Insights

Insights are the structured findings that Claude saves when it discovers something noteworthy during an assessment. Unlike a flat report, Insights persist across assessment runs, carry a remediation status you update over time, and give security teams a living record of their infrastructure's posture.

Anatomy of an Insight

Every Insight captures a specific finding in a consistent structure. The title is a short, human-readable description of the issue — concise enough to scan in a list. The detail field contains the full explanation: what Claude observed, the evidence it collected, and any relevant context. The severity tells you how urgently the finding needs attention, and the category tells you what domain it belongs to. Together they let you filter and prioritize a remediation queue without opening each Insight individually.

The status tracks where the finding sits in your remediation workflow. The remediation steps field holds Claude's suggested actions — these are a starting point, not a script, and you can update them as your team determines the actual fix. The session field links the Insight back to the specific assessment run that produced it, so you can trace findings to their source. The agent field identifies which host the finding relates to, which matters when the same issue appears on multiple machines.

Severity

Severity reflects how urgently the finding needs attention. Claude assigns severity based on the nature of the risk — not just its theoretical impact, but the likelihood of exploitation and the breadth of exposure in your environment.

| Severity | Meaning |
| --- | --- |
| Critical | Immediate risk of compromise or data loss; address today |
| High | Significant risk; address within days |
| Medium | Moderate risk or compliance gap; address within weeks |
| Low | Minor issue or hardening opportunity |
| Info | Neutral observation with no immediate risk |

Category

Category tells you what domain the finding belongs to, making it easy to filter and assign to the right team. A networking finding and an identity finding may both be High severity, but they belong to different owners and different remediation tracks.

| Category | Examples |
| --- | --- |
| Security | Exposed credentials, weak TLS, unsafe permissions |
| Identity | Stale accounts, over-privileged roles, missing MFA |
| Networking | Open ports, unencrypted services, firewall gaps |
| Compliance | Policy violations, audit failures, missing controls |
| Performance | High resource usage, failing services, disk pressure |
| Configuration | Misconfigured settings, outdated software |
| Availability | Services stopped, replication failures, disk failures |
| Licensing | Over-assigned or unused licenses |

Status Workflow

Insights start as Open when Claude saves them — the finding is recorded, but no one has acted on it yet. When a team member reviews the Insight and takes ownership, you move it to Acknowledged. Once active remediation is underway, update it to In Progress so the rest of your team knows work is happening. When the issue is fixed and verified, mark it Resolved. If your team reviews the finding and decides not to act — because it is an accepted risk or a false positive — mark it Dismissed instead.

Open → Acknowledged → In Progress → Resolved
                                  → Dismissed

You can update status directly in the dashboard by navigating to Insights, selecting the finding, and choosing a new status. You can also ask Claude to do it during a session: "Mark the 'Local Administrator Password Not Rotated' insight as resolved."

TIP

Use Dismissed for accepted risks rather than leaving findings Open indefinitely. A clean Open queue is a meaningful signal — it means everything there genuinely needs attention.

Filtering

The Insights view in the dashboard lets you filter by severity, category, status, agent, and date range. Use filters to build a focused remediation queue — for example, all Critical and High findings that are still Open on production servers. You can combine multiple filters at once, so a security team can pull every open Security and Identity finding across all agents, while an ops team works from a separate view scoped to Availability and Performance.

Persistent Across Runs

Insights are not replaced when you re-assess the same host. Each assessment run adds new Insights rather than overwriting existing ones, so you retain the full history of what Claude has found over time. If Claude finds the same issue again and an Insight already exists with a Resolved status, it can re-open the existing Insight or create a new one — ensuring that regressions are captured rather than silently ignored.

INFO

This behavior means your Insights list grows over time. Use the status filter to focus on Open and In Progress findings during day-to-day operations, and treat the full history as an audit trail.
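
The sketch below is an added example, not the product's own code or API. It models the regression handling described under Persistent Across Runs and the combined filters described under Filtering. The `Insight` record, the function names, the agent names, the agent-plus-title matching key, and the choice to leave active or Dismissed findings untouched on recurrence are all assumptions; the sample data is constructed.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}

@dataclass
class Insight:  # hypothetical record; fields named after the page's description
    title: str
    severity: str
    category: str
    agent: str
    session: str
    status: str = "Open"

def record_finding(store, found):
    """Merge one finding from a new run. Assumption: same agent + title = same issue."""
    for old in store:
        if (old.agent, old.title) == (found.agent, found.title):
            if old.status == "Resolved":
                old.status = "Open"  # regression: surface it again
                return "reopened"
            return "unchanged"  # assumption: active or Dismissed findings are left as-is
    store.append(found)
    return "created"

def remediation_queue(store, severities, statuses, agents=None, categories=None):
    """Combine filters; None means 'do not filter on this field'."""
    hits = [i for i in store
            if i.severity in severities and i.status in statuses
            and (agents is None or i.agent in agents)
            and (categories is None or i.category in categories)]
    return sorted(hits, key=lambda i: (SEVERITY_RANK[i.severity], i.agent, i.title))

def run_example():
    # Constructed sample data: state after a first run ("run-1") and later triage.
    store = [
        Insight("Local Administrator Password Not Rotated", "High", "Identity", "prod-web-01", "run-1", "Resolved"),
        Insight("Weak TLS on admin port", "Critical", "Security", "prod-db-01", "run-1"),
        Insight("Unused licenses assigned", "Low", "Licensing", "prod-web-01", "run-1"),
        Insight("Open port 8080", "High", "Networking", "dev-01", "run-1", "Dismissed"),
    ]
    rerun = [  # constructed findings from a second run ("run-2")
        Insight("Local Administrator Password Not Rotated", "High", "Identity", "prod-web-01", "run-2"),
        Insight("Open port 8080", "High", "Networking", "dev-01", "run-2"),
        Insight("Stale service account", "Medium", "Identity", "prod-db-01", "run-2"),
    ]
    actions = [record_finding(store, f) for f in rerun]
    queue = remediation_queue(store, {"Critical", "High"}, {"Open"}, agents={"prod-web-01", "prod-db-01"})
    return actions, [(i.severity, i.agent, i.title) for i in queue]

if __name__ == "__main__":
    print(run_example())
```

The previously Resolved password finding returns to the Open queue on the production host, while the Dismissed finding stays out of it.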