
Creating Checks, strategies & scopes

The point of a Forge investigation isn’t just to answer a question once — it’s to capture the answer as something the platform keeps working for you. Forge can save three kinds of durable objects, all from the same conversation: Checks, remediation strategies, and remediation scopes.

All three follow the same shape: you and Forge develop the thing, validate it against the endpoints in your Reach, and Forge presents a single approval card before anything is saved. Creating any of these always requires your explicit approval.

A Check is a saved detection — a script or osquery query the agent runs on a schedule, emitting a finding on every match. Checks fill the gap when no scanner has a signature for what you need to find.

  1. Describe what you’re hunting for. “Are any endpoints running OpenSSH older than 9.6?” or “Flag any host where the root account has a non-expiring password.”
  2. Forge drafts a detection — a shell/PowerShell script or an osquery query — and you validate it by running it against the endpoints in your Reach. Refine until the results are right: narrow the query, eliminate a false positive, switch languages.
  3. Ask Forge to save it as a Check. Forge presents an approval card summarizing the detection and its classification badges (destructive, requires-elevated-privilege, long-running, and so on). Hover a badge for the rationale.
  4. Set schedule, scope, and severity at save time — a cron schedule for recurring evaluation (or leave it one-shot), an optional endpoint filter, and a severity that controls how the resulting findings are weighted downstream.
  5. Approve. Once active, the Check runs on every matching endpoint on its schedule and emits findings that flow through the rest of the pipeline unchanged.

You can trigger an immediate run of a saved Check from the conversation rather than waiting for the next scheduled evaluation.
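As an added illustration of what a script-based Check looks like (this is example code written for this page, not Furl's or Forge's own), the two detection functions below cover the page's own examples: OpenSSH older than 9.6 and a root account whose password never expires. The exit-code convention (0 = finding, 1 = no finding, 2 = could not evaluate), the FINDING output line and all sample inputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not Furl's or Forge's own code: two detection functions in the shape a
# script-based Check takes. Assumed exit-code convention: 0 = finding emitted,
# 1 = no finding, 2 = could not evaluate. Sample inputs below are constructed, not captured.

# version_lt A B: succeeds when dotted version A is numerically lower than B (9.2 < 9.6, 9.10 > 9.6).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# check_openssh_outdated SSH_V_OUTPUT MIN_VERSION
# On a live host the first argument would come from `ssh -V 2>&1` (the banner goes to stderr).
check_openssh_outdated() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*\).*/\1/p')
  [ -n "$ver" ] || return 2          # not OpenSSH, or banner format not recognised
  if version_lt "$ver" "$2"; then
    printf 'FINDING openssh_outdated installed=%s minimum=%s\n' "$ver" "$2"
    return 0
  fi
  return 1
}

# check_root_password_never_expires SHADOW_CONTENT
# Field 5 of /etc/shadow is the maximum password age; empty or 99999 means it never expires.
# A locked root account ("!" or "*" in field 2) has no password to expire and is not a finding.
check_root_password_never_expires() {
  line=$(printf '%s\n' "$1" | sed -n '/^root:/p')
  [ -n "$line" ] || return 2
  hash=$(printf '%s\n' "$line" | cut -d: -f2)
  maxdays=$(printf '%s\n' "$line" | cut -d: -f5)
  case "$hash" in ''|'!'*|'*'*) return 1 ;; esac
  if [ -z "$maxdays" ] || [ "$maxdays" -ge 99999 ]; then
    printf 'FINDING root_password_never_expires max_days=%s\n' "${maxdays:-unset}"
    return 0
  fi
  return 1
}

# Constructed samples standing in for endpoints' ssh banners and shadow entries.
SSH_OLD='OpenSSH_9.2p1 Debian-2+deb12u2, OpenSSL 3.0.11 19 Sep 2023'
SSH_CURRENT='OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL 3.0.13 30 Jan 2024'
SHADOW_NEVER_EXPIRES='root:$6$constructedsalt$constructedhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::'
SHADOW_EXPIRES='root:$6$constructedsalt$constructedhash:19700:0:90:7:::'
SHADOW_LOCKED='root:!:19700:0:99999:7:::'

# Sample run: each function prints a FINDING line only on a match, as a Check would.
for banner in "$SSH_OLD" "$SSH_CURRENT"; do
  check_openssh_outdated "$banner" 9.6 || echo "no finding: $banner"
done
for shadow in "$SHADOW_NEVER_EXPIRES" "$SHADOW_EXPIRES" "$SHADOW_LOCKED"; do
  check_root_password_never_expires "$shadow" || echo "no finding: $(printf '%s\n' "$shadow" | head -n 1)"
done
```

The third exit code matters in practice: a host where the banner cannot be parsed or the root entry is missing should surface as an evaluation error rather than silently count as "no finding", otherwise a broken collector looks identical to a healthy fleet. The numeric field compare is what keeps 9.10 from being flagged as older than 9.6, the kind of false positive the refine step exists to remove.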

See Checks for the full anatomy, status lifecycle, and how Check findings flow downstream.

A remediation strategy is a reusable method for fixing a remediation subject — an update, patch, uninstall, configuration change, or manual procedure. Use Forge when the default strategy for a subject doesn’t fit your environment and you have a tested fix of your own.

  1. Describe the fix. “We need to update Firefox on these Macs via Homebrew” or “Here’s our tested PowerShell script for installing Chrome with our GPO settings.”
  2. Validate the fix by running it against a vulnerable endpoint in your Reach, so you know it actually works before saving it.
  3. Ask Forge to create the strategy. On the approval card, Forge captures:
    • the subject it fixes (product and vendor),
    • the type (update, patch, uninstall, configure, manual),
    • the execution method (package manager, script, or manual instructions),
    • the OS families it applies to, and whether it requires a reboot,
    • and, for script strategies, classification badges for the script, just as on a Check's card.
  4. Approve. The strategy joins the strategy library immediately and becomes selectable for matching targets; over time its confidence score updates based on real outcomes.
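To make the "validate before saving" step concrete, here is an added example of the shape a script-type strategy can take for the page's own case, updating Firefox on macOS via Homebrew. This is example code written for this page, not Furl's or Forge's own strategy: `brew list --cask --versions` and `brew upgrade --cask` are real Homebrew commands, but the preflight/apply/verify structure, the exit codes, the `REBOOT_REQUIRED` line and the `brew_stub` validation double are assumptions made here.

```shell
#!/bin/sh
# Added example, not Furl's or Forge's own code: a script-type remediation strategy for the
# subject "Firefox / Mozilla" on macOS via Homebrew. The preflight/apply/verify structure,
# the exit codes and the REBOOT_REQUIRED line are assumed conventions for this example.
# PKG_CMD lets a validation run swap in the constructed stub defined below.

PKG_CMD="${PKG_CMD:-brew}"
CASK="firefox"

# Prints the installed cask version (e.g. "128.0"), or nothing if the cask is not installed.
installed_version() {
  "$PKG_CMD" list --cask --versions "$CASK" 2>/dev/null | awk '{ print $2 }'
}

apply_update() {
  "$PKG_CMD" upgrade --cask "$CASK"
}

# Exit codes (assumed): 0 remediated, 1 apply failed, 2 verify failed, 3 not applicable.
remediate() {
  before=$(installed_version)
  if [ -z "$before" ]; then
    echo "preflight: $CASK is not installed via Homebrew; strategy does not apply"
    return 3
  fi
  if ! apply_update; then
    echo "apply: $PKG_CMD upgrade --cask $CASK failed"
    return 1
  fi
  after=$(installed_version)
  if [ "$after" = "$before" ]; then
    echo "verify: $CASK still at $before after upgrade; treating as not remediated"
    return 2
  fi
  echo "remediated: $CASK $before -> $after"
  echo "REBOOT_REQUIRED=no"
  return 0
}

# Constructed stand-in for Homebrew, used only during validation; state lives in STUB_* variables.
STUB_INSTALLED="127.0.2"
STUB_UPGRADE_NOOP=""
brew_stub() {
  case "$1 $2" in
    "list --cask") [ -n "$STUB_INSTALLED" ] && printf '%s %s\n' "$CASK" "$STUB_INSTALLED" ;;
    "upgrade --cask") [ -n "$STUB_UPGRADE_NOOP" ] || STUB_INSTALLED="128.0" ;;
  esac
}

# Usage: `sh strategy.sh --validate` exercises the flow against the stub;
# `sh strategy.sh --apply` runs it for real against Homebrew.
case "${1:-}" in
  --validate) PKG_CMD=brew_stub; remediate ;;
  --apply) remediate ;;
esac
```

The verify step is the part worth keeping in any strategy you save: a strategy library that updates confidence scores from real outcomes only learns the truth if "upgrade ran but nothing changed" is reported as a failure rather than a success, and "subject not installed here" is reported as not applicable rather than either.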

See Remediation Strategies for strategy types, execution methods, selection order, and organization overrides.

A remediation scope is a standing policy: “keep this software healthy on these endpoints.” Where a Check finds and a strategy fixes, a scope continuously applies the fix across a slice of the fleet. Create one from Forge when you’ve validated a fix and want to roll it out and keep it rolled out.

  1. Describe the rollout. “Keep Firefox updated on all macOS endpoints” or “Fix Chrome on every Windows endpoint owned by the sales team.”
  2. Forge composes the scope filters from your description — by product, vendor, OS family, and whether the endpoint must have a Furl agent.
  3. Review the preview. The approval card summarizes the filters and estimates how many targets and endpoints the scope will match, so you can confirm the blast radius before it goes live.
  4. Approve, and choose whether to activate immediately. An active scope continuously matches new targets and dispatches remediations, subject to governance and tag-based execution policies.

Start narrow. Scope to a small endpoint group — a canary tag, a single team — and watch outcomes before widening the filters. You manage and expand the scope afterward from the remediation scopes page.
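As an added example of the blast-radius check described above (example code written for this page, not Furl's or Forge's own), the function below evaluates scope filters against a constructed endpoint inventory and counts matches, first for the full rollout and then narrowed to a canary tag. The filter fields follow the ones the page names (product, vendor, OS family, agent presence); the tag column, the CSV layout and the inventory rows are assumptions, not Forge's data model.

```shell
#!/bin/sh
# Added example, not Furl's or Forge's own code: previewing a scope's blast radius against a
# constructed endpoint inventory before activating it. The CSV layout, the tag column and
# the rows are assumptions for this example.

# Constructed inventory: hostname,os_family,vendor,product,has_agent,tag
INVENTORY='mac-01,macos,Mozilla,Firefox,yes,canary
mac-02,macos,Mozilla,Firefox,yes,sales
mac-03,macos,Mozilla,Firefox,no,sales
win-01,windows,Google,Chrome,yes,sales
win-02,windows,Google,Chrome,yes,canary
lnx-01,linux,Mozilla,Firefox,yes,eng'

# scope_preview OS_FAMILY VENDOR PRODUCT REQUIRE_AGENT [TAG]
# "*" matches any value; REQUIRE_AGENT=yes keeps only endpoints with an agent. Prints matching hostnames.
scope_preview() {
  printf '%s\n' "$INVENTORY" | awk -F, -v os="$1" -v vendor="$2" -v product="$3" \
      -v agent="$4" -v tag="${5:-*}" '
    (os == "*" || $2 == os) &&
    (vendor == "*" || $3 == vendor) &&
    (product == "*" || $4 == product) &&
    (agent != "yes" || $5 == "yes") &&
    (tag == "*" || $6 == tag) { print $1 }'
}

# Number of endpoints the scope would touch: the figure to sanity-check before approving.
scope_count() {
  scope_preview "$@" | wc -l | tr -d ' '
}

# Sample run: the full rollout versus the same filters narrowed to the canary tag.
echo "Keep Firefox updated on all macOS endpoints (agent required): $(scope_count macos Mozilla Firefox yes) endpoints"
scope_preview macos Mozilla Firefox yes
echo "Same scope limited to the canary tag: $(scope_count macos Mozilla Firefox yes canary) endpoint(s)"
scope_preview macos Mozilla Firefox yes canary
```

Note how the agent-required filter drops mac-03 even though its software matches: an endpoint the scope cannot execute on should not be counted toward the preview, and a preview that is larger than you expected is the moment to tighten a filter rather than approve.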

See Remediation Scopes for filter details, the scope lifecycle, and how matched targets become executions.

A complete Forge workflow often produces all three in sequence:

  1. A Check discovers which endpoints have the problem and keeps watching for new ones.
  2. A strategy defines the validated fix for the affected software.
  3. A scope ties them together into a standing policy that remediates matches automatically and keeps the fleet healthy going forward.

Each object stands on its own and is managed from its own library after you create it — but creating them together in one investigation is what turns a one-off question into durable automation.