What is scanner output severity normalisation?

Severity normalisation is the discipline of translating scanner-emitted severity values from many different scales into one workspace severity that the team uses to prioritise, schedule remediation, and report to leadership and auditors. Nessus emits Critical, High, Medium, Low, and Info; Burp Suite emits High, Medium, Low, and Informational; SARIF emits error, warning, and note; OpenVAS emits numeric thresholds and named bands; SAST tools emit vendor-defined severities that mix exploitability and code quality; SCA tools emit CVSS scores against the CVE for the dependency, not against the application context. Normalisation does not erase the source severity (the original value stays on the record); it produces one defensible canonical severity that survives a consolidated findings view, a leadership trend chart, and an audit observation. Programmes that skip normalisation end up with a findings list where the same issue carries High in one tool and Medium in another, and the prioritisation decision quietly defaults to whichever number was loudest.

Why is severity normalisation a different problem from finding deduplication?

Deduplication answers the question of whether two records describe the same underlying vulnerability and how to collapse them without losing evidence. Severity normalisation answers the question of what number to attach to the merged record once the records are collapsed. The two disciplines are sequential. Deduplication runs first and produces a canonical finding; normalisation runs against that canonical finding and produces a canonical severity. A programme that deduplicates without normalising ends up with merged records whose severity is whichever value the merge happened to keep. A programme that normalises without deduplicating ends up with five records carrying five normalised severities for the same underlying issue. The disciplines reinforce each other, but neither one substitutes for the other.

Why not just use the CVSS score the scanner already emits?

Scanner-emitted CVSS scores are not interchangeable across tools and not always meaningful for the asset they were emitted against. An SCA tool emits the CVSS of the upstream CVE against the dependency at the version it found, not against the deployed application; the same CVE in your application can be unreachable, reachable but not exploitable, or reachable and exploitable, and the SCA-emitted CVSS does not know which. A DAST tool emits a vendor severity derived from heuristics over the request and response pattern, occasionally accompanied by a vendor CVSS that is not the same calculation the National Vulnerability Database used. A SAST tool emits a severity that mixes exploitability with code-quality signals (style violations, complexity warnings) that do not map cleanly to a CVSS scale. The disciplined pattern is to keep the scanner CVSS on the record as evidence, and produce the canonical workspace severity by recalculating CVSS for the deployed asset with the vector that reflects exploitability in context.

What does a defensible severity translation table look like?

A defensible translation table is a policy artefact, not an opinion. It names the source scanner, the source severity values, the workspace severity band each value maps into by default, and the conditions under which the mapping is overridden by analyst review. The default mapping is documented and applied automatically at import. The override conditions are documented and applied only by a named role with manage_findings permission. Both the default mapping and any override events are recorded on the finding record so the audit reads back why a given severity ended up where it did. The failure mode is teams that apply a mapping informally (analyst memory, tribal preference, ticket convention) and lose the audit trail when the analyst changes or the convention drifts. The audit-grade mapping is the one a new team member could apply correctly on day one.

How should you handle disagreement between scanner severities for the same issue?

Disagreement is the signal that drives the normalisation; suppression of disagreement is the failure. When two scanners surface the same underlying vulnerability with different severities, the workspace severity resolves to the value supported by reproducible evidence rather than to the higher or lower number by default. A SAST finding rated Medium and a DAST finding rated High on the same issue resolves to High if the High rating is supported by a successful exploit attempt in the test environment, and resolves to Medium with a note explaining the SAST evidence weight if the DAST rating cannot be reproduced under realistic conditions. The disagreement itself stays on the record. The rationale for the chosen severity is captured at the time of resolution, named to the analyst who resolved it, and surfaces in the finding history so the next reviewer sees the basis. Programmes that resolve disagreement by silently keeping the loudest number bias their findings list toward over-severity and burn analyst credibility with the remediation owner.

How does CVSS 3.1 differ from CVSS 4.0 for normalisation purposes?

