evidence but bounded reproduction; remediation cost depends on whether the attestation can be replayed against a live target. A threat-intelligence-driven advisory arrives with external pressure and a date the closure must beat; remediation cost includes prioritisation churn against the open backlog. A supply-chain advisory arrives with vendor-disclosed evidence and a patch path; remediation cost is dominated by dependency-upgrade work and asset enumeration. The six sources produce six different cost stacks even when the finding underneath looks superficially identical.

Question 3

How is this frame different from generic per-finding remediation cost reporting?

Accepted Answer

Generic per-finding remediation cost reporting rolls every finding into one cost line and reports a single per-finding average, sometimes broken down by severity or asset class. The single line is operationally useful for budgeting but loses the diagnostic shape that source-archetype reporting surfaces. Source-archetype reporting reads the same total cost as six (or more) cost stacks side by side, each with its own dominant component (triage cost for scanners, coordination cost for bug bounty, dependency-upgrade cost for supply-chain) and its own intervention path. Programmes that see the source-archetype stack notice that scanner intake is driving 60 percent of triage spend, or that supply-chain remediation is consuming 40 percent of engineering hours despite representing only 15 percent of finding count. Generic per-finding reporting hides these patterns inside the average and produces uniform interventions that under-invest in some sources and over-invest in others.

Question 4

What are the six finding source archetypes?

Accepted Answer

Penetration testing produces findings from time-bounded human assessment with hand-curated evidence and a named severity rationale. Automated scanning (SAST, DAST, SCA, container, IaC, cloud configuration, external attack-surface) produces high-volume findings from rule engines with raw evidence and machine severity. Bug bounty produces findings from third-party researchers with adversarial proof-of-exploit and variable scope clarity. Self-attestation produces findings from internal teams (developer-flagged security risks, post-incident root-cause findings, threat-modelling outputs, security-review notes) with internal evidence and bounded reproduction. Threat-intelligence-driven advisories produce findings driven by external signals (CISA KEV inclusion, vendor advisories, exploit-in-the-wild reports, EPSS score jumps) with prioritisation pressure on existing finding records or net-new entries. Supply-chain advisories produce findings from upstream vendor disclosures (npm, PyPI, container base images, third-party SaaS, open-source dependency CVEs) with vendor-supplied evidence and a patch path that depends on dependency-upgrade work. The six archetypes are not the only possible sources, but they cover the bulk of enterprise finding inflow and produce six different remediation cost shapes.

Question 5

What does the cost stack look like for pentest findings?

Accepted Answer

Pentest findings carry a remediation cost stack dominated by fix design and verification rather than by triage. Triage cost is bounded because the pentest tester has already eliminated false positives, set severity against an organisational rubric, and described reproduction steps in narrative form. Investigation cost is moderate because the affected scope is named in the report. Remediation cost is concentrated in engineering hours on the fix itself; this is the dominant component. Verification cost is concentrated in retest work that proves the original exploit path is blocked rather than merely that the surface behaviour changed. Stakeholder review cost is bounded because the report has already articulated the risk. The pentest archetype produces a cost stack that is approximately fifteen percent triage, ten percent investigation, fifty to sixty percent remediation, fifteen to twenty percent verification, and five percent stakeholder review. The dominant cost is engineering effort on the fix; programmes that under-fund pentest remediation engineering hours absorb the variance as missed SLA windows on critical and high findings.

Question 6

What does the cost stack look like for scanner findings?

