Risk exclusions, per-risk threshold configuration, and a dedicated risk rule that lists all custom exclusions

What is a one sentence summary of your feature request?

Add the ability to define explicit exclusions for relevant risks, including a dedicated risk rule that lists all custom exclusions.

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

Risks analyzing GPOs, users, computers, service accounts, files, certificates, and similar objects may require exclusions for various valid reasons, such as honeypots, business requirements, or multiple break‑glass domain accounts.

These exclusions should be configurable by GUID and/or name and must include a description field explaining the reason for each exclusion.

Therefore, the existing honeypot structure in the JSON configuration, as well as all detectable risks, should be extended to respect these exclusions.

Additionally, configuring a per‑risk threshold would be extremely helpful, as appropriate thresholds are highly dependent on the specific environment.

Whenever any kind of exclusion is applied, a dedicated risk with 0 points should be triggered. This risk should clearly list all active exclusions along with their documented reasons, ensuring transparency and auditability.

This approach reduces false positives while maintaining visibility into intentional deviations from best practices.

How do you currently solve the challenges you have by not having this feature?

Currently, we document somewhere else that a specific rule is not relevant.
Some others seem to ask support to increase the limits, as was done here: Increase number of domain admin not member of protected users · Issue #335 · netwrix/pingcastle · GitHub

For the threshold, we do our own checks and manually override the results, for example for these risks and some others:

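To make the requested behaviour concrete, here is an added, hypothetical Python model of the proposal (not PingCastle code; the JSON field names, rule IDs, GUIDs, default threshold and point values are constructed): exclusions by GUID and/or name that must carry a reason, a per-risk threshold overriding the built-in one, and the 0-point rule that lists every exclusion actually applied.

```python
import json
from collections import Counter

# Constructed stand-in for the proposed JSON configuration. The field names and
# the rule IDs are hypothetical and not PingCastle's real schema.
CONFIG = json.loads("""
{
  "exclusions": [
    {"rule": "EX-AdminNotInProtectedUsers", "guid": "5f3a1c2e-0000-4000-8000-000000000001",
     "reason": "Honeypot admin account, monitored by the SOC"},
    {"rule": "EX-AdminNotInProtectedUsers", "name": "breakglass-02",
     "reason": "Second break-glass account, documented in runbook BG-2"}
  ],
  "thresholds": {"EX-AdminNotInProtectedUsers": 2}
}
""")

# Constructed findings, as a rule engine would emit them before scoring.
RULE = "EX-AdminNotInProtectedUsers"
FINDINGS = [{"rule": RULE, "guid": "5f3a1c2e-0000-4000-8000-00000000000%d" % i, "name": n}
            for i, n in enumerate(["honeypot-da", "breakglass-01", "BreakGlass-02", "svc-legacy"], 1)]
DEFAULT_THRESHOLD = 1          # hypothetical built-in limit: more than one hit triggers the rule
POINTS = {RULE: 20}            # hypothetical score for the rule

def matches(exclusion, finding):  # same rule, then GUID and/or case-insensitive name
    if exclusion["rule"] != finding["rule"]:
        return False
    if "guid" in exclusion and exclusion["guid"].lower() == finding["guid"].lower():
        return True
    return "name" in exclusion and exclusion["name"].lower() == finding["name"].lower()

def evaluate(config, findings):
    bad = [e for e in config["exclusions"] if not e.get("reason")]
    if bad:                        # every exclusion must document why it exists
        raise ValueError(f"exclusion without a documented reason: {bad}")
    applied, kept = [], []
    for f in findings:
        hit = next((e for e in config["exclusions"] if matches(e, f)), None)
        if hit:
            applied.append((f["name"], hit["reason"]))
        else:
            kept.append(f)
    report = {}
    for rule, n in Counter(f["rule"] for f in kept).items():
        limit = config["thresholds"].get(rule, DEFAULT_THRESHOLD)
        if n > limit:              # per-risk threshold replaces the built-in default
            report[rule] = {"points": POINTS[rule], "count": n, "threshold": limit}
    if applied:                    # 0-point rule keeps every applied exclusion visible and auditable
        report["EX-CustomExclusions"] = {"points": 0, "excluded": applied}
    return report
```

With the configured threshold of 2, the two remaining accounts do not trigger the rule, but the report still carries the 0-point exclusion list with both documented reasons.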