Vulnerability management breaks when scanner findings, the asset register, and the ticket queue live in three tools and nobody can explain why a CVE was deferred. Dock fixes the attribution gap. The agent reads Tenable plus Qualys scan output and the ServiceNow GRC asset record, drafts a remediation queue with priority reasoning, and waits for a security lead to approve before tickets are filed. Every row carries the scanner finding ID, CVSS vector, agent priority, approver, and timestamp.
Tenable, Qualys, and ServiceNow GRC stay the system of record for the raw data. Dock is the system of record for what the AGENT INTERPRETS. Each Dock row carries a pointer back to the platform record, agent identity, decision, reviewer, and timestamp. The agent re-fetches platform data via fresh API reads when it needs current state.
The remediation queue surface
| Finding | Asset | CVSS | Agent priority | Reviewer | Status |
|---|---|---|---|---|---|
| tenable://finding/F-4471 (CVE-2026-1188, OpenSSL) | snow://ci/web-edge-07 (internet-facing) | 9.1 | P0 patch this week | lead@ approved 05-29 | ticket SNOW-88210 |
| qualys://qid/378122 (Apache Struts) | snow://ci/internal-batch-12 (segmented, no PII) | 8.8 | P2 next maintenance window | lead@ deferred 05-29 | exception logged |
| tenable://finding/F-4502 (curl libcurl) | snow://ci/laptop-fleet (4,210 endpoints) | 7.5 | P1 push via MDM | lead@ approved 05-29 | ticket SNOW-88214 |
The agent never opens a ticket on its own. It writes the row, surfaces its reasoning, and waits. Approval flips the status and triggers the ServiceNow create call. Deferrals get an exception row with an expiry date, which the agent re-checks on the next scan cycle.
One workflow, walked through
A Tuesday Tenable scan returns 312 new findings. The agent pulls each CVSS v4.0 vector, queries ServiceNow GRC for asset exposure tier and data classification, and cross-references Qualys for confirming detections. It writes 312 rows, sorted by a priority score combining CVSS, internet exposure, and asset criticality. Eleven are tagged P0. The security lead scrolls the P0 block and approves nine. Two get downgraded with a note. Approved rows fan out to ServiceNow tickets with the agent identity in the requester field. Fourteen minutes on what used to be half a day.
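The draft, approve and re-check flow described above, including the deferral and scanner-conflict rules, sketched as an added example rather than Dock's own code. The weights, priority cut-offs, field names and function names are assumptions, since the page names the scoring inputs but not the formula.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed weights and cut-offs: the page names the inputs, not the formula.
EXPOSURE_WEIGHT = {"internet-facing": 1.0, "internal": 0.6, "segmented": 0.4}
BANDS = [(8.0, "P0"), (6.0, "P1"), (0.0, "P2")]

@dataclass
class Row:
    finding_refs: list        # scanner pointers (tenable://..., qualys://...)
    asset_ref: str            # asset record pointer (snow://ci/...)
    cvss_scores: list         # one base score per scanner detection
    exposure: str             # exposure tier read from the asset record
    criticality: float        # 0.0 to 1.0, assumed scale
    status: str = "draft"
    approver: Optional[str] = None
    decided_on: Optional[date] = None
    exception_expiry: Optional[date] = None

    @property
    def conflict(self) -> bool:
        return len(set(self.cvss_scores)) > 1   # scanners disagree

    @property
    def priority(self) -> str:
        base = max(self.cvss_scores)            # higher score wins by default
        score = base * EXPOSURE_WEIGHT[self.exposure] * (0.5 + 0.5 * self.criticality)
        return next(label for floor, label in BANDS if score >= floor)

def decide(row, approver, today, approve, expiry=None):
    """Record the human decision; a deferral must carry an expiry date."""
    if not approve and expiry is None:
        raise ValueError("deferral needs an expiry date")
    row.approver, row.decided_on = approver, today
    row.status = "approved" if approve else "deferred"
    row.exception_expiry = None if approve else expiry

def file_ticket(row):
    """Gate: build a ticket request only for a row with a recorded approver."""
    if row.status != "approved" or not row.approver:
        raise PermissionError("no approver on row; ticket not filed")
    return {"finding_refs": row.finding_refs, "asset": row.asset_ref,
            "priority": row.priority, "approved_by": row.approver}

def needs_review(row, today, exposure_now):
    """Each scan cycle: re-surface deferrals that expired or changed context."""
    return row.status == "deferred" and (
        today >= row.exception_expiry or exposure_now != row.exposure)
```

Calling file_ticket on a draft or deferred row raises PermissionError, so the ticket-create path cannot be reached without a recorded approver.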
Why it matters
Auditors and incident responders both ask the same question after a breach: who decided this CVE was not urgent, and when. Scanner consoles do not answer that. Ticket comments answer it badly. Dock answers it in one row. The agent's draft is preserved, the human override is preserved, and the timestamp anchors both. That is what agent audit and compliance means in practice for a security team, and it is the same primitive that makes Dock for compliance usable for SOC 2 evidence.
The other half of the matter is the dangerous ops contract. Filing a remediation ticket is reversible. Pushing a patch is not. The agent drafts, the human approves the priority, and the patch deployment itself stays in the existing change-management process.
Start with Dock for SecOps to see the full surface set.
FAQ
Does the agent ever auto-file tickets? No. Ticket creation is gated on lead approval. The agent can draft, score, and propose. It cannot open a ServiceNow ticket without an approver row.
What happens to deferred findings? They become exception rows with an expiry date and a justification. The agent re-evaluates them on the next scan and re-surfaces any whose context has changed, for example an asset that moved from internal to internet-facing.
How does Dock handle conflicting Tenable and Qualys findings? The agent writes both pointers on the same row and flags the discrepancy. The lead sees the conflict in one place rather than reconciling two consoles. Priority follows the higher CVSS score by default, and the lead can override it.
Does this replace our scanner or GRC tool? No. Tenable, Qualys, and ServiceNow GRC remain source of truth for raw scan data and asset records. Dock holds the interpretation layer: priority, reasoning, approval, timestamp. See agent audit and compliance for attribution and Dock for compliance for evidence shape.
Priority scoring follows the CVSS v4.0 specification published by FIRST.org (first.org/cvss), and the patch cadence model follows NIST SP 800-40 Rev. 4, Guide to Enterprise Patch Management Planning (csrc.nist.gov).