Automate remediation target tracking in Application Vulnerability Response
Summary of Automate Remediation Target Tracking in Application Vulnerability Response
Application Remediation Target Rules enable organizations to establish timelines for addressing application vulnerable items (AVIs). These rules help ensure vulnerabilities are remediated within specified timeframes, such as 15 days for critical risks. App-Sec Managers can create and manage these rules to track and ensure timely remediation efforts.
Key Features
- Remediation Target and Reminder Targets: Managers set targets for fixing vulnerabilities and reminders for upcoming deadlines.
- Visual Tracking: The AVI list view uses color coding to indicate status: green for upcoming, orange for approaching, and red for past due.
- Default Rules: Three inactive default rules are available based on risk ratings:
  - Critical Risk: 15 days
  - Medium-High Risk: 30 days
  - Less Critical Risk: 45 days
- Rule Management: Rules can be deactivated or deleted, affecting how AVIs are managed. Deactivated rules clear current target dates, while deleted rules preserve information for closed AVIs.
- Most Restrictive Rule Application: If multiple rules apply to an AVI, the most stringent rule dictates the remediation target date.
- Scheduled Job for Evaluation: The Evaluate remediation targets job runs daily to update remediation target dates based on active rules.
Key Outcomes
By implementing these remediation target tracking features, ServiceNow customers can expect improved management of application vulnerabilities, ensuring timely remediation and compliance with security policies. This results in enhanced security posture and reduced risk exposure across applications.
Application Remediation Target Rules define the expected timeframe for remediating application vulnerable items (AVIs), and therefore the vulnerability itself. For example, if an application vulnerable item has a critical risk rating, the vulnerability on that item must be fixed within 15 days. Each rule defines two dates:
- The remediation target.
- The reminder target.
App-Sec Managers can see the remediation target date in the AVI form and list views; however, dates are not updated for AVIs in the Deferred, Resolved, or Closed state. In the list view the date is color coded by status:
- AVIs that have not yet reached their notification date (the reminder target) are shown in green.
- AVIs approaching the remediation target date are shown in orange.
- AVIs past the remediation target date are shown in red.
Default rules
- Critical Risk Rating Rule: Applies to AVIs with a 1-Critical risk rating, with a remediation target of 15 days and a reminder 7 days before the target date.
- Medium-High Risk Rating rule: Applies to AVIs with either a 2-High or 3-Medium risk rating, with a remediation target of 30 days and a reminder 7 days before the target date.
- Less Critical Risk Rating rule: Applies to AVIs with a 4-Low risk rating, with a remediation target of 45 days and a reminder 7 days before the target date.
Remediation target rules can be deactivated or deleted
When a rule is deactivated, the current remediation target dates for the AVIs it was applied to are cleared. If an AVI satisfies any other active rule, that rule is applied; otherwise the AVI has no rule or target date, and its status is No Target.
When a rule is deleted, the Remediation target date and related fields on closed AVIs are preserved. The Remediation target date and related fields on non-closed AVIs are cleared, and any dependent rules are reapplied.
Remediation rule scenario
When multiple remediation target rules apply to the same AVI, the most restrictive rule is applied. For example, if an AVI meets the condition for two application remediation target rules:
- Application remediation target rule 1: Last opened on 03/07/2018; remediation target is 15 days since it was last opened; calculated remediation target date is 03/16/2018 10:00:00.
- Application remediation target rule 2: Last opened on 03/10/2018; remediation target is 10 days since it was last opened; calculated remediation target date is 03/11/2018 10:00:00.
Rule 2 is applied, because its calculated remediation target date (03/11/2018) is the earlier of the two.
Starting from V17.1, remediation targets are calculated from the Target from date field. Its default value remains the Last opened date.
About the Evaluate remediation targets scheduled job
Evaluate remediation targets runs once daily at 4:00:00. It evaluates the active application remediation target rules against AVIs that:
- Are not in a Closed, Deferred, or Resolved state.
- Have no remediation target date.
- Have a remediation target date that is later than the date calculated from the application remediation target rule.
Evaluate remediation targets adds a remediation target date if one does not exist, or, if the rule yields an earlier date than the one in the record, updates the existing target date. Finally, it updates the Remediation target date and Remediation status fields in the AVI form. For inactive rules, Evaluate remediation targets clears the remediation fields on the AVI.
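The most-restrictive-rule scenario above and the daily Evaluate remediation targets logic, as an added plain Node.js model that is not ServiceNow's own code and uses no Glide API. The rule and AVI object shapes, the AVI sample and the extra 10-day custom rule are assumptions made for the example; the three default rules mirror those on this page.

```javascript
// Added example, not ServiceNow's own code: a plain Node.js model of the rule
// evaluation described on this page. Object shapes and the custom rule are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;
const FROZEN_STATES = new Set(['Closed', 'Deferred', 'Resolved']);
const addDays = (date, days) => new Date(date.getTime() + days * DAY_MS);
// Constructed sample: the three default rules plus an assumed stricter custom rule.
const RULES = [
  { name: 'Critical Risk Rating Rule', active: true, riskRatings: ['1-Critical'], targetDays: 15, reminderDays: 7 },
  { name: 'Medium-High Risk Rating rule', active: true, riskRatings: ['2-High', '3-Medium'], targetDays: 30, reminderDays: 7 },
  { name: 'Less Critical Risk Rating rule', active: true, riskRatings: ['4-Low'], targetDays: 45, reminderDays: 7 },
  { name: 'Custom 10-day rule (assumed)', active: true, riskRatings: ['1-Critical'], targetDays: 10, reminderDays: 7 },
];
// Most restrictive active rule for an AVI: the earliest calculated target date
// (Target from + target days) wins. Returns null when no active rule matches.
function mostRestrictiveRule(avi, rules) {
  let best = null;
  for (const rule of rules) {
    if (!rule.active || !rule.riskRatings.includes(avi.riskRating)) continue;
    const target = addDays(avi.targetFrom, rule.targetDays);
    if (best === null || target < best.target) best = { rule, target };
  }
  return best;
}
// One pass of the daily Evaluate remediation targets job over a single AVI.
// Returns a new AVI; Closed/Deferred/Resolved items are returned unchanged.
function evaluateRemediationTarget(avi, rules) {
  if (FROZEN_STATES.has(avi.state)) return avi;
  let current = avi.remediationTargetDate;
  // A deactivated or deleted rule clears the date it set before active rules reapply.
  const prior = rules.find((r) => r.name === avi.ruleName);
  if (avi.ruleName && (!prior || !prior.active)) current = null;
  const best = mostRestrictiveRule(avi, rules);
  if (best === null) {
    return { ...avi, ruleName: null, remediationTargetDate: null, reminderDate: null };
  }
  // Add a target date if none exists, or move it earlier when this rule is stricter.
  if (current === null || best.target < current) {
    return { ...avi, ruleName: best.rule.name, remediationTargetDate: best.target,
             reminderDate: addDays(best.target, -best.rule.reminderDays) };
  }
  return avi;
}
// List-view colour: green before the reminder date, orange up to the target, red after.
function remediationStatus(avi, now) {
  if (!avi.remediationTargetDate) return 'No Target';
  if (now >= avi.remediationTargetDate) return 'red';
  if (now >= avi.reminderDate) return 'orange';
  return 'green';
}
```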
Reapplying remediation target rules
If the scheduled job Evaluate remediation targets is running, you cannot initiate a reapply process. However, if a reapply process is already running when the scheduled job is triggered, they run in parallel.
The reapply processes in Vulnerability Response and Application Vulnerability Response are independent and can run in parallel.