CVSS 3.1 produces a base score from eight base metrics (attack vector, attack complexity, privileges required, user interaction, scope, confidentiality, integrity, availability) on a 0 to 10 scale, with bands at None, Low, Medium, High, Critical. CVSS 4.0 reshapes the metrics into four groups (base, threat, environmental, supplemental), introduces explicit attack requirements and provider responsibility metrics, and produces four separate scores (CVSS-B, CVSS-BT, CVSS-BE, CVSS-BTE) rather than one base number. Normalising across the two versions requires capturing which version produced each emitted score, recording the vector string (not just the number) so the score is reconstructable, and choosing a workspace-level reporting score that is consistent across the audit observation period. Mixing CVSS 3.1 and CVSS 4.0 base scores in the same severity column without naming the version produces a leadership chart that misreads as trend when it is actually scoring methodology change. The pragmatic pattern during transition is recording both vectors on every finding (when both apply) and reporting on one chosen score consistently.

How should SCA findings be normalised given they emit upstream CVSS by default?

SCA findings carry the CVSS of the upstream CVE against the dependency at the version found. That number is real (the CVE is a real vulnerability) but it is not the severity the application carries until reachability and exploitability in context are considered. The defensible normalisation pattern records the upstream CVSS on the finding as evidence, records the SCA tool that emitted it for traceability, and resolves the workspace severity through a documented reachability assessment. If the vulnerable function is unreachable from any code path your application exercises, the workspace severity drops below the upstream CVSS with a documented rationale. If the function is reachable but not exploitable from realistic input, the severity sits below the upstream CVSS with the rationale. If the function is reachable and exploitable, the severity sits at or above the upstream CVSS. Programmes that mirror upstream CVSS into workspace severity without reachability analysis produce a backlog where unreachable vulnerabilities consume remediation capacity that should go to reachable issues.

What evidence does severity normalisation leave for auditors?

Auditors read severity normalisation through three artefacts. The workspace severity policy (the translation table, the override rules, the named roles, the version) is the policy evidence; it is reviewed at audit kickoff and read as the operating discipline that produces consistent severity across the observation period. The finding-level history (source severity, default mapped severity, any override events with rationale, the resulting workspace severity, the named user who resolved any disagreement) is the operating evidence; it is sampled at audit fieldwork and read as proof the policy was applied. The trend evidence (severity distribution across the observation period, severity migration as remediation occurs, severity calibration after policy review) is the programme evidence; it is read as proof the severity model produces a coherent risk picture rather than tool-specific noise. ISO 27001 Annex A 8.8 (technical vulnerability management), SOC 2 CC4.1 (monitoring controls), PCI DSS 6.3.1 (vulnerability identification and risk ranking), and NIST 800-53 RA-5 (vulnerability monitoring and scanning) all read severity through these three artefacts.

How often should the severity translation table be reviewed?

Severity translation tables drift as scanners change, asset classes change, and the workspace operating risk appetite evolves. A defensible review cadence is annual at minimum, with off-cycle review triggered by named events. Scanner vendor severity scale change (a vendor renames a band, adds a band, or rebases its scoring) triggers a re-mapping for that scanner. New asset class onboarded into the programme (a new product line, a new cloud account, a new dependency category) triggers a review of whether the default mappings still produce sensible severities for that asset class. CVSS version migration triggers a review of which version each scanner emits and how the workspace reporting score is constructed. Policy violation patterns (the same scanner-emitted severity being overridden frequently to the same workspace severity) trigger an inspection of whether the default mapping should be changed rather than relying on repeat overrides. Programmes that review the translation table only after an audit finding lose the operational signal between reviews.

How does severity normalisation interact with SLA assignment and remediation scheduling?

SLA assignment runs on the workspace severity, not on the source-emitted severity. If the workspace severity policy translates a Nessus High into a workspace Medium for a non-internet-facing asset class, the SLA clock anchors to Medium, not High. If the workspace severity is overridden upward through analyst review, the SLA clock anchors to the overridden severity from the moment the override is recorded. The audit defence is that severity drives SLA, SLA drives remediation cadence, and remediation cadence reads as evidence the severity policy operates end to end. Programmes that assign SLAs from source severity (because the scanner is the only source of severity in their workflow) produce inconsistent remediation cadence across scanners and lose the operating evidence that the severity model is a workspace decision rather than a vendor decision. The cleanest pattern is treating SLA assignment as a downstream consequence of the normalised severity, not as an upstream input into severity selection.

