
June 22, 2026

CDR and CNAPP Remediation: Fixing Findings Across Cortex Cloud’s Unified View

Marina Segal

CEO, Tamnoon


Cortex Cloud merged CNAPP and CDR into one platform, but the remediation workflows for the two still look nothing alike.

While Cortex Cloud puts every finding into one alert queue, a misconfiguration and a live runtime threat still require completely different paths to a fix.

Say a misconfigured S3 bucket and a credential-stuffing attack both show up next to each other. Fixing them looks completely different: 

  • CNAPP remediation for a misconfiguration requires a policy rewrite and an IaC update to stay fixed. 
  • CDR remediation for a credential attack needs immediate investigation, log preservation, and containment before evidence degrades.

Tamnoon’s 2026 State of Cloud Remediation Report shows that critical alerts stay unresolved for 150 days, but runtime threats are often measured in minutes. And with frontier AI now accelerating both vulnerability discovery and attack speed, the volume hitting both sides of that queue is about to increase significantly.

Different types of findings require different remediation paths. Tamnoon helps teams manage both in one workflow, from validation and prioritization to safe, coordinated fixes.

Frontier AI Is Accelerating Both Sides of the Backlog

Frontier AI models are changing the math on both config findings and runtime threats.

On the config side, AI-powered scanning is finding vulnerabilities at a rate that outstrips manual remediation. Palo Alto Networks’ own May 2026 security advisory reported that the majority of findings came from frontier AI models scanning its codebase. That same scanning capability is becoming available across the industry. Every Cortex Cloud customer’s CSPM and CIEM backlogs are about to get deeper.

On the runtime side, AI-driven attacks are compressing the attack lifecycle. Palo Alto Networks estimates a three- to five-month window before AI-driven exploits become widespread and recommends that every SOC target single-digit MTTR through agentic automation. That means more CDR alerts, firing faster, with less time to investigate before the threat moves.

Both sides of Cortex Cloud’s unified view are getting louder simultaneously. More config findings from AI scanning. More runtime alerts from AI-accelerated attacks. Teams that already struggle with the remediation workflow split between these two finding types will face an even sharper bottleneck without a way to handle both patterns at scale.

Two Finding Types, Two Remediation Patterns

Cortex Cloud surfaces both misconfigurations and runtime alerts through a single pane. But the operational response each one demands is shaped by what the finding represents and how fast the situation can change.

CNAPP Remediation: Configuration Findings

Config findings come from Cortex Cloud’s CSPM, CIEM, and DSPM capabilities. These are structural issues, such as over-privileged IAM roles, public-facing storage buckets, missing encryption, and network exposure gaps. They tend to be slow-moving. The misconfiguration has likely been there for weeks or months before detection.

The remediation pattern is methodical. Each finding needs ownership mapping, dependency analysis, and a root-cause fix, typically an IaC update or policy rewrite to prevent the same issue from being redeployed. 

Speed matters, but the priority is getting the fix right so the finding stays closed. See how Tamnoon approaches remediation for Cortex Cloud. 

CDR: Runtime Alerts

Runtime alerts come from Cortex Cloud’s CDR capability. These are live behavioral signals, like unusual API call patterns, geographic anomalies, credential abuse, and data movement that deviates from baseline. The situation is active and evolving.

The remediation pattern is time-sensitive. Investigation has to start immediately and preserve forensic evidence before any containment action. Shutting down access before mapping the scope means losing the trail.

Consider a CDR alert flagging hundreds of login attempts per second from an IP in Singapore against a customer that operates entirely in the US, all at 3 am local time. Investigation reveals that the calls are hitting every available endpoint. The pattern points to stolen credentials being used in a botnet-style extraction attack. The team needs to trace which resources were accessed, confirm the blast radius, and preserve CloudTrail logs before revoking access. The fix here is containment followed by credential rotation and access policy hardening, not an IaC update.

The tempo is the difference. Config findings reward thoroughness while runtime alerts punish hesitation.
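The triage order described in the scenario above (scope the activity and preserve the trail before revoking anything) can be made mechanical. The following is an added example, not code from Tamnoon or Cortex Cloud: it runs over constructed CloudTrail-style records (the burst from one foreign IP, the home-country list, the rate threshold, the access key IDs and the resource ARNs are all assumptions; the IPs are from the documentation ranges), identifies the anomalous source, enumerates what it actually touched versus what IAM denied, and emits a response plan in which evidence preservation is ordered ahead of containment.

```python
"""Triage of a credential-abuse alert over constructed CloudTrail-style records.

Added example, not Tamnoon or Cortex Cloud code. The records, the home-country
list and the rate threshold are constructed assumptions; IPs come from the
documentation ranges (203.0.113.0/24 and 198.51.100.0/24).
"""
from collections import Counter

HOME_COUNTRIES = {"US"}   # assumption: the customer operates only in the US
RATE_THRESHOLD = 100      # assumption: calls/second from one IP that is abnormal here

# Cycle of API calls the stolen key is seen making. Two are denied by IAM; the
# denials are evidence too (the policy stopped those, but not the S3 reads).
_BURST_CALLS = [
    ("ListBuckets", "arn:aws:s3:::*", None),
    ("GetObject", "arn:aws:s3:::customer-exports/q1.csv", None),
    ("DescribeInstances", "arn:aws:ec2:us-east-1:111122223333:instance/*", None),
    ("ListUsers", "arn:aws:iam::111122223333:user/*", "AccessDenied"),
    ("GetSecretValue", "arn:aws:secretsmanager:us-east-1:111122223333:secret:db-prod", "AccessDenied"),
]


def _event(time, ip, country, key, name, resource, error):
    return {"time": time, "ip": ip, "country": country, "key": key,
            "event": name, "resource": resource, "error": error}


def constructed_events():
    """300 calls in two seconds from one foreign IP, plus one benign US call."""
    events = []
    for i in range(300):
        name, resource, error = _BURST_CALLS[i % len(_BURST_CALLS)]
        second = "2026-06-22T03:00:00Z" if i < 200 else "2026-06-22T03:00:01Z"
        events.append(_event(second, "203.0.113.7", "SG", "AKIAEXAMPLE000000001",
                             name, resource, error))
    events.append(_event("2026-06-22T03:00:05Z", "198.51.100.10", "US", "AKIAEXAMPLE000000002",
                         "DescribeInstances", "arn:aws:ec2:us-east-1:111122223333:instance/*", None))
    return events


def peak_rate(events, ip):
    """Highest number of calls from `ip` inside any single second."""
    per_second = Counter(e["time"] for e in events if e["ip"] == ip)
    return max(per_second.values(), default=0)


def suspect_ips(events, home=HOME_COUNTRIES, threshold=RATE_THRESHOLD):
    """IPs that are both outside the home countries and above the rate threshold."""
    ips = {e["ip"] for e in events}
    return sorted(ip for ip in ips
                  if any(e["ip"] == ip and e["country"] not in home for e in events)
                  and peak_rate(events, ip) >= threshold)


def scope(events, ip):
    """What the activity touched: endpoints hit, resources actually read, calls denied."""
    mine = [e for e in events if e["ip"] == ip]
    return {
        "principals": sorted({e["key"] for e in mine}),
        "endpoints": sorted({e["event"] for e in mine}),
        "resources_touched": sorted({e["resource"] for e in mine if e["error"] is None}),
        "denied_calls": sorted({e["event"] for e in mine if e["error"]}),
        "window": (min(e["time"] for e in mine), max(e["time"] for e in mine)),
    }


def response_plan(sc):
    """Ordered steps: evidence is preserved and scoped before any containment."""
    return [
        ("preserve", f"export CloudTrail for {sc['window'][0]}..{sc['window'][1]} to a locked bucket"),
        ("scope", f"confirm blast radius: {len(sc['resources_touched'])} resources read, "
                  f"{len(sc['denied_calls'])} call types denied"),
        ("contain", f"deactivate access key(s) {', '.join(sc['principals'])}"),
        ("rotate", "issue replacement credentials to the legitimate owner"),
        ("harden", "add source-IP / geo conditions to the affected principal's access policy"),
    ]


def triage(events):
    """Full triage: suspect IP -> peak rate, scope, and ordered response plan."""
    out = {}
    for ip in suspect_ips(events):
        sc = scope(events, ip)
        out[ip] = {"peak_rate": peak_rate(events, ip), "scope": sc, "plan": response_plan(sc)}
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(triage(constructed_events()), indent=2))
```

The point of `response_plan` is its ordering: the plan is a list, and any automation that consumes it must execute "preserve" and "scope" before "contain". Splitting resources into "touched" versus "denied" is what gives the responding team a real blast radius rather than a count of API calls.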

How Tamnoon Bridges Both Inside One Workflow

Both finding types enter Tamnoon through its integration with Cortex Cloud. Config findings and CDR alerts land in the same initiative queue, normalized and grouped.

What changes is how the workflow responds to each one:

  • Single ingestion pipeline: Cortex Cloud findings arrive via API with their severity, risk context, alert category, and affected resources. Tamnoon normalizes and deduplicates them regardless of whether the source is a CSPM policy violation or a CDR behavioral signal. Teams work from one prioritized queue.
  • Investigation adapts to signal type: For config findings, Tami runs read-only queries against live cloud APIs to map ownership, dependencies, and usage patterns. For CDR alerts, Tami prioritizes speed, scoping the anomalous activity, identifying affected resources, and preserving logs before evidence degrades. Both paths follow the same agentic remediation framework. The depth and urgency adjust based on what the finding demands.
  • RCI adjusts based on context: Every finding receives a Remediation Confidence Indicator (RCI) scored as SAFE, RISKY, or UNSAFE. For config findings, the score weighs structural factors like asset value, blast radius, and recurrence history. For CDR alerts, the score factors in behavioral urgency: whether the activity is still live, how fast it is spreading, and how much forensic risk comes from acting before the investigation completes.
  • Remediation matches the pattern: Config findings get IaC updates and policy enforcement to prevent recurrence. CDR alerts get containment actions, access revocations, and forensic handoffs with full investigation context preserved for the responding team.
  • One audit trail for both: Whether the finding was a dormant misconfiguration or an active runtime threat, the investigation, RCI progression, action taken, approval chain, and verification results all live in the same record. Teams running SOC 2, HIPAA, or similar frameworks get compliance evidence without building it after the fact.
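The five bullets above describe one pipeline with type-dependent behaviour at each stage. The following is an added example, not Tamnoon's or Cortex Cloud's code, that sketches such a pipeline end to end: raw records (shape assumed) are normalized onto one finding type, deduplicated, given an RCI of SAFE, RISKY or UNSAFE from type-specific inputs, prioritized on evidence rather than alert category, routed to the playbook that matches the pattern, and written to one audit record shape. The factor names follow the page; the weights, thresholds, playbook wording and sample records are constructed assumptions, and the real RCI scoring is not on the page.

```python
"""One queue for config findings and runtime alerts: normalize, deduplicate, score, route.

Added example; not Tamnoon's or Cortex Cloud's code. The raw record shape, the RCI
heuristic, the priority formula and the playbooks are constructed assumptions. The
factor names follow the page (asset value, blast radius, recurrence, liveness,
spread, forensic risk); the weights are illustrative only.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed playbooks: config findings get a root-cause fix, runtime alerts get
# evidence preservation before containment.
PLAYBOOKS = {
    "config": ["map ownership", "analyze dependencies", "update IaC / rewrite policy",
               "deploy and verify the finding stays closed"],
    "runtime": ["preserve logs", "scope anomalous activity", "contain / revoke access",
                "forensic handoff with full context", "rotate and harden"],
}


@dataclass
class Finding:
    fid: str
    kind: str        # "config" or "runtime"
    severity: str    # low | medium | high | critical
    resource: str
    title: str
    context: dict = field(default_factory=dict)


def normalize(raw):
    """Map one raw record (assumed shape) onto the shared Finding type."""
    kind = "runtime" if raw["alert_category"].startswith("cdr.") else "config"
    return Finding(raw["id"], kind, raw["severity"].lower(), raw["resource"],
                   raw["title"], dict(raw.get("context", {})))


def dedupe(findings):
    """Same kind + resource + title is one finding; keep the highest-severity copy."""
    best = {}
    for f in findings:
        key = (f.kind, f.resource, f.title)
        if key not in best or SEVERITY_RANK[f.severity] > SEVERITY_RANK[best[key].severity]:
            best[key] = f
    return list(best.values())


def rci(f):
    """Remediation Confidence Indicator (heuristic assumed here): SAFE / RISKY / UNSAFE.

    SAFE means the fix can run unattended; UNSAFE means a human must approve. Config
    findings are scored on structure, runtime alerts on urgency and forensic risk."""
    c = f.context
    if f.kind == "config":
        points = ((2 if c.get("asset_value") == "crown_jewel" else 0)
                  + min(c.get("blast_radius", 0), 3)
                  + (1 if c.get("recurrences", 0) > 0 else 0))
    else:
        points = ((2 if c.get("live") else 0)
                  + min(c.get("spread_per_min", 0) // 10, 3)
                  # acting before evidence is captured would destroy the trail
                  + (2 if not c.get("forensics_captured") else 0))
    return "SAFE" if points <= 1 else ("RISKY" if points <= 3 else "UNSAFE")


def priority(f):
    """Urgency follows the evidence: live abuse and crown-jewel assets both rise."""
    return (SEVERITY_RANK[f.severity]
            + (2 if f.kind == "runtime" and f.context.get("live") else 0)
            + (2 if f.kind == "config" and f.context.get("asset_value") == "crown_jewel" else 0))


def build_queue(raw_records):
    """Single prioritized queue; on a tie the live runtime alert sorts first."""
    findings = dedupe(normalize(r) for r in raw_records)
    return sorted(findings, key=lambda f: (-priority(f), f.kind != "runtime", f.fid))


def plan(f):
    """Route to the playbook for the finding kind and gate execution on RCI."""
    score = rci(f)
    return {"id": f.fid, "kind": f.kind, "rci": score,
            "execution": "automated" if score == "SAFE" else "requires approval",
            "steps": PLAYBOOKS[f.kind]}


def audit_record(f, action, approver, verified):
    """One record shape whether the finding was dormant config or a live threat."""
    return {"id": f.fid, "kind": f.kind, "rci": rci(f), "priority": priority(f),
            "action": action, "approver": approver, "verified": verified}


# Constructed raw records; cc-1001 and cc-1002 are the same bucket seen on two scans.
RAW_RECORDS = [
    {"id": "cc-1001", "alert_category": "cspm.storage", "severity": "Medium",
     "resource": "arn:aws:s3:::public-assets", "title": "S3 bucket publicly readable",
     "context": {"asset_value": "low", "blast_radius": 1, "recurrences": 2}},
    {"id": "cc-1002", "alert_category": "cspm.storage", "severity": "High",
     "resource": "arn:aws:s3:::public-assets", "title": "S3 bucket publicly readable",
     "context": {"asset_value": "low", "blast_radius": 1, "recurrences": 2}},
    {"id": "cc-2001", "alert_category": "ciem.iam", "severity": "Critical",
     "resource": "arn:aws:iam::111122223333:role/prod-db-admin",
     "title": "Role allows iam:* on all resources",
     "context": {"asset_value": "crown_jewel", "blast_radius": 5, "recurrences": 0}},
    {"id": "cc-3001", "alert_category": "cdr.credential", "severity": "Critical",
     "resource": "arn:aws:iam::111122223333:user/svc-export",
     "title": "Credential abuse: burst of calls from unusual geography",
     "context": {"live": True, "spread_per_min": 40, "forensics_captured": False}},
]

if __name__ == "__main__":
    for f in build_queue(RAW_RECORDS):
        print(priority(f), plan(f))
```

With the constructed records the live credential-abuse alert and the critical crown-jewel IAM finding land at the same priority, which is the behaviour the page describes: category alone does not decide rank. Both are UNSAFE, so neither runs unattended, but for different reasons: the IAM finding because of blast radius, the CDR alert because evidence has not been captured yet.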

Close Config and Runtime Findings from the Same Workflow

Cortex Cloud unified detection across config and runtime. Tamnoon delivers safe CDR and CNAPP remediation at scale. Every finding type gets investigated, scored, and resolved through the same trusted workflow, with the response calibrated to what the signal actually demands.

With frontier AI accelerating findings on both sides of the queue, that workflow needs to hold up under increasing volume without adding headcount. Organizations running Tamnoon with Cortex Cloud reduce open exposures by up to 97% within 90 days. Config findings stay closed because prevention is built into the fix. Runtime threats get contained with full forensic context intact.

Book a demo with one of our CloudPros and see how Tamnoon delivers safe, automated remediation into Cortex Cloud’s unified view.


CNAPP Remediation FAQs

Both finding types enter through the same ingestion pipeline and follow the same workflow stages. The difference is in investigation depth and tempo. Config findings get thorough dependency and ownership mapping. Runtime alerts prioritize speed, scoping active threats, and preserving forensic evidence before containment. The RCI scoring adjusts its inputs based on the signal type.

Config findings are structural. The misconfiguration is static and can be investigated methodically. Runtime alerts reflect live behavior that is actively evolving. Acting before the investigation is complete risks destroying forensic evidence. Containing too early means losing visibility into what was accessed and by whom.

Tamnoon prioritizes based on the RCI and the finding’s risk profile, not the alert category alone. A CDR alert showing active credential abuse will naturally score higher urgency than a dormant storage misconfiguration. But a critical config finding on a production crown jewel asset can rank just as high. Prioritization follows the evidence.

Yes. Tami’s investigation for runtime alerts is read-only. It maps the scope of anomalous activity, identifies affected resources, and captures log data before any containment action is taken. This ensures the responding team has full context on what happened, when, and which resources were touched.

CDR stands for cloud detection and response. Cortex Cloud’s CDR capability blends runtime behavioral telemetry with posture findings to detect active threats in cloud environments. This includes anomalous API call patterns, geographic login anomalies, credential abuse, and data exfiltration signals. These alerts sit alongside config findings in the same Cortex Cloud console.

CNAPP remediation is the process of fixing security findings surfaced by a cloud-native application protection platform. This covers misconfigurations, over-privileged IAM roles, exposed storage, vulnerable workloads, and policy drift across AWS, Azure, and GCP. Effective CNAPP remediation requires more than applying a fix: it needs context on ownership, dependencies, blast radius, and safe execution to keep the finding closed.

CNAPP remediation addresses structural issues like misconfigurations and exposed resources. The pattern is methodical: investigate, plan a root-cause fix, often through IaC, and verify it stays closed. CDR remediation addresses live runtime threats, so the pattern is faster: scope the activity, preserve forensic evidence, contain, and then harden. Both feed the same security outcome but require different tempos.

Detection has scaled faster than remediation capacity. CNAPPs surface thousands of findings per day, but each one requires ownership, research, dependency analysis, and a safe fix that will not break production. Without dedicated workflows and tooling for CNAPP remediation, teams default to manual triage and ticket-based handoffs that cannot keep pace with the volume.
