Mitigation Actions Reference by Scan Type
Last updated: December 23, 2025
This article provides an authoritative reference for mitigation actions available in Cyrisma and the scan types to which they apply. It is intended to clarify what actions can be taken within mitigation plans, why certain actions are restricted to specific scan types, and how these actions affect remediation tracking and future scans.
This is a reference-style article and does not describe user interface workflows.
Purpose of Mitigation Actions
Mitigation actions define how findings from scans are handled within a mitigation plan. Depending on the scan type, findings may represent files, folders, email messages, configuration benchmarks, or vulnerabilities tied to software or systems.
Because these objects differ in nature, not all mitigation actions are available for all scan types.
Mitigation Action Availability by Scan Type
The table below shows which mitigation actions are available for each mitigation plan type.
| Mitigation Action | Local Data | Microsoft 365 Email Data | Cloud Data | Vulnerability | Secure Baseline Scan |
|---|---|---|---|---|---|
| Take No Action | Yes | Yes | Yes | No | Yes |
| Delete | Yes | Yes | No | No | No |
| Move to Secure Location | Yes | Yes | No | No | No |
| Encrypt | Yes | No | No | No | No |
| Remove Permissions | Yes | No | No | No | No |
| Task Completed | No | No | Yes | Yes | Yes |
| Mark as False Positive | Yes | Yes | Yes | No | No |
| Suppress | No | No | No | Yes | Yes |
| Globally Suppress | No | No | No | Yes | No |
| Suppress All Similar | No | No | No | No | Yes |
Explanation of Key Mitigation Actions
Take No Action
Indicates that no remediation or tracking action is required for the item. The finding remains visible but is intentionally left unchanged.
Available for data scans and secure baseline scans.
Delete
Deletes the affected file or email item from its source location.
Available only for file-based and email-based data sensitivity mitigation plans.
Move to Secure Location
Moves the affected file or email item to a system-defined secure repository. The secure repository location is configured by a system administrator.
Available only for file-based and email-based data sensitivity mitigation plans.
Encrypt
Encrypts the affected file on the host system using a specified password.
Available only for local data sensitivity mitigation plans where the Cyrisma agent has direct access to the file system.
Remove Permissions
Removes specified access permissions from a file to restrict exposure.
Available only for local data sensitivity mitigation plans.
Task Completed
Marks the mitigation item as completed without performing a technical enforcement action. This is commonly used to document remediation performed outside of Cyrisma, such as patching, configuration changes, or administrative fixes.
Available for cloud data scans, vulnerability scans, and secure baseline scans.
Mark as False Positive
Indicates that the detected item does not represent a valid risk. No further action is required, but the item remains documented.
Available for data sensitivity scans only.
Suppress
Suppresses the finding so it does not appear in future scan results or mitigation plans until the suppression expires.
Available for vulnerability scans and secure baseline scans.
Globally Suppress
Suppresses a vulnerability across all targets within the instance.
Available only for vulnerability scans.
Suppress All Similar
Suppresses a secure baseline finding across systems with the same operating system and compliance level.
Available only for secure baseline scans.
File-Based vs Target-Based Mitigation Behavior
Data Sensitivity mitigation plans operate on discrete objects such as files, folders, and email messages. Because the Cyrisma agent can take direct action on these objects, enforcement actions such as delete, encrypt, and permission removal are supported.
Vulnerability and Secure Baseline mitigation plans are target-based and configuration-driven. These plans track remediation effort but do not directly enforce changes on systems. As a result, actions are limited to documentation, suppression, and completion tracking.
Suppression and Mitigation Plans
Suppression is a form of risk acceptance and differs from remediation.
Key behaviors:
Suppressed items do not appear in future scan results
Suppressed items are not eligible for inclusion in new mitigation plans
Suppressions expire automatically based on system configuration
Suppressions can be applied from scan results or within mitigation plans
Suppression duration is controlled in system configuration and can be set to 30, 60, or 90 days.
Automated vs Manual Actions
Some mitigation actions trigger agent-side enforcement, such as deleting or encrypting files during local data mitigation.
Other actions are documentation-only and serve as evidence that remediation occurred outside of Cyrisma. Mitigation plans do not automatically update based on patching, configuration changes, or suppression unless a new scan is run.
Summary
Mitigation actions in Cyrisma are intentionally scoped by scan type to ensure technical accuracy and operational safety. Understanding which actions are available for each mitigation plan type helps ensure correct remediation, proper documentation, and accurate risk tracking across the platform.