How does SecPortal handle scanner output severity normalisation?

SecPortal stores findings with a structured severity field on the canonical record, with the source-emitted severity preserved on the originating evidence so the audit chain from scanner output to workspace severity stays intact. Bulk finding import accepts Nessus, Burp Suite, and CSV exports against an engagement; the imported records arrive as drafts the workspace triage promotes into canonical findings with workspace severity attached. The 300+ finding templates ship with pre-set CVSS 3.1 vectors so the severity assignment for known vulnerability classes is anchored to a recalculable vector rather than an analyst opinion. The CVSS calculator handles 3.1 and 4.0 vectors for analyst-driven severity adjustments. The findings management view surfaces severity at the engagement and across engagements so the workspace severity model produces a consistent prioritisation picture rather than tool-specific noise. The activity log records every severity change with the acting user and timestamp so the audit trail reconstructs why a given finding carries the severity it carries. The branded client portal surfaces the canonical workspace severity rather than the raw scanner output, so the client report represents the workspace severity policy rather than the scanner that happened to flag the issue.

What is the role of the named severity policy owner?

A severity policy needs an owner the way a credential lifecycle needs an owner. The named role is the person responsible for keeping the translation table aligned to scanner vendor changes, for chairing the review when default mappings drift, and for signing off on overrides that change the workspace severity for a specific finding. In small teams the role often sits with the AppSec lead or the vulnerability management lead; in larger programmes it sits in security engineering with input from the assessment team. The owner does not personally apply every severity decision; the owner is accountable for the model the team applies. The audit-grade pattern names the owner in the policy document, names the alternate (deputy) for continuity, and ensures rotation events when the owner role changes are recorded the same way other governance changes are recorded. Programmes that operate severity normalisation without a named owner lose the model continuity the first time the analyst who built the translation table leaves.

← Back to Scanner Information

Scanner guide17 min read

Scanner Output Severity Normalisation: A Practical Guide

Every multi-scanner programme inherits a severity translation problem the moment the second scanner ships output into the same findings record. Nessus emits five bands, Burp Suite emits four, SARIF emits three, SAST tools mix exploitability with code quality, and SCA tools emit upstream CVSS against the dependency rather than the deployed asset. Without a documented normalisation policy, the consolidated findings list quietly defaults to whichever number was loudest, the SLA clock anchors to inconsistent severities across tools, and the audit trail cannot reconstruct why a given finding carries the severity it carries.

This guide covers how to design a defensible severity translation table, how to record the source severity alongside the workspace severity, how to resolve disagreement between scanners on the same underlying issue, how SCA, SAST, DAST, and network scanner output differ in what their severities actually mean, how CVSS 3.1 and CVSS 4.0 reconcile during migration, how compliance frameworks read severity as operating evidence, and how internal security, AppSec, vulnerability management, and security engineering teams operate severity as a workspace policy rather than as a vendor opinion.

Why scanner severities do not align by default

Scanner vendors design severity scales for their own product context, not for cross-tool consolidation. The scales differ in granularity, in the boundaries between bands, in whether they include an informational tier, and in how they treat exploitability versus theoretical impact. A finding that one tool labels High can land at Medium in another tool against the same underlying issue purely because the boundaries are drawn differently, not because the issue itself is different.

The structural reasons compound. Nessus assigns severity from a vulnerability database heuristic that weights known exploitability and CVE metadata; Burp Suite assigns severity from a runtime pattern match weighted by confidence; SARIF (used by Semgrep, CodeQL, and other SAST tools) uses a three-band system where error covers what most other scanners would split into Critical, High, and parts of Medium. SCA tools rely on the upstream CVE CVSS, which scores the dependency rather than your application is use of it. Network scanners assign severity per-service rather than per-asset, so the same misconfiguration on two ports of the same host produces two findings at two severities.

