define security rules and get notified when they're violated
Policies are meant to automatically help to guarantee that your application security program rules are being enforced based on the application/server business criticality, which is defined when an asset is created.
When they're violated, or when they're restored, you can trigger notifications. Those notifications could respect different escalation levels: Product Owner, Coordination, Management, Senior Management and CxO. It means that you can notify a Product Owner first, then if the policie continues to be violated, the next level you set, e.g., Senior Management, could be notified as well.
This policy aims to enforce a maximum amount of days that HTTPS certificates can reach prior to their expiration date for each application/server based on their business severities. Never let your users see the "invalid certificate" page. Learn more about Gauntlet Certificate Monitoring.
This policy aims to enforce a maximum amount of issues that could coexist for each application/server based on their business severities.
This policy aims to enforce a maximum time for issues to be fixed since their creation based on their business severities.
By default issues have an undefined business severity, because the business severity needs to be manually set, although it can be done in bulk. The point of this policy is to define a maximum time for an issue to have its business severity classified since its creation. Otherwise other policies won't be applied, e.g., Max Issues Policy and Max Fix Time Policy.
To make sure that your application or network device is being frequently scanned for vulnerabilities, this policy is very important. Even if your application or server doesn't change, scanners get updated and increase their vulnerability database, thus finding more bugs than before.