Threat Statuses (Open, Re-Opened, Closed)
Each threat in Selki has a status that reflects where it stands in your investigation and remediation workflow.
Understanding these statuses ensures that security teams can track progress, prioritize exposures, and maintain clear operational visibility.
Selki uses three statuses:
- Open
- Re-Opened
- Closed
These states are shown both in the Threats List and inside each individual threat’s details panel.
1. Open Threats
A threat is Open when:
- it has been newly detected,
- it has not yet been reviewed or remediated,
- or it has returned to an actionable state.
Open threats require investigation, as they represent active exposures that may still pose risk.
When a threat becomes “Open”
A threat is classified as Open when:
- Selki detects it for the first time,
- its status is manually reopened,
- or new findings are added to an existing threat.
Open threats appear in the Active Threats filter.
2. Re-Opened Threats
Re-Opened threats are exposures that were previously closed, but have reappeared or been manually reopened.
A threat may be reopened when:
- the identity appears again in a new infostealer log or breach dump,
- new metadata is detected, such as a password or hostname,
- an analyst determines that previous remediation was incomplete,
- operational or security policy requires a reassessment.
Re-opened threats help teams recognize recurring risks or repeated compromises affecting the same user.
3. Closed Threats
A threat is Closed when the security team has:
- reviewed the exposure,
- taken appropriate mitigation steps,
- and decided it no longer represents an immediate operational risk.
Closing a threat typically follows actions such as:
- resetting passwords,
- enforcing MFA,
- disabling or validating affected accounts,
- contacting users to confirm remediation,
- confirming no further suspicious activity.
Once closed, the threat moves into the Closed Threats filter and is excluded from day-to-day triage unless new data appears.
Who Can Change a Threat’s Status?
Users with appropriate permissions can:
- open,
- close, or
- re-open
a threat directly from:
- the Threats List (by clicking the status dropdown), or
- the Threat Details panel (via the status menu).
Changes are applied instantly and reflected across all dashboards and exports.
How Status Changes Affect the Dashboard
Threat status influences several elements of the Selki Dashboard:
- The Active Threats count increases or decreases based on Open/Re-Opened statuses.
- Closed Threats appear in historical metrics.
- Trends graphs update dynamically to show remediation progress over time.
Status management is essential for accurate reporting and team coordination.
Workflow Recommendations
Here are best practices when managing threat statuses:
- Review Open threats daily, prioritizing High and Critical exposures.
- Close threats only after remediation has been completed.
- Re-open threats immediately if new findings or related exposures appear.
- Filter by Watcher to ensure domains with higher risk receive more frequent review.
- Audit Closed threats regularly to verify long-term mitigation effectiveness.
This ensures a disciplined response process and reduces the risk of overlooked exposures.
Summary
Threat statuses in Selki reflect the real-time lifecycle of identity exposures.
By understanding and using Open, Re-Opened, and Closed correctly, your team can maintain a clear, structured, and effective remediation workflow.
Updated on: 01/12/2025