The defensible read is that scanner severity is a signal from the tool, not the answer to the prioritisation question. A consolidated findings record needs one workspace severity that translates the tool signals into a coherent decision basis, and that translation is a workspace policy decision rather than a passive inheritance from whichever scanner happened to fire first.^1,4,5,6

Severity scales across common scanners

The first input into a defensible normalisation policy is an inventory of the source severity scales the workspace ingests. The table below sets a starting reference for scanners common in internal security, AppSec, vulnerability management, and security engineering stacks. Teams tune the mapping to the asset classes the workspace covers and the risk appetite the leadership sets.

Scanner class	Native severity scale	What the severity actually represents
Nessus / Tenable.io	Critical, High, Medium, Low, Info	CVSS-derived severity bands per plugin, anchored to NVD CVSS where available.
Burp Suite (DAST)	High, Medium, Low, Informational	Runtime pattern severity paired with a confidence value (Certain, Firm, Tentative).
SARIF (Semgrep, CodeQL, generic SAST)	error, warning, note	Three-band SARIF level that maps loosely across tools and rule sets.
OpenVAS / Greenbone	Critical, High, Medium, Low, Log	CVSS-derived bands; numeric thresholds documented by the engine.
SCA tools (dependency analysis)	Critical, High, Medium, Low (typically upstream CVSS bands)	CVE-level severity against the dependency at the version found; does not reflect reachability in your application.
CVSS (vendor-neutral)	0.0 None, 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical	Numeric base score with documented vector; CVSS 4.0 produces four scores (B, BT, BE, BTE).
SSVC (decision-tree alternative)	Track, Track*, Attend, Act	Decision categories from a stakeholder-specific tree, not a severity number; complementary rather than competing.

The table is a starting inventory, not the translation policy itself. The translation policy is the next step: each source severity needs a default workspace severity mapping, and each mapping needs the override rules the workspace operates under.^1,2,5,6,7,16

Designing the workspace severity translation table

A defensible translation table is short, opinionated, and audit-ready. It produces a default mapping at import, names the override conditions that can change the default, and routes both the default and the override events into the finding record so the audit chain reads cleanly.

One canonical workspace scale. Pick five bands (Critical, High, Medium, Low, Info) or four (drop Info if the workspace does not track non-actionable findings as findings) and stick with the choice. Workspaces that mix four and five bands across teams produce inconsistent leadership trend charts.
Per-scanner default mapping at import.Every supported scanner has a documented mapping from source severity to workspace severity. The mapping applies automatically at import; analysts do not pick the workspace severity manually for default cases.
Named override conditions. The conditions that justify overriding the default are documented: reproducible exploit in test environment, reachability proven via code review, asset criticality higher than the scanner assumes, compensating control reducing exploitability. Each override condition is named in the policy and recorded on the finding when applied.
Source severity preserved. The original scanner-emitted severity stays on the finding evidence section so the audit can read back the original signal without recovering it from the raw scanner export.
Override actor and rationale recorded.Every override carries the user who applied it, the timestamp, the override condition that justified it, and a free-text rationale. Bare overrides (no rationale) are not acceptable under the policy.
Version on the policy. The translation table carries a version, an effective date, and a change log so the audit reads against the policy that was in force at the time the finding was severity-assigned.

The policy is not a one-page table on a wiki. It is a workspace artefact that drives automation at import, drives analyst behaviour at triage, and drives audit defence at review. Programmes that hold the policy informally inherit the policy of whoever happened to triage the finding, and that informal policy does not survive team change.^8,9,10,15

Sample default mapping table

The mapping below is a starting reference for a workspace that uses five canonical bands and ingests output from Nessus, Burp Suite, SARIF SAST tools, and SCA tools. The workspace tunes the defaults based on asset class (internet-facing vs internal, production vs non-production), evidence requirements, and any compensating controls already in place.