Accepted Answer

Scanner findings carry a remediation cost stack dominated by triage rather than by fix design. Triage cost is the largest component because scanner output is high-volume, includes machine severity that often needs recalibration, and contains duplicates across modules. Deduplication, scanner-output severity normalisation, and false-positive suppression absorb engineer time before any remediation work begins. Asset binding cost is significant because scanner output rarely names the canonical asset owner. Investigation cost varies: SCA findings on dependency upgrades are mechanically simple, SAST findings on developer-managed code are moderate, and DAST findings on production behaviour require reproduction against a live target. Remediation cost is concentrated in dependency upgrades or configuration changes rather than custom fix design. Verification cost is the smallest component when the next scheduled scan confirms the closure in absence. The scanner archetype produces a cost stack that is approximately thirty-five to forty-five percent triage and deduplication, ten to fifteen percent asset binding, fifteen to twenty percent investigation, twenty to twenty-five percent remediation, and five percent verification. The dominant cost is intake hygiene rather than engineering work; programmes that under-fund triage absorb the variance as inflated open queues, scanner fatigue, and developer mistrust of scanner output.

Question 7

What does the cost stack look like for bug bounty findings?

Accepted Answer

Bug bounty findings carry a remediation cost stack with a notable researcher-coordination component that does not appear in any other archetype. Triage cost is moderate because the researcher has supplied proof-of-exploit but may have submitted against an out-of-scope target, claimed a duplicate of an existing finding, or asserted higher severity than the rubric supports. Researcher-coordination cost covers the back-and-forth required to confirm scope, set the payout band, agree on the severity rating, and time the disclosure. Reward cost is the payout itself, which scales with severity. Investigation cost is bounded because the researcher has supplied the exploit path. Remediation cost is concentrated in engineering hours on the fix. Verification cost includes researcher-side retest where the programme has agreed to validate the closure with the researcher before payout. Stakeholder review cost is moderate when legal, communications, or executive review is involved on high-severity disclosures. The bug bounty archetype produces a cost stack that is approximately fifteen percent triage, ten to fifteen percent researcher coordination, ten to twenty percent reward payout (which sits outside engineering labour but is a real cost line), forty to fifty percent remediation, ten to fifteen percent verification, and five percent stakeholder review. The dominant cost is engineering effort plus a coordination overhead unique to the source.

Question 8

What does the cost stack look like for self-attestation findings?

Accepted Answer

Self-attestation findings (developer-flagged risks, threat-modelling outputs, post-incident root-cause findings, internal security-review notes) carry a remediation cost stack with a high reproducibility variance because the original evidence is internal and bounded. Triage cost is variable: a developer-flagged finding may be self-prioritised, or may need security-review consensus. Investigation cost is concentrated in re-establishing the original observation against a current target, because self-attestation findings often lack the captured artefacts that scanner or pentest output supplies. Remediation cost is concentrated in engineering hours, often on the same codebase the developer who filed the finding is already working in. Verification cost is bounded when the developer can self-verify; higher when an independent verification is required for audit defensibility. Stakeholder review cost is bounded for routine self-attestation findings and higher for post-incident root-cause findings that require leadership and legal review. The self-attestation archetype produces a cost stack that is approximately ten to fifteen percent triage, twenty to thirty percent investigation (reproduction work), forty to fifty percent remediation, ten to fifteen percent verification, and ten to fifteen percent stakeholder review (higher than average for post-incident findings). The dominant cost is engineering work, but the investigation component is unusually high because the source does not supply the reproducible evidence that other archetypes do.

Question 9

What does the cost stack look like for threat-intelligence-driven findings?

Accepted Answer

Threat-intelligence-driven findings (CISA KEV inclusion, vendor advisories, exploit-in-the-wild reports, EPSS jumps, sector-specific intel) carry a remediation cost stack dominated by prioritisation churn and time-pressured response. Triage cost is bounded because the intel source has already established the urgency. Prioritisation cost is significant because the open backlog has to be re-sequenced to fit the new pressure; this involves negotiating with engineering teams already committed to other work. Investigation cost is moderate when the intel ties to an already-detected finding and high when the intel surfaces a previously-unknown finding. Remediation cost is the engineering effort itself. Verification cost includes external pressure to demonstrate the closure publicly (vendor confirmation, customer notification, regulatory disclosure). Stakeholder review cost is unusually high because executive, legal, and communications involvement is often required on KEV-listed or actively-exploited findings. The threat-intelligence archetype produces a cost stack that is approximately five percent triage, ten to twenty percent prioritisation churn, ten to fifteen percent investigation, thirty to forty percent remediation, ten to fifteen percent verification, and twenty to twenty-five percent stakeholder review and external coordination. The dominant cost is the prioritisation churn plus the elevated stakeholder review burden, which produces a real economic cost that programmes under-budget when they treat KEV findings as ordinary high-severity findings.

