Security Inventory vulnerability counts should exclude "no longer detected" vulnerabilities
**Problem Statement**

Security Inventory currently includes "no longer detected" vulnerabilities in its vulnerability counts. The upgraded Security Dashboard (gradually released since February/March 2026) excludes these by default, creating an inconsistency between the two surfaces.

When a customer views vulnerability counts in Security Inventory and then compares them to the Security Dashboard, the numbers do not match. This undermines trust in both surfaces and causes confusion about which is the source of truth.

---

**Root Cause**

Security Inventory vulnerability counts are based on the `vulnerability_statistics` table, which was the original source for the Security Dashboard. The Security Dashboard has since been upgraded to exclude "no longer detected" vulnerabilities using `vulnerabilitiesPerSeverity` via Elasticsearch and other sources. Security Inventory was not updated to match this change.

---

**Expected Behavior**

Security Inventory vulnerability counts should exclude "no longer detected" vulnerabilities, consistent with the behavior of the upgraded Security Dashboard and the default filter in the Vulnerability Report.

---

**Current Behavior**

Security Inventory includes "no longer detected" vulnerabilities in its counts, resulting in higher numbers than the Security Dashboard for the same group or project.

---

**Impact**

Customers comparing Security Inventory and Security Dashboard counts see different numbers and cannot determine which is accurate. This is particularly confusing when Security Inventory is being used as the primary observability surface for security posture.

---

**References**

* Related issue: Risk score does not exclude no longer detected vulnerabilities (https://gitlab.com/gitlab-org/gitlab/-/work_items/600438)
* Slack thread: https://gitlab.slack.com/archives/C07UD442PQ9/p1779103830135599

---

**DRI**

* Engineering: @rossfuhrman
* PM: @m-omokoh