Source severity	Default workspace severity	Common override conditions
Nessus Critical	Critical	Downgrade if internal-only asset with documented compensating control; preserve as Critical if internet-facing or in KEV.
Nessus High	High	Upgrade to Critical if reproducible exploit in test environment; downgrade if duplicate of a previously remediated issue with re-scan evidence.
Burp Suite High (Certain confidence)	High	Upgrade to Critical if business logic flaw with revenue impact; downgrade if Tentative confidence and no reproduction in retest.
Burp Suite Medium	Medium	Upgrade if confirmed exploit chain; downgrade if Tentative confidence with no analyst reproduction.
SARIF error (SAST)	High	Downgrade to Medium if rule represents a code-quality smell rather than an exploitable issue; downgrade if function unreachable.
SARIF warning (SAST)	Medium	Upgrade to High if security-sensitive rule with confirmed reachability; downgrade if non-security rule that drifted into the security workspace.
SARIF note (SAST)	Low or Info	Often informational; treat as Info unless aggregated with other signals that elevate the issue.
SCA Critical (upstream CVE)	High	Upgrade to Critical if reachable and exploitable in deployed application context; downgrade to Medium or Low if reachability disproved.
SCA High (upstream CVE)	Medium	Upgrade to High if reachable; downgrade to Low if KEV catalog excludes the CVE and reachability is disproved.

The defaults are slightly pessimistic where the source signal is unreliable in context (SCA upstream CVSS, SAST style rules) and slightly more conservative where the source signal is strong (Nessus on internet-facing assets, Burp Suite High with Certain confidence). The policy is not the table; the policy is the table plus the override rationale, the named reviewer, and the audit trail the overrides leave.^1,7,13,14

CVSS 3.1, CVSS 4.0, and the transition window

CVSS 3.1 has been the default scoring methodology across NVD and most scanner vendors; CVSS 4.0 was released in late 2023 and is being adopted incrementally across the ecosystem. During the transition window, a workspace will receive a mix of CVSS 3.1 scores from some scanners, CVSS 4.0 scores from others, and an absence of either from tools that emit only vendor severity. The normalisation policy needs to handle the three states cleanly.

Record the version that produced each score.A CVSS 7.5 from version 3.1 and a CVSS 7.5 from version 4.0 are not the same number; the metric weighting differs. Every CVSS value on the finding carries the version alongside it so the audit reads back the methodology.
Record the vector, not just the score.The number is a hash of the vector. Without the vector string, the score is not reconstructable, and a future analyst cannot re-derive the severity if a metric assumption needs to change.
Choose one workspace reporting score.Leadership trend charts and SLA assignments anchor to one score per finding. The workspace policy names which version is canonical (commonly CVSS 3.1 during the transition because it is comparable across the existing observation window) and treats the other version as evidence rather than as the canonical score.
Plan the migration as a policy event.When the workspace moves canonical reporting to CVSS 4.0, the migration is a versioned policy change with an effective date. Findings before the date are reported on the prior score; findings after are reported on the new score. Mixing the two in the same trend chart is the failure mode that misreads scoring change as risk change.
CVSS 4.0 base, threat, environmental, supplemental.The four-score model in CVSS 4.0 (CVSS-B, CVSS-BT, CVSS-BE, CVSS-BTE) needs an explicit policy choice about which score is canonical for workspace reporting. Most programmes anchor to CVSS-B with optional environmental adjustment for asset criticality; few programmes report the BTE score across the board.

The CVSS 4.0 vs CVSS 3.1 comparison covers the metric differences in detail, the CVSS calculator handles both vector formats for analyst-driven severity adjustments, and the severity recalibration drift research covers how the same finding re-scores across scanner generations when CVSS versions migrate, rule packs revise, and vendor severity scales change over time.^1,2,3,20

Resolving severity disagreement between scanners

Disagreement between scanners on the same underlying issue is the signal that drives normalisation; suppression of disagreement is the failure mode. The defensible resolution pattern treats disagreement as a triage prompt, not as an irritant to silence.

Pattern: SAST higher than DAST

SAST identifies the issue in code (SQL injection in a function); DAST cannot reach it from any URL in the test environment because the function is unreachable or behind unverified authentication. The workspace severity resolves to the SAST severity if code review confirms the issue is exploitable from the supported call paths, or downgrades with rationale if reachability is disproved. The original SAST severity stays on the finding regardless of the resolution.

