Cross-engagement finding search
and cohort assembly across every client and project

Cross-engagement finding search is the operating discipline of assembling vulnerability cohorts across every engagement, every client, and every scanner source in one workspace view. It runs on the dashboard findings view with status group, severity, category, and title filters, then exports the cohort as CSV or PDF for the next operating discipline (triage stand-up, leadership briefing, audit fieldwork response, remediation portfolio rebalance, regulator reply). The cohort reads against the live engagement record across all parent engagements rather than against per-engagement exports stitched together by hand.

The Cmd+K palette is a navigation lookup: type two characters and it returns up to five clients plus five engagements plus five findings on a substring match, then deep-links to the source record. The dashboard findings view is the cohort surface: it returns every matching finding across the workspace with the parent engagement and parent client metadata on every row, paginates fifty rows at a time, supports status group plus severity plus category plus search composition, and exports up to two thousand rows as CSV or PDF. The palette is for fast jumps; the dashboard is for cohort assembly.

Four buckets: All (every finding regardless of status), Open and Pending (the thirteen unfinished-work statuses including open, in_progress, reopened, non_compliant, not_implemented, ineffective, not_assessed, not_tested, partially_implemented, detected, triaged, contained, eradicated), Resolved and Compliant (the seven closed-success statuses including resolved, verified, compliant, implemented, effective, recovered, closed), and Closed and N.A. (the two final-non-action statuses not_applicable and false_positive). The status group is the first filter every cohort applies because mixing open work with closed work hides the cohort the cross-engagement question is meant to surface.

The dashboard category multi-filter accepts both severity values (critical, high, medium, low, info) and any non-severity tag (status names, category names, programme-label tags the workspace applies). Selections within the severity set OR together (Critical OR High); selections within the non-severity set OR together (Open status OR In progress status); the two classes AND across each other. The composition lets a cohort target Critical plus High open work across one control family in one filter combination.

The dashboard paginates fifty rows at a time and shows the total count on the page header. The CSV and PDF export buttons assemble up to two thousand rows per request through the export=true API parameter. Cohorts larger than two thousand rows narrow the filter (tighter severity band, tighter category, tighter date range through the sort-by-updated) and export in slices that are then concatenated outside the workspace. The cap is the per-request upper bound the API enforces, not the size of the cohort the workspace can carry.

The dashboard does not persist filter combinations as named searches the user can revisit with one click. The operating discipline preserves the cohort definition: name the recurring cohort (this-quarter-open-critical, this-cycle-overdue-high, this-release-finding-footprint, this-control-family-evidence-cohort, this-suppression-audit-cohort) and re-apply the same filter combination on the next cycle. Programmes with many recurring cohorts maintain the cohort definitions in a runbook or in the workspace conventions documentation outside the dashboard.

Every dashboard query and every /api/findings request filters by workspace_id derived from the authenticated profile before the dashboard query runs. One operator never sees another tenant s cohort. The role check on the team_role boundary runs before the query plan executes, so a non-consultant role cannot reach a cross-engagement view scoped to clients the role does not have access to. Cross-workspace federation is not supported; a security consultancy or enterprise running multiple workspaces switches workspace and re-applies the cohort filter.

The CSV export writes Items Export.csv with the headline columns: finding title, severity, status, category, parent engagement title, parent client company name, engagement type, last-updated timestamp, and creation timestamp. The CSV reads cleanly into a spreadsheet for portfolio pivots, into a downstream document for the audit response, or into an analytics tool for cross-cycle trend assembly. The export carries the cohort the dashboard view was returning at the moment of the export click.

The PDF export writes Items Export.pdf through html2pdf, rendering the cohort table as a structured page-layout document. The PDF attaches to the audit fieldwork reply, the regulator query response, the board pack appendix, or the customer evidence room handover. The PDF carries the cohort as the data the leadership read; the slide deck cites the PDF as the evidence behind the headline number rather than as a screenshot of the dashboard view.

Findings with a false_positive override show up in the Closed and N.A. status group; findings with an accepted_risk override show up in their original severity band on the cohort with the status the workspace has assigned. The cross-engagement cohort filtered to Closed and N.A. surfaces the false-positive cohort across the workspace for the periodic suppression review; the cohort filtered to Open and Pending surfaces the actively-tracked work including findings carrying severity overrides. The override decision lives on the finding overrides surface; the cohort surface reads the override state on the row.

The dashboard returns the cohort as a row-level table with the joined engagement and client context. It does not ship a built-in pivot table or group-by aggregation across severity, status, engagement, or client. Programmes that need aggregated cohort counts assemble those outside the dashboard by exporting the cohort to CSV and running the aggregation in a spreadsheet or in a downstream analytics tool. The cohort assembly returns the data; the aggregation runs outside the workspace.

Named cohorts (this-quarter-open-critical, this-cycle-overdue-high, this-release-finding-footprint, this-control-family-evidence-cohort) feed the recurring leadership cadence by re-applying the same filter combination on every cycle. The cohort size, the cohort delta cycle over cycle, the cohort age distribution, and the cohort owner mix become the leadership scorecard numbers. The headline number on the board pack reconciles to the cohort export it cites because both read from the live workspace findings record.