Report Type

Remediation Roadmap

Prioritized action plan with effort estimates and team assignments. Turn vulnerability findings into an executable remediation strategy.

Overview

The Remediation Roadmap transforms raw vulnerability findings into an actionable plan. It prioritizes issues by risk, estimates effort, and assigns work to teams—making it easy to plan sprints and allocate resources.

Bash
# Generate remediation roadmap
bloodhound report roadmap --output roadmap.pdf

# Roadmap for specific time horizon
bloodhound report roadmap --horizon 90d --output quarterly-roadmap.pdf

# Include effort estimates
bloodhound report roadmap --estimate-effort --output roadmap-with-effort.pdf

# Team-aware roadmap
bloodhound report roadmap --team-config ./teams.yaml --output team-roadmap.pdf
Immediate: 3 critical issues
This Sprint: 12 high priority
Backlog: 55 lower priority

Prioritization

Findings are prioritized using a multi-factor scoring system that considers severity, exploitability, business impact, and remediation complexity.

Text
# Prioritization Score Calculation

═══════════════════════════════════════════════════════════════════
 PRIORITIZATION MATRIX
═══════════════════════════════════════════════════════════════════

Finding: SQL-001 (SQL Injection in payment API)

FACTOR               WEIGHT   SCORE   CONTRIBUTION
────────────────────────────────────────────────────────────────
Severity (CVSS)        30%     9.8        2.94
Exploitability         25%    10.0        2.50
Business Impact        20%     9.5        1.90
Data Sensitivity       15%    10.0        1.50
Remediation Effort     10%     7.0        0.70
────────────────────────────────────────────────────────────────
PRIORITY SCORE   │ 9.54 / 10
PRIORITY TIER    │ P0 - IMMEDIATE

RANKING EXPLANATION
───────────────────────────────────────────────────────────────────
This finding ranks #1 of 70 because:
• Critical severity with CVSS 9.8
• Trivially exploitable (no authentication required)
• Affects payment processing (highest business impact)
• Exposes PII and financial data
• Fix is straightforward (parameterized queries)

RECOMMENDATION: Fix within 24 hours
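The matrix above is a weighted sum, so it is worth seeing the arithmetic carried through in code. The script below is an added example, not BloodHound's own scoring code: the five weights and SQL-001's factor scores come from the matrix, while the tier cut-offs in TIER_FLOORS and the second finding LOG-001 are assumptions made here for illustration (the page maps 9.54 to P0 but does not publish thresholds). It also validates the inputs, which a report generator should do before ranking anything.

```python
"""Worked prioritization score for the SQL-001 matrix above.

Added example: not BloodHound's own scoring code. Weights and SQL-001's
factor scores are from the page; TIER_FLOORS and LOG-001 are assumed.
"""
from dataclasses import dataclass

# Factor weights from the prioritization matrix (they sum to 1.0).
WEIGHTS = {
    "severity": 0.30,            # CVSS base score, 0-10
    "exploitability": 0.25,      # 0-10, higher = easier to exploit
    "business_impact": 0.20,     # 0-10
    "data_sensitivity": 0.15,    # 0-10
    "remediation_effort": 0.10,  # 0-10, higher = simpler fix, so it raises priority
}

# ASSUMED tier cut-offs, highest first: score >= floor -> tier.
TIER_FLOORS = [(9.0, "P0"), (7.5, "P1"), (6.0, "P2"), (4.0, "P3"), (0.0, "P4")]


@dataclass(frozen=True)
class Finding:
    finding_id: str
    title: str
    factors: dict  # factor name -> score on the 0-10 scale


def contributions(finding):
    """One matrix row per factor: weight * score, rounded like the report."""
    missing = set(WEIGHTS) - set(finding.factors)
    if missing:
        raise ValueError(f"{finding.finding_id}: missing factors {sorted(missing)}")
    for name, score in finding.factors.items():
        if not 0.0 <= score <= 10.0:
            raise ValueError(f"{finding.finding_id}: {name}={score} is outside 0-10")
    return {name: round(WEIGHTS[name] * finding.factors[name], 2) for name in WEIGHTS}


def priority_score(finding):
    """Weighted sum of the factor scores, on a 0-10 scale."""
    return round(sum(contributions(finding).values()), 2)


def priority_tier(score):
    for floor, tier in TIER_FLOORS:
        if score >= floor:
            return tier
    return "P4"


def rank(findings):
    """Highest score first; ties broken by id so the ranking is stable."""
    return sorted(findings, key=lambda f: (-priority_score(f), f.finding_id))


# SQL-001 exactly as scored on the page.
SQL_001 = Finding("SQL-001", "SQL Injection in payment API", {
    "severity": 9.8, "exploitability": 10.0, "business_impact": 9.5,
    "data_sensitivity": 10.0, "remediation_effort": 7.0,
})
# Constructed low-risk finding to exercise the lower tiers.
LOG_001 = Finding("LOG-001", "Verbose stack traces in error page", {
    "severity": 5.3, "exploitability": 4.0, "business_impact": 3.0,
    "data_sensitivity": 2.0, "remediation_effort": 10.0,
})

if __name__ == "__main__":
    for f in rank([LOG_001, SQL_001]):
        s = priority_score(f)
        print(f"{f.finding_id:8} {s:5.2f}  {priority_tier(s)}")
```

Because the effort factor is weighted so that an easy fix raises the score, a cheap critical fix like SQL-001 lands at the top; swap in a CVSS 9.8 finding with a 2.0 effort score and it still stays P0 under the assumed cut-offs, which is the behaviour you want from a roadmap that should never bury a critical issue because it is expensive.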

Priority Tiers

P0 - Immediate: fix within 24 hours
P1 - Urgent: fix within 1 week
P2 - High: fix within 2 weeks
P3 - Medium: fix within 30 days
P4 - Low: fix within 90 days

Effort Estimation

Effort is estimated by an AI model from code complexity, fix type, and historical data on similar issues; each estimate carries a confidence level so you know how much to trust it when planning.

Text
# Effort Estimation Output

═══════════════════════════════════════════════════════════════════
 EFFORT ESTIMATES
═══════════════════════════════════════════════════════════════════

SUMMARY
───────────────────────────────────────────────────────────────────
Total Findings:          70
Total Estimated Effort:  156 developer-hours (≈ 4 developer-weeks)

BY PRIORITY
───────────────────────────────────────────────────────────────────
P0 (3 findings)   │████░░░░░░░░░░░░░░░░│ 12 hours (8%)
P1 (12 findings)  │████████████░░░░░░░░│ 48 hours (31%)
P2 (21 findings)  │██████████████░░░░░░│ 52 hours (33%)
P3 (18 findings)  │████████░░░░░░░░░░░░│ 32 hours (21%)
P4 (16 findings)  │██████░░░░░░░░░░░░░░│ 12 hours (8%)

DETAILED ESTIMATES
───────────────────────────────────────────────────────────────────
ID          Title                                Est.   Confidence
────────────────────────────────────────────────────────────────────
SQL-001     SQL Injection in payment API         2h     HIGH (92%)
            └─ Simple parameterization fix

AUTH-001    Authentication bypass                4h     MEDIUM (75%)
            └─ Requires middleware refactor

XSS-001     Stored XSS in comments               1h     HIGH (95%)
            └─ Add DOMPurify sanitization

DEPS-001    Outdated lodash (CVE-2024-xxxx)      0.5h   HIGH (98%)
            └─ Version bump only

CRYPTO-001  Weak password hashing                8h     LOW (60%)
            └─ Migration script needed
            └─ Uncertainty: database size unknown

CAPACITY PLANNING
───────────────────────────────────────────────────────────────────
With 2 developers at 80% capacity:
• P0 items: 1 day
• P0 + P1: 1 week
• All P0-P2: 2.5 weeks
• All findings: 4 weeks

Team Assignment

Automatically assign findings to teams based on code ownership and expertise.

YAML
# Team configuration file (teams.yaml)

teams:
  - name: "Platform Team"
    codeowners:
      - "src/api/**"
      - "src/middleware/**"
      - "src/database/**"
    expertise:
      - sql-injection
      - authentication
      - authorization
    members:
      - alice@company.com
      - bob@company.com
    capacity: 40 # hours per sprint

  - name: "Frontend Team"
    codeowners:
      - "src/views/**"
      - "src/components/**"
      - "public/**"
    expertise:
      - xss
      - csrf
      - client-side-security
    members:
      - carol@company.com
      - dave@company.com
    capacity: 30

  - name: "DevOps Team"
    codeowners:
      - "infrastructure/**"
      - "docker/**"
      - ".github/**"
    expertise:
      - secrets-management
      - container-security
      - ci-cd
    members:
      - eve@company.com
    capacity: 20
Bash
# Generate team-assigned roadmap
bloodhound report roadmap --team-config ./teams.yaml

# Output includes:
#
# PLATFORM TEAM (40h capacity)
# ───────────────────────────────────────────────────────────────
# Sprint 1:
#   [P0] SQL-001 - SQL Injection in payment API (2h)
#   [P0] AUTH-001 - Authentication bypass (4h)
#   [P1] SQL-002 - SQL Injection in products (2h)
#   ...
#   Total: 38h (95% capacity)
#
# FRONTEND TEAM (30h capacity)
# ───────────────────────────────────────────────────────────────
# Sprint 1:
#   [P1] XSS-001 - Stored XSS in comments (1h)
#   [P1] XSS-002 - Reflected XSS in search (1h)
#   [P2] CSRF-001 - Missing CSRF tokens (4h)
#   ...
#   Total: 28h (93% capacity)
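To make the routing rules concrete, here is an added example (not BloodHound's own assignment logic) that takes the three teams from teams.yaml above, routes each finding first by codeowners glob and then by expertise, and packs each team's backlog into sprints in priority order without exceeding the team's capacity. The findings, file paths, hour estimates and categories are constructed for the example, TEAMS is the YAML inlined as a dict so the script needs no PyYAML, and the spill-over packing rule is an assumption of this script. Findings that match neither a codeowner nor an expertise tag are returned separately rather than silently dropped, which is the failure mode to watch for when a team config is out of date.

```python
"""Code-ownership routing and capacity-bound sprint packing.

Added example, not BloodHound's own logic. TEAMS mirrors teams.yaml
above; findings, paths, hours and the packing rule are assumptions.
"""
from fnmatch import fnmatch

TEAMS = [
    {"name": "Platform Team",
     "codeowners": ["src/api/**", "src/middleware/**", "src/database/**"],
     "expertise": ["sql-injection", "authentication", "authorization"],
     "capacity": 40},
    {"name": "Frontend Team",
     "codeowners": ["src/views/**", "src/components/**", "public/**"],
     "expertise": ["xss", "csrf", "client-side-security"],
     "capacity": 30},
    {"name": "DevOps Team",
     "codeowners": ["infrastructure/**", "docker/**", ".github/**"],
     "expertise": ["secrets-management", "container-security", "ci-cd"],
     "capacity": 20},
]

TIER_ORDER = {"P0": 0, "P1": 1, "P2": 2, "P3": 3, "P4": 4}

# Constructed findings; "hours" stands in for the effort estimate.
FINDINGS = [
    {"id": "SQL-001", "tier": "P0", "hours": 2, "path": "src/api/payments.py", "category": "sql-injection"},
    {"id": "AUTH-001", "tier": "P0", "hours": 4, "path": "src/middleware/session.py", "category": "authentication"},
    {"id": "SECRETS-001", "tier": "P0", "hours": 3, "path": ".github/workflows/deploy.yml", "category": "secrets-management"},
    {"id": "XSS-001", "tier": "P1", "hours": 1, "path": "src/components/Comment.jsx", "category": "xss"},
    {"id": "SQL-002", "tier": "P1", "hours": 2, "path": "src/api/products.py", "category": "sql-injection"},
    {"id": "CRYPTO-001", "tier": "P2", "hours": 8, "path": "src/auth/hash.py", "category": "authentication"},
    {"id": "CONTAINER-001", "tier": "P2", "hours": 18, "path": "docker/Dockerfile", "category": "container-security"},
    {"id": "DEPS-001", "tier": "P3", "hours": 0.5, "path": "package.json", "category": "outdated-dependency"},
]


def assign(finding):
    """Route by code ownership first, then by expertise; None means manual triage."""
    for team in TEAMS:
        if any(fnmatch(finding["path"], pattern) for pattern in team["codeowners"]):
            return team["name"]
    for team in TEAMS:
        if finding["category"] in team["expertise"]:
            return team["name"]
    return None


def plan_sprints(findings=FINDINGS):
    """Return ({team: [[ids in sprint 1], [ids in sprint 2], ...]}, unassigned ids)."""
    queues = {team["name"]: [] for team in TEAMS}
    unassigned = []
    for f in findings:
        owner = assign(f)
        (queues[owner] if owner else unassigned).append(f)
    plan = {}
    for team in TEAMS:
        # Highest tier first; within a tier, larger items first so they are scheduled early.
        backlog = sorted(queues[team["name"]],
                         key=lambda f: (TIER_ORDER[f["tier"]], -f["hours"]))
        sprints, current, used = [], [], 0
        for f in backlog:
            # Spill to the next sprint when this item would exceed capacity;
            # an item larger than the whole capacity still gets its own sprint.
            if current and used + f["hours"] > team["capacity"]:
                sprints.append(current)
                current, used = [], 0
            current.append(f["id"])
            used += f["hours"]
        if current:
            sprints.append(current)
        plan[team["name"]] = sprints
    return plan, [f["id"] for f in unassigned]


def sprint_hours(plan, team_name, sprint_index, findings=FINDINGS):
    """Hours booked in one sprint, for the 'Total: Nh (x% capacity)' line."""
    hours = {f["id"]: f["hours"] for f in findings}
    return sum(hours[i] for i in plan[team_name][sprint_index])


if __name__ == "__main__":
    plan, unassigned = plan_sprints()
    for team in TEAMS:
        for n, ids in enumerate(plan[team["name"]], start=1):
            h = sprint_hours(plan, team["name"], n - 1)
            print(f"{team['name']} sprint {n}: {ids} ({h}h / {team['capacity']}h)")
    print("Needs manual triage:", unassigned)
```

In the sample data CRYPTO-001 lives under src/auth/, which no team owns, so it falls through to the expertise rule and lands with the Platform Team; CONTAINER-001 cannot fit beside SECRETS-001 in the DevOps Team's 20-hour sprint and is pushed to sprint 2; and DEPS-001 matches nothing and is reported for triage. Those three cases are exactly the ones to check when you first run a roadmap against a new teams.yaml.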

Remediation Phases

The roadmap organizes work into phases that align with your development cycle.

Text
# Phased Remediation Roadmap

═══════════════════════════════════════════════════════════════════
 REMEDIATION PHASES
═══════════════════════════════════════════════════════════════════

PHASE 1: EMERGENCY (Week 1)
───────────────────────────────────────────────────────────────────
Goal: Eliminate critical exposure
Effort: 12 hours
Risk Reduction: 45%

✓ SQL-001 - SQL Injection in payment API
  └─ Owner: Platform Team
  └─ Fix: Parameterized queries

✓ AUTH-001 - Authentication bypass
  └─ Owner: Platform Team
  └─ Fix: Add session validation

✓ SECRETS-001 - Exposed AWS credentials
  └─ Owner: DevOps Team
  └─ Fix: Rotate and use Secrets Manager


PHASE 2: HARDENING (Weeks 2-3)
───────────────────────────────────────────────────────────────────
Goal: Address high-severity issues
Effort: 48 hours
Risk Reduction: 75% (cumulative)

• 12 High-severity findings
• Focus: XSS, CSRF, dependency updates
• Includes security regression tests


PHASE 3: STRENGTHENING (Weeks 4-6)
───────────────────────────────────────────────────────────────────
Goal: Address medium-severity issues
Effort: 52 hours
Risk Reduction: 90% (cumulative)

• 21 Medium-severity findings
• Focus: Input validation, logging, configuration


PHASE 4: MAINTENANCE (Ongoing)
───────────────────────────────────────────────────────────────────
Goal: Clear remaining backlog
Effort: 44 hours
Risk Reduction: 100% (cumulative)

• 34 Low-severity findings
• Integrate into regular sprint work

Progress Tracking

Track remediation progress and generate status reports.

Bash
# Update finding status
bloodhound status SQL-001 --resolved --commit abc123

# Generate progress report
bloodhound report roadmap --progress

# Output:
# ═══════════════════════════════════════════════════════════════
# REMEDIATION PROGRESS
# ═══════════════════════════════════════════════════════════════
#
# OVERALL: 23/70 findings resolved (33%)
# ████████████░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
#
# BY PHASE
# ───────────────────────────────────────────────────────────────
# Phase 1 (Emergency):    3/3 complete ✓
# Phase 2 (Hardening):    8/12 complete (67%)
# Phase 3 (Strengthen):   5/21 complete (24%)
# Phase 4 (Maintenance):  7/34 complete (21%)
#
# BY TEAM
# ───────────────────────────────────────────────────────────────
# Platform Team:  12/28 (43%) - On Track ✓
# Frontend Team:   6/22 (27%) - Behind Schedule ⚠️
# DevOps Team:     5/20 (25%) - On Track ✓
#
# AT RISK
# ───────────────────────────────────────────────────────────────
# XSS-003 - Overdue by 3 days (assigned: Frontend)
# CSRF-002 - Due tomorrow (assigned: Frontend)

# Export to project management tool
bloodhound roadmap sync --to jira --project SEC

Integration with CI/CD

Add bloodhound report roadmap --progress --fail-on-overdue to your CI pipeline to block deployments when critical fixes are overdue.
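The overdue check behind a CI gate is simple to reason about once the priority tiers are expressed as SLA windows. The script below is an added example and not BloodHound's own --fail-on-overdue implementation: it turns the Priority Tiers table (24 hours, 1 week, 2 weeks, 30 days, 90 days) into due dates, classifies each finding as resolved, overdue, due soon or on track, reproduces the AT RISK section of the progress report, and returns a non-zero exit status when an unresolved finding in a blocking tier is past due. The findings, their discovery dates, the fixed reference time NOW, the 24-hour "due soon" window and the default choice of P0 as the only blocking tier are all assumptions made here.

```python
"""Tier SLAs as due dates, plus an overdue gate suitable for CI.

Added example, not BloodHound's own --fail-on-overdue code. SLA windows
are the Priority Tiers above; findings, dates, DUE_SOON and the default
blocking tiers are assumptions.
"""
from datetime import datetime, timedelta, timezone

SLA = {
    "P0": timedelta(hours=24),
    "P1": timedelta(weeks=1),
    "P2": timedelta(weeks=2),
    "P3": timedelta(days=30),
    "P4": timedelta(days=90),
}
DUE_SOON = timedelta(hours=24)  # assumed window for the "Due tomorrow" warning


def due_date(tier, discovered):
    """Deadline implied by the tier's SLA, counted from discovery."""
    return discovered + SLA[tier]


def classify(finding, now):
    """'resolved', 'overdue', 'due-soon' or 'on-track' for one finding dict."""
    if finding.get("resolved"):
        return "resolved"
    due = due_date(finding["tier"], finding["discovered"])
    if now > due:
        return "overdue"
    if due - now <= DUE_SOON:
        return "due-soon"
    return "on-track"


def at_risk(findings, now):
    """(id, status, whole days overdue or remaining) for the AT RISK section."""
    rows = []
    for f in findings:
        status = classify(f, now)
        if status in ("overdue", "due-soon"):
            delta = now - due_date(f["tier"], f["discovered"])
            rows.append((f["id"], status, abs(delta.days)))
    return rows


def gate(findings, now, fail_tiers=("P0",)):
    """(exit status, blocking ids): 1 when an unresolved fail_tiers finding is overdue."""
    blocking = [f["id"] for f in findings
                if f["tier"] in fail_tiers and classify(f, now) == "overdue"]
    return (1 if blocking else 0), blocking


# Constructed reference time and findings; all datetimes are timezone-aware
# so that comparisons never raise on a naive/aware mismatch.
NOW = datetime(2024, 3, 15, 9, 0, tzinfo=timezone.utc)
FINDINGS = [
    {"id": "SQL-001", "tier": "P0", "resolved": True,
     "discovered": datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)},
    {"id": "XSS-003", "tier": "P1", "resolved": False,
     "discovered": datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc)},   # due 2024-03-12
    {"id": "CSRF-002", "tier": "P2", "resolved": False,
     "discovered": datetime(2024, 3, 2, 9, 0, tzinfo=timezone.utc)},   # due 2024-03-16
    {"id": "LOG-004", "tier": "P4", "resolved": False,
     "discovered": datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)},  # due 2024-06-08
]

if __name__ == "__main__":
    for fid, status, days in at_risk(FINDINGS, NOW):
        print(f"{fid} - {status} ({days} day(s))")
    code, ids = gate(FINDINGS, NOW, fail_tiers=("P0", "P1"))
    print("blocking:", ids)
    raise SystemExit(code)  # non-zero stops the pipeline
```

With the sample data, XSS-003 is three days past its one-week P1 window and CSRF-002 falls due within the next 24 hours, matching the AT RISK lines in the progress output. Whether XSS-003 blocks a deployment depends entirely on fail_tiers: with the default of P0 only the gate passes, with P0 and P1 it fails, so decide that policy explicitly rather than discovering it the first time a release is held.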