Findings → Remediation Roadmap
Embeds into any Y6 proposal as §4. Generated from the G3 Discovery report: each finding already carries a
severity and a remediation_asset_id. Group by severity; within each band, sequence low-effort fixes first, so the highest-severity, lowest-effort items lead the table.
Source audit: {{CLIENT}} Discovery Audit | Findings: {{FINDING_COUNT}}
Summary
| Severity | Count | Engagement phase |
|---|---|---|
| Critical | {{CRIT_COUNT}} | Week 1–2 |
| High | {{HIGH_COUNT}} | Week 2–4 |
| Medium | {{MED_COUNT}} | Week 4–6 / retainer |
Remediation table
One row per finding.
Asset is the SnowOps §4 module/asset that closes the finding: the same remediation_asset_id from the G2 rule that produced it.
| # | Finding | Severity | Fixed by (asset) | Effort | Phase |
|---|---|---|---|---|---|
| 1 | e.g. No Conditional Access policies (IAM-001) | Critical | H2 (conditional-access) | ~M | Wk 1 |
| 2 | e.g. NSGs allow SSH/RDP from internet (NET-002) | Critical | N6 (NSG baseline) | ~S | Wk 1 |
| 3 | e.g. Storage allows public network access (NET-001) | High | N5 (private endpoint enforcement) | ~M | Wk 2 |
| 4 | e.g. Storage permits TLS < 1.2 (ENC-001) | High | D3 (OPA bundle) + M3 (TLS enforcement) | ~S | Wk 2 |
| 5 | e.g. Key Vault purge protection disabled (ENC-003) | High | F5 (key-vault) | ~S | Wk 2 |
| 6 | e.g. Defender plans disabled (LOG-001) | High | F1 / B3 (baseline) | ~S | Wk 1 |
| 7 | e.g. SP secrets > 90 days old (IAM-002) | Medium | H5 (sp-inventory + rotation) | ~S | Wk 5 |
| 8 | e.g. No subscription budget (COST-001) | Medium | U1 (budget module) | ~S | retainer |
| … | {{ADDITIONAL_FINDINGS}} | | | | |
Effort key: ~S ≤ 1 day · ~M ≤ 3 days · ~L > 3 days. Map to the Y2 price gates.
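The sequencing rule above (severity band first, effort within the band) and the asset column are mechanical enough to generate from the G3 export rather than by hand. The following is an added worked example, not part of the template or the SnowOps tooling: it assumes findings arrive as dicts with `id`, `title`, `severity`, `effort` and `assets` keys (the real G3 field names are not given on this page), uses the template's own severity bands, effort sizes and sample findings, and sets the phase to the earliest week of the band from the Summary table (the sample rows above were hand-adjusted, e.g. LOG-001 pulled into Wk 1, which this code does not do). It also produces a build order that lists each asset once with every finding it closes, which is what the engineering side needs when one asset such as N5 or H5 closes several findings.

```python
from collections import OrderedDict

# Lower rank sorts first. Bands and effort sizes are the template's own
# (Effort key: ~S <= 1 day, ~M <= 3 days, ~L > 3 days).
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
EFFORT_RANK = {"~S": 0, "~M": 1, "~L": 2}
# Earliest engagement week per band, from the Summary table; None = retainer.
PHASE_START = {"Critical": 1, "High": 2, "Medium": 4, "Low": None}

# Constructed sample input, using the finding IDs shown in the template.
# The dict shape is an assumption; the G3 report's field names are not on the page.
FINDINGS = [
    {"id": "IAM-001", "title": "No Conditional Access policies", "severity": "Critical", "effort": "~M", "assets": ["H2"]},
    {"id": "NET-002", "title": "NSGs allow SSH/RDP from internet", "severity": "Critical", "effort": "~S", "assets": ["N6"]},
    {"id": "NET-001", "title": "Storage allows public network access", "severity": "High", "effort": "~M", "assets": ["N5"]},
    {"id": "ENC-001", "title": "Storage permits TLS < 1.2", "severity": "High", "effort": "~S", "assets": ["D3", "M3"]},
    {"id": "IAM-002", "title": "SP secrets > 90 days old", "severity": "Medium", "effort": "~S", "assets": ["H5"]},
    {"id": "COST-001", "title": "No subscription budget", "severity": "Medium", "effort": "~S", "assets": ["U1"]},
]


def sequence(findings):
    """Order findings by severity band, then by effort within the band.
    sorted() is stable, so ties keep the report's original order."""
    for f in findings:
        if f["severity"] not in SEVERITY_RANK or f["effort"] not in EFFORT_RANK:
            # A finding with an unknown band or size would silently sort last;
            # fail loudly instead so the G2 rule gets fixed.
            raise ValueError(f"unknown severity/effort on {f['id']}")
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], EFFORT_RANK[f["effort"]]))


def phase(finding):
    """Earliest week of the finding's band, or 'retainer' when the band has none."""
    week = PHASE_START[finding["severity"]]
    return f"Wk {week}" if week else "retainer"


def roadmap_rows(findings, roadmap_assets=frozenset()):
    """Rows for the remediation table: (#, finding, severity, fixed-by, effort, phase).
    roadmap_assets is the (assumed, caller-supplied) set of not-yet-shipped asset IDs;
    those are labelled rather than implied as shipped product."""
    rows = []
    for n, f in enumerate(sequence(findings), start=1):
        fixed_by = " + ".join(f["assets"])
        if any(a in roadmap_assets for a in f["assets"]):
            fixed_by += " (delivered during engagement)"
        rows.append((n, f"{f['title']} ({f['id']})", f["severity"], fixed_by, f["effort"], phase(f)))
    return rows


def build_order(findings):
    """Assets in the order first needed, each with every finding it closes.
    An asset shared by several findings is built once, at its earliest slot."""
    order = OrderedDict()
    for f in sequence(findings):
        for asset in f["assets"]:
            order.setdefault(asset, []).append(f["id"])
    return order


if __name__ == "__main__":
    for row in roadmap_rows(FINDINGS):
        print("| " + " | ".join(str(c) for c in row) + " |")
    for asset, ids in build_order(FINDINGS).items():
        print(asset, "closes", ", ".join(ids))
```

The build order is the check worth running before quoting effort: if the same asset appears under several findings, the ~S/~M estimate should be counted once for the asset, not once per row, or the Y2 price gate is overstated.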
What the roadmap proves
- Every gap has a named, productized fix — not a research project.
- Sequenced for impact: critical + low-effort first; the deal-blocking control gets fixed in week 1.
- Compliance coverage: the fixes map to {{FRAMEWORK}} controls — see the Y7 coverage matrix.
Assets still on the roadmap (not yet shipped) are marked "(delivered during engagement, Mx)" in the Fixed by column; never imply they are shipped product. Nidhi reviews framework-claim language.