Security tool consolidation
one record, no orphaned history

The vulnerability scanner stores its native record. The triage spreadsheet stores a curated subset. The ticket queue stores the remediation work. The shared drive stores the report PDFs. The chat channel stores the actual decision about whether the finding was real and what the team did about it. Each system is incomplete on its own and none of them reconcile to the same total at the end of the quarter.

The compliance spreadsheet that was current six months ago no longer matches the live findings record. The audit team spends a week stitching the two together by hand. By the time the binder ships, the underlying findings have moved and the binder is already out of date. Recurring audit drift is the most expensive symptom of tool sprawl, because every cycle pays the migration cost without ever finishing the migration.

The scanner imports finish at a CSV download. A human carries the CSV into the spreadsheet. Another human carries the spreadsheet into the ticket queue. By the time engineering picks up the ticket, the original scanner evidence is two transformations away. When the retest comes, the original CVSS vector has been replaced with a free-text "high" and the audit cannot tell whether the finding closed or simply got lost.

A separate compliance spreadsheet maps controls to evidence. The findings record does not feed it. The mapping is updated quarterly at best. The day the auditor asks how the SOC 2 CC7.1 evidence reconciles to the live remediation queue, the team realises the two records have not agreed since the last audit cycle and the gap is the difference between the two systems.

A new analyst inherits the queue and immediately discovers that the rules for which spreadsheet column means severity, which ticket label means accepted risk, and which folder holds the latest report all live in undocumented institutional memory. Onboarding is a six-week ramp in tool taxonomy rather than two weeks of contributing to actual security work.

The scanner license sits on the security budget. The Jira seat sits on engineering. The shared drive sits on IT. The compliance spreadsheet sits in Finance. The chat licence sits in a platform line item. Nobody can answer how much the security tooling stack costs because the cost is fragmented across owners. When the renewal review comes, the total is always larger than anyone remembered.

One findings record per finding, regardless of source. The scanner output, the spreadsheet history, the ticket queue, and the report draft all collapse onto one record with CVSS 3.1 vector, severity, evidence, status, owner, and remediation history. The same record carries the prior IDs from Nessus, Burp, DefectDojo, Jira, and any imported CSV so the migration is reversible and the audit can trace the lineage.

Engagement-attached documents replace the shared drive. Reports, screenshots, scanner exports, scope letters, retest evidence, and signed attestations attach to the engagement they belong to rather than to a folder hierarchy that diverges from the records the team works on. Documents inherit the workspace and engagement scope so access control and audit retrieval follow the engagement rather than a parallel access list.

Compliance tracking maps the live findings record to ISO 27001, SOC 2, Cyber Essentials, PCI DSS, and NIST controls. The mapping derives from the findings record rather than running alongside it as a parallel spreadsheet. CSV export gives the audit team the trail behind every control conclusion without a manual reauthor step. The control register stops drifting because the source is the same as the operational queue.

External scanning, authenticated scanning, and code scanning all run inside the platform. Net-new findings land directly on the findings record without a CSV courier. Imports from Nessus, Burp Suite, and CSV continue to cover legacy outputs and any specialised scanner the team still owns. The continuous-monitoring scheduler covers daily, weekly, biweekly, and monthly cadence per asset, so the recurring scan posture survives consolidation rather than depending on a handful of cron jobs scattered across the team.

Team management with RBAC tiers (owner, admin, member, viewer, billing) replaces shared spreadsheet access lists. Multi-factor authentication enforces AAL2 session promotion before any record is changed. Encrypted credential storage with AES-256-GCM holds the authenticated-scan credentials inside the platform rather than in an external password manager that nobody syncs. Verified domains constrain credential creation to hostnames the workspace owns. The credential layer stops being a liability the day the consolidation completes.

AI-generated reports produce the executive summary, technical report, remediation roadmap, and compliance summary from the live engagement record rather than from a static draft a human reauthored. The branded client portal mirrors scoped views to external stakeholders without copying the data. Global search reaches across findings, engagements, clients, and documents from one bar so the answer to "where did we put that" stops requiring three browser tabs and two file explorer windows.

The team imports the easy spreadsheet on day one and never finishes the rest. Six months later half the programme runs on the new platform and half still runs on the old stack. The audit cannot decide which record is authoritative and the team pays the cost of both systems. The fix is a documented migration map with retirement dates per legacy artefact rather than a vague intent to consolidate.

A bulk import preserves severity but loses the CVSS attack vector, attack complexity, privileges required, and impact metrics. The migrated findings carry "high" but cannot be re-prioritised when KEV or asset context shifts because the underlying vector is gone. The fix is mapping the full CVSS vector during import so the priority logic continues to work after the spreadsheet retires.

Findings migrate to the new platform but the open Jira tickets stay on the old queue. Engineering picks up tickets from one place; security tracks remediation in another. The two systems drift and findings close in one without closing in the other. The fix is migrating the active remediation work alongside the findings, retiring the old queue on a documented date, and using the activity log on the new platform as the single closure record.

Compliance mapping migrates to compliance tracking but the original spreadsheet keeps getting updated by the GRC team because that is what the audit binder template references. The new platform never becomes the source of truth for control evidence. The fix is updating the audit binder template to reference the platform export and retiring the spreadsheet on the day the next cycle opens.

The team migrates findings and reports but leaves authenticated-scan credentials in a shared password manager entry. The new platform cannot run authenticated scans without a manual paste each time. The team falls back to external scanning and the authenticated coverage gap quietly returns. The fix is migrating credentials into encrypted credential storage with the verified-domain hostname check during the same migration window the findings move on.

A consolidation that leaves the decision-making chat channel alone migrates everything except the most important record. Six weeks later the new platform holds the findings and the chat channel still holds the rationale for why each one closed the way it did. The fix is moving the rationale onto the finding itself, with the comment, the named decider, and the timestamp captured on the activity log so the audit can read why and not just what.

Consolidation depends on bulk finding import preserving original tool metadata, scanner result triage promoting validated findings into the queue, and security testing program management holding the wider programme cadence after the migration completes.

Once the consolidation lands, the queue feeds vulnerability prioritisation, vulnerability SLA management, remediation tracking, and security leadership reporting from one record rather than from the patchwork the consolidation retired.

Findings, evidence, decisions, owners, and audit trail all live on the same engagement record. The operational queue, the audit binder, and the leadership pack derive from that record rather than from three reauthored views that disagree by audit week.

The migration map names every legacy artefact, its destination on the engagement record, and its retirement date. The activity log captures the migration steps so the audit can reconstruct what moved and when. Heroic memory in someone's head stops being the dependency.

Bulk imports preserve CVSS vectors, severities, evidence, and prior IDs. Migrated findings inherit engagement scope, asset tier, and exposure annotation. The platform holds the lineage so the historical decisions remain defensible after the legacy system retires.

The compliance mapping, the leadership pack, and the audit binder all derive from the live record. Nobody assembles the evidence at the end of the quarter from a spreadsheet; the activity log is the trail and the AI report is the narrative.