Finding Lifecycle – Track AWS Security Issues Across Scans
TroveSec doesn’t create a new set of findings from scratch every time you scan. Instead, it tracks each finding across scans and updates its lifecycle state based on what changed. This means you can ask Claude not just “what’s wrong?” but also “what got worse?”, “what did we fix?”, and “what’s new since last time?”
Lifecycle states
Every finding is always in one of four states:
Active
The finding was present in the latest scan and its severity is the same as before. This is the default state for any ongoing issue. Use this when you want to see your current open problems.
- “Show me all active critical findings”
- “What’s currently open in IAM?”
Resolved
The finding was present in a previous scan but did not appear in the most recent one. This means the underlying issue was fixed — either by you, or because the affected resource was removed.
Resolved findings are kept in history so you can prove to auditors what was fixed and when.
- “What did we fix this week?”
- “Show me resolved findings from the last scan”
- “What S3 issues have been resolved?”
Regressed
The finding appeared in a previous scan, was resolved, and has now come back — or it was present and its severity has increased. Regressions need immediate attention because they indicate something that was thought to be fixed has slipped back.
TroveSec records the previous severity alongside the current one so you can see exactly how things got worse.
- “What regressed since our last scan?”
- “Are there any findings that got worse?”
- “Show me anything that came back after being fixed”
Accepted
Your team has formally accepted the risk on this finding and recorded a business reason. Accepted findings are filtered out of most queries by default, but you can always ask to see them.
See Risk Acceptance for how to accept and revoke risks via Claude.
- “Which findings are currently accepted?”
- “Show me accepted risks and when they expire”
How findings move between states
Each time a scan completes, TroveSec runs a delta pass that compares the new findings against the previous scan for that AWS account:
- A finding present in both scans stays active (or moves to regressed if severity increased)
- A finding present before but missing now moves to resolved
- A resolved finding that reappears moves back to active (or regressed if at higher severity)
- A brand new finding (never seen before) starts as active
The first_seen_at and last_seen_at timestamps on each finding record exactly when it was first detected and when it was last confirmed by a scan.
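The following is an added example, not TroveSec's own code, of how a delta pass with these transition rules can be implemented, including the new/resolved counts that the scan delta summary below reports. Everything in it is assumed for illustration: the `"<check>:<resource>"` finding key, the four-level severity rank, the constructed sample findings and timestamps, the rule that an accepted risk which persists unchanged stays accepted, and the extra `regressed` count in the summary. A finding that reappears after being resolved is recorded as regressed even at the same severity, following the Regressed state definition above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Severity rank used to decide whether a change means "got worse" (assumed scale).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    key: str                               # stable id "<check>:<resource>" (assumed convention)
    severity: str
    state: str = "active"                  # active | resolved | regressed | accepted
    previous_severity: Optional[str] = None
    first_seen_at: str = ""                # when a scan first detected it
    last_seen_at: str = ""                 # when a scan last confirmed it


def _worse(new: str, old: str) -> bool:
    return SEVERITY_RANK[new] > SEVERITY_RANK[old]


def delta_pass(previous: Dict[str, Finding], scan: Dict[str, str],
               scanned_at: str) -> Tuple[Dict[str, Finding], Dict[str, int]]:
    """Compare a new scan (key -> severity) with the previous state.

    Returns the updated findings and a delta summary. The page's summary
    lists new and resolved counts; the regressed count is an addition here.
    """
    updated: Dict[str, Finding] = {}
    summary = {"new": 0, "resolved": 0, "regressed": 0}

    # Pass 1: every finding the new scan reported.
    for key, severity in scan.items():
        old = previous.get(key)
        if old is None:
            # Never seen before: active, both timestamps set to this scan.
            updated[key] = Finding(key, severity, "active", None, scanned_at, scanned_at)
            summary["new"] += 1
            continue
        if _worse(severity, old.severity):
            # Still present (or back) at higher severity; keep the old one visible.
            state, prev = "regressed", old.severity
        elif old.state == "resolved":
            # Came back after being fixed: regressed even at the same severity.
            state, prev = "regressed", old.severity
        elif old.state == "accepted":
            # Assumption: an accepted risk that persists unchanged stays accepted.
            state, prev = "accepted", old.previous_severity
        else:
            # Present in both scans, severity not increased: active.
            state, prev = "active", None
        updated[key] = Finding(key, severity, state, prev, old.first_seen_at, scanned_at)
        if state == "regressed":
            summary["regressed"] += 1

    # Pass 2: findings known before but absent from the new scan.
    for key, old in previous.items():
        if key in scan:
            continue
        if old.state == "resolved":
            updated[key] = old             # already resolved; history unchanged
        else:
            # Fixed or resource removed; last_seen_at stays at the scan that saw it.
            updated[key] = Finding(key, old.severity, "resolved", old.previous_severity,
                                   old.first_seen_at, old.last_seen_at)
            summary["resolved"] += 1
    return updated, summary


def query(findings: Dict[str, Finding], state: Optional[str] = None,
          include_accepted: bool = False) -> List[Finding]:
    """Lifecycle query: accepted risks are hidden unless asked for."""
    show_accepted = include_accepted or state == "accepted"
    rows = [f for f in findings.values()
            if (state is None or f.state == state)
            and (show_accepted or f.state != "accepted")]
    return sorted(rows, key=lambda f: f.key)


# Constructed sample: finding state after the previous scan of one account.
PREVIOUS = {f.key: f for f in [
    Finding("s3-public-bucket:example-logs", "high", "active", None,
            "2024-04-01T00:00:00Z", "2024-05-01T00:00:00Z"),
    Finding("iam-root-no-mfa:root", "critical", "resolved", None,
            "2024-03-01T00:00:00Z", "2024-04-15T00:00:00Z"),
    Finding("sg-open-ssh:sg-0abc", "medium", "active", None,
            "2024-04-15T00:00:00Z", "2024-05-01T00:00:00Z"),
    Finding("cloudtrail-disabled:us-east-1", "high", "accepted", None,
            "2024-02-01T00:00:00Z", "2024-05-01T00:00:00Z"),
]}

# Constructed sample: what the new scan reported (key -> severity).
SCAN = {
    "s3-public-bucket:example-logs": "critical",   # severity went up
    "iam-root-no-mfa:root": "critical",            # came back after being fixed
    "cloudtrail-disabled:us-east-1": "high",       # accepted, unchanged
    "ebs-unencrypted:vol-0def": "low",             # never seen before
    # sg-open-ssh:sg-0abc is absent: it was fixed
}
NEW_SCAN_AT = "2024-05-08T00:00:00Z"


def run_example() -> Tuple[Dict[str, Finding], Dict[str, int]]:
    return delta_pass(PREVIOUS, SCAN, NEW_SCAN_AT)


if __name__ == "__main__":
    findings, summary = run_example()
    print("delta summary:", summary)
    for f in query(findings, include_accepted=True):
        print(f"{f.state:9} {f.severity:8} {f.key}  (was {f.previous_severity})")
```

Running it yields two regressions (the S3 bucket that got worse and the root-MFA finding that came back), one resolved finding whose `last_seen_at` still points at the scan that last saw it, and one new finding; the accepted CloudTrail risk only shows up when `include_accepted=True` or when the accepted state is asked for explicitly.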
The scan delta summary
Each completed scan includes a quick delta summary:
- New findings — findings that didn’t exist in the previous scan
- Resolved findings — findings present before but gone now
Ask Claude about the delta after any scan:
- “How many new findings came up in the last scan?”
- “What changed between this scan and the previous one?”
- “Did we fix more than we broke this week?”
Practical queries
After a remediation sprint:
- “What findings did we resolve this week?”
- “Show me everything that was fixed since Monday”
Incident triage:
- “What’s new in the last 24 hours?”
- “Did anything regress since the deploy?”
Weekly review:
- “Give me a summary of what changed this week — new, resolved, and regressed”
- “Is our finding count going up or down?”
Audit prep:
- “Show me all findings resolved in the last 90 days”
- “Which critical findings have we resolved this quarter?”
Lifecycle vs posture score
The lifecycle tracks individual findings. The posture score aggregates all findings into a single number. Use lifecycle queries when you want specifics; use the posture score when you want a high-level trend.