Dynamic Funnel for Agentic Vuln Management Adoption
## TL;DR
New funnel-type chart on the upgraded security dashboard that shows the level of adoption of DAP features and how they might be able to increase or scale it.
## Business Value
This feature will enable customers to identify gaps in DAP adoption, which will drive consumption and revenue and creates and creates a compelling demo as well.
## Success Criteria
How will we know this epic is successful? Define measurable outcomes.
- [ ] Performance or usage metric
- [ ] UX or qualitative outcome
## Scope
### In Scope
1. This chart is located on the group and project security dashboard page
2. A 'funnel' or 'wave' type visual that demonstrates how agentic flows are influencing
3. The funnel should have the following steps presented if the customer has them configured for that project /group
1. Number of Critical and High SAST vulnerabilities detected in last x days
2. True positives (with AI false positive detection)
3. MRs created with DAP
4. MRs merged
4. Support for page-level filters (project, report type, security attributes)
5. Available for both Ultimate and Ultimate+DAP users, but Ultimate only customers should have their chart grayed out/have an empty state: it should be a hint for what Users could get if they upgrade to DAP.
6. For Ultimate+DAP, if "False Positive detection" or "Vulnerability Resolution", show an empty state at the correct step in the funnel
#### Requirement details
1. Since MRs created and MRs merged could be ever-incrementing numbers, we will limit the vulnerabilities to detected in last x days.
2. Each step in the funnel filters from the step before.
3. Number of Critical and High SAST vulnerabilities detected in last x days: since we're only considering DAP use cases (which can tackle all critical and high sast vulnerabilities) we don't need extra filtering in this step.
4. True positives (with AI false positive detection): we need to use vulnerability flags where the origin is from AI FP detection and it's confirmed as non FP.
### Out of Scope
1. Organization-wide security dashboard
2. Group-by filtering like severity / report type
3. Exploitability
4. Other steps in the funnel
### Key Milestones
- [ ] Milestone 1 - Target: YYYY-MM-DD
- [ ] Milestone 2 - Target: YYYY-MM-DD
## Decision Log
Track key decisions to avoid rehashing discussions
| Date | Decision | Rationale | Owner |
|------|----------|-----------|-------|
| | | | |
## Resources
- Design: [link]
- Documentation: [link]
<details>
<summary>PM description</summary>
**Problem to Solve:** Customers are unable to understand the level of adoption of DAP features and how they might be able to increase or scale it
Business Case: This feature will enable customers to identify gaps in DAP adoption, which will drive consumption and revenue and creates and creates a compelling demo as well.
**In Scope:**
* This chart is located on the security dashboard page.
* A 'funnel' or 'wave' type visual that demonstrates how agentic flows are influencing
* The following steps in the funnel should be presented if the customer has them configured for that project group or at org level when org level is made available.
* Vulnerabilities detected
* True Positives (SAST / Secrets only today)
* Exploitability (once this is made available via 'SDLC' agent)
* MRs created
* MRs resolved
* Other fields may be introduced in the future
* Support for filters (severity, report type, business context, projects) and group bys (severity, report type, business context)
* This should be available for both users (Ultimate and Ultimate+DAP) _but_ Ultimate only customers should be grayed out - it should be a hint for what Users could get if they upgrade to DAP.
* For Ultimate + DAP, if an agent is not on, grey out that specific chart element.
**Out of Scope:**
* n/a
**Designs: see attached**
**Dependencies**
* tbd
</details>
epic