
Overview

Impact helps you understand how much security risk a remediation is expected to reduce. Not every remediation delivers the same security value. Some remediations address highly severe or time-sensitive vulnerabilities, while others improve posture but are less urgent. Backline calculates Impact to answer a practical question:
“How important is it to resolve this remediation from a security perspective?”
This helps security and engineering teams understand which remediations are likely to deliver the greatest risk reduction.

Where to Find It

Open a remediation and navigate to: Remediation Side Panel → Overview tab.
Impact is displayed alongside Fixability and Priority to help explain how Backline ranks remediations.

What Impact Shows

The Impact section provides a simple view of how much security value a remediation is expected to deliver. It includes:
  • Impact badge: High, Medium, or Low
  • Explanation: Plain-language explanation of what drives the score

Impact Badges

Backline assigns one of three Impact badges:

High Impact

This remediation is expected to significantly reduce security risk. Used when the remediation addresses vulnerabilities that are highly severe, highly time-sensitive, or both.

Medium Impact

This remediation provides meaningful security improvement, but is not among the most urgent items in the queue. Used when the remediation reduces real risk, but the underlying vulnerabilities are not currently at the highest severity or nearest SLA deadline.

Low Impact

This remediation provides limited immediate risk reduction compared with other remediations. Used when the underlying vulnerabilities have lower severity, lower urgency, or both.

How It Works

Backline calculates Impact using two inputs from the actionable vulnerabilities included in the remediation:
  • Severity
  • SLA urgency
Backline first filters to actionable vulnerabilities only. It then identifies the most representative vulnerability by selecting the one with the highest severity score. If multiple vulnerabilities have the same severity score, Backline selects the one with the highest SLA urgency. The final score is calculated using the selected finding:
Impact = (0.7 × Severity score) + (0.3 × SLA urgency)
This keeps the model simple and explainable, while still accounting for both technical severity and operational urgency.

Impact Factors

Severity: Determines the potential technical impact of the most important vulnerability addressed by the remediation. Severity is converted into a normalized score:
  • Critical = 95
  • High = 80
  • Medium = 55
  • Low = 25
SLA urgency: Determines how time-sensitive the remediation is based on the SLA due date of the selected vulnerability. SLA urgency is mapped as follows:
  • Overdue = 100
  • Due in 3 days or less = 90
  • Due in 14 days or less = 75
  • Due in 30 days or less = 60
  • Due in 60 days or less = 40
  • More than 60 days away or missing SLA = 20
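
The selection rule and the two mappings above can be reproduced to check a displayed score by hand. The sketch below is an added example, not Backline's code, and it returns only the numeric score because this page does not give the cut-offs between the High, Medium and Low badges. Assumptions: the `Vuln` record and its field names, the `actionable` flag, treating a due date of today as "due in 0 days", and returning `None` when no vulnerability is actionable.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

SEVERITY_SCORE = {"critical": 95, "high": 80, "medium": 55, "low": 25}
# (maximum days until the SLA due date, urgency), checked in ascending order
SLA_BUCKETS = [(3, 90), (14, 75), (30, 60), (60, 40)]

@dataclass
class Vuln:                      # hypothetical record shape, not Backline's schema
    vuln_id: str
    severity: str                # "Critical" | "High" | "Medium" | "Low"
    sla_due: Optional[date]      # None when SLA data is missing
    actionable: bool = True      # assumed flag for the "actionable only" filter

def sla_urgency(sla_due, today):
    if sla_due is None:
        return 20                # missing SLA: low urgency, not zero
    days_left = (sla_due - today).days
    if days_left < 0:            # assumption: due today is "due in 0 days"
        return 100
    for max_days, urgency in SLA_BUCKETS:
        if days_left <= max_days:
            return urgency
    return 20                    # more than 60 days away

def impact_score(vulns, today):
    """Return (selected vuln id, score), or None if nothing is actionable."""
    def rank(v):                 # highest severity first, SLA urgency breaks ties
        return (SEVERITY_SCORE[v.severity.lower()], sla_urgency(v.sla_due, today))
    actionable = [v for v in vulns if v.actionable]
    if not actionable:
        return None              # assumption: the page does not define this case
    chosen = max(actionable, key=rank)
    severity, urgency = rank(chosen)
    return chosen.vuln_id, round(0.7 * severity + 0.3 * urgency, 1)

TODAY = date(2025, 1, 15)        # constructed sample data
SAMPLE = [
    Vuln("V-1", "Critical", date(2025, 1, 10), actionable=False),  # filtered out
    Vuln("V-2", "High", date(2025, 1, 17)),    # due in 2 days
    Vuln("V-3", "High", None),                 # same severity, missing SLA
    Vuln("V-4", "Medium", date(2025, 1, 1)),   # overdue, but lower severity
]

if __name__ == "__main__":
    print(impact_score(SAMPLE, TODAY))
```

In the sample, the overdue Medium finding never becomes the selected vulnerability: SLA urgency only breaks ties between findings of equal severity, so the remediation is scored from the High finding due in two days.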

Understanding the Result

Impact is remediation-focused. It reflects the expected value of fixing the remediation, not just the raw severity of a single vulnerability. For example:
  • A remediation may have High Impact if it addresses a critical vulnerability that is close to breaching SLA.
  • A remediation may have Medium Impact if it fixes high-severity issues that are not currently time-sensitive.
  • A remediation may have Low Impact if it addresses lower-severity vulnerabilities or vulnerabilities with distant SLA deadlines.

Why This Matters

Impact helps teams focus on remediations that are expected to reduce the most meaningful security risk. Severity alone does not fully explain why one remediation matters more than another. Impact adds operational context by combining severity with urgency. This helps teams:
  • prioritize remediations with the greatest expected risk reduction
  • identify time-sensitive remediation work
  • understand why a remediation is important
  • compare security value across the queue

Best Practices

Use Impact together with Fixability and Priority. A common workflow is:
  1. Review the Impact badge
  2. Understand whether the remediation is reducing urgent or significant risk
  3. Compare it with Fixability before deciding what to address first
  4. Use Priority as the final ranking signal
Impact should not be interpreted in isolation. A high-impact remediation may still require careful review if the change is complex or risky.

FAQ

Is Impact the same as severity?

No. Severity reflects the potential technical impact of a vulnerability. Impact reflects how much security risk the remediation is expected to reduce, based on severity and SLA urgency.

Can a remediation have a high-severity vulnerability but only medium Impact?

Yes. If the vulnerabilities are not especially time-sensitive from an SLA perspective, the overall Impact score may be lower.

What happens if SLA data is missing?

If SLA data is missing, Backline uses a low urgency value rather than zero. This prevents missing SLA data from fully removing the remediation’s importance.

Is Impact shown as a number or a label?

Both. Backline shows a numeric score from 0 to 100 and a badge of High, Medium, or Low.

Priority

Understand how Impact combines with Fixability to determine overall remediation priority

Fixability

Learn how Backline estimates how safe a remediation is to apply

SLA Settings

Configure SLA policies that influence Impact scoring

Remediations

Understand how remediations work in Backline