Is the remediation suggestion given by the scanner accurate?
These suggestions can be incorrect, outdated, or irrelevant to the specific system. Further research may be needed to produce accurate guidance.
Is the remediation suggestion tailored to the environment?
The canned suggestions given by the scanner are often only relevant to one software stack. For instance, most suggestions provide guidance for remediating issues in Apache, but not IIS, Tomcat, or nginx.
Who should receive the remediation guidance?
Find out who owns the asset. Find out if developers need to be brought in. Find out who has permission to make and deploy changes.
Is the remediation guidance in terms the asset owner will understand?
Some asset owners are more technical than others. Some are technical but only in their specific niche. Tailor the remediation guidance by using terms that the asset owner will understand.
What is the best way to deliver the guidance?
The issue might need to be emailed out, put into a ticketing system, opened in a code management system, or some combination of these options.