Pattern: DAST higher than SAST

DAST identifies an exploitable issue at a URL; SAST flags no rule because the vulnerable code path is in a library the SAST scan does not cover, or because the rule set lacks coverage for the issue class. The workspace severity resolves to the DAST severity supported by the exploit evidence. A note records the SAST coverage gap so the next rule-set review picks it up.

Pattern: SCA Critical, DAST silent

SCA flags a Critical CVE in a dependency the application uses; DAST does not exercise a code path that reaches the vulnerable function. The workspace severity resolves through reachability assessment: Critical if reachable and exploitable, Medium if reachable but not exploitable from realistic input, Low if unreachable with a documented call-graph or static analysis to back the conclusion. The upstream CVSS stays on the finding as evidence.

Pattern: Two DAST tools, different severities

Burp Suite flags a finding High with Certain confidence; Acunetix flags the same URL Medium. The workspace severity resolves to the higher value supported by reproduction evidence. If only one tool reproduces in retest, the workspace severity anchors to that tool is rating with a note recording the disagreement. The pattern that fails is averaging the two; severity does not average meaningfully.

Pattern: Scanner High, manual test Low

Scanner flags a finding High; manual penetration testing or analyst review downgrades to Low because compensating controls (network segmentation, WAF rule, MFA enforcement) prevent realistic exploitation. The workspace severity resolves to Low with the compensating control documented on the finding. The audit reads this as a defensible downgrade because the control is named and verifiable.

The unifying principle is that severity follows reproducible evidence. The triage page on scanner output deduplication covers the upstream discipline of recognising when two records describe the same issue, and the page on vulnerability scanner false positives covers the related discipline of identifying when a finding does not represent a real issue at all.^8,9,15

Severity, SLA assignment, and remediation cadence

Severity normalisation produces the input that SLA assignment consumes. A workspace that anchors SLA to source severity inherits inconsistent cadence across scanners; a workspace that anchors SLA to normalised severity produces a consistent remediation picture that auditors and remediation owners both read cleanly.

Workspace severity	Reasonable starting SLA	Operating implication
Critical	7 days for internet-facing assets, 14 days for internal	Off-cycle remediation; engagement with leadership if SLA at risk; retest within 14 days of fix.
High	30 days for internet-facing, 60 days for internal	Scheduled in next remediation cycle; retest at next routine scan.
Medium	90 days	Batched into routine remediation; eligible for exception with risk acceptance evidence.
Low	180 days, or accept with documented rationale	Track but do not consume premium remediation capacity; review in quarterly cleanup.
Info	No SLA; archive after review	Informational only; surfaces in evidence but does not generate remediation work.

The SLAs are starting reasonable values, not regulatory requirements. PCI DSS sets a specific 30-day cadence on high-severity vulnerabilities in scope for the CDE; HIPAA, SOC 2, and ISO 27001 read SLA cadence through operating evidence rather than fixed numbers. The vulnerability SLA management workflow covers the operating discipline that turns severity into a remediation programme, and the vulnerability SLA policy template provides a starting policy structure.^9,10,11,12

How compliance frameworks read severity normalisation

Auditors do not read severity normalisation as a single control; they read it through adjacent controls that depend on consistent severity to operate. A programme that normalises severity well produces evidence that several controls read as operating; a programme that does not normalise leaves the same controls reading as partial.