Question 10

What does the cost stack look like for supply-chain advisory findings?

Accepted Answer

Supply-chain advisory findings (npm vulnerabilities, PyPI advisories, container base image CVEs, third-party SaaS vulnerabilities, open-source dependency disclosures) carry a remediation cost stack dominated by dependency-upgrade work and asset enumeration rather than custom fix design. Triage cost is bounded because the vendor has supplied evidence. Asset enumeration cost is significant because the same dependency may sit in dozens or hundreds of repositories, container images, or build artefacts; reachability analysis and SBOM consultation absorb engineer time before any upgrade work begins. Investigation cost is concentrated in determining whether the call path actually reaches the vulnerable function (reachability) and whether the upgrade introduces breaking changes. Remediation cost is dependency-upgrade engineering rather than custom code fix; the cost shape depends on whether the upgrade is a patch version, minor version, or major version. Verification cost is bounded when SCA scanning confirms the upgrade. Coordination cost across multiple owning teams can be significant when the same dependency sits across team boundaries. The supply-chain archetype produces a cost stack that is approximately five percent triage, fifteen to twenty-five percent asset enumeration and reachability analysis, fifteen percent investigation, forty to fifty percent remediation (dependency-upgrade work), five to ten percent verification, and ten to fifteen percent cross-team coordination. The dominant cost is dependency-upgrade engineering plus the asset-enumeration overhead that scales with how widely the dependency is deployed.

Question 11

How should the per-archetype cost shapes guide budget allocation?

Accepted Answer

The per-archetype cost shapes guide budget allocation by surfacing where the dominant cost sits inside each source rather than treating all sources as the same labour line. A programme funding scanner intake at the same per-finding cost as pentest findings will starve the triage and deduplication function that absorbs most scanner cost, and under-spend on the remediation engineering that pentest findings actually require. The defensible budget reads against each archetype independently: scanner archetype budget concentrates on intake hygiene (deduplication, normalisation, asset binding, false-positive suppression) and dependency-upgrade engineering; pentest archetype budget concentrates on engineering hours on the fix and on verification; bug bounty archetype budget concentrates on engineering hours plus researcher coordination plus reward payouts; self-attestation archetype budget concentrates on reproduction work and engineering hours; threat-intelligence archetype budget concentrates on prioritisation capacity and stakeholder review; supply-chain archetype budget concentrates on asset enumeration, reachability analysis, and dependency-upgrade engineering. The defensible discipline is to report per-archetype cost stacks on the operational dashboard so the budget shape reads against the inflow shape rather than against a uniform per-finding line.

Question 12

How does inflow volume interact with per-archetype cost?

Accepted Answer

Inflow volume varies sharply across archetypes. Scanner inflow is typically the highest by count, often producing 60 to 80 percent of the total open queue. Supply-chain advisory inflow has been rising fastest year-over-year as SBOM adoption increases. Pentest inflow is the lowest by count but among the highest by per-finding cost. Bug bounty inflow varies by programme scope and reward design. Self-attestation inflow tracks engineering culture. Threat-intelligence inflow is sporadic but each entry can be high-cost. Reading inflow volume alongside per-archetype cost surfaces the gap between count-share and cost-share: scanner findings may account for 70 percent of count but only 35 percent of programme cost, while pentest findings may account for 5 percent of count but 25 percent of cost. Programmes that report total cost per source rather than per-finding cost catch this asymmetry; programmes that report only per-finding cost flatten the asymmetry and produce budget allocations that mismatch the actual cost shape.

Question 13

What metrics should leadership read alongside per-archetype cost?

