Program Management

Overview

Nullify orchestrates long-running security initiatives across code reviews, bug hunts, pentests, and cloud audits. Security Program Management intelligently manages the backlog of triaged findings, monitors threat intelligence, tracks team capacity, understands organizational risk, and assigns work to the right people at the right time.

Backlog Management

Nullify maintains a curated security backlog combining findings from all sources:

Finding Sources

  • Code Review: Application vulnerabilities (CWEs), dependency vulnerabilities (CVEs), leaked secrets

  • Cloud Audits: Infrastructure misconfigurations and compliance violations

  • Pentests: Validated application vulnerabilities with exploit evidence

  • Bug Hunts: Attack surface discoveries and theoretical vulnerability chains

Intelligent Curation

  • Randomization: Prevents bias toward specific finding types

  • Severity Sorting: Ranks by exploitability score (0-100), not just CVSS

  • Deduplication: Collapses duplicate reports of the same issue and drops findings that are already resolved

  • Display Limits: Shows only the ~50 highest-priority findings so the list stays reviewable

  • Status Tracking: Links findings to pull requests and tickets for remediation status
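The curation steps listed above, as an added Python example written for this page (it is not Nullify's own code). The Finding fields, the 10-point exploitability bands used to keep severity order while interleaving finding types, the duplicate rule (same weakness at the same location) and the sample findings are all assumptions:

```python
"""Backlog curation: drop resolved findings, collapse duplicates, rank by
exploitability, interleave finding types, and cap the list.

Added illustration, not Nullify's code. Field names, score bands and the
sample data are assumptions."""
from __future__ import annotations

import random
from collections import defaultdict
from dataclasses import dataclass

DISPLAY_LIMIT = 50  # the page says "~50"; the exact cut-off is assumed


@dataclass(frozen=True)
class Finding:
    id: str
    source: str           # "code_review" | "cloud_audit" | "pentest" | "bug_hunt"
    kind: str             # weakness class or rule, e.g. "CWE-89", "public_s3_bucket"
    location: str         # file path, resource name, URL ...
    exploitability: int   # 0-100 exploitability score, not CVSS
    status: str = "open"  # "open" | "resolved"
    linked_pr_merged: bool = False   # remediation PR linked to this finding was merged


def fingerprint(f: Finding) -> tuple[str, str]:
    """Same weakness at the same place is the same finding, whichever
    assessment (code review, pentest, ...) reported it."""
    return (f.kind, f.location)


def is_resolved(f: Finding) -> bool:
    return f.status == "resolved" or f.linked_pr_merged


def interleave(groups: list[list[Finding]]) -> list[Finding]:
    """Round-robin across groups so one finding type cannot monopolise a band."""
    queues = [list(g) for g in groups]
    out: list[Finding] = []
    while any(queues):
        for q in queues:
            if q:
                out.append(q.pop(0))
    return out


def curate(findings: list[Finding], limit: int = DISPLAY_LIMIT, seed: int = 0) -> list[Finding]:
    # 1. drop resolved findings; 2. dedupe, keeping the best-evidenced copy
    best: dict[tuple[str, str], Finding] = {}
    for f in findings:
        if is_resolved(f):
            continue
        key = fingerprint(f)
        if key not in best or f.exploitability > best[key].exploitability:
            best[key] = f
    # 3. bucket into 10-point exploitability bands (90-100, 80-89, ...)
    bands: dict[int, dict[str, list[Finding]]] = defaultdict(lambda: defaultdict(list))
    for f in best.values():
        bands[min(f.exploitability, 99) // 10][f.source].append(f)
    # 4. highest band first; inside a band, randomise which source goes first and
    #    round-robin across sources, so severity order is kept only band by band
    rng = random.Random(seed)
    ranked: list[Finding] = []
    for band in sorted(bands, reverse=True):
        groups = [sorted(g, key=lambda x: -x.exploitability) for g in bands[band].values()]
        rng.shuffle(groups)
        ranked.extend(interleave(groups))
    return ranked[:limit]   # 5. display limit


# Constructed sample: one SQL injection reported by code review and then validated
# by a pentest (a duplicate), one finding fixed via a merged PR, one resolved,
# and several distinct open findings from different sources.
SAMPLE = [
    Finding("f1", "code_review", "CWE-89", "app/db.py:42", 80),
    Finding("f2", "pentest", "CWE-89", "app/db.py:42", 95),
    Finding("f3", "cloud_audit", "public_s3_bucket", "bucket/customer-exports", 90),
    Finding("f4", "code_review", "vulnerable_dependency", "package-lock.json", 60, linked_pr_merged=True),
    Finding("f5", "bug_hunt", "open_redirect", "/login?next=", 30, status="resolved"),
    Finding("f6", "code_review", "leaked_secret", "config/.env", 75),
    Finding("f7", "cloud_audit", "iam_wildcard_policy", "role/ci-deployer", 91),
    Finding("f8", "code_review", "CWE-79", "templates/profile.html:17", 93),
]
```

With the sample above, `curate(SAMPLE)` returns five findings: the three sources present in the 90+ band come first in a seed-dependent order, then the second cloud finding, then the leaked secret; f1 is absorbed by the pentest-validated duplicate and f4/f5 are dropped as resolved.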

Threat Intelligence Monitoring

Nullify continuously monitors the external threat landscape:

Daily Internet Research

  • Automated searches for organization-specific threats (max 5 searches/day)

  • Focus on your technology stack and active CVEs in backlog

  • Identifies actively exploited vulnerabilities

  • Detects zero-day disclosures affecting your dependencies

Intelligence Integration

  • Threat data informs escalation decisions

  • Prioritizes findings with active exploitation

  • Guides messaging context for stakeholder communication

  • Triggers emergency campaigns for critical threats

Team Capacity Tracking

Nullify understands how much work each team can handle:

Workload Scoring

  • Open Pull Requests: Counts PRs under review per developer

  • Assigned Tickets: Tracks Jira issues assigned to each person

  • Workload Metrics: Calculates current capacity vs. historical baseline

  • Velocity Analysis: Considers past remediation speed

Intelligent Distribution

  • Identifies least-loaded developers for new assignments

  • Supports action staggering to prevent overload

  • Balances workload across team members

  • Respects team boundaries (no cross-team assignments without approval)

Organizational Risk Profile

Nullify builds a comprehensive understanding of your organization:

Risk Factors

  • Team Structures: Engineering teams, ownership boundaries, reporting lines

  • Code Ownership: CODEOWNERS mapping, commit history analysis, service ownership

  • Technology Stack: Languages, frameworks, cloud providers, dependencies

  • Remediation Velocity: How quickly teams typically address findings

  • Industry Vertical: Domain-specific risk considerations

  • Team Responsiveness: Historical response rates to security issues

  • Business Criticality: Service tiers and customer impact

Context-Aware Decisions

  • Risk profile informs backlog prioritization

  • Business context drives timing decisions

  • Organizational structure guides assignment logic

  • Industry considerations affect compliance mapping

Intelligent Work Assignment

Nullify assigns work using multi-factor decision logic:

Assignment Factors

  1. Severity: Finding exploitability and business impact

  2. Reachability: Direct vs. transitive dependencies, code path analysis

  3. Exploitability: Validated with evidence vs. theoretical

  4. Team Capacity: Current workload and historical velocity

  5. Ownership: Code ownership and service responsibility

  6. Priority: Business criticality and compliance requirements

Auto-Fix PR Creation

  • Generates fix PRs with capacity-aware reviewer selection

  • Selects least-loaded team member as reviewer

  • Includes context-rich descriptions and remediation rationale

  • Links back to original finding with reproduction steps
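One way to turn the capacity tracking, the multi-factor assignment logic and the least-loaded reviewer selection described in the sections above into working code. This is an added example, not Nullify's implementation; the load weights, the priority multipliers, the simplified CODEOWNERS matcher and the sample developers and findings are assumptions:

```python
"""Capacity-aware assignment: score each developer's current load, score each
finding's priority, then hand each finding to the least-loaded owner of the
affected code without crossing team boundaries.

Added illustration, not Nullify's code. Weights, the simplified CODEOWNERS
matcher and all sample data are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass
class Developer:
    handle: str
    team: str
    open_prs: int           # PRs currently under review
    assigned_tickets: int   # open Jira issues
    baseline: float         # historical average of the raw load below
    velocity_days: float    # mean days this person takes to close a security fix


def load_score(d: Developer) -> float:
    """Current load relative to the developer's own baseline (1.0 == usual)."""
    raw = 2.0 * d.open_prs + 1.0 * d.assigned_tickets   # a PR under review weighs more than a ticket
    return raw / d.baseline if d.baseline else raw


@dataclass
class Finding:
    id: str
    path: str
    exploitability: int   # 0-100
    reachable: bool       # direct dependency / reachable code path
    validated: bool       # exploit evidence (pentest) vs theoretical (bug hunt)
    service_tier: int     # 1 = customer-critical, 2 = standard, 3 = internal


def priority(f: Finding) -> float:
    score = float(f.exploitability)
    score *= 1.0 if f.reachable else 0.5
    score *= 1.25 if f.validated else 1.0
    score *= {1: 1.5, 2: 1.0, 3: 0.75}[f.service_tier]
    return score


def parse_codeowners(text: str) -> list[tuple[str, list[str]]]:
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            pattern, *owners = line.split()
            rules.append((pattern, owners))
    return rules


def owners_for(path: str, rules: list[tuple[str, list[str]]]) -> list[str]:
    """Last matching rule wins, as in GitHub CODEOWNERS. Simplified matcher:
    'dir/' as prefix, '*.ext' as glob on the file name, anything else as path prefix."""
    owners: list[str] = []
    for pattern, rule_owners in rules:
        p = pattern.lstrip("/")
        if pattern.endswith("/"):
            hit = path.startswith(p)
        elif pattern.startswith("*"):
            hit = fnmatch(path.rsplit("/", 1)[-1], pattern)
        else:
            hit = path == p or path.startswith(p + "/")
        if hit:
            owners = rule_owners
    return owners


def assign(f: Finding, devs: list[Developer], rules: list[tuple[str, list[str]]],
           max_load: float = 1.5) -> Developer | None:
    """Least-loaded member of the owning team (or a named individual owner), skipping
    anyone over max_load. None means no in-team candidate: escalate for approval
    instead of assigning across teams."""
    owners = owners_for(f.path, rules)
    teams = {o.split("/", 1)[1] for o in owners if "/" in o}      # "@org/team" -> "team"
    handles = {o.lstrip("@") for o in owners if "/" not in o}     # "@alice" -> "alice"
    candidates = [d for d in devs
                  if (d.team in teams or d.handle in handles) and load_score(d) <= max_load]
    if not candidates:
        return None
    return min(candidates, key=lambda d: (load_score(d), d.velocity_days))


def assign_batch(findings: list[Finding], devs: list[Developer],
                 rules: list[tuple[str, list[str]]]) -> dict[str, str | None]:
    """Highest priority first; each assignment counts as a new PR on the assignee,
    so later picks see the updated load (action staggering)."""
    out: dict[str, str | None] = {}
    for f in sorted(findings, key=priority, reverse=True):
        d = assign(f, devs, rules)
        if d is not None:
            d.open_prs += 1
        out[f.id] = d.handle if d else None
    return out


# Constructed sample data.
CODEOWNERS = """
*                              @acme/platform-team
/services/payments/            @acme/payments-team
*.tf                           @acme/infra-team
/services/payments/legacy/     @carol
"""
RULES = parse_codeowners(CODEOWNERS)


def sample_devs() -> list[Developer]:
    return [
        Developer("alice", "payments-team", open_prs=1, assigned_tickets=2, baseline=4.0, velocity_days=3.0),
        Developer("bob", "payments-team", open_prs=3, assigned_tickets=4, baseline=5.0, velocity_days=2.0),
        Developer("carol", "payments-team", open_prs=0, assigned_tickets=1, baseline=2.0, velocity_days=5.0),
        Developer("dave", "infra-team", open_prs=1, assigned_tickets=1, baseline=3.0, velocity_days=4.0),
    ]


SAMPLE_FINDINGS = [
    Finding("F-1", "services/payments/api/charge.py", 90, reachable=True, validated=True, service_tier=1),
    Finding("F-2", "services/payments/api/refund.py", 70, reachable=True, validated=False, service_tier=1),
    Finding("F-3", "infra/main.tf", 60, reachable=True, validated=False, service_tier=2),
    Finding("F-4", "services/payments/legacy/batch.py", 40, reachable=False, validated=False, service_tier=3),
]
```

Running `assign_batch(SAMPLE_FINDINGS, sample_devs(), RULES)` hands F-1 to carol (lowest load on the payments team; bob is over the load cap), F-2 to alice because carol's provisional PR has raised her load, F-3 to the infra team's dave, and F-4 back to carol as the individually named owner of the legacy path. A path owned only by a team with no tracked developers yields None, the signal to escalate rather than assign cross-team.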

PR Lifecycle Management

  • Daily Monitoring: Checks status of all open security PRs

  • Comments: AI agent adds context, answers questions, provides guidance

  • Escalations: Notifies team leads when PRs stall

  • Closures: Tracks merged/closed PRs and updates finding status

Ground Rules

  • Configurable constraints per organization (e.g., "no deploys on Fridays")

  • Respects team preferences and working hours

  • Honors maintenance windows and freeze periods

  • Adapts to organizational culture and processes

Campaign Management

Campaigns organize security work with flexible targeting:

Campaign Scope

Campaigns can target work by:

  • Finding Type: Specific CWEs, CVEs, or misconfiguration types

  • Repository: All findings in specific repos

  • Team: All work for a particular team

  • User: Individual developer assignments

  • Severity: All critical/high severity findings

  • Custom Criteria: Arbitrary combination of filters

Dynamic Finders

  • Construct queries based on campaign scope

  • Support complex boolean logic

  • Real-time evaluation as new findings arrive

  • Bidirectional mapping (findings ↔ campaigns)
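An added example of the dynamic finder idea above: campaign scope expressed as composable boolean predicates over findings, re-evaluated on every finding as it arrives, with the finding-to-campaign mapping maintained in both directions. This is illustration code written for this page, not Nullify's finder syntax; the finding fields and the three sample campaigns are assumptions:

```python
"""Dynamic finders: boolean predicates over findings plus a bidirectional
finding <-> campaign index updated per finding.

Added illustration, not Nullify's code. Field names and sample campaigns
are assumptions."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Any, Callable

Finding = dict[str, Any]            # e.g. {"id": "7", "type": "cwe", "cwe": "CWE-89", "status": "open", ...}
Pred = Callable[[Finding], bool]


# Leaf predicates over one field, and the boolean combinators.
def eq(key: str, value: Any) -> Pred:
    return lambda f: f.get(key) == value

def one_of(key: str, values) -> Pred:
    accepted = set(values)
    return lambda f: f.get(key) in accepted

def gte(key: str, value) -> Pred:
    return lambda f: f.get(key) is not None and f[key] >= value

def all_of(*preds: Pred) -> Pred:
    return lambda f: all(p(f) for p in preds)

def any_of(*preds: Pred) -> Pred:
    return lambda f: any(p(f) for p in preds)

def negate(pred: Pred) -> Pred:
    return lambda f: not pred(f)


@dataclass(frozen=True)
class Campaign:
    name: str
    finder: Pred


class CampaignIndex:
    """Bidirectional finding <-> campaign membership, updated one finding at a time."""

    def __init__(self, campaigns: list[Campaign]):
        self.campaigns = {c.name: c for c in campaigns}
        self.by_campaign: dict[str, set[str]] = {c.name: set() for c in campaigns}
        self.by_finding: dict[str, set[str]] = defaultdict(set)

    def ingest(self, f: Finding) -> set[str]:
        """Re-evaluate every finder for a new or updated finding and return the
        campaigns it now belongs to. A finding that stops matching (fixed, re-scoped)
        is unlinked so campaign counts stay honest."""
        fid = f["id"]
        matched = {name for name, c in self.campaigns.items() if c.finder(f)}
        for name in self.by_finding[fid] - matched:
            self.by_campaign[name].discard(fid)
        for name in matched:
            self.by_campaign[name].add(fid)
        self.by_finding[fid] = matched
        return matched


OPEN = eq("status", "open")

# Constructed sample campaigns: a repo+severity scope, a finding-type scope,
# and a CWE list that excludes one team.
CAMPAIGNS = [
    Campaign("critical-payments",
             all_of(OPEN, eq("repo", "payments-api"),
                    any_of(one_of("severity", ["critical", "high"]), gte("exploitability", 80)))),
    Campaign("secrets-cleanup",
             all_of(OPEN, eq("type", "leaked_secret"))),
    Campaign("injection-sweep",
             all_of(OPEN, one_of("cwe", ["CWE-89", "CWE-78", "CWE-79"]), negate(eq("team", "sandbox")))),
]


def run_sample() -> CampaignIndex:
    """Feed three constructed findings, then re-ingest one of them as resolved."""
    idx = CampaignIndex(CAMPAIGNS)
    idx.ingest({"id": "1", "type": "cwe", "cwe": "CWE-89", "repo": "payments-api",
                "team": "payments", "severity": "critical", "exploitability": 92, "status": "open"})
    idx.ingest({"id": "2", "type": "leaked_secret", "repo": "infra",
                "team": "platform", "severity": "high", "status": "open"})
    idx.ingest({"id": "3", "type": "cwe", "cwe": "CWE-79", "repo": "sandbox-ui",
                "team": "sandbox", "severity": "high", "status": "open"})
    idx.ingest({"id": "2", "type": "leaked_secret", "repo": "infra",
                "team": "platform", "severity": "high", "status": "resolved"})
    return idx
```

After `run_sample()`, finding 1 sits in both "critical-payments" and "injection-sweep", finding 3 matches nothing because its team is excluded, and finding 2 has been unlinked from "secrets-cleanup" by the resolved update, which is what keeps a campaign's remaining count accurate.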

Campaign Lifecycle

  1. Creation: Define objective and scope

  2. Discovery: Identify all relevant findings

  3. Planning: Calculate remediation effort

  4. Execution: Assign work, open PRs, create tickets

  5. Monitoring: Track progress, escalate blockers

  6. Completion: Verify all findings resolved

Campaign Metrics

  • Total findings in scope

  • Resolved vs. remaining

  • Average time to resolution

  • Team-specific progress

  • SLA compliance tracking

Cross-Functional Coordination

Security Program Management coordinates across all Nullify capabilities:

Parallel Execution

  • Coordinates Git operations (PRs, reviews, merges)

  • Manages ticket lifecycles (Jira creation, updates, closures)

  • Handles messaging (Slack notifications, escalations)

  • Orchestrates multi-platform workflows

Event-Based Audit Trail

  • Logs every action (PR created, ticket assigned, notification sent)

  • Maintains timeline of campaign progress

  • Tracks decision rationale for compliance

  • Supports incident post-mortems

Escalation Channels

  • Integrates team leads as escalation contacts

  • Routes critical findings to security responders

  • Coordinates incident response workflows

  • Manages stakeholder communication

Workflow

1. Detect

Nullify correlates threat intelligence, assessment results, and business metadata:

  • Identifies high-impact vulnerabilities

  • Discovers compliance gaps

  • Detects attack surface changes

  • Monitors for actively exploited CVEs

Recommends campaign templates tailored to your environment.

2. Decide

Security leaders adjust scope and automation:

  • Select which findings to address

  • Choose automation level (tickets, PRs, notifications)

  • Set deadlines and SLAs

  • Define success criteria

3. Execute

Campaigns orchestrate end-to-end work:

  • Assign remediation to correct owners

  • Coordinate fix PR creation

  • Manage ticket lifecycles

  • Escalate when progress stalls

  • Balance workload across teams

4. Report

Stakeholders track real-time progress:

  • Dashboard with burn-down charts

  • Per-team progress views

  • Outstanding findings summary

  • Success metrics and KPIs

  • Detailed audit trails

Integration Points

Security Program Management connects with:

  • Code Review: Prioritizes code vulnerabilities for campaigns

  • Cloud Audits: Tracks infrastructure remediation

  • Pentests: Validates exploit chains are fixed

  • Bug Hunts: Coordinates attack surface reduction

  • Remediations: Triggers auto-fix PR generation

  • Jira: Creates and updates tickets

  • Slack: Sends notifications and escalations

  • GitHub/Bitbucket: Opens PRs and manages reviews

Ground Rules & Constraints

Organizations can configure:

  • Working Hours: Respect time zones and business hours

  • Freeze Periods: No deployments during holidays/maintenance

  • Approval Requirements: Specific reviewers for security changes

  • SLA Overrides: Custom deadlines for specific finding types

  • Notification Preferences: Channel and frequency controls

  • Escalation Paths: Team-specific escalation hierarchies
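A worked example of the ground rules from this section and the earlier Ground Rules list (working hours, "no deploys on Fridays", freeze periods): a gate that decides whether an automated action may run now and, if not, when the next allowed slot is. This is an added example, not Nullify's configuration schema; the GroundRules fields and the sample team rules are assumptions. It needs Python 3.9+ for zoneinfo:

```python
"""Ground-rule gate for automated actions (opening a fix PR, posting an
escalation): check the owning team's working hours, blocked weekdays and
freeze windows, and compute the next allowed slot.

Added illustration, not Nullify's configuration format; the rule fields and
the sample rules are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from zoneinfo import ZoneInfo


@dataclass
class GroundRules:
    timezone: str                                    # team's zone, e.g. "America/New_York"
    work_start: time = time(9, 0)
    work_end: time = time(17, 0)
    work_days: frozenset[int] = frozenset({0, 1, 2, 3, 4})   # Mon=0 .. Sun=6
    blocked_days: frozenset[int] = frozenset()               # {4} == "no deploys on Fridays"
    freeze_windows: list[tuple[datetime, datetime]] = field(default_factory=list)  # aware [start, end)


def allowed(rules: GroundRules, at: datetime) -> bool:
    """True if an action may run at `at` (an aware datetime in any zone)."""
    local = at.astimezone(ZoneInfo(rules.timezone))
    wd = local.weekday()
    if wd not in rules.work_days or wd in rules.blocked_days:
        return False
    if not (rules.work_start <= local.time() < rules.work_end):
        return False
    return not any(start <= at < end for start, end in rules.freeze_windows)


def next_allowed(rules: GroundRules, at: datetime, horizon_days: int = 60) -> datetime | None:
    """Earliest time >= `at` that passes every rule, or None if none within the horizon.
    Walks day by day; within a day the only thing to skip past is a freeze window,
    because weekday rules block the whole day."""
    tz = ZoneInfo(rules.timezone)
    local = at.astimezone(tz)
    for offset in range(horizon_days + 1):
        day = (local + timedelta(days=offset)).date()
        start = datetime.combine(day, rules.work_start, tzinfo=tz)
        end = datetime.combine(day, rules.work_end, tzinfo=tz)
        candidate = max(start, local) if offset == 0 else start
        while candidate < end:
            if allowed(rules, candidate):
                return candidate
            freeze_end = next((e for s, e in rules.freeze_windows if s <= candidate < e), None)
            if freeze_end is None:
                break                      # blocked by a weekday rule: try the next day
            candidate = freeze_end.astimezone(tz)
    return None


def decide(rules: GroundRules, at_iso: str) -> tuple[bool, str | None]:
    """ISO-8601 input with UTC offset; returns (may run now, next allowed slot in the team's zone)."""
    at = datetime.fromisoformat(at_iso)
    nxt = next_allowed(rules, at)
    return allowed(rules, at), nxt.isoformat() if nxt else None


# Constructed sample: a US East-coast team, no Friday deploys, a year-end freeze.
NY = ZoneInfo("America/New_York")
PAYMENTS_RULES = GroundRules(
    timezone="America/New_York",
    blocked_days=frozenset({4}),
    freeze_windows=[(datetime(2025, 12, 24, tzinfo=NY), datetime(2026, 1, 2, tzinfo=NY))],
)
```

With the sample rules, a fix PR scheduled for Friday 2025-03-14 at 10:00 Eastern is deferred to Monday 09:00; an escalation fired at 03:00 UTC (23:00 Eastern) waits for the next working morning; and anything landing inside the year-end freeze is pushed to the first working day after it, which here is a Monday because the freeze ends on a Friday.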

Campaign Templates

Pre-built campaign templates for common objectives:

  • Eliminate Credential Leaks: Find and rotate all leaked secrets

  • Upgrade Vulnerable Dependencies: Update all CVE-affected packages

  • Harden Terraform: Enforce encryption and access controls

  • Fix OWASP Top 10: Address web application vulnerabilities

  • Cloud Security Posture: Remediate AWS misconfigurations

  • Compliance Gap Closure: Meet PCI-DSS/HIPAA/SOC2 requirements

Metrics & Reporting

Track security program effectiveness:

  • Mean Time to Remediate (MTTR): Average time from discovery to fix

  • Finding Backlog Trend: Growth or reduction over time

  • Team Velocity: Fixes per sprint/week

  • SLA Compliance: % of findings fixed within SLA

  • Coverage: % of codebase/infrastructure assessed

  • Recurrence Rate: Re-introduced vulnerabilities
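The metrics above (and the campaign metrics listed earlier under Campaign Management) computed over a finding history, as an added Python example. This is not Nullify's reporting code; the per-severity SLA table, the exact metric definitions (for instance how open-but-not-yet-due findings are treated in SLA compliance) and the sample records are assumptions:

```python
"""Program metrics from a finding history: MTTR, SLA compliance, backlog
trend, velocity and recurrence rate.

Added illustration, not Nullify's reporting code. The SLA table, the metric
definitions and the sample records are assumptions."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}   # assumed policy


@dataclass(frozen=True)
class Record:
    fingerprint: str        # rule + location; the same value reappearing after a fix is a recurrence
    severity: str
    discovered: date
    resolved: date | None = None

    def deadline(self) -> date:
        return self.discovered + timedelta(days=SLA_DAYS[self.severity])


def mttr_days(records: list[Record]) -> float | None:
    """Mean days from discovery to fix over resolved findings (None if nothing resolved)."""
    closed = [(r.resolved - r.discovered).days for r in records if r.resolved]
    return mean(closed) if closed else None


def sla_compliance(records: list[Record], today: date) -> float:
    """Share of findings fixed inside their SLA. Open findings whose deadline has not
    arrived are not counted either way; an overdue open finding counts as a breach."""
    due = [r for r in records if r.resolved or r.deadline() <= today]
    if not due:
        return 1.0
    met = sum(1 for r in due if r.resolved and r.resolved <= r.deadline())
    return met / len(due)


def open_count(records: list[Record], on: date) -> int:
    return sum(1 for r in records if r.discovered <= on and (r.resolved is None or r.resolved > on))


def backlog_trend(records: list[Record], start: date, end: date) -> tuple[int, int]:
    """Open findings at the start and end of the period; end > start means the backlog is growing."""
    return open_count(records, start), open_count(records, end)


def velocity_per_week(records: list[Record], start: date, end: date) -> float:
    """Fixes landed per week over [start, end]."""
    fixes = sum(1 for r in records if r.resolved and start <= r.resolved <= end)
    weeks = (end - start).days / 7
    return fixes / weeks if weeks else float(fixes)


def recurrence_rate(records: list[Record]) -> float:
    """Fraction of distinct fingerprints that were resolved and later re-discovered."""
    by_fp: dict[str, list[Record]] = defaultdict(list)
    for r in records:
        by_fp[r.fingerprint].append(r)
    recurred = 0
    for rs in by_fp.values():
        rs = sorted(rs, key=lambda r: r.discovered)
        if any(prev.resolved and nxt.discovered > prev.resolved for prev, nxt in zip(rs, rs[1:])):
            recurred += 1
    return recurred / len(by_fp) if by_fp else 0.0


# Constructed sample: five records over Q1 2025, including one SQL injection
# that was fixed in January and re-introduced in February.
SAMPLE = [
    Record("CWE-89:app/db.py", "critical", date(2025, 1, 6), date(2025, 1, 10)),
    Record("CWE-79:templates/profile.html", "high", date(2025, 1, 6), date(2025, 2, 20)),
    Record("public_s3_bucket:customer-exports", "medium", date(2025, 1, 15)),
    Record("leaked_secret:config/.env", "critical", date(2025, 2, 1)),
    Record("CWE-89:app/db.py", "critical", date(2025, 2, 10), date(2025, 2, 12)),
]
PERIOD_START = date(2025, 1, 1)
TODAY = date(2025, 3, 1)
```

On the sample, MTTR is 17 days, SLA compliance is 50% (the high finding took 45 days against a 30-day SLA and the open critical secret is overdue; the medium bucket finding is not yet due and is excluded), the backlog grew from 0 to 2 open findings, and one of four fingerprints recurred.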