PCI DSS v4.0 Requirement 6.3.1 requires vulnerabilities to be identified, risk-ranked, and assigned a severity. The risk-ranking process is the audit-relevant artefact; a documented severity policy with override rationale satisfies the operating-effectiveness bar. PCI DSS 6.3.3 then requires patching critical and high-severity vulnerabilities within one month of release, which depends on the severity classification being defensible.¹²
ISO 27001:2022 Annex A 8.8 (technical vulnerability management) treats vulnerability evaluation, including severity assignment, as a documented and repeatable control. The severity policy is read at audit alongside the operating evidence (findings with severity assigned through the policy, override events with rationale).¹⁰
SOC 2 CC4.1 (monitoring activities) reads the severity model through the monitoring evidence: do the findings produced across the observation period reflect a consistent severity policy, or do they vary with the analyst on duty. CC7.1 (system monitoring) reads the trend of severity across the period as evidence the monitoring is operating.¹¹
NIST SP 800-53 RA-5 (vulnerability monitoring and scanning) requires vulnerabilities to be analysed and remediated according to a risk-based approach. The severity policy is the artefact that operationalises the risk-based approach; a policy with override events produces the operating evidence the control reads as effective.⁹
NIST SP 800-30 sets the underlying risk assessment model that severity normalisation maps into. A workspace severity policy that translates scanner output into a documented risk basis reads as aligned to the NIST risk assessment process rather than as a vendor-specific judgement.⁸

The shared pattern is that the severity classification is itself a control. Storage of scanner output is not the control; the workspace decision about what severity that output produces is the control. Programmes that store scanner output without normalising it satisfy the storage requirement and fail the risk-ranking requirement.

Operational checklist for defensible severity normalisation

At policy design

The canonical workspace severity scale (four or five bands) is documented and chosen once.
Each supported scanner has a documented default mapping from source severity to workspace severity.
The override conditions and named override roles are documented in the policy.
The CVSS version anchor (3.1 or 4.0) is named for workspace canonical reporting.
The policy version, effective date, and change log structure are in place.

At finding import

The source severity is captured from the scanner output verbatim.
The default workspace severity is applied automatically per the policy table.
Both severities are visible on the finding record from creation.
Drafts that require analyst triage are flagged for review rather than silently published.

At triage and override

Override conditions from the policy are selected explicitly; bare overrides are not accepted.
The rationale is recorded as free text alongside the named condition.
The override actor and timestamp are captured automatically through the platform activity log.
The original source severity remains on the finding evidence section.

At periodic review

The translation table is reviewed at least annually and on named trigger events.
Override patterns (same default repeatedly overridden) drive default mapping changes rather than relying on repeated manual work.
Scanner vendor severity scale changes are reflected in the policy within a documented lead time.
CVSS version transitions are planned as versioned policy changes with effective dates.
Severity trend metrics are reviewed for evidence the policy produces a coherent risk picture.

For internal security, AppSec, and vulnerability management teams

Severity normalisation is the discipline that lets a multi-scanner programme produce a consolidated findings picture that survives leadership review and audit observation. Internal security teams, AppSec teams, vulnerability management teams, and security engineering teams operate the policy as a workspace artefact rather than as analyst preference, because preference does not survive team change.

Anchor the severity scale to one workspace decision rather than to whichever scanner happened to import first.
Document the default mapping per scanner; apply it automatically at import; require explicit override with rationale to change it.
Preserve the source severity on the finding so audit can read back the original signal without recovering it from raw scanner exports.
Resolve disagreement between scanners through reproducible evidence, not through averaging or majority.
Anchor SLA assignment to workspace severity so remediation cadence is consistent across the scanner stack.
Review the translation table at least annually and on scanner vendor scale changes.

For internal security teams, AppSec teams, vulnerability management teams, and security engineering teams, severity normalisation is the gate that turns raw scanner output into a defensible workspace risk picture. The severity calibration research covers how severity drifts over time across testers and tools, and the vulnerability prioritisation workflow covers how the normalised severity feeds into the prioritisation decision the programme actually operates.

How SecPortal supports severity normalisation

SecPortal anchors severity to a structured field on each finding, preserves the scanner-emitted evidence alongside it, and records every severity change as an activity event so the audit trail reads from the live engagement rather than from a reconstructed history.

Bulk import with source severity preserved

Findings imported in bulk from Nessus, Burp Suite, and CSV exports arrive as drafts on the engagement. The originating severity, scanner identifier, and evidence stay attached to the finding record so the workspace severity is the decision applied on top rather than a replacement that erases the source. The bulk finding import feature covers the supported formats and the draft promotion flow.

