From 3eaad97e645a0114250968ceda23b9f2f21d8ede Mon Sep 17 00:00:00 2001 From: Alex Augustine Date: Fri, 31 Oct 2025 03:36:48 -0400 Subject: [PATCH 1/7] Add information on policy settings to prevent future ghas enablement (#58090) Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- .../managing-your-github-advanced-security-license-usage.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/managing-your-github-advanced-security-license-usage.md b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/managing-your-github-advanced-security-license-usage.md index 4490301d2643..0071180688d8 100644 --- a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/managing-your-github-advanced-security-license-usage.md +++ b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/managing-your-github-advanced-security-license-usage.md 
@@ -57,6 +57,11 @@ To learn about licensing for {% data variables.product.prodname_GHAS_cs_and_sp % The simplest way to turn off all {% data variables.product.prodname_cs_or_sp %} features for one or more repositories is to create a security configuration where the product is disabled at the top level. You can apply this custom configuration to repositories where you want to turn off paid features. +To prevent future enablement of security features, we recommend you ask your enterprise administrator to set the enterprise account's {% data variables.product.prodname_AS %} policies so that: +* {% data variables.product.prodname_AS %} is **not available**. +* Repository administrators are **not allowed** to enable or disable {% data variables.product.prodname_AS %} features for their repositories. +See [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise). + > [!TIP] > Ensure that you give your custom configuration a very clear name, for example: "No Code Security" or "Secret Protection and Supply chain only" to avoid confusion. From e1ead9edeed9194a5bf1dac9817670bd20297656 Mon Sep 17 00:00:00 2001 From: hubwriter Date: Fri, 31 Oct 2025 07:39:49 +0000 Subject: [PATCH 2/7] Fix typo in Visual Studio docs for Copilot (#58222) Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- content/copilot/how-tos/set-up/install-copilot-extension.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/copilot/how-tos/set-up/install-copilot-extension.md b/content/copilot/how-tos/set-up/install-copilot-extension.md index 3d0f1be0de66..edad593003a2 100644 --- a/content/copilot/how-tos/set-up/install-copilot-extension.md +++ b/content/copilot/how-tos/set-up/install-copilot-extension.md 
@@ -156,13 +156,15 @@ To see instructions for other popular coding environments, use the tool switcher Starting from {% data variables.product.prodname_vs %} 2022 Version 17.10, the unified {% data variables.product.prodname_copilot_short %} and {% data variables.copilot.copilot_chat %} extension is included by default as a built-in component. For more information, see [Install {% data variables.product.prodname_copilot %} in {% data variables.product.prodname_vs %}](https://learn.microsoft.com/en-us/visualstudio/ide/visual-studio-github-copilot-install-and-states?ref_product=copilot&ref_type=engagement&ref_style=text) in the Microsoft documentation. +The following instructions are for versions 2022 17.8 and 2022 17.9 of {% data variables.product.prodname_vs %} for Windows. + ## Installing the {% data variables.product.prodname_copilot %} extension in {% data variables.product.prodname_vs %} 1. Make sure you have access to {% data variables.product.prodname_copilot %}. For information, see [AUTOTITLE](/copilot/about-github-copilot/what-is-github-copilot#getting-access-to-copilot). 1. Make sure you have a compatible version of {% data variables.product.prodname_vs %} installed. {% data reusables.copilot.visual-studio-version %} -1. Install the {% data variables.product.prodname_copilot %} in {% data variables.product.prodname_vs %} See [Install {% data variables.product.prodname_copilot %} in {% data variables.product.prodname_vs %}](https://learn.microsoft.com/en-us/visualstudio/ide/visual-studio-github-copilot-install-and-states?ref_product=copilot&ref_type=engagement&ref_style=text) in the Microsoft documentation. +1. Install the {% data variables.product.prodname_copilot %} extension in {% data variables.product.prodname_vs %}. 
See [Install {% data variables.product.prodname_copilot %} in {% data variables.product.prodname_vs %}](https://learn.microsoft.com/en-us/visualstudio/ide/visual-studio-github-copilot-install-and-states?ref_product=copilot&ref_type=engagement&ref_style=text) in the Microsoft documentation. 1. After installing the {% data variables.product.prodname_copilot %} extension, to enable {% data variables.product.prodname_copilot %}, ensure you have added your {% data variables.product.prodname_dotcom %} account to {% data variables.product.prodname_vs %}. For more information, see [Add your {% data variables.product.prodname_dotcom %} accounts to your {% data variables.product.prodname_vs %} keychain](https://learn.microsoft.com/en-us/visualstudio/ide/work-with-github-accounts?ref_product=copilot&ref_type=engagement&ref_style=text) in the Microsoft documentation. From 3bea960d206cd3200dcab0191f612cc5079ef567 Mon Sep 17 00:00:00 2001 From: Florin Coada Date: Fri, 31 Oct 2025 07:43:51 +0000 Subject: [PATCH 3/7] Revise default setup language configuration details (#58267) Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- ...guring-default-setup-for-code-scanning-at-scale.md | 1 - .../configuring-default-setup-for-code-scanning.md | 11 +++-------- 2 files changed, 3 insertions(+), 9 deletions(-) diff --git a/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md index 74eddc74fd72..7c1920ac623a 100644 --- a/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md +++ b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md 
@@ -45,7 +45,6 @@ For repositories that are not eligible for default setup, you can configure adva A repository must meet all the following criteria to be eligible for default setup, otherwise you need to use advanced setup. * Advanced setup for {% data variables.product.prodname_code_scanning %} is not already enabled. -* Uses Go, JavaScript/TypeScript, Python, or Ruby. {% data reusables.code-scanning.require-actions-ghcs %} {% data reusables.code-scanning.default-setup-pre-enablement-explanation %} diff --git a/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md index 18b6a7aa8ffa..505f1bdd94ef 100644 --- a/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md +++ b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md 
@@ -56,11 +56,9 @@ Default setup uses the `none` build mode for {% data variables.code-scanning.no_ We recommend that you start using {% data variables.product.prodname_code_scanning %} with default setup. After you've initially configured default setup, you can evaluate {% data variables.product.prodname_code_scanning %} to see how it's working for you. If you find that something isn't working as you expect, you can customize default setup to better meet your needs. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning). -### About adding non-compiled and compiled languages to your default setup +### About adding new languages to your default setup -If the code in a repository changes to include Go, JavaScript/TypeScript, Python, or Ruby, {% data variables.product.prodname_dotcom %} will automatically update the {% data variables.product.prodname_code_scanning %} configuration to include the new language. If {% data variables.product.prodname_code_scanning %} fails with the new configuration, {% data variables.product.prodname_dotcom %} will resume the previous configuration automatically so the repository does not lose {% data variables.product.prodname_code_scanning %} coverage. - -Compiled languages are not automatically included in default setup configuration because they often require more advanced configuration, but you can manually select any {% data variables.product.prodname_codeql %}-supported compiled language for analysis. +If the code in a repository changes to include any {% data variables.product.prodname_codeql %}-supported languages, {% data variables.product.prodname_dotcom %} will automatically update the {% data variables.product.prodname_code_scanning %} configuration to include the new language. 
If {% data variables.product.prodname_code_scanning %} fails with the new configuration, {% data variables.product.prodname_dotcom %} will resume the previous configuration automatically so the repository does not lose {% data variables.product.prodname_code_scanning %} coverage. ## Configuring default setup for a repository @@ -79,7 +77,6 @@ Compiled languages are not automatically included in default setup configuration {% ifversion ghas-products %} ![Screenshot of the "{% data variables.product.prodname_code_scanning_caps %}" section of "{% data variables.product.UI_advanced_security %}" settings. The "Default setup" button is highlighted with an orange outline.](/assets/images/help/security/default-code-scanning-setup-ghas.png) - {% else %} 
@@ -89,11 +86,9 @@ Compiled languages are not automatically included in default setup configuration You will then see a "{% data variables.product.prodname_codeql %} default configuration" dialog summarizing the {% data variables.product.prodname_code_scanning %} configuration automatically created by default setup. - > [!NOTE] - > If your repository contains _only_ compiled {% data variables.product.prodname_codeql %}-supported languages (for example, Java), you will be taken to the settings page to select the languages you want to add to your default setup configuration. 1. Optionally, to customize your {% data variables.product.prodname_code_scanning %} setup, click **{% octicon "pencil" aria-hidden="true" aria-label="pencil" %} Edit**. - * To add or remove a language from the analysis performed by default setup, select or deselect that language in the "Languages" section. If you would like to analyze a {% data variables.product.prodname_codeql %}-supported compiled language with default setup, select that language here. + * To add or remove a language from the analysis performed by default setup, select or deselect that language in the "Languages" section. * To specify the {% data variables.product.prodname_codeql %} query suite you would like to use, select your preferred query suite in the "Query suites" section. 1. Review the settings for default setup on your repository, then click **Enable {% data variables.product.prodname_codeql %}**. This will trigger a workflow that tests the new, automatically generated configuration. From 1d8f219861e1cb99c6800476df6f573844fbf2f9 Mon Sep 17 00:00:00 2001 
From: Jules <19994093+jules-p@users.noreply.github.com> Date: Fri, 31 Oct 2025 08:44:27 +0100 Subject: [PATCH 4/7] Add deprecation notice for Copilot Extensions Developer Policy (#57940) Co-authored-by: Jules Porter Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- .../github-terms/github-copilot-extension-developer-policy.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/site-policy/github-terms/github-copilot-extension-developer-policy.md b/content/site-policy/github-terms/github-copilot-extension-developer-policy.md index d9a30aa99f5d..b41493ab7928 100644 --- a/content/site-policy/github-terms/github-copilot-extension-developer-policy.md +++ b/content/site-policy/github-terms/github-copilot-extension-developer-policy.md @@ -7,7 +7,9 @@ topics: - Legal --- -> Last Updated: September 6, 2024 +> Last Updated: October 20, 2025 + +> [!WARNING] We are deprecating GitHub Copilot Extensions on November 10, 2025, in favor of the Model Context Protocol (MCP). You can read more about this change in our [changelog post](https://github.blog/changelog/2025-09-24-deprecate-github-copilot-extensions-github-apps/). This Agreement is a legal agreement between you (“You”) and GitHub, Inc. (“GitHub”, “we”, or “us”). By clicking “I Agree”, you’re agreeing to be bound by all the terms of this Agreement. If you are entering into this Agreement on behalf of a company or other legal entity, you represent that you have the legal authority to bind the entity to this Agreement, in which case “You” will mean the entity you represent. From d4691afedf70a2c611bc6481870f3686a59069aa Mon Sep 17 00:00:00 2001 
From: Damien Butler <81618731+DamienButler@users.noreply.github.com> Date: Fri, 31 Oct 2025 07:58:40 +0000 Subject: [PATCH 5/7] Damienbutler GHES SCIM table network requirements for configuring SCIM provisioning (#57991) Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../configuring-scim-provisioning-for-users.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md index 0944b1866d00..341c8d09cb09 100644 --- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md +++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md 
@@ -58,6 +58,14 @@ If you're configuring SCIM provisioning for a new enterprise, make sure to compl {% else %} * SCIM is a server-to-server protocol. Your instance's REST API endpoints must be accessible to your SCIM provider. + +This table contains the network requirements to configure GHES SCIM with an IdP: + +| System | Direction | Purpose | Protocol / Port | Notes | +|------------|------------|----------|------------------|-------| +| GitHub Enterprise Server | Inbound | Receives SCIM API requests from IdP for users and groups | TCP 443 (HTTPS) | [AUTOTITLE](/enterprise-server/rest/enterprise-admin/scim) must be reachable from IdP | +| Identity Provider (IdP) | Outbound | Sends SCIM provisioning requests to GitHub for users and groups | TCP 443 (HTTPS) | IdP acts as SCIM client, initiating outbound HTTPS connections to GitHub's SCIM API endpoints. | + * For authentication, your instance must use SAML SSO, or a mix of SAML and built-in authentication. * You cannot mix SCIM with other external authentication methods. If you use CAS or LDAP, you will need to migrate to SAML before using SCIM. * After you have configured SCIM, you must keep SAML authentication enabled to continue using SCIM. From d5217345dff5a3eded68ce2806a33a145878f64a Mon Sep 17 00:00:00 2001 From: hubwriter Date: Fri, 31 Oct 2025 07:59:33 +0000 Subject: [PATCH 6/7] Mention character limit for CIs in CCR (#58269) Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- content/copilot/concepts/prompting/response-customization.md | 2 +- .../copilot/repository-custom-instructions-support.md | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/content/copilot/concepts/prompting/response-customization.md b/content/copilot/concepts/prompting/response-customization.md index b4c16b01e580..fd3e7bf07666 100644 --- a/content/copilot/concepts/prompting/response-customization.md +++ b/content/copilot/concepts/prompting/response-customization.md 
@@ -12,7 +12,7 @@ redirect_from: - /copilot/concepts/code-review/coding-guidelines - /copilot/concepts/response-customization contentType: concepts -category: +category: - Configure Copilot --- diff --git a/data/reusables/copilot/repository-custom-instructions-support.md b/data/reusables/copilot/repository-custom-instructions-support.md index cdf2b9bb8b92..0e896c8e99e0 100644 --- a/data/reusables/copilot/repository-custom-instructions-support.md +++ b/data/reusables/copilot/repository-custom-instructions-support.md @@ -20,3 +20,6 @@ The following table shows which {% data variables.product.prodname_copilot_short **4:** Repository-wide instructions, path-specific instructions, and agent instructions (using `AGENTS.md`, `CLAUDE.md` or `GEMINI.md` files).
**X:** Custom instructions are not supported.
**N/A:** Feature not available on this platform. + +> [!NOTE] +> {% data variables.copilot.copilot_code-review_short %} only reads the first 4,000 characters of any custom instruction file. Any instructions beyond this limit will not affect the reviews generated by {% data variables.copilot.copilot_code-review_short %}. This limit does not apply to {% data variables.copilot.copilot_chat_short %} or {% data variables.copilot.copilot_coding_agent %}. From fca73739803727877269deb95aa1e6cef21173da Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Fri, 31 Oct 2025 08:52:43 +0000 Subject: [PATCH 7/7] Convert "Interpreting secret risk assessment results" into a tutorial (#58120) Co-authored-by: Laura Coursen Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com> --- ...rpreting-secret-risk-assessment-results.md | 92 +++++++++++++++---- 1 file changed, 72 insertions(+), 20 deletions(-) diff --git a/content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/interpreting-secret-risk-assessment-results.md b/content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/interpreting-secret-risk-assessment-results.md index b0f44e2d9699..881b7253df20 100644 --- a/content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/interpreting-secret-risk-assessment-results.md +++ b/content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/interpreting-secret-risk-assessment-results.md 
@@ -1,44 +1,96 @@ --- title: 'Interpreting secret risk assessment results' shortTitle: 'Interpret results' -intro: 'Use the results from your {% data variables.product.prodname_secret_risk_assessment %} report to improve your organization''s security.' +intro: 'Understand the results from your {% data variables.product.prodname_secret_risk_assessment %} and prioritize leak remediation.' +permissions: 'Organization owners, security managers, and users with the **admin** role' allowTitleToDifferFromFilename: true -type: how_to versions: feature: secret-risk-assessment topics: - - Code Security - - Secret scanning - Secret Protection - Organizations - Security +contentType: tutorials --- -The {% data variables.product.prodname_secret_risk_assessment %} dashboard displays point-in-time insights into the secrets detected in your organization. {% data reusables.secret-risk-assessment.link-conceptual-information %} +## Introduction + +In this tutorial, you'll interpret your secret risk assessment results, and learn how to: + +* Understand risk metrics on the dashboard +* Identify high-risk secret leaks +* Prioritize secrets for remediation ## Prerequisites -You need to generate a {% data variables.product.prodname_secret_risk_assessment %} report and wait for the scan to complete before being able to view and export the results. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/viewing-the-secret-risk-assessment-report-for-your-organization#generating-an-initial-secret-risk-assessment) and [Exporting the {% data variables.product.prodname_secret_risk_assessment %} to CSV](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/viewing-the-secret-risk-assessment-report-for-your-organization#exporting-the-secret-risk-assessment-to-csv). +You must generate a {% data variables.product.prodname_secret_risk_assessment %} report and wait for the scan to complete. 
See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/viewing-the-secret-risk-assessment-report-for-your-organization#generating-an-initial-secret-risk-assessment). + +## Step 1: Understand your dashboard metrics + +Once your assessment completes, review the key metrics at the top of the dashboard: + +* **Total secrets**: Total number of secret leaks found across your organization +* **Public leaks**: Distinct secrets found in **public** repositories +* **Preventable leaks**: Leaks that push protection could have prevented + +You can also determine the number of secrets found in your **private repositories** by subtracting the number of public leaks from your total secrets. While remediating these secrets is less immediately important, they still pose risk if someone gains unauthorized access to your repositories, or if a repository is made public. + +## Step 2: Understand secret categories + +Look at the **Secret categories** section to understand **what types of secrets** were leaked. + +* **Provider patterns**: Specific secret formats for known services (AWS, Azure, {% data variables.product.github %} tokens) +* **Generic patterns**: Generic secret formats like private keys, API keys, passwords + +Provider patterns are often easier to identify and revoke because you know exactly which service they belong to. Generic patterns may require more investigation. + +## Step 3: Identify how many repositories are affected + +Check the **Repositories with leaks** metric, which shows how many of your repositories contain secret leaks. 
+ +If a **high percentage** of repositories contain leaks, this may indicate: +* A widespread culture issue around secret management +* A need for organization-wide training +* Missing guardrails like push protection, which blocks secrets before they are committed + +If only a **few** repositories contain leaks, you can: +* Focus remediation efforts on specific teams +* Use the leak information to determine which repositories are high-risk areas + +## Step 4: Review leaked secrets by type + +Scroll to the bottom to see the detailed **Secret type** table, which includes: + +* **Secret type**: The specific kind of secret +* **Distinct repositories**: How many different repositories contain this type +* **Secrets found**: Total count of this secret type across all repositories + +The table sorts by highest count automatically, helping you identify the greatest risks. + +If you see **many secrets of the same type** (for example, multiple AWS keys), this indicates: +* Developers may not be using environment variables +* Missing documentation on secret management + +## Step 5: Prioritizing remediation and related actions -## Prioritizing high-risk leaks for remediation +Now that you understand the metrics, prioritize remediation based on risk. -To understand your secrets' footprint and exposure to secrets leaks, review the **Total secrets**,**Public leaks** and **Secret locations** metrics. +The highest priority secrets are **leaked provider patterns in public repositories**, because they are: -Next, identify the areas in your organization where leaked secrets pose the highest threat to security. +* Accessible to anyone on the internet +* Often easier to identify and revoke, since you know which service they belong to -* **Leaked secrets that are still active** usually present the greatest risk to security. Prioritize any active secrets for remediation ahead of inactive secrets. 
For more information about checking the validity of a detected credential, see [AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository) in the {% data variables.product.prodname_ghe_cloud %} documentation. -* Similarly, **secrets leaked in public repositories** are usually considered a higher risk and priority, than those secrets leaked in private {% ifversion ghec or ghes %}or internal {% endif %}repositories. -* The **Repositories with leaks** metric can indicate how frequent, or the extent of, secret leaks across your organization. A large proportion of repositories with secret leaks may suggest that developer education and increased security awareness around secrets is important for your organization. +Next, you can address secrets that present lower risk or require more extensive efforts to remediate. These can be: -## Identifying areas of exposure +* **Generic patterns in public repositories**, which may require investigation to identify the service or system they belong to +* **Private repository leaks**, that represent a lower immediate risk but should still be addressed -Review the **Preventable leaks** and **Secret categories** metrics to understand your current secret detection coverage, in addition to learning how {% data variables.product.github %} can help prevent future secret leaks. +Finally, look for the following indicators, which may require additional prevention efforts beyond leak remediation: -* Secret leaks that could have been prevented using {% data variables.product.prodname_GH_secret_protection %} features such as {% data variables.product.prodname_secret_scanning %} and push protection are shown by the **Preventable leaks** metric. -* Using the **Secret categories** metric and the **Token type** table, search for patterns in the type of secrets leaked across your organization. 
- * Common areas and repeated occurrences of leaked secrets may suggest particular CI/CD workflows or development processes in your organization that are contributing to the results. - * You may also be able to identify specific teams, repositories, or networks that are more prone to secret leaks, and therefore require additional security measures or management to be put in place. +* **Many repositories with leaks**: Indicates need for organization-wide training and improved security awareness +* **Repeated secret types**: Suggests specific workflows or teams need targeted intervention +* **Common secret categories**: May point to particular CI/CD processes requiring security improvements -## Adopt {% data variables.product.prodname_GH_secret_protection %} to prevent leaks +## Next steps -We recommend purchasing {% data variables.product.prodname_GH_secret_protection %} products to improve your organization's exposure to secret leaks and optimize your secret detection rates. {% data variables.product.prodname_GH_secret_protection %} is a continuous monitoring and detection solution that is the most effective path for secure development. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/choosing-github-secret-protection). +{% data variables.product.prodname_GH_secret_protection %} provides continuous monitoring and push protection to help remediate any remaining secrets and prevent future leaks. To help you evaluate whether {% data variables.product.prodname_GH_secret_protection %} is right for your organization, you can estimate the cost before enabling it. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/estimating-the-price-of-secret-protection).
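Review bot: In PATCH 1/7 (managing-your-github-advanced-security-license-usage.md, hunk `@@ -57,6 +57,11`), the added `See [AUTOTITLE](...)` line follows the second bullet with no blank line, and the list itself starts directly under the "so that:" sentence. The diffstat's 5 insertions are the four text lines plus the one blank line before `> [!TIP]`, so Markdown will treat `See ...` as a continuation of the "Repository administrators are **not allowed**" bullet. Add a blank line before the first `*` and another before `See`. Since the paragraph above this addition is about turning features off for "one or more repositories", it is also worth stating the scope of the enterprise account's policies here, so an organization owner knows what they are asking the enterprise administrator to change.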
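Review bot: In PATCH 2/7 (install-copilot-extension.md, hunk `@@ -156,13 +156,15`), the new sentence "The following instructions are for versions 2022 17.8 and 2022 17.9 ..." sits above the `## Installing the ... extension` heading, so a reader who lands on that heading through its anchor never sees the version scope. Move it to the first line under the heading. The wording also differs from the paragraph just before it, which writes "2022 Version 17.10"; something like "{% data variables.product.prodname_vs %} 2022 versions 17.8 and 17.9" would match. Please confirm that the `visual-studio-version` reusable in step 2 states the same version range, because the hunk does not show its content.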
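Review bot: In PATCH 3/7 (configuring-default-setup-for-code-scanning.md, hunk `@@ -56,11 +56,9`), the rewritten paragraph keeps the sentence that {% data variables.product.prodname_dotcom %} "will resume the previous configuration automatically" on failure, but it now covers every {% data variables.product.prodname_codeql %}-supported language, including the compiled ones the removed paragraph described as often needing "more advanced configuration". The text does not say how a reader finds out that a newly detected language was dropped again, which leaves that language unanalyzed while the repository still shows code scanning as enabled. Add a sentence pointing to where the analyzed languages can be checked (the "Languages" section mentioned in the Edit step further down). Two smaller points in the same hunk: "any ... -supported languages" is followed by "the new language", so pick singular or plural, and renaming the `###` heading changes its anchor, so inbound links to the old "non-compiled and compiled languages" anchor need checking.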
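Review bot: In PATCH 4/7 (github-copilot-extension-developer-policy.md, hunk `@@ -7,7 +7,9`), the added alert puts its text on the same line as the marker: `> [!WARNING] We are deprecating ...`. The other alerts in this series keep the marker on its own line and start the body on the next `>` line (`> [!TIP]` in PATCH 1/7, `+> [!NOTE]` in PATCH 6/7), and the diffstat's 3 insertions confirm the warning is a single line here. Split it into `> [!WARNING]` followed by `> We are deprecating ...` so it renders as an alert rather than a plain blockquote.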
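Review bot: In PATCH 5/7 (configuring-scim-provisioning-for-users.md, hunk `@@ -58,6 +58,14`), the table and its lead-in sentence are inserted unindented between the bullet "* SCIM is a server-to-server protocol ..." and the bullet "* For authentication, ...", which splits one prerequisites list into two. Either indent the sentence and table so they belong to the SCIM bullet, or move them after the last bullet of the list. In the table itself, the Notes cells are inconsistent (the first has no closing period, the second does), "GHES" in the lead-in is spelled out as "GitHub Enterprise Server" one row later, and the second row says "GitHub" where the instance is meant. The two rows also describe the same TCP 443 connection from each end, so a short sentence saying that would stop readers from opening a second, unnecessary firewall rule.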
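Review bot: In PATCH 6/7 (data/reusables/copilot/repository-custom-instructions-support.md, hunk `@@ -20,3 +20,6`), the note says instructions beyond the first 4,000 characters "will not affect the reviews" but gives the reader nothing to act on. Add one sentence advising authors to place the instructions that matter most for review, such as security-related review rules, within the first 4,000 characters, since anything after that point is ignored without any visible signal in the file. The legend line above this note lists several file kinds (repository-wide, path-specific, `AGENTS.md`, `CLAUDE.md`, `GEMINI.md`), so "any custom instruction file" would be clearer as "each custom instruction file" if the limit is counted per file.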
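Review bot: In PATCH 7/7 (interpreting-secret-risk-assessment-results.md, hunk `@@ -1,44 +1,96`), the rewrite removes the guidance that "Leaked secrets that are still active usually present the greatest risk" together with its link to validity checks, and Step 5 now ranks only by pattern type and repository visibility. A still-valid credential in a private repository can matter more than a revoked one in a public repository, so restore the active-versus-inactive criterion in Step 5, or state why it no longer applies to the assessment. Other points in the same hunk: Step 1 defines "Total secrets" as a count of leaks and "Public leaks" as distinct secrets, so subtracting one from the other may not give the private-repository figure the text promises; the removed text distinguished "private {% ifversion ghec or ghes %}or internal {% endif %}repositories" and the new text mentions only private ones; the table is called "Secret type" here but "Token type" in the removed text, so check it against the UI label; the bullet lists after "this may indicate:", "you can:" and "this indicates:" have no blank line before them; and the Step 5 heading uses "Prioritizing" where Steps 1 to 4 use the imperative.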