Production · Program Automation

Vulnerability Management Operations

End-to-end automation of the operational layer behind a vulnerability management program. Scanner findings flow into Linear, get routed to owners, tracked against SLAs, escalated through exceptions, and reported to engineering weekly. Built entirely through Claude Cowork skills, scheduled tasks, and MCP integrations.

Role: Designer & Operator
Built with: Claude Cowork
Status: Live in Production
Tools: Linear · Slack · Aikido
One person's memory was the bottleneck
Vulnerability management generates a steady stream of operational work: triage new findings, assign owners, track deadlines, create exceptions when deadlines pass, close exceptions when findings get fixed, and report progress weekly. Every one of those steps was manual. If the person running the program was busy, on vacation, or just forgot, things slipped. Not because people could not fix vulnerabilities, but because no one remembered which deadline was approaching, who owned an unassigned finding, or which exception was about to lapse.
Automated weekly status posted to engineering
Every Friday, the system drafts a vulnerability management update from live Linear data, waits for human approval, then posts to Slack. Severity breakdown, SLA status, fixes since the last report, and kudos for teams that shipped remediations.
Slack | #team-eng
Security Bot · Friday 3:02 PM

Vulnerability Management Update

Active Vulnerabilities: 30
  Critical 2 · High 8 · Medium 14 · Low 6
  EOL items tracked separately: 3

SLA Status
  ✓ On track: 26
  ⚠ Approaching: 3
  ✕ Breached: 1
  Compliance rate: 96.7%

Fixes Since Last Report: 5
  🎉 Kudos: Platform Team (3 fixes) · Auth Team (2 fixes)

Exceptions: 3 active
  1 exception approaching expiration (7 days)

View Dashboard →
End-to-end automation, from scanner to Slack
Each step in the vulnerability lifecycle is handled by a combination of Cowork skills, scheduled tasks, and MCP integrations. The system handles the mechanical work. People make the decisions that require judgment.
01

Scanner Detection

Aikido scans the codebase and files each finding as a Linear issue in the Vulnerability Management project. Issues carry severity, affected path, and package metadata.

02

Owner Assignment

For each unassigned finding, look up the affected file path in CODEOWNERS. If a single owner is clear, propose them. If ambiguous, search the internal knowledge base for the right team and escalate to the manager.

03

Slack Notification

Assigned owners get a Slack notification with the finding details, severity, SLA deadline, and a direct link to the Linear issue. No one needs to check a dashboard to find out they have work.

04

SLA Monitoring

Linear tracks SLA deadlines natively. The system surfaces findings approaching their deadline 7 days before breach and sends escalation notifications to prevent surprises.

05

Exception Creation

When a finding breaches its SLA without resolution, the system creates an exception record in Linear's Security Exceptions project. The exception includes finding details, days overdue, and a bounded risk window.

06

Remediation & Close

When the engineering team fixes a finding and closes the Linear issue, the system auto-closes the corresponding exception and sends a status update to Slack. No manual cleanup.

07

Weekly Reporting

Every Friday, a scheduled task queries all active findings and calculates the severity breakdown, SLA compliance, and fixes since the last report. It drafts the message, waits for approval, then posts to #team-eng.

08

Program Hygiene

Retire lapsed exceptions, surface quiet cancellations, deduplicate findings across scans, and flag items closed without a fix. The register stays trustworthy because it cleans up after itself.
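Step 02 above is the one step with crisp decision rules, so here is an added example (not the project's own Cowork skill) that routes an unassigned finding from its affected path through CODEOWNERS: one clear owner is proposed, while several owners or no match is handed off to the knowledge-base lookup and manager escalation. The matching semantics are assumed from GitHub's CODEOWNERS documentation (last match wins, a rule may name several owners), and the sample file and paths are constructed.

```python
# Added example, not the project's own Cowork skill: route an unassigned
# finding to an owner from CODEOWNERS (the page's step 02). Semantics assumed
# from GitHub's CODEOWNERS docs: last match wins, a rule may name several owners.
from fnmatch import fnmatch
from typing import NamedTuple

class Routing(NamedTuple):
    path: str
    owners: tuple   # owners named by the winning rule (empty if none matched)
    action: str     # "propose" | "ambiguous" | "unmatched"

def parse_codeowners(text):
    """Return [(pattern, owners)] in file order; comments and blanks dropped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            pattern, *owners = line.split()
            rules.append((pattern, tuple(owners)))
    return rules

def _matches(pattern, path):
    # Simplified CODEOWNERS glob: "dir/" covers the subtree, a pattern without
    # "/" matches a basename anywhere, anything else is a path glob.
    if pattern.endswith("/"):
        return path.startswith(pattern.lstrip("/"))
    if "/" not in pattern:
        return fnmatch(path.rsplit("/", 1)[-1], pattern)
    return fnmatch(path, pattern.lstrip("/"))

def route_finding(rules, path):
    """One clear owner -> propose; several or none -> knowledge-base lookup
    and manager escalation, as the page describes for ambiguous cases."""
    winner = ()
    for pattern, owners in rules:   # later rules override earlier ones
        if _matches(pattern, path):
            winner = owners
    if not winner:
        return Routing(path, (), "unmatched")
    return Routing(path, winner, "propose" if len(winner) == 1 else "ambiguous")

CODEOWNERS = """\
# constructed sample file, not a real repository's
/services/auth/   @acme/auth-team
/infra/**/*.tf    @acme/platform-team @acme/sre-team
*.md              @acme/docs-team
"""
RULES = parse_codeowners(CODEOWNERS)
```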

Cowork automation, not a traditional app
This is not a standalone application with its own codebase and deploy pipeline. It is a set of Claude Cowork skills, scheduled tasks, and MCP integrations that together automate the operational layer of the program. The pattern is reproducible: anyone with access to Cowork and the right connectors can stand up the same system.
What makes this different

Traditional vulnerability management tools focus on scanning and dashboards. The operational work between "finding detected" and "finding fixed" is still manual: triaging, assigning owners, tracking deadlines, creating exceptions, reporting progress. This project automates that entire middle layer without writing a single line of application code.

Cowork Skills

Reusable skill files that encode reporting templates, triage routing logic, exception workflows, and program hygiene rules. Claude reads these and follows the patterns.

Scheduled Tasks

A Friday scheduled task triggers the weekly vulnerability report. Claude drafts the report from live Linear data and presents it for approval before posting to Slack.

Linear MCP

Reads and writes to the Vulnerability Management project. Queries active findings, severity, SLA fields, assignees, labels. Creates exception issues in the Security Exceptions project.

Slack MCP

Posts weekly reports to #team-eng. Sends assignment notifications to individual owners. Delivers SLA warnings, breach alerts, and status change updates.

Knowledge Base Lookup

When CODEOWNERS does not have a clear match, Claude searches the internal knowledge base to identify the right team and owner for the affected service.

Aikido Scanner

Runs automated scans and pushes findings directly into Linear. Issues are labeled with their source: aikido for scanner output, boa for manual and penetration-test findings.

Scanner to Linear to SLA
Findings carry severity from the scanner into Linear as priority levels. SLA deadlines are tracked through Linear's native SLA fields, so there is no separate tracking spreadsheet to maintain.
Severity Mapping and SLA Tracking
Linear priority   Severity   SLA tracking                                     Labels
Priority 1        Critical   slaStartedAt, slaBreachesAt tracked natively     aikido
Priority 2        High       slaHighRiskAt triggers 7-day warning             aikido, boa
Priority 3        Medium     Standard SLA window, breach creates exception    aikido
Priority 4        Low        Tracked but no SLA enforcement                   aikido

Carve-out labels: eol, security-exception (tracked separately in the weekly report)
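To make the mapping concrete, here is an added example (not the project's Cowork skill) that classifies a finding from the Linear SLA fields named in the table, rolls the states up into the compliance figure the weekly report shows, and drafts the exception record a breach produces. The issue dicts and timestamps are constructed; the 7-day warning is the page's, the 30-day exception window is an assumption.

```python
# Added example, not the project's own Cowork skill: SLA state from the Linear
# fields in the table, a weekly roll-up, and the exception draft for a breach.
# Issues and timestamps are constructed; the 30-day window is an assumption.
from collections import Counter
from datetime import datetime, timedelta, timezone

WARNING_WINDOW = timedelta(days=7)           # "approaching" threshold (page)
CARVE_OUTS = {"eol", "security-exception"}   # reported separately, not SLA stats

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def sla_state(issue, now):
    """One of: carve-out, no-sla, on-track, approaching, breached."""
    if CARVE_OUTS & set(issue.get("labels", ())):
        return "carve-out"
    breaches_at = _ts(issue.get("slaBreachesAt"))
    if issue["priority"] == 4 or breaches_at is None:
        return "no-sla"                      # Low: tracked, never enforced
    if now >= breaches_at:
        return "breached"
    # Linear sets slaHighRiskAt itself; fall back to breach minus 7 days.
    high_risk_at = _ts(issue.get("slaHighRiskAt")) or breaches_at - WARNING_WINDOW
    return "approaching" if now >= high_risk_at else "on-track"

def sla_summary(issues, now):
    """State counts plus compliance rate over SLA-bearing findings."""
    counts = Counter(sla_state(i, now) for i in issues)
    tracked = counts["on-track"] + counts["approaching"] + counts["breached"]
    rate = round(100 * (tracked - counts["breached"]) / tracked, 1) if tracked else None
    return counts, rate

def exception_record(issue, now, window_days=30):
    """Draft for the Security Exceptions project: details, days overdue, expiry."""
    overdue = (now - _ts(issue["slaBreachesAt"])).days
    return {"finding": issue["id"], "priority": issue["priority"],
            "days_overdue": overdue,
            "expires_at": (now + timedelta(days=window_days)).isoformat()}

NOW = datetime(2024, 6, 14, 15, 0, tzinfo=timezone.utc)   # constructed Friday
ISSUES = [  # constructed sample findings using a few Linear issue fields
    {"id": "VM-101", "priority": 1, "labels": ["aikido"], "slaBreachesAt": "2024-06-28T00:00:00Z"},
    {"id": "VM-102", "priority": 2, "labels": ["aikido", "boa"], "slaBreachesAt": "2024-06-18T00:00:00Z"},
    {"id": "VM-103", "priority": 3, "labels": ["aikido"], "slaBreachesAt": "2024-06-10T00:00:00Z"},
    {"id": "VM-104", "priority": 4, "labels": ["aikido"]},
    {"id": "VM-105", "priority": 2, "labels": ["aikido", "eol"], "slaBreachesAt": "2024-06-01T00:00:00Z"},
]
```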
What the automation handles
Weekly Reporting

Drafts a complete status report from live data every Friday. Severity breakdown, SLA compliance, fixes since last report, and kudos. Posted to Slack after human approval.

Owner Routing

Matches unassigned findings to owners via CODEOWNERS lookup. Falls back to the internal knowledge base when ownership is ambiguous. Proposes before assigning.

SLA Monitoring

Surfaces findings approaching their deadline 7 days before breach. Sends escalation notifications so deadlines do not arrive as surprises.

Exception Management

Creates exception records in Linear when findings breach SLA. Bounded risk windows with expiration dates. Auto-retires exceptions when the underlying finding is fixed.

Metrics Reconstruction

Builds trend reports from issue timestamps already in Linear. Open vs. closed, inflow vs. outflow, time to remediate, and SLA compliance. No snapshots to maintain.

Program Hygiene

Retires lapsed exceptions, surfaces quiet cancellations, deduplicates findings, and flags items closed without a fix. The register stays trustworthy because it cleans up after itself.

Status Notifications

Slack messages for every meaningful state change: new assignments, approaching deadlines, SLA breaches, exception creation, finding closure, and exception retirement.

Scanner Integration

Aikido pushes findings directly into Linear. Manual and penetration test findings are filed with the boa label for separate tracking alongside automated scan results.

What it's built with
Claude Cowork · Cowork Skills · Scheduled Tasks · Linear MCP · Slack MCP · Aikido (Scanner) · CODEOWNERS · Knowledge Base · Linear SLA Fields · Security Exceptions (APPEXCE)
Impact
Manual reporting steps: 0
SLA compliance: 95%+
Exception coverage: 100%
Lines of application code: 0