Findings

Review and remediate findings that our pentesters discover.

A finding is a vulnerability that a pentester reports during a pentest. Each finding includes a detailed description of the vulnerability and clear recommendations on how your team can remediate the issue.

Accessing Findings

Once your pentest goes Live, pentesters begin testing your asset.

To access the detailed list of reported findings for a specific pentest, navigate to the pentest and select the Findings tab.

The Findings tab is organized into two distinct views to help you manage vulnerabilities across test cycles:

  • Current Pentest Findings: This view shows all vulnerabilities actively discovered and reported within the current pentest.
  • Historical Findings: This is a reference view, listing all findings from the asset’s previous pentest(s) that were still in an Open or Accepted Risk state when the current test began.

Current Pentest Findings

The Current Pentest Findings tab is your main remediation workspace, displaying all vulnerabilities identified in the active engagement.

Finding Overview and Quick Filters

At the top of this tab, you will see a series of tiles that count the total number of findings within each state. You can quickly filter the list of findings below by clicking on any of these tiles.

Filtering, Sorting, and Exporting

To manage your remediation workflow, tailor your view of the findings using:

  • Filter Findings: Easily narrow the list by specific criteria:

  • Sort the List: Organize your view by:

    • Created At
    • Severity
    • Latest Activity
    • Name
  • Search: Use the Search bar to quickly locate specific findings by keyword.

  • Export: Download a CSV file of all findings for offline analysis or external reporting.

Historical Findings

This tab gives you full visibility into the triage and verification that pentesters perform on findings previously left in an Open or Accepted Risk state.

Pentesters review every historical finding in an Open or Accepted Risk state to determine whether the vulnerability is still reproducible in the current environment.

  • Vulnerability Still Exists: If the vulnerability was not fixed (still reproducible), the previous finding is marked as Carried Over. A new corresponding finding is then created on the Current Pentest Findings tab for you to manage in the active test cycle.
  • Vulnerability Fixed: If the vulnerability was successfully remediated, the finding is marked as Fixed and closed.
  • No Longer Applicable: If the finding is irrelevant to the scope or state of the current test, it is simply not re-reported.

Use the Original State → Review Outcome column to track progress and to see which tester reviewed each previous finding and their final decision.

To manage the triage workflow, you can filter this list by the finding’s Original State (e.g., Pending Fix, Accepted Risk) and by the Reviewed Status (Reviewed or Unreviewed) to see which items still require attention.

Last modified December 04, 2025