Tamnoon Academy
Remediation Confidence Indicator (RCI)
What Is the Remediation Confidence Indicator (RCI)?
The Remediation Confidence Indicator (RCI) is a score Tamnoon assigns to each proposed remediation action. It reflects how confidently that specific fix can be executed without causing disruption to production systems.
RCI differs from severity scores like CVSS and exploit-likelihood metrics like EPSS. Those measure how bad a finding is or how likely it is to be exploited. RCI measures how safe the fix itself is to apply. A critical vulnerability might have a SAFE RCI if the fix is well-understood and the blast radius is contained. A lower-severity misconfiguration might score RISKY if the affected resource handles production traffic with complex dependencies.
This distinction matters because the risk of the finding and the risk of the fix are two separate calculations. Most security tools focus only on the first one. RCI addresses the second.
You may also see references to the remediation confidence score, which was a prior name for the same concept.
RCI is part of Tamnoon’s approach to agentic cloud security operations, where AI agents handle investigation, planning, and execution with human oversight at key decision points. Within that model, agentic remediation relies on RCI to determine when automation can proceed safely and when a human needs to step in.
Why RCI Matters in Remediation Workflows
Cloud security teams want to automate remediation. The operational case is clear when alert volumes outpace manual capacity, MTTR stays high, and backlogs grow faster than teams can work through them.
But automation without a confidence layer forces an all-or-nothing choice. Either trust the system to execute every fix automatically, or require manual review for everything. Neither works at scale.
The trust gap is measurable. According to the Cloud Security Alliance’s State of Security Remediation report, 75% of organizations’ security teams still spend more than 20% of their time on manual remediation tasks, even though 83% report using some level of automation. Teams have adopted automation in theory. In practice, they still don’t trust it enough to let go of manual oversight.
This is the problem RCI solves. Scoring each fix individually lets teams build trust in automated remediation incrementally. Safe remediation at scale becomes possible because the system itself distinguishes between fixes that can run on their own and fixes that need a human eye.
For Cloud Security Managers, this is personal. They are accountable if a fix breaks something in production. RCI gives them a mechanism to automate confidently without blindly taking on that risk.
How RCI Works
RCI works in three layers: the inputs that inform the score, the tier it produces, and the point in the workflow where it gets applied.
Inputs to the Score
RCI is not a static calculation. It draws on context gathered during the investigation of each finding, including:
- The blast radius of the proposed change (how many systems or services it could affect)
- The asset’s business value and sensitivity classification
- Whether the fix is reversible or permanent
- Observed usage patterns for the affected resource
- Historical remediation outcomes for similar fixes
Tami, Tamnoon’s AI agent, gathers and weighs these inputs as part of its investigation. The more evidence available, the more precise the score.
The Confidence Tiers
Every proposed fix receives one of three RCI tiers:
- SAFE: The fix has high confidence. It can be executed automatically without human intervention. The blast radius is contained, the change is well-understood, and historical outcomes support safe execution.
- RISKY: The fix has moderate confidence. It requires expert-supervised review before execution. A CloudPro (Tamnoon’s human cloud security expert) reviews the remediation plan, validates the approach, and approves or adjusts before anything runs.
- AWAITING DATA: The investigation has not yet gathered enough context to assign a confident score. The fix will not execute until additional evidence is collected and the tier can be determined. This tier prevents premature action when information is incomplete.
The system is conservative by default. When in doubt, RCI holds rather than proceeds.
Where RCI Sits in the Workflow
RCI is assigned after investigation and before execution. Tamnoon has already ingested the finding, investigated the affected resource, and generated a remediation plan before the confidence score is applied.
Nothing touches production until RCI clears it. This is a core principle of production-safe remediation: the work of understanding context, assessing blast radius, and validating the approach happens entirely outside the live environment.
RCI in Practice
Consider two findings that look identical on the surface: an overly permissive IAM role granting broad S3 access.
In the first case, the role is attached to a development sandbox account. No production workloads depend on it. Usage logs confirm that the broad permissions have never been exercised. Tami generates a least-privilege policy scoped to observed usage. RCI: SAFE.
In the second case, the same overly permissive role is assigned to a production application with multiple services that read and write across several S3 buckets. Restricting permissions could break active workflows. Tami flags the dependency chain and generates a remediation plan, but the blast radius is wide enough to require human review. RCI: RISKY.
Same finding type. Same severity. Different RCI tiers. That difference is why context-aware scoring matters more than blanket policies.
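The gating logic described under How RCI Works and the two IAM cases above, as an added example that is not Tamnoon's code: a small Python gate that builds a least-privilege S3 policy from the API calls a role was actually observed making, derives blast radius from which services exercised the role, flags the risk factors the page lists (blast radius, asset sensitivity, reversibility, historical outcomes), and holds the fix as AWAITING DATA whenever an input has not been collected. The Evidence fields, the thresholds (ten prior outcomes, 95% success rate), the environment and sensitivity labels, the bucket-level action set, and the CloudTrail-style sample events are all assumptions constructed for this illustration.

```python
"""Added example of a remediation-confidence gate; not Tamnoon's scoring code.
Field names, thresholds, labels and the sample events below are assumptions."""
import json
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Tier(Enum):
    SAFE = "SAFE"
    RISKY = "RISKY"
    AWAITING_DATA = "AWAITING DATA"


# S3 calls that are authorised against the bucket ARN; every other call in the
# sample is object-level and is authorised against bucket/*. (Assumed subset.)
BUCKET_LEVEL = {"ListBucket", "GetBucketLocation", "GetBucketPolicy"}


@dataclass
class Evidence:
    """Context collected during investigation. None means 'not collected yet'."""
    environment: Optional[str] = None   # assumed labels: "sandbox" or "production"
    sensitivity: Optional[str] = None   # assumed labels: "internal", "confidential", ...
    reversible: Optional[bool] = None   # can the change be rolled back cleanly?
    usage: Optional[list] = None        # CloudTrail-style events; [] = never exercised
    history: Optional[list] = None      # outcomes of similar fixes; True = no incident


@dataclass
class Decision:
    tier: Tier
    reasons: list
    policy: Optional[dict]              # least-privilege replacement, once one exists


def scoped_policy(usage):
    """Allow only the (action, resource) pairs actually observed for the role."""
    grants = {}                          # resource ARN -> set of IAM actions
    for ev in usage:
        arn = f"arn:aws:s3:::{ev['bucket']}"
        if ev["eventName"] not in BUCKET_LEVEL:
            arn += "/*"
        grants.setdefault(arn, set()).add("s3:" + ev["eventName"])
    if not grants:
        # Nothing was ever exercised, so the scoped policy grants no S3 access.
        # In practice you would detach the broad grant; the explicit Deny makes
        # the intended end state visible in this illustration.
        statements = [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]
    else:
        statements = [{"Effect": "Allow", "Action": sorted(actions), "Resource": arn}
                      for arn, actions in sorted(grants.items())]
    return {"Version": "2012-10-17", "Statement": statements}


def assign_tier(ev, min_history=10, min_success=0.95):
    """Score one proposed fix: hold on missing data, flag risk factors, else SAFE."""
    missing = [name for name, value in vars(ev).items() if value is None]
    if missing:
        # Conservative by default: hold rather than guess.
        return Decision(Tier.AWAITING_DATA, ["missing evidence: " + ", ".join(missing)], None)

    policy = scoped_policy(ev.usage)     # the plan exists before the score is applied
    services = {e["service"] for e in ev.usage}
    buckets = {e["bucket"] for e in ev.usage}
    reasons = []

    # Blast radius: every service that exercised the role will see the new policy.
    if ev.environment == "production" and (len(services) > 1 or len(buckets) > 1):
        reasons.append(f"{len(services)} services across {len(buckets)} buckets use this role in production")
    if not ev.reversible:
        reasons.append("change is not cleanly reversible")
    if ev.environment == "production" and ev.sensitivity in {"confidential", "restricted"}:
        reasons.append(f"asset is classified {ev.sensitivity}")
    if len(ev.history) < min_history:
        reasons.append(f"only {len(ev.history)} prior outcomes for this fix type")
    elif sum(ev.history) / len(ev.history) < min_success:
        reasons.append("prior outcomes for this fix type fall below the success threshold")

    tier = Tier.RISKY if reasons else Tier.SAFE
    return Decision(tier, reasons or ["contained blast radius, reversible, strong history"], policy)


# Constructed sample evidence for the two cases in the text.
SANDBOX = Evidence(environment="sandbox", sensitivity="internal", reversible=True,
                   usage=[], history=[True] * 20)

PRODUCTION = Evidence(
    environment="production", sensitivity="confidential", reversible=True,
    usage=[  # constructed CloudTrail-style events: which service called what on which bucket
        {"eventName": "GetObject", "bucket": "orders-prod", "service": "checkout-api"},
        {"eventName": "PutObject", "bucket": "orders-prod", "service": "checkout-api"},
        {"eventName": "ListBucket", "bucket": "orders-prod", "service": "fulfillment-worker"},
        {"eventName": "GetObject", "bucket": "orders-prod", "service": "fulfillment-worker"},
        {"eventName": "PutObject", "bucket": "reports-prod", "service": "reporting-job"},
    ],
    history=[True] * 20,
)

if __name__ == "__main__":
    for label, evidence in [("sandbox", SANDBOX), ("production", PRODUCTION),
                            ("partial", Evidence(environment="production"))]:
        d = assign_tier(evidence)
        print(label, d.tier.value, "|", "; ".join(d.reasons))
        if d.policy:
            print(json.dumps(d.policy, indent=2))
```

Running it yields SAFE for the sandbox role (nothing exercised, so the replacement policy grants no S3 access), RISKY for the production role (three services across two buckets plus a confidential classification), and AWAITING DATA for the partially investigated role, which gets no policy at all. Two design choices mirror the workflow described above: the scoped policy is generated before the tier is assigned, so a RISKY decision still carries a concrete plan for a reviewer to adjust, and a missing input short-circuits to a hold rather than being treated as a low-risk default.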
For a detailed example of this workflow in practice, see how Tamnoon handles remediating Wiz findings end-to-end.
RCI and Remediation Validation
RCI addresses what happens before a fix runs. Remediation validation addresses what happens after.
Once a fix executes, validation confirms two things: the original finding is resolved, and no new issues were introduced. Together, RCI and validation form two halves of AI remediation safety.
One ensures confidence going in. The other provides proof coming out. This pairing is what makes full automation viable. Teams can trust that fixes were scored for safety before execution and verified for effectiveness after.
See RCI in Action
RCI scores every fix before it touches your environment. Book a demo to see how confidence-based automation handles your CNAPP findings from investigation through safe execution.
FAQs
How is RCI different from CVSS and other severity scores?
CVSS and similar scores measure the severity of a vulnerability itself. RCI measures how safely the proposed fix can be applied. A critical vulnerability might have a SAFE RCI if the fix is straightforward, and a moderate vulnerability might score RISKY if the remediation could disrupt dependent services. The two scores answer different questions.
What do the SAFE, RISKY, and AWAITING DATA tiers mean?
SAFE means the fix can run automatically with high confidence. RISKY means a human expert reviews and approves before execution. AWAITING DATA means the system needs more context before it can assign a tier, and the fix is held until that context is available.
Can fixes be executed automatically based on their RCI tier?
Yes. Fixes with a SAFE tier can be executed automatically when automation policies allow it. RISKY fixes require human approval. AWAITING DATA fixes are held until enough evidence is gathered to determine a tier.
Is the remediation confidence score the same thing as RCI?
Yes. The remediation confidence score was a prior name for the same concept. RCI (Remediation Confidence Indicator) is the current term.