Accepted Answer

Five paired metrics outperform total-cost-only reporting. Per-archetype cost stack (the six cost components, named per archetype) reads the dominant component rather than the total. Per-archetype inflow vs closure rate (whether closure is keeping up with discovery, source by source) reads whether the programme is converging or diverging on each source. Per-archetype SLA performance (in-window closure rate, broken out by source) reads whether the cost is buying the closure cadence the programme committed to. Per-archetype exception rate (administrative closures as a share of total closures) reads where risk acceptance is absorbing the variance. Per-archetype reopen rate (closures re-discovered within 90 days) reads whether the closures are durable across sources. Programmes that adopt the five paired metrics replace the single per-finding-cost debate with a per-source operational picture that survives audit scrutiny and leadership review.

Question 14

What framework citations expect documented remediation regardless of source?

Accepted Answer

Most enterprise frameworks expect documented remediation, documented evidence, and a defensible closure record regardless of the source the finding came from. PCI DSS v4.0 Requirement 6.3.3 reads vulnerabilities addressed and remediation verified. ISO 27001:2022 Annex A 8.8 reads management of technical vulnerabilities including identification, evaluation, and remediation of technical vulnerabilities. SOC 2 Trust Services Criteria CC7.1 reads identification and remediation of security events with documented evidence. NIST SP 800-53 Revision 5 RA-5 reads vulnerability monitoring and scanning with documented remediation; SI-2 reads flaw remediation across software components; SR-3 reads supply chain controls. NIST CSF 2.0 ID.RA reads risk assessment across identified vulnerabilities; PR.PS reads platform security including patching; RS.MI reads incident mitigation. CIS Controls v8.1 Safeguard 7.7 reads remediation of detected vulnerabilities. HIPAA 164.308(a)(1)(ii)(B) reads risk management including documented verification. DORA Article 5 reads ICT risk management; Article 28 reads ICT third-party risk management. The pattern is consistent: each framework expects the closure record to read against captured evidence regardless of source. Per-archetype cost reporting does not replace the framework citations; it surfaces where the programme is funding the documentation discipline the citations expect, source by source.

Question 15

How does SecPortal support per-archetype remediation cost discipline?

Accepted Answer

SecPortal pairs every finding to the same engagement record regardless of source: pentest findings, bulk-imported scanner output, code scan results, manually entered self-attestation findings, and CVE-enriched supply-chain advisories all sit on the same finding model with CVSS 3.1 vector, severity band, owner, evidence, status, and activity log. Findings management captures the source metadata so per-archetype cost stacks can be reported against the actual finding population rather than against an assumed mix. Bulk finding import accepts Nessus (.nessus), Burp Suite (.xml), and CSV with custom column mapping so scanner archetype findings carry the intake hygiene discipline the cost shape requires. Authenticated scanning (16 modules), external scanning (also multi-module), and code scanning via Semgrep on connected GitHub, GitLab, or Bitbucket repositories generate the scanner archetype inflow inside the same workspace. Retesting workflows preserve the finding identity through verification regardless of source. Activity log captures every state change with named actor, timestamp, and entity reference and exports to CSV so per-archetype cycle time and per-archetype cost decomposition are reproducible. Compliance tracking across 21 framework templates carries the finding-to-control mapping so the audit chain reads against the same finding regardless of source. The platform does not pick the cost model for the programme, does not auto-classify per-archetype budgets, and does not push to ticketing systems; it keeps every source on one live engagement record so per-archetype cost reporting is reproducible at any moment between reporting cycles.

