Guide · 4 min read · updated May 9, 2026

Triage on Monday morning


The 45-minute window

It is Monday morning. Your scan ran over the weekend. You have 12 new findings in your inbox and standup starts in 45 minutes. You need to know, before you walk into that room, what is on fire and what can wait until Wednesday.

Most teams get this wrong. They spend the 45 minutes reading every finding in detail, panic-escalating the ones with scary names, and walk into standup with no clear plan. Do not do that. Triage is a sorting problem, not a reading problem. Your job is to put each finding in exactly one bucket: fix today, fix this sprint, or ticket and move on. The decision tree below does that in five questions. Most findings resolve at question one or two. You will be done in ten minutes, not 45.

The decision tree

Run every finding through these five questions in order and stop at the first yes. The one exception: a finding that answers yes to question 2 and also sits in a shared library or spans teams (question 3) gets both actions, the page before standup and the cross-team meeting, because a fix that only one team knows about is the one that gets missed.

  1. Is it critical severity AND publicly reachable? Fix today. Do not finish this list. Open a ticket, assign it to whoever is on-call, and mention it first in standup. Publicly reachable means: no authentication required, no VPN, no IP allowlist, accessible from the open internet.
  2. Does it let someone bypass authentication, gain privileges they should not have, or touch payments? Page the relevant team lead before standup, not during, before. Auth and payments bugs are never just engineering problems. They have legal, compliance, and customer-trust implications that your team lead needs to know about before anyone else starts asking questions.
  3. Does it span multiple teams or a shared library? Do not handle it solo. Schedule a cross-team meeting before the next sprint planning session. A finding in a shared authentication library used by four services is not a one-engineer ticket. Treating it as one is how fixes get applied to two services and missed in the other two.
  4. Is it a public-facing input, form, or API endpoint that takes attacker-controlled data without sanitization or limits? Ticket it as high priority for the current sprint. This is the classic XSS and injection surface, and an unthrottled password reset form belongs here too. It may not be critical severity, but it is reachable and it is being probed by automated scanners right now. Do not let it sit in the backlog for two sprints.
  5. Everything else. Create a ticket at default priority and triage it during the week when you have time to read the finding properly. Low-severity findings on internal tools, info-level exposures, configuration findings with compensating controls — these are real issues, but Monday morning is not when you reason about them carefully.

A worked example

Here are 12 findings from a real triage session. Walk through each one.

  1. CRITICAL SQL injection on public search endpoint — no auth required
  2. CRITICAL RCE on internal deployment tool — VPN + IP allowlist required
  3. HIGH Broken access control on /api/admin — requires valid session
  4. HIGH Privilege escalation in shared auth library — affects four services
  5. HIGH JWT signature not verified on payment webhook
  6. MEDIUM Stored XSS on public user profile page
  7. MEDIUM No rate limit on password reset endpoint
  8. MEDIUM IDOR on report download — requires authenticated session
  9. LOW Verbose error messages leaking stack traces — internal tool only
  10. LOW Missing CSRF protection on settings page — requires login
  11. INFO Server header exposing nginx version
  12. INFO TLS 1.0 still enabled on legacy subdomain

Apply the decision tree:

  1. Finding 1, critical and publicly reachable with no auth: question 1. Fix today, stop reading, first item in standup.
  2. Finding 2, critical but behind VPN and an IP allowlist: question 1 fails and nothing else fires. Default ticket, triaged during the week. It is still the first one to read when you get to that pile: a deployment tool is a short hop to everything it deploys.
  3. Finding 3, high, a valid session can reach /api/admin: question 2. Page the lead before standup.
  4. Finding 4, high, privilege escalation in a shared auth library used by four services: questions 2 and 3 both. Page the lead before standup and schedule the cross-team meeting; stopping at question 2 is how three of the four services never hear about it.
  5. Finding 5, high, JWT signature not verified on the payment webhook: question 2. Page the lead before standup.
  6. Finding 6, medium, stored XSS on a public profile page: question 4. High-priority ticket this sprint.
  7. Finding 7, medium, no rate limit on password reset: on its own it bypasses nothing, so question 2 passes, but it is an unauthenticated public endpoint that scanners will hammer. Question 4, high-priority ticket this sprint.
  8. Finding 8, medium, IDOR on report download behind an authenticated session: another user's report, not a privilege gain, and not public. Question 5, default ticket. Bump it during the week if the reports hold customer data.
  9. Findings 9 to 12, low and info, internal or non-critical: question 5, default tickets.

Result: 1 finding fixed today, 3 leads paged before standup (one of those also gets the cross-team meeting), 2 high-priority tickets, 6 default tickets. Five minutes thinking. 12 findings sorted. Time to write tickets.
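The decision tree, run over the 12 findings above, as an added Python example that is not part of the original guide. The five booleans on each finding are this example's reading of the routing the page gives each one (the page states the findings, not the fields), and the one deliberate departure from "stop at the first yes" is that an auth finding in a shared library picks up both the page and the cross-team meeting.

```python
"""Monday-morning triage: the five-question decision tree as a function,
run over the 12 findings from the worked example. Added illustration;
the field values below are this example's reading of each finding."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: int
    severity: str           # CRITICAL, HIGH, MEDIUM, LOW or INFO, as the scanner reports it
    public: bool            # reachable with no auth, no VPN, no IP allowlist
    auth_or_payments: bool  # bypasses authn/authz, gains privileges, or touches payments
    cross_team: bool        # lives in a shared library or spans several teams
    public_input: bool      # public-facing input/form/endpoint taking attacker data
    title: str = ""


def triage(f: Finding) -> tuple[str, list[str]]:
    """Return (bucket, actions) for one finding.

    Questions are asked in order and the first yes decides the bucket.
    The one exception: an auth/payments finding that is also cross-team
    (question 2 and question 3) picks up both actions, because stopping at
    question 2 is how a shared-library fix reaches one service and misses
    the other three.
    """
    # Q1: critical and on the open internet. Terminal.
    if f.severity == "CRITICAL" and f.public:
        return "fix_today", ["assign to on-call", "first item in standup"]
    # Q2: authentication, authorization or payments. Lead is paged before standup.
    if f.auth_or_payments:
        actions = ["page team lead before standup"]
        if f.cross_team:
            actions.append("schedule cross-team meeting")
        return "page_lead", actions
    # Q3: shared library or several teams. Not a one-engineer ticket.
    if f.cross_team:
        return "cross_team", ["schedule cross-team meeting before sprint planning"]
    # Q4: public-facing surface that scanners are probing right now.
    if f.public_input:
        return "high_priority", ["high-priority ticket, current sprint"]
    # Q5: everything else. Read it properly later in the week.
    return "default", ["default-priority ticket"]


def summarize(findings):
    """Count how many findings land in each bucket."""
    return Counter(triage(f)[0] for f in findings)


# The 12 findings from the worked example, with the reading of each one
# that the page's routing implies (constructed data for this example).
FINDINGS = [
    Finding(1, "CRITICAL", True, False, False, True, "SQLi on public search, no auth"),
    Finding(2, "CRITICAL", False, False, False, False, "RCE on deploy tool, VPN + allowlist"),
    Finding(3, "HIGH", False, True, False, False, "Broken access control on /api/admin"),
    Finding(4, "HIGH", False, True, True, False, "Privesc in shared auth library"),
    Finding(5, "HIGH", True, True, False, True, "JWT signature unchecked on payment webhook"),
    Finding(6, "MEDIUM", True, False, False, True, "Stored XSS on public profile page"),
    Finding(7, "MEDIUM", True, False, False, True, "No rate limit on password reset"),
    Finding(8, "MEDIUM", False, False, False, False, "IDOR on report download, needs session"),
    Finding(9, "LOW", False, False, False, False, "Stack traces in errors, internal tool"),
    Finding(10, "LOW", False, False, False, False, "Missing CSRF token on settings page"),
    Finding(11, "INFO", True, False, False, False, "Server header leaks nginx version"),
    Finding(12, "INFO", True, False, False, False, "TLS 1.0 enabled on legacy subdomain"),
]

if __name__ == "__main__":
    for f in FINDINGS:
        bucket, actions = triage(f)
        print(f"{f.id:>2} {f.severity:<8} {bucket:<13} {'; '.join(actions)}")
    print(dict(summarize(FINDINGS)))
```

The point of encoding the tree is that the judgement calls (is this a bypass or just auth-adjacent, is it really public) live in five booleans per finding, which is what you fill in from the scanner report in the 45 minutes; the sorting itself is mechanical and should never be where the time goes.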
