Ebook

Unifying Multi-Vendor Scan Data

About this ebook

How thirty connectors become one honest queue: the correlation, deduplication, and wave accounting that turn a pile of overlapping scanner output into a single source of truth you can actually triage.

Enterprise environments run three to ten scanners at once, and each one rescans the same hosts on its own schedule. Left alone, that produces silos, duplicates, and analysts triaging the same vulnerability five times over. This ebook is about the layer that prevents that outcome. It follows scanner output from the moment a connector fetches it, through normalization and a four-case deduplication pipeline, into a single deduplicated queue, and onward into wave accounting that turns repeated scans into a recurrence signal instead of noise. Along the way it shows how PMAP keeps the picture honest across thirty vendors: severity is never trusted blindly, every result is scoped to its tenant, raw payloads are archived for replay, and the same correlation engine runs under every connector so two tools reporting the same weakness on the same asset still produce one finding to manage.

What you will learn

  • Why the same vulnerability seen by many scanners must become one finding, and what breaks when it does not.
  • How one correlation engine sits under all thirty connectors, so deduplication is uniform regardless of scanner type.
  • How the four-case pipeline decides create, update, or reopen for every inbound result, deterministically.
  • How a normalized SHA-1 fingerprint becomes a cross-scanner dedup key, and how the V2 variant adds company-scoped precision.
  • How wave accounting and the asset wave matrix turn successive scans into a measurable recurrence and coverage signal.
  • How severity governance, tenant scope, and raw-payload archiving keep the unified queue trustworthy and defensible.

Inside this ebook

  • Chapter 1. The Unification Problem. A scanner is good at finding things. It is terrible at knowing whether someone else already found the same thing yesterday. Unification is the work of answering that question for every result, at scale, before a human ever looks.
  • Chapter 2. The Ingestion Path. Scanner data does not land directly in a table. It travels a defined path, and correlation sits in the middle of that path for every single connector. Understanding the path is understanding where unification happens.
  • Chapter 3. The Four-Case Deduplication Pipeline. For every inbound result the engine runs a small, deterministic decision tree. Four cases cover every situation, and the order they are tried in is what makes the outcome predictable rather than lucky.
  • Chapter 4. The Fingerprint. Cross-scanner deduplication lives or dies on one value. The fingerprint is the quiet mechanism that lets two different tools, describing the same vulnerability in their own dialects, resolve to a single finding.
  • Chapter 5. Wave Accounting and Recurrence. Deduplication answers whether a result is new. Wave accounting answers something a single scan never can: is this vulnerability coming back, and which scanners are actually watching it.
  • Chapter 6. Keeping the Mirror Current and Honest. Unification is not a one-time import. It is a living mirror of every connected vendor’s scan portfolio, kept current by schedulers and sync loops, and kept honest by scope, idempotency, and archived evidence.

Without a unified import layer, every scanner produces its own silo of findings, duplicates multiply, and analysts triage the same vulnerability five times. The import layer collapses that into one governed, deduplicated queue.

PMAP design rationale

At a glance

  • Series: PMAP Ebook
  • Discipline: Scan Orchestration
  • Audience: CISO, vulnerability manager, scan operator
  • Reading time: About 50 minutes
  • Platform: PMAP by Privia Security
  • Applies to: PMAP v2026.06