Archetype	Source signature	Evidence shape
Penetration testing	Time-bounded human assessment by internal or external testers; scope agreed; severity rubric applied; narrative report.	Hand-curated evidence with reproduction steps, request and response pairs, screenshots, and severity rationale.
Automated scanning	Rule-engine output across SAST, DAST, SCA, container, IaC, cloud configuration, and external attack surface modules.	Raw machine evidence, machine severity, often duplicated across modules, partial reproduction context.
Bug bounty	Third-party researcher submission via a coordinated programme with a defined scope and reward band.	Adversarial proof-of-exploit, variable scope clarity, researcher-asserted severity, written reproduction.
Self-attestation	Internal sources: developer-flagged risks, threat-modelling outputs, post-incident root-cause findings, security-review notes.	Internal evidence, bounded reproduction context, often missing artefacts that other archetypes supply.
Threat-intelligence-driven	External signal: CISA KEV inclusion, vendor advisory, exploit-in-the-wild reports, EPSS jump, sector-specific intel.	External evidence, urgency context, often ties to an existing finding or creates a new one.
Supply-chain advisory	Upstream vendor disclosure: npm, PyPI, container base images, third-party SaaS, open-source dependency CVEs.	Vendor-supplied evidence, defined patch path, asset enumeration question across the dependency footprint.

Component	Approximate share	Where it lands
Triage	10 to 15 percent	Severity confirmation against rubric; assigning owner; reading the report.
Investigation	5 to 10 percent	Affected scope is named; investigation cost is bounded.
Remediation (engineering)	50 to 60 percent	Dominant component; fix design, fix implementation, regression testing, deployment.
Verification	15 to 20 percent	Retest proving the original exploit path is blocked, with captured evidence.
Stakeholder review	5 percent	Report has already articulated the risk; review is bounded.

Component	Approximate share	Where it lands
Triage and deduplication	35 to 45 percent	Dominant component; cross-module dedup, severity recalibration, false positive suppression.
Asset binding	10 to 15 percent	Mapping the finding to the owning team and the canonical asset; cross-scanner asset name reconciliation.
Investigation	15 to 20 percent	Reproduction against a live target (DAST), call-path analysis (SAST), reachability (SCA).
Remediation	20 to 25 percent	Concentrated in dependency upgrades or configuration changes; less custom fix design than pentest.
Verification	5 percent	Smallest component when the next scheduled scan confirms the closure in absence.

Component	Approximate share	Where it lands
Triage	15 percent	Scope confirmation, duplicate check against existing findings, severity recalibration.
Researcher coordination	10 to 15 percent	Unique to this archetype; back-and-forth on scope, severity, disclosure timing.
Reward payout	10 to 20 percent	Sits outside engineering labour but is a real budget line; scales with severity.
Remediation	40 to 50 percent	Dominant engineering component; researcher has supplied exploit path so investigation is bounded.
Verification	10 to 15 percent	Includes researcher-side retest where the programme validates the closure before payout.
Stakeholder review	5 percent	Higher on disclosures requiring legal, communications, or executive involvement.

Component	Approximate share	Where it lands
Triage	10 to 15 percent	Confirmation that the attestation describes an actionable finding rather than a backlog idea.
Investigation (reproduction)	20 to 30 percent	Re-establishing the original observation against a current target; often the dominant component on stale attestations.
Remediation	40 to 50 percent	Engineering hours on the fix; often on the same codebase the filer was working in.
Verification	10 to 15 percent	Bounded when the developer can self-verify; higher when independent verification is required for audit defensibility.
Stakeholder review	10 to 15 percent	Bounded on routine attestations; higher on post-incident root-cause findings with leadership and legal review.

Remediation Economics by Finding Source Archetype

Why remediation cost varies by finding source

The six finding source archetypes

Archetype 1: pentest findings

Archetype 2: scanner findings

Archetype 3: bug bounty findings

Archetype 4: self-attestation findings

Archetype 5: threat-intelligence-driven findings

Archetype 6: supply-chain advisory findings

The inflow-versus-cost asymmetry

Five paired metrics for source-aware reporting

Framework citations across finding sources

For vulnerability management, AppSec, internal security, and security engineering teams

