1-click remediation and patching

What sets ZEUS apart from "passive" reporting tools is closing the loop — we don't just find, we fix and verify.

Bulk-patch — fixing many hosts at once

The /api/v1/vulnerabilities/bulk-patch endpoint queues remediation runs on all machines with open findings. The body accepts, among others, the fields below (scope is either "lab" or "all"):

{
  "scope": "lab",
  "auto_approve": true,
  "dry_run": false,
  "finding_ids": [123, 456]
}

It returns { planned, enqueued, runs: [...] }. Each run has a run_id, a target and a script_id.
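To make the request/response contract concrete, here is an added example (not ZEUS's own code) that validates the body fields listed above on the client side and models the server's selection over a constructed set of findings. Everything about how the server selects findings is an assumption: that it skips findings with no script_id, that dry_run plans without enqueuing, and that finding_ids narrows the selection; the env field and the skipped_no_script key are constructed for the example.

```python
# Added example (not ZEUS's own code): a client-side model of the bulk-patch
# contract from the text. Assumed, not stated on the page: the server skips
# findings with no script_id, dry_run plans without enqueuing, and finding_ids
# narrows the selection. The sample findings are constructed.
from dataclasses import dataclass
from typing import Optional

VALID_SCOPES = ("lab", "all")


@dataclass
class Finding:
    finding_id: int
    host: str
    env: str                          # "lab" or "prod" (constructed label)
    state: str
    script_id: Optional[str] = None   # None = no mapped remediation script


SAMPLE_FINDINGS = [                   # constructed inventory
    Finding(123, "web-01", "lab", "open", "apt-upgrade"),
    Finding(456, "win-07", "lab", "open", "winupdate-kb"),
    Finding(789, "web-02", "prod", "open", "apt-upgrade"),
    Finding(790, "bastion", "prod", "open", None),             # config fix: manual
    Finding(791, "web-03", "lab", "resolved", "apt-upgrade"),  # not open, not selected
]


def build_request(scope="all", auto_approve=False, dry_run=True, finding_ids=None):
    """Validate the body fields the page lists before they leave the client."""
    if scope not in VALID_SCOPES:
        raise ValueError(f"scope must be one of {VALID_SCOPES}")
    if finding_ids is not None and not all(isinstance(i, int) for i in finding_ids):
        raise ValueError("finding_ids must be integers")
    body = {"scope": scope, "auto_approve": bool(auto_approve), "dry_run": bool(dry_run)}
    if finding_ids:
        body["finding_ids"] = list(finding_ids)
    return body


def plan_bulk_patch(findings, body):
    """Return {planned, enqueued, runs} for a body, modelling the server's selection."""
    selected = [f for f in findings if f.state == "open"]
    if body["scope"] == "lab":
        selected = [f for f in selected if f.env == "lab"]
    wanted = set(body.get("finding_ids") or [])
    if wanted:
        selected = [f for f in selected if f.finding_id in wanted]
    runs, skipped = [], []
    for f in selected:
        if f.script_id is None:           # no mapped script: manual workflow, not a run
            skipped.append(f.finding_id)
            continue
        runs.append({"run_id": len(runs) + 1, "target": f.host,
                     "script_id": f.script_id, "finding_id": f.finding_id})
    return {
        "planned": len(runs),
        "enqueued": 0 if body["dry_run"] else len(runs),   # dry run: plan only
        "runs": runs,
        "skipped_no_script": skipped,     # constructed extra field for the caller
    }


def script_coverage(findings):
    """Share of findings with a mapped script: the honest number for the demo."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f.script_id is not None) / len(findings)


if __name__ == "__main__":
    body = build_request(scope="lab", dry_run=True, finding_ids=[123, 456, 790])
    print(plan_bulk_patch(SAMPLE_FINDINGS, body))
    print(f"script coverage: {script_coverage(SAMPLE_FINDINGS):.0%}")
```

Running with dry_run first is the safe habit: the planned count tells you how many runs a real call would enqueue, and skipped_no_script lists what still needs the manual workflow.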

Does it work for everything?

No — and it is important to say so honestly. Bulk-patch works for findings that have a mapped remediation script (script_id):

  • ✅ Linux package updates (apt/yum/dnf)
  • ✅ Windows Update (selected KBs)
  • ✅ container image upgrade (PR with a pinned version)
  • ❌ configuration fixes (manual workflow)
  • ❌ IaC drift remediation (manual PR)
  • ❌ zero-day mitigations without an official patch

Honesty rule in the demo: say "1-click bulk patching for vulnerabilities with a mapped script (~70% of the CVE corpus)". Don't promise it will fix everything.

Finding state machine

Each finding goes through:

open → triaged → fix-in-progress → resolved → verified

After running the script, ZEUS verifies the fix (a re-scan confirms that the finding is gone) — hence the verified state, not just resolved.
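The lifecycle above, written out as an explicit transition table so that "verified" cannot be reached without re-scan evidence. This is an added example, not ZEUS's own code; the reopen path from resolved back to open after a failed re-scan is an assumption, as the page only lists the forward chain.

```python
# Added example (not ZEUS's own code): the finding lifecycle from the text as an
# explicit transition table. Assumption not on the page: a re-scan that still
# finds the issue sends a "resolved" finding back to "open".
from dataclasses import dataclass, field
from typing import List

STATES = ("open", "triaged", "fix-in-progress", "resolved", "verified")

TRANSITIONS = {
    "open": {"triaged"},
    "triaged": {"fix-in-progress"},
    "fix-in-progress": {"resolved"},
    "resolved": {"verified", "open"},   # "open" = reopen after a failed re-scan
    "verified": set(),                  # terminal
}


class TransitionError(Exception):
    pass


@dataclass
class Finding:
    finding_id: int
    state: str = "open"
    history: List[str] = field(default_factory=list)

    def transition(self, new_state, *, rescan_clean=None):
        """Move to new_state; 'verified' needs a clean re-scan as evidence."""
        if new_state not in STATES:
            raise TransitionError(f"unknown state {new_state!r}")
        if new_state not in TRANSITIONS[self.state]:
            raise TransitionError(f"{self.state} -> {new_state} is not allowed")
        if new_state == "verified" and rescan_clean is not True:
            raise TransitionError("verified requires a clean re-scan, not just a run")
        self.history.append(f"{self.state}->{new_state}")
        self.state = new_state
        return self.state


def close_after_run(finding, rescan_still_finds_it):
    """The step after a remediation run: resolve, then verify or reopen."""
    finding.transition("resolved")
    if rescan_still_finds_it:
        return finding.transition("open")
    return finding.transition("verified", rescan_clean=True)


if __name__ == "__main__":
    f = Finding(1)
    f.transition("triaged")
    f.transition("fix-in-progress")
    print(close_after_run(f, rescan_still_finds_it=False), f.history)
```

Keeping the evidence requirement inside the state machine, rather than in whichever caller happens to set the state, is what makes "verified" mean more than "resolved".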

SLA and escalation

Remediation is tied to the SLA per severity (Critical 7 days · High 30 · Medium 90). Breaching the threshold generates an escalation to Slack/Teams. The Remediation studio shows the run history and statistics (e.g. the "resolved_last_7d" KPI).
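An added example (not ZEUS's own code) of the SLA arithmetic and the KPI mentioned above: deadlines per severity from the numbers on the page, breach detection, the escalation text that would go to Slack/Teams, and resolved_last_7d. The findings, the fixed clock, the host names and the message wording are constructed; only the three severities with an SLA on the page are covered.

```python
# Added example (not ZEUS's own code): SLA deadlines, breach detection, the
# escalation text and the resolved_last_7d KPI over constructed findings.
# Only the three severities with an SLA on the page are covered.
from datetime import datetime, timedelta, timezone

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}   # days, as stated on the page
CLOSED_STATES = {"resolved", "verified"}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)         # fixed clock for the example


def _finding(fid, host, severity, state, opened_days_ago, resolved_days_ago=None):
    return {
        "finding_id": fid, "host": host, "severity": severity, "state": state,
        "opened_at": NOW - timedelta(days=opened_days_ago),
        "resolved_at": None if resolved_days_ago is None
        else NOW - timedelta(days=resolved_days_ago),
    }


SAMPLE = [                                                # constructed
    _finding(1, "web-01", "critical", "open", 10),        # 3 days past its 7-day SLA
    _finding(2, "web-02", "high", "open", 10),            # 20 days left
    _finding(3, "db-01", "medium", "triaged", 100),       # 10 days past its 90-day SLA
    _finding(4, "web-03", "critical", "verified", 20, 2), # closed, counts for the KPI
    _finding(5, "win-07", "high", "resolved", 40, 9),     # closed, too old for the KPI
]


def sla_deadline(finding):
    days = SLA_DAYS.get(finding["severity"].lower())
    return None if days is None else finding["opened_at"] + timedelta(days=days)


def days_over_sla(finding, now=NOW):
    """Positive when breached, zero or negative within SLA, None when not applicable."""
    if finding["state"] in CLOSED_STATES:
        return None
    deadline = sla_deadline(finding)
    return None if deadline is None else (now - deadline).days


def breached(findings, now=NOW):
    """Ids of open findings past their SLA, in input order."""
    return [f["finding_id"] for f in findings if (days_over_sla(f, now) or 0) > 0]


def escalation_message(finding, now=NOW):
    """Text for the Slack/Teams escalation, or None while the SLA holds."""
    over = days_over_sla(finding, now)
    if over is None or over <= 0:
        return None
    sla = SLA_DAYS[finding["severity"].lower()]
    return (f"ZEUS SLA escalation: finding {finding['finding_id']} "
            f"({finding['severity']}) on {finding['host']} is {over} day(s) "
            f"past its {sla}-day SLA")


def resolved_last_7d(findings, now=NOW):
    """The Remediation studio KPI: findings closed within the last 7 days."""
    cutoff = now - timedelta(days=7)
    return sum(1 for f in findings
               if f["resolved_at"] is not None and f["resolved_at"] >= cutoff)


if __name__ == "__main__":
    for f in SAMPLE:
        msg = escalation_message(f)
        if msg:
            print(msg)
    print("resolved_last_7d =", resolved_last_7d(SAMPLE))
```

Closed findings are excluded from breach detection rather than given a deadline of None, so a finding that was resolved late still keeps its history but no longer pages anyone.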

Policy-driven auto-remediation

The remediation_policy_tick worker (ARQ) evaluates remediation policies every few minutes — each has its own schedule_cron and safety gates (e.g. a guard on CVE age of 24 h). This lets you automate fixes without manual clicking.
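What one tick of such a worker has to decide, as an added example (not ZEUS's own code and not the real remediation_policy_tick): each policy is checked against its schedule_cron, and only findings that pass the safety gates are enqueued. The page gives only schedule_cron and the 24 h CVE-age guard; the severities and max_runs_per_tick fields, the minimal cron matcher (a 5-field subset without the day-of-month/day-of-week OR rule of real cron), and the policies and findings are all constructed for the example.

```python
# Added example (not ZEUS's own code): one tick of a policy evaluator in the
# spirit of remediation_policy_tick. Assumptions not on the page: the policy
# fields severities and max_runs_per_tick, the 5-field cron subset below (all
# fields ANDed, unlike real cron's dom/dow rule), and the constructed data.
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 3, 2, 0, tzinfo=timezone.utc)   # Monday 02:00 UTC, fixed clock


def _field_matches(spec, value):
    """Match one cron field: '*', 'n', 'a-b', '*/n', and comma lists of those."""
    for part in spec.split(","):
        if part == "*":
            return True
        if part.startswith("*/"):
            if value % int(part[2:]) == 0:
                return True
        elif "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= value <= hi:
                return True
        elif int(part) == value:
            return True
    return False


def cron_due(expr, when):
    """True when a 5-field cron expression matches the given minute."""
    minute, hour, dom, month, dow = expr.split()
    return all((
        _field_matches(minute, when.minute),
        _field_matches(hour, when.hour),
        _field_matches(dom, when.day),
        _field_matches(month, when.month),
        _field_matches(dow, when.isoweekday() % 7),   # cron convention: 0 = Sunday
    ))


POLICIES = [                                          # constructed
    {"name": "nightly-lab", "schedule_cron": "0 2 * * *",
     "severities": {"critical", "high"}, "min_cve_age_hours": 24, "max_runs_per_tick": 2},
    {"name": "weekend-prod", "schedule_cron": "0 2 * * 0,6",
     "severities": {"critical"}, "min_cve_age_hours": 24, "max_runs_per_tick": 10},
]


def _f(fid, severity, state, script_id, cve_age_hours):
    return {"finding_id": fid, "severity": severity, "state": state,
            "script_id": script_id, "cve_published": NOW - timedelta(hours=cve_age_hours)}


FINDINGS = [                                          # constructed
    _f(1, "critical", "open", "apt-upgrade", 48),
    _f(2, "high", "open", "apt-upgrade", 2),          # too fresh: the 24 h guard blocks it
    _f(3, "critical", "open", None, 72),              # no mapped script: manual workflow
    _f(4, "medium", "open", "apt-upgrade", 100),      # severity outside the policy
    _f(5, "high", "open", "winupdate-kb", 30),
    _f(6, "critical", "open", "apt-upgrade", 72),     # eligible, but over max_runs_per_tick
]


def policy_tick(policies, findings, now=NOW):
    """Evaluate every policy once. Returns {name: ids to enqueue}, None when not due."""
    decisions = {}
    for p in policies:
        if not cron_due(p["schedule_cron"], now):
            decisions[p["name"]] = None
            continue
        eligible = []
        for f in findings:
            if f["state"] != "open" or f["script_id"] is None:
                continue
            if f["severity"] not in p["severities"]:
                continue
            age_h = (now - f["cve_published"]).total_seconds() / 3600
            if age_h < p["min_cve_age_hours"]:        # safety gate: let the patch settle
                continue
            eligible.append(f["finding_id"])
        decisions[p["name"]] = eligible[: p["max_runs_per_tick"]]   # blast-radius gate
    return decisions


if __name__ == "__main__":
    print(policy_tick(POLICIES, FINDINGS))
```

The two gates do different jobs: the CVE-age guard keeps the worker from pushing a vendor patch that was published hours ago and may still be pulled, while the per-tick cap bounds how many hosts one bad script can touch before the next re-scan.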


Remediation is the reason ZEUS is an operational platform, not just another dashboard. We find → fix → verify.