Getting wrong results in remediation projects based on queries using finding.firstFound

we are using Rapid7 InsightVM partly for quality and SLA control for his service managed assets.
A central means to do so is the use of Remediation Projects.

One sample query for a such a remediation project is

asset.groups IN [‘asset group’] && finding.firstFound <= /NOW - P120D/ && vulnerability.cvssScore >= 7 && DOES NOT CONTAIN 'windows

aiming at all vulnerabilities which have been found on an asset more than 120 d ago, are severe or critical (CVSS>=7), are no Windows assets and belong to the correct group of assets.

(This is just a sample, there are lots more.)

Sadly this Remediation Prjs always also include assets on which the respective vulnerabilities have not been found longer than 120 d ago.

As a matter of fact, even worse, there are even whole solutions that only contain assets which do not (!) in any way fit the given date restriction.

Any clues, any ideas would be greatly appreciated, our workflow for dealing with vulnerabilities is depending on correct results.


Hi Robert! I am a Product Manager in InsightVM. You have stumbled across something that we are in the process of fixing right now. This issue has been caused by First Found “ever” and First Found “instance/reoccurance” being utilised in different ways throughout the product. This will be fixed by adding both the First Found ever and Last Reoccurrence date everywhere in the user interface. This fix will be in the product in July/August this year. If you have any more questions, our Support team are aware of this issue, or reach out to your CSM.

Hi, Sarah,
thank you for your fast re.
Some points from my side:

  1. How to continue?
    1.a) I already opened up a similar support case ( [06969320], adding some screenshots) as this stops a critical nontechnical workflow from working the way our customer expects it.
    1.b) Our customer would expect any kind of recommendation / workaround (besides wait for July/August).

  2. What you explain - in my humble opinion - does not account for every detail of the problem we’re experiencing (especially around the different results in static / dynamic remprjs and the very strange and inconsistent results regarding the first occ of a vuln on an asset). Is there any externally available documentation around this to verify that what we are seeing is fully explained by the issue you’re describing?

  3. A little bit disappointing and I will have to explain this to my customer in detail:
    If this is a known issue - and correct me if did not I got this - which would invalidate almost any results from queries using finding.firstFound, why is there no mentioning of that anywhere? Documentation? Or was I just unable to find it?
    We laid out a functionality and a corporate workflow (between customer and service provider) around the expectation that we would be able to verify SLAs with Rapid7 and now we are not (at least at the time being).

R. F. Todt

Hi Robert,

Thank you for the reply. I think this would be best tackled with a call with myself and the PM responsible for this project to explain the inconsistencies you are seeing in Remediation Projects. If you reach out to me on I’d be more than happy to set up a call.