You Shouldn't Need to Hire Someone to Keep Your Scanner in Sync With Your Tools of Record

Nullify's thesis is that security work — finding, triaging, program-managing, and fixing exposure — should run end to end on AI that stays controlled and measurable, so a program's output stops being capped by its headcount. Being a well-behaved citizen of the stack a team already runs is one of the clearest tests of that thesis, because it's one of the purest examples of headcount-as-a-workaround. A team running Nullify alongside a vulnerability-management platform, an ASPM aggregator, and a ticketing system doesn't want yet another island of findings to babysit — it wants Nullify's findings to land cleanly in the tools of record it already operates, stay deduplicated as scans repeat, and never trample a decision a person already made. Today, keeping a scanner's output in sync with those systems of record is often done by a person: someone who re-enters findings by hand, closes stale records one by one, and reconciles a status an engineer changed in one tool against what the scanner still thinks. It's clerical work wearing a security badge, and it scales with headcount rather than with the size of the problem.

Nullify removes that job by pushing its own findings out as a well-behaved source — into the vulnerability-management and ASPM platforms a team already runs, and into the ticketing systems where engineers actually work — under a durable, content-based identity so re-detections update the existing record instead of duplicating it, and with a disposition-aware sync that honors whatever a human already decided wherever they decided it. It replaces a job description, not just a workflow: the headcount a program used to spend keeping a scanner in lockstep with its tools of record doesn't have to exist, because the work that used to require a person now runs as a mechanism you can audit.

What good citizenship has to actually do

Being a well-behaved source in someone else's stack is not glamorous, but it has a precise shape. Done right, it does three things:

  • Doesn't create duplicates. Re-detecting the same vulnerability on a later scan updates the record that already exists, rather than minting a second one. That requires a stable, content-based identity for a finding — one that survives re-scanning and doesn't churn every time a scan runs.
  • Speaks the destination's language. Every platform uses its own severity scale and its own lifecycle states. Nullify's findings have to translate onto each destination's native vocabulary before they can sit alongside everything else a program tracks.
  • Preserves who decided what. If a human already dispositioned a Nullify-sourced record — marked it a false positive, accepted the risk, deferred it — that decision is honored, not silently re-opened on the next scan. Nothing burns trust faster than a tool that re-litigates a call an engineer already made.

Each of those is a mechanism, not a slogan. Here's how Nullify does each one.

A durable identity so re-detections upsert instead of duplicate

Start with the part that actually removes headcount: Nullify pushes its own findings out, as a well-behaved source, into the vulnerability-management and ASPM platforms teams already run as their program of record — ServiceNow VR, Tenable/Vulcan, Kenna, ArmorCode, Brinqa, Nucleus, and Phoenix. This is shipped, unit-tested Go, gated behind a per-tenant flag as the rollout completes. It is delivery-only by design: Nullify writes its findings into the destination, and the only thing it ever reads back is the disposition of records it created itself. It does not ingest other vendors' findings.

The identity backbone underneath it is a durable, content-based key: Nullify derives a deterministic external ID from the connection and the finding, not from a transient scan-run ID — a stable hash, prefixed so it's recognizable as ours. Because it never incorporates a scan-run identifier, re-detecting the same vulnerability on a later scan produces the same ID, and the downstream record gets upserted instead of duplicated. That's the same identity discipline that lets our own asset graph join a SAST finding, a host, and a repo on one canonical key instead of three — here it guarantees that a Nullify finding maps to exactly one record in the destination, run after run.

Once identity is stable, the same normalization Nullify already applies to its own five-band severity scale — mapping onto a synthetic CVSS band, or a 0–100 risk band where a platform expects one — translates each finding into whatever scale the destination uses, so it reads correctly next to everything else the platform holds. Lifecycle state goes through the same treatment: Nullify's status maps onto each platform's native vocabulary on the way out, and the platform's native status maps back onto Nullify's small, canonical set — open, risk-accepted, resolved, reopened, false-positive — on the way back in, so a program can reason about disposition consistently instead of per-tool.

Never silently overwriting a human's decision

And the disposition question is where the trust actually gets earned. If an engineer already marked something risk-accepted or a false positive in the tool where they made that call, Nullify honors it rather than re-flagging it as new. This is a live, running mechanism in production today, not a policy statement: the ticket reconciler that keeps Nullify-created tickets in sync with Jira, Linear, and Azure Boards runs a scheduled drift pass across every open ticket. It checks each ticket's status against the ticket platform, maps the platform's native status onto Nullify's canonical states, and writes back any drift it finds — explicitly as the safety net for the webhook that got dropped or arrived out of order. Read the other system's state, normalize it, and never silently overwrite a human's decision.

The vulnerability-management side follows the same discipline. Alongside the outbound upsert, a scoped read-back loop checks the disposition of records Nullify itself created, by external ID — so if an engineer marks a Nullify-sourced record risk-accepted in ServiceNow, Nullify doesn't re-open it on the next scan or fire an SLA-breach alert against a decision a human already made. It reads back only the records it owns, keyed on the external ID it minted; it never reaches into another vendor's findings.

The authority line is deliberate: Nullify's own scan is authoritative for whether a vulnerability still exists — truly open versus fixed — while the vendor system is authoritative for whether a human accepted the risk or deferred it. Each system stays authoritative for what it's best positioned to know, and an engineer can override in either one.

Measurability is the whole point

Whatever runs this sync has to be auditable, or it's just another opaque number generator competing with the ones a team already distrusts. The metrics that matter here are specific, and deliberately about not creating work:

  • Upsert-versus-create ratio — re-detecting a known finding updates the existing record instead of minting a new one, trending toward all-upsert with near-zero net-new records for re-detections.
  • Loop closure — the share of records where a human's disposition round-trips back into Nullify, so a decision made anywhere in the stack sticks everywhere.
  • Dedup health — duplicate records attributable to Nullify, tracked toward zero.

These are the numbers a security leader should be allowed to ask for, and Nullify is built to answer them, because a source that can't be measured is just a second opinion nobody asked for.

The point of all of this

None of this requires ripping out the tools a team already pays for. That's deliberate: a deal built around "swap your scanner for ours" asks a team to take on migration risk for a lateral move, while a deal built around "keep what you have, and stop paying people to keep it in sync by hand" is something a team already wants. Consolidation can happen later, on its own timeline, earned rather than demanded.

But the real point sits underneath the go-to-market logic. A team running a scanner next to its systems of record has a headcount problem wearing a tooling costume: the missing piece is usually a person whose whole job is re-entering findings, closing stale records, and reconciling a status that changed in one tool against what another tool still believes. That work is mechanical and auditable, which makes it exactly the kind of work a controlled, measurable AI system should absorb. Removing it is a direct increase in what a security program can do with the people it already has — the same argument underneath everything else Nullify builds, from triage through program management to the fix itself.

Book a demo