Overview

Priority helps you understand which remediations Backline recommends addressing first. When multiple remediations are available, Backline uses Priority to create a deterministic and explainable ranking across the queue. Priority balances two practical questions:
  • How much risk will this remediation reduce?
  • How safe is it to apply right now?
Together, these come down to one question: “Which remediation should be prioritized first?”
Backline calculates Priority from Impact and Fixability to answer this question, helping security and engineering teams align urgency with delivery safety.

Where to Find It

Open a remediation and navigate to: Remediation Side Panel → Overview tab.
Priority is displayed alongside Impact and Fixability to explain how the remediation is ranked relative to others.

What Priority Shows

The Priority section provides the final ranking label for the remediation. It includes:
  • Priority label: P1, P2, or P3
  • Explanation: Summary of how Impact and Fixability contributed to the result

Priority Labels

Backline assigns one of three Priority labels:

P1 - Highest Priority

This remediation is among the highest-priority items in the queue. Used when the remediation combines strong risk reduction with a sufficiently favorable safety profile.

P2 - Important

This remediation is important, but not among the top-ranked items. Used when the remediation has meaningful value but ranks below the highest-priority work.

P3 - Lower Priority

This remediation is lower priority relative to the rest of the queue. Used when the remediation currently delivers less urgency, less safety, or a weaker balance of both than higher-ranked items.

How It Works

Priority is derived from Impact and Fixability using a weighted combination of both scores:

  Priority = (Impact weight × Impact score) + (Fixability weight × Fixability score)

By default:
  • Impact weight = 0.6
  • Fixability weight = 0.4
This means the model gives slightly more importance to security value, while still accounting for expected rollout safety. The resulting score is then mapped to a label:
  • P1 = 75 to 100
  • P2 = 50 to 74
  • P3 = 0 to 49

Priority Factors

Impact

Impact measures how much security risk the remediation is expected to reduce. Higher Impact generally pushes Priority upward.

Fixability

Fixability measures how safe and easy the remediation is expected to be to apply. Higher Fixability also pushes Priority upward. Together, these factors create the final ranking shown in the remediation queue.

Understanding the Result

Priority is a balancing signal. It does not represent severity alone, and it does not represent implementation safety alone. For example:
  • A remediation may be P1 because it has both high Impact and strong Fixability.
  • A remediation may be P2 because it reduces meaningful risk, but has some delivery complexity.
  • A remediation may be P3 because it provides lower immediate value, lower expected safety, or both.
Two remediations with similar vulnerability severity may still receive different Priority labels if their Fixability is different.

Missing Data Behavior

Priority adapts automatically when one of its inputs is unavailable.
  • If Impact is missing but Fixability is available, Priority is based on Fixability.
  • If Fixability is missing but Impact is available, Priority is based on Impact.
  • If both Impact and Fixability are missing, Priority is N/A.
This allows Backline to continue ranking remediations when partial scoring data is available.
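
The weighted formula from How It Works and the fallback rules above, worked through on a small queue. This is an added example, not Backline's own code. It assumes both scores are on a 0-100 scale, that a fallback uses the available score unweighted, that scores are compared to the band lower bounds without rounding, and that ties are broken by a hypothetical `rid` field; the sample queue is constructed.

```python
from dataclasses import dataclass
from typing import Optional

IMPACT_WEIGHT, FIXABILITY_WEIGHT = 0.6, 0.4   # defaults stated on the page

@dataclass(frozen=True)
class Remediation:
    rid: str                     # hypothetical identifier
    impact: Optional[float]      # assumed 0-100; None when unavailable
    fixability: Optional[float]  # assumed 0-100; None when unavailable

def priority_score(r: Remediation) -> Optional[float]:
    """Weighted score; falls back to the one available input, None if both are missing."""
    for value in (r.impact, r.fixability):
        if value is not None and not 0 <= value <= 100:
            raise ValueError(f"{r.rid}: score {value} is outside 0-100")
    if r.impact is None and r.fixability is None:
        return None
    if r.impact is None:
        return float(r.fixability)   # assumption: available score used unweighted
    if r.fixability is None:
        return float(r.impact)
    return IMPACT_WEIGHT * r.impact + FIXABILITY_WEIGHT * r.fixability

def priority_label(score: Optional[float]) -> str:
    """Map a score to the page's bands (assumption: no rounding before comparison)."""
    if score is None:
        return "N/A"
    return "P1" if score >= 75 else "P2" if score >= 50 else "P3"

def rank_queue(queue):
    """Highest score first, N/A last; ties broken by rid (an assumption) for determinism."""
    scored = [(r.rid, priority_label(priority_score(r)), priority_score(r)) for r in queue]
    return sorted(scored, key=lambda t: (t[2] is None, -(t[2] or 0.0), t[0]))

# Constructed sample queue: rem-a and rem-b share the same Impact but differ in Fixability.
QUEUE = [
    Remediation("rem-a", impact=90, fixability=60),
    Remediation("rem-b", impact=90, fixability=20),
    Remediation("rem-c", impact=None, fixability=80),
    Remediation("rem-d", impact=40, fixability=None),
    Remediation("rem-e", impact=None, fixability=None),
]

if __name__ == "__main__":
    for rid, label, score in rank_queue(QUEUE):
        print(rid, label, "N/A" if score is None else f"{score:.1f}")
```
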

Why This Matters

Priority helps teams decide what to address first without relying on severity alone. A remediation backlog often includes a mix of urgent, easy, complex, and low-value work. Priority gives teams a single explainable ordering that balances security urgency with engineering practicality. This helps teams:
  • sort remediation queues consistently
  • identify the most important work to review first
  • explain why one remediation is ranked above another
  • align security goals with safe rollout practices

Best Practices

Use Priority as the default ranking signal for remediation triage. A common workflow is:
  1. Review the Priority label
  2. Compare the underlying Impact and Fixability scores
  3. Read the explanation for why the remediation ranked where it did
  4. Use engineering judgment for final review and rollout decisions
Priority is designed to guide triage, not replace review. High-priority remediations should still be evaluated in context.

FAQ

Is Priority the same as severity?

No. Priority is a combined ranking signal based on Impact and Fixability. Severity is only one input into Impact.

Why is a remediation with severe vulnerabilities not always P1?

Because Priority also accounts for expected rollout safety. A remediation may reduce significant risk but still rank lower if it appears risky or difficult to apply.

Can a low-impact remediation still become P1?

It is unlikely under default weighting, but possible if Fixability is very strong and the queue overall is weak. Priority always reflects the final weighted balance.

What happens if one of the underlying scores is missing?

Priority automatically falls back to the available score. If both Impact and Fixability are missing, Priority is shown as N/A.