For security leadership and audit committees

How SecPortal supports per-archetype remediation cost discipline

Conclusion

Frequently Asked Questions

Sources

Run per-archetype remediation on the live engagement record

Component	Approximate share	Where it lands
Triage	5 percent	Bounded; intel source has already established urgency.
Prioritisation churn	10 to 20 percent	Re-sequencing the open backlog; negotiating with already-committed engineering teams.
Investigation	10 to 15 percent	Bounded when the intel ties to an existing finding; higher when it surfaces a net-new finding.
Remediation	30 to 40 percent	Engineering effort on the fix; usually accelerated by the time pressure.
Verification	10 to 15 percent	Includes external-facing demonstration of closure where required.
Stakeholder review and external coordination	20 to 25 percent	Unusually high; executive, legal, communications, customer-facing, and regulatory coordination.

Component	Approximate share	Where it lands
Triage	5 percent	Bounded; vendor has supplied evidence and patch path.
Asset enumeration and reachability	15 to 25 percent	Significant; mapping the dependency across the footprint; SBOM consultation; call-path analysis.
Investigation	15 percent	Determining whether the call path reaches the vulnerable function; upgrade breaking-change analysis.
Remediation (upgrade)	40 to 50 percent	Dominant component; dependency upgrade work; cost depends on patch, minor, or major version.
Verification	5 to 10 percent	Bounded when SCA scanning confirms the upgrade across the deployment footprint.
Cross-team coordination	10 to 15 percent	Significant when the same dependency sits across team boundaries; varies with the SBOM consolidation maturity.

Archetype	Typical count-share	Typical cost-share
Scanner	60 to 80 percent of total open count.	30 to 40 percent of programme cost; intake-hygiene heavy.
Supply-chain	10 to 20 percent of total open count; rising fastest year-over-year.	20 to 30 percent of programme cost; asset enumeration and upgrade engineering.
Pentest	2 to 8 percent of total open count.	15 to 25 percent of programme cost; engineering-heavy per finding.
Self-attestation	5 to 15 percent of total open count; tracks engineering culture.	5 to 15 percent of programme cost; reproduction-heavy on stale entries.
Bug bounty	1 to 5 percent of total open count; varies with scope and reward design.	5 to 15 percent of programme cost; coordination and reward overhead.
Threat-intelligence	Less than 5 percent of total open count; sporadic.	5 to 10 percent of programme cost; stakeholder review heavy.

Metric	What it reads	Diagnostic value
Per-archetype cost stack	Six cost components named per source.	Surfaces dominant component per archetype; surfaces the intervention path.
Per-archetype inflow vs closure rate	Inflow rate alongside closure rate, source by source.	Surfaces converging or diverging programmes per source; flags inflow-only growth.
Per-archetype SLA performance	In-window closure rate broken out by source.	Surfaces whether the funded cost is buying the committed cadence per source.
Per-archetype exception rate	Administrative closures as a share of total closures per source.	Surfaces where risk acceptance is absorbing the variance source by source.
Per-archetype reopen rate	Closures re-discovered within 90 days, source by source.	Surfaces durability of closures per source; flags shallow remediation.

Framework	Citation	Source-relevant expectation
PCI DSS v4.0	Requirement 6.3.3 and 11.3	Vulnerabilities addressed and remediation verified; scanner and pentest sources both documented.
ISO 27001:2022	Annex A 8.8	Management of technical vulnerabilities; identification, evaluation, and remediation across sources.
SOC 2	CC7.1	Identification and remediation of security events with documented evidence regardless of source.
NIST SP 800-53 Rev 5	RA-5, SI-2, SR-3	Vulnerability monitoring; flaw remediation; supply chain controls across software components.
NIST CSF 2.0	ID.RA, PR.PS, RS.MI	Risk assessment across identified vulnerabilities; platform security including patching; incident mitigation.
CIS Controls v8.1	Safeguard 7.7	Remediation of detected vulnerabilities with documented closure regardless of detection source.
HIPAA	164.308(a)(1)(ii)(B)	Risk management including documented verification of risk treatment across information sources.
DORA	Articles 5 and 28	ICT risk management; ICT third-party risk management including supply-chain advisory handling.