CSPM Alert Prioritization: From 500 Daily Findings to 20 You Should Actually Fix

CSPM severity ratings tell you how bad a finding could be in the worst case. Your actual risk depends on three factors working together:

Dimension 1: CSPM Severity (the tool's rating)

• Critical, High, Medium, Low
• Use as-is; do not override the tool's technical severity assessment

Dimension 2: Asset Criticality (your classification) Tag every cloud resource with a criticality tier during your first week:

Critical: Production workloads handling customer data, financial transactions, or authentication
High: Production supporting services (logging, monitoring, CI/CD)
Medium: Staging/pre-production environments with production-equivalent data
Low: Development, test, sandbox environments with synthetic data

In AWS, apply as a resource tag: Criticality: critical|high|medium|low In Azure, use resource tags: criticality: critical|high|medium|low In GCP, use labels: criticality: critical|high|medium|low

Dimension 3: Exploitability (network reachability)

• Directly internet-exposed: the resource has a public IP or is reachable via load balancer from 0.0.0.0/0
• Indirectly exposed: reachable from the internet via multiple hops (e.g., behind a private subnet but accessible from a publicly exposed host)
• Internal only: no internet path exists

Wiz and Orca calculate attack paths automatically. In Prisma Cloud, use Network Analyzer. For manual assessment, check: security groups with 0.0.0.0/0 inbound, public load balancer targets, S3 buckets with public ACLs.

Priority matrix:

Do not try to fix 500 findings. Do this instead:

Week 1: Asset tagging sprint Tag every cloud resource with criticality before looking at findings. Without asset criticality context, you cannot score anything. Assign engineering leads for each account/workload; they know which resources matter.

# AWS: bulk tag resources in an account
aws resourcegroupstaggingapi tag-resources \
  --resource-arn-list arn:aws:s3:::my-prod-bucket \
  --tags Criticality=critical,Environment=production

# Tag all EC2 instances in a region
aws ec2 describe-instances --query 'Reservations[].Instances[].InstanceId' --output text | \
  xargs -I {} aws ec2 create-tags \
    --resources {} \
    --tags Key=Criticality,Value=high Key=Environment,Value=production

Week 2: Apply the P0 filter -- find your actual fire Filter your CSPM to show only: Critical severity + Critical assets + Internet-exposed. This is your P0 list. It should be 5-20 findings, not 500.

In Wiz: Filters: Severity = Critical, Has Internet Exposure = Yes, Asset Tag Criticality = critical In Prisma Cloud: Asset Explorer > Filters: Risk Rating = Critical, Internet Exposed = true, Tag: Criticality = critical In Orca: Risks > Filter: Severity = Critical, Attack Surface = Internet Facing, Tags: criticality = critical

Fix your P0 list before anything else. These are the findings that could result in a breach this week.

Week 3-4: P1 and suppression setup After P0 is clear, move to P1 (Critical + Critical asset + internal, or Critical + High asset + internet-exposed).

In parallel, begin suppressing clear false positives:

• Public CDN S3 buckets flagged as 'public access enabled' (intentional)
• Dev/test accounts flagged for missing encryption (accepted risk with documented exception)
• Findings on decommissioned resources that appear in inventory but have no actual workload

Every suppression is a risk decision. Document it or you've created an invisible blind spot.

Categories safe to suppress (with documentation):

Never suppress without a ticket. Every suppression in the CSPM tool should have a corresponding ticket number in your tracking system (Jira, ServiceNow, etc.).

Suppression template:

Finding ID: [CSPM finding ID]
Resource: [ARN / resource identifier]
Suppression reason: [false positive / accepted risk / compensating control]
Business justification: [1-2 sentences]
Compensating controls (if any): [what else reduces this risk]
Approved by: [name + title]
Review date: [90 days from today]
Ticket: [JIRA-1234]

Set calendar reminders for every suppression review date. A suppression that was valid when created may not be valid 90 days later -- the CDN bucket may have been repurposed for sensitive data, the dev account may now have prod data in it.

After 90 days of consistent work, a functioning CSPM program produces:

Volume targets:

• P0 findings (Critical + Critical asset + internet-exposed): 0 open >24 hours
• P1 findings open >7 days: <5
• P2 findings open >30 days: declining month-over-month
• New Critical findings introduced per week: tracked and reviewed within 48 hours

Process markers:

• Every open finding in P0/P1/P2 has an owner and a target remediation date
• Every suppression has a ticket and a review date
• Weekly or bi-weekly sync with engineering leads to review P1 findings
• Monthly metric reported to security leadership: P0/P1 closure rate

What your weekly CSPM review looks like at 90 days:

1. Check new findings from the last 7 days: any new P0s? (target: zero, escalate immediately if not)
2. Check P1 findings approaching SLA: need engineering escalation?
3. Check suppression review dates expiring this week: renew or lift
4. Update the monthly trend chart (10 minutes)

If your weekly review takes more than 30 minutes, your P0/P1/P2 filters are not scoped tightly enough.

Track four numbers. Report them monthly to security leadership and quarterly to the board.

Simple trend chart -- paste into your monthly security report:

Month    | P0 open | P1 SLA% | New Crit/wk | Supp reviewed
Jan 2026 |    14   |   42%   |     23      |    60%
Feb 2026 |     6   |   67%   |     18      |    78%
Mar 2026 |     1   |   81%   |     12      |    91%
Apr 2026 |     0   |   88%   |      8      |    95%

This trend tells a clear story: P0 exposure time is collapsing, SLA compliance is improving, new finding introduction rate is declining (your developers are fixing root causes), and suppression governance is tightening. That story is your evidence that the program is working.

CSPM findings are remediated by engineers, not security teams. If security identifies, tracks, AND remediates, you have a scaling problem. The handoff must be clean.

What the security team owns:

• Running the CSPM tool
• Applying the scoring model and identifying P0/P1/P2
• Creating tickets with finding details, remediation steps, and SLA
• Tracking SLA compliance and escalating overdue items
• Making suppression decisions and documenting them

What engineering teams own:

• Fixing the finding within SLA
• Tagging resources with criticality (they know which workloads matter)
• Flagging findings they believe are false positives back to security for suppression review
• Asking for security review before launching new workloads (shift-left)

Ticket format that engineers will actually act on:

Title: [CSPM] CRITICAL: S3 bucket prod-customer-data publicly readable
Severity: P1 (Critical finding on production asset)
SLA: Fix by [DATE - 7 days from today]

Finding: The S3 bucket 'prod-customer-data' has ACL set to public-read.
This bucket contains customer PII (per data classification tag).

Risk: Any unauthenticated user can read all objects in this bucket.
The bucket contains approximately 2.4M customer records.

Fix (2 commands):
  aws s3api put-bucket-acl --bucket prod-customer-data --acl private
  aws s3api put-public-access-block --bucket prod-customer-data \
    --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,\
    BlockPublicPolicy=true,RestrictPublicBuckets=true

Verification: Run aws s3api get-public-access-block --bucket prod-customer-data
and confirm all four values are 'true'.

If this is intentional (public CDN bucket), reply on this ticket with the
business justification and tag @security-team for suppression review.

Tickets with exact fix commands get remediated. Tickets that say 'review S3 bucket security configuration' do not.