CVSS 3.1 vectors on 300+ finding templates

The shared finding library ships with pre-set CVSS 3.1 vectors for common vulnerability classes, so the severity assignment for a known issue (SQL injection, XSS, IDOR, hardcoded secret) is anchored to a recalculable vector rather than to an analyst guess. Analysts adjust environmental and temporal metrics where the workspace context warrants. The findings management feature covers the template library and the per-finding severity surface.

CVSS calculator for 3.1 and 4.0

The CVSS calculator supports both 3.1 and 4.0 vectors, accepts pasted vector strings, and generates shareable URLs for analyst-driven severity adjustments. During the CVSS version transition the calculator handles both methodologies so the workspace can document the version that produced each score. The CVSS calculator tool is free to use.

Activity log records every severity change

When a finding severity is created, overridden, or recalibrated, the change lands in the workspace activity log with the acting user and timestamp. The audit trail reconstructs the severity history of any finding without recovering it from external logs. The activity log feature covers the audit surface and CSV export.

Canonical severity in the report and the portal

AI report generation reads the canonical workspace severity (not the raw scanner severity) into executive summaries, prioritisation tables, and finding writeups. The branded client portal surfaces the canonical severity in the delivered view so leadership and remediation owners read one number per finding rather than vendor-specific noise. The AI reports feature and the client portal feature cover the downstream surfaces.

Retesting confirms severity holds after fix

Retesting workflows re-evaluate the severity after remediation rather than automatically closing the finding. If the fix downgrades exploitability without fully resolving the issue, the finding stays open at a lower severity with the retest evidence attached. The retesting workflows feature covers the closure flow and the retest evidence chain.

Related scanner discipline

Severity normalisation sits between the upstream import and triage disciplines and the downstream remediation and reporting disciplines. The pages below cover the connected decisions.

Scanner output deduplication covers the upstream discipline of recognising when two records describe the same underlying issue, which produces the canonical findings the normalisation policy then attaches a severity to.
Vulnerability scanner false positives covers the parallel discipline of identifying when a scanner finding does not represent a real issue, which is distinct from downgrading the severity of a real finding.
Scanner output formats covers what each scanner export carries (SARIF, Nessus XML, Burp XML, CSV) and how much severity context survives the import.
Scanner evidence chain covers the seven evidence layers that hold the link from scan execution to closed finding, which the severity policy sits inside.
Importing third-party scanner results covers the import workflow that produces the drafts the normalisation policy applies severity to.
Scanner coverage and limits covers what each scanner class actually detects, which informs how much weight to place on a given scanner is severity assignment.
Scanner finding tag and label taxonomy covers the parallel classification discipline that decides which structured category, impact dimension, asset class, exposure context, and remediation owner the canonical record carries alongside the normalised severity.

For the wider operating model the severity policy plugs into, the vulnerability prioritisation framework covers how severity combines with EPSS exploit likelihood, asset context, and SLA scheduling to drive remediation decisions, and the CVSS scoring guide covers the mechanics of the underlying scoring system.

Scope and limitations of this guide

Severity normalisation is a workspace policy, not a substitute for scanner-side calibration. A scanner that consistently emits the wrong severity for a class of issues is a tuning problem at the scanner; normalisation is the downstream discipline that turns the scanner output into a workspace decision. No translation table fixes a scanner that lacks coverage for an issue class, and no normalisation policy substitutes for the analyst judgement an override requires.

Severity claims that depend on whichever scanner happened to fire first almost always understate the prioritisation discipline. Severity claims that decompose into a documented mapping, named override conditions, recorded rationale, and a versioned policy are the claims that survive both the audit observation period and the team change.

Frequently Asked Questions

Sources

Normalise scanner severity on the live engagement record

SecPortal preserves source scanner severity alongside a structured workspace severity, ships 300+ finding templates with pre-set CVSS 3.1 vectors, supports CVSS 4.0 in the calculator, accepts bulk imports from Nessus, Burp Suite, and CSV, and records every severity change in the workspace activity log so the audit trail reads cleanly from scanner output to closed finding.

Start free See findings management