Josh Thomson Action Centre

How to Automate Security Gap Remediation

Security teams identify thousands of vulnerabilities and configuration gaps but struggle to track remediation progress. Issues get lost in spreadsheets, duplicated across multiple systems, and resolved without central visibility.

ThreatAware's Action Centre transforms security gap identification into automated remediation workflows that track issues from discovery through resolution.

The Remediation Bottleneck

Traditional security operations follow a broken pattern:

  1. Discovery: Vulnerability scanners and compliance tools identify issues
  2. Reporting: Security teams generate lists and spreadsheets
  3. Assignment: Manual ticket creation and assignment to responsible teams
  4. Tracking: Email follow-ups and status meetings
  5. Verification: Manual checking whether issues were actually resolved

This process creates friction, delays, and accountability gaps that leave organisations vulnerable while teams believe issues are being addressed.

Two Types of Security Actions

Continuous Actions: For ongoing security requirements like "ensure all Windows servers have Windows Defender deployed and functioning". These run persistently, automatically triggering remediation whenever a device matches the defined criteria.

Snapshot Actions: For defined sets of issues with completion deadlines like "patch these 47 critical vulnerabilities by month-end". These capture a specific problem set and track progress toward zero remaining issues.

Automated Workflow Integration

The Action Centre integrates with existing workflow automation platforms:

Power Automate Integration: Create workflows that automatically deploy software, configure settings, or escalate issues based on ThreatAware findings.

Tines Integration: Build sophisticated security orchestration workflows that combine multiple remediation steps and decision points.

ServiceNow Integration: Automatically create and update tickets with context from ThreatAware asset data.

Custom Webhooks: Connect to any system with API capabilities for custom remediation workflows.

Intelligent Issue Tracking

The Action Centre distinguishes between automation success and problem resolution:

Automation Tracking: Did the remediation workflow execute successfully? This confirms the technical process completed without errors.

Item Resolution: Did the underlying security issue actually get fixed? This validates the business outcome rather than just technical execution.

This dual tracking prevents false confidence from successful workflow execution that didn't actually resolve the underlying security problem.

Real-World Implementation Examples

Continuous EDR Deployment:

  • Trigger: Any Windows endpoint lacks CrowdStrike deployment
  • Action: Power Automate workflow deploys agent via RMM platform
  • Verification: ThreatAware confirms agent is installed and communicating
  • Escalation: If deployment fails after 48 hours, create ServiceNow ticket for manual intervention

Snapshot Patch Management:

  • Trigger: Monthly critical vulnerability report identifies 156 affected systems
  • Action: Create snapshot action with 30-day deadline
  • Workflows: Automated patching for standard systems, manual tickets for complex environments
  • Progress Tracking: Real-time dashboard showing resolved vs. remaining systems

Configuration Drift Remediation:

  • Trigger: Continuous monitoring detects firewall policy changes
  • Action: Automatic policy restoration for unauthorised changes
  • Verification: Policy compliance check confirms correct configuration
  • Reporting: Security team notification of automatic remediation

Advanced Automation Features

Threshold Controls: Limit automated actions to prevent unintended mass changes. Set maximum devices per hour for deployment workflows to avoid overwhelming systems.

Stop Triggers: Automatically pause automation if error rates exceed defined thresholds, preventing cascade failures from faulty workflows.

Column Selection: Specify which asset data fields to include in workflow payloads, ensuring automation systems receive necessary context.

Time Delays: Configure minimum time devices must remain in problem state before triggering actions, preventing responses to temporary conditions.
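As an added illustration (not ThreatAware's code; the class and field names are assumptions), this models how a continuous action can apply the Time Delay, Threshold Control and Stop Trigger settings above while recording the Automation Tracking and Item Resolution results separately, as described under Intelligent Issue Tracking:

```python
from dataclasses import dataclass, field
from typing import Callable, List

# Hypothetical model of a continuous action; all names here are assumptions,
# not ThreatAware's own API. Times are Unix epoch seconds.

@dataclass
class Device:
    name: str
    in_problem_since: float  # epoch seconds when the device first matched the criteria

@dataclass
class Outcome:
    device: str
    automation_ok: bool  # Automation Tracking: did the workflow run without error?
    resolved: bool       # Item Resolution: does a fresh check show the gap is closed?

@dataclass
class ContinuousAction:
    min_dwell_s: float     # Time Delay: skip devices in problem state for less than this
    max_per_hour: int      # Threshold Control: cap on devices triggered per rolling hour
    max_error_rate: float  # Stop Trigger: pause when recent workflow failures exceed this
    paused: bool = False
    history: List[Outcome] = field(default_factory=list)
    triggered_at: List[float] = field(default_factory=list)

    def run(self, now: float, devices: List[Device],
            workflow: Callable[[Device], bool], verify: Callable[[Device], bool]):
        """Trigger the workflow for eligible devices; record both tracking results."""
        outcomes: List[Outcome] = []
        self.triggered_at = [t for t in self.triggered_at if t > now - 3600]
        for dev in devices:
            if self.paused or len(self.triggered_at) >= self.max_per_hour:
                break  # stop trigger fired or hourly threshold reached
            if now - dev.in_problem_since < self.min_dwell_s:
                continue  # transient condition, not in problem state long enough
            ran_ok = workflow(dev)
            outcome = Outcome(dev.name, ran_ok, ran_ok and verify(dev))
            outcomes.append(outcome)
            self.history.append(outcome)
            self.triggered_at.append(now)
            recent = self.history[-10:]
            failures = sum(1 for o in recent if not o.automation_ok)
            if len(recent) >= 5 and failures / len(recent) > self.max_error_rate:
                self.paused = True  # faulty workflow: stop before it cascades
        return outcomes
```

A workflow that returns success while `verify` still reports the gap yields `automation_ok=True, resolved=False`, which is exactly the false-confidence case the dual tracking is meant to expose.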

Team Collaboration Features

Assignment Management: Assign actions to specific team members or groups with clear accountability.

Project Organisation: Group related actions into projects for coordinated remediation campaigns.

Progress Dashboards: Visual representations of remediation progress with drill-down capabilities for detailed analysis.

Deadline Tracking: Clear visibility into approaching deadlines with automated notifications for at-risk actions.

Integration Architecture

The Action Centre operates through ThreatAware's comprehensive asset visibility, ensuring automation decisions use accurate, real-time data:

Asset Context: Every action includes complete device information (user, location, specifications, and current security status).

Real-Time Updates: Actions trigger based on current device state, not stale data from periodic scans.

Cross-Platform Validation: Remediation verification occurs across multiple management systems for comprehensive confirmation.

Historical Tracking: Complete audit trail of all automated actions and their outcomes for compliance and analysis.

Secure Every Device in Your Network

Instantly uncover and protect every asset in your IT estate with ThreatAware.

Identify unknown devices, reconcile asset data across platforms, and eliminate security gaps to ensure continuous cyber hygiene.
