All use cases
SecOps

Vulnerability-to-Remediation Workflow

Turn new vulnerability findings into tracked ServiceNow remediation tickets, matched to asset owners and backed by SLA timers with escalation.

Qualys Container SecurityServiceNowSlack

The problem

Scanner findings pile up in a console that engineering never opens, and severity scores alone do not say who should fix what. Turning findings into tickets by hand is slow and inconsistent, so remediation deadlines slip without anyone noticing. When the same finding reappears in the next scan, a duplicate ticket often follows.

How it runs on Neblex

A Neblex flow polls Qualys Container Security for findings and detects changes with cursors and content hashing, so resolved and reopened findings are tracked as well as new ones. Dedup with matching rules keeps one open ticket per finding per asset, and an ownership table in Data Tables maps images and clusters to the teams that run them.

Conditional branching applies your prioritization policy, combining scanner severity with asset context such as environment and exposure. Each actionable finding becomes a ServiceNow ticket assigned to the owning team, with a Slack notification to the team channel, and chunked batch processing with checkpoints handles large scan result sets without losing progress.

SLA timers with escalation track each ticket against your remediation deadlines and escalate through Slack when a deadline approaches. The hash-chained audit trail records every finding, routing decision, and escalation, which gives compliance a single verifiable record.

Step by step

1

Poll for new findings

The flow polls Qualys Container Security on a schedule and detects new, changed, and resolved findings via cursors and content hashing.

2

Deduplicate per asset

Matching rules ensure one open ticket per finding and asset, so rescans update tickets instead of duplicating them.

3

Match to owners

A Data Tables ownership map assigns each finding to the team responsible for the affected image or cluster.

4

Create tracked tickets

ServiceNow tickets are created with severity and asset context, and Slack notifies the owning team.

5

Enforce remediation SLAs

SLA timers escalate findings that approach their deadline, and closures write back when the next scan confirms the fix.

Platform capabilities used

  • Poll-based change detection
  • Dedup via matching rules
  • Data Tables ownership mapping
  • Chunked batch processing with checkpoints
  • SLA timers with escalation
  • Hash-chained audit trail

Common questions

Does a rescan create duplicate tickets?

No. Matching rules identify the existing ticket for a finding and asset, so rescans update it. When a finding no longer appears, the flow can close the ticket and record the resolution.

How are asset owners determined?

Ownership lives in a Data Tables map from images, clusters, or namespaces to teams, editable by the security team under role-based access. You can also pull ownership from any system with a REST API by adding it as a typed connector from its OpenAPI spec.

Can we enforce different SLAs by severity?

Yes. Conditional branching sets the SLA timer per severity tier, and timers escalate through Slack or reassignment as deadlines near. Escalation can also respect business hours.

Want this running on your stack?

Neblex Integration Fabric is in beta: full platform, free while in beta. Bring this workflow and we will map it to your systems.