Finding States
Learn what finding states mean.
We move the pentest to Closed once you’ve resolved all findings. Until then, the pentest is in Remediation.
You can filter findings by their state on the Current Pentest Findings tab of the pentest page.
| Finding State | Description |
|---|---|
| Triaging | This is the initial state for a potential vulnerability. Pentesters have assigned an initial severity, but the finding is currently under review and validation. The finding is not yet confirmed as valid, and the assigned severity level is not finalized. |
| Pending Fix | Pentesters validated the finding and assigned a severity level to it based on the likelihood of occurrence and business impact. You can now: |
| Ready for Retest (Retest) | You fixed the finding internally and submitted it for retest. Pentesters retest the finding and then change its state to: |
| Fixed | Pentesters verified that the issue was resolved and could no longer reproduce the vulnerability after a retest. |
| Accepted Risk | Your organization has formally acknowledged the finding but decided to accept the associated risk instead of pursuing a technical fix. |
| Carried Over | This status applies when a finding from a previous pentest for the same asset was still open and unresolved. This finding is now being tracked on the current pentest for verification. This status does not apply to In-House Pentests. |
| Declined | The finding has been triaged and declined because the pentester determined it is not a valid vulnerability. |
| Out of Scope | The finding was found on an asset or service that is not covered by the current pentest scope. |
| Duplicate | The vulnerability already exists and has been reported as a separate finding within the current pentest. |
If you’re an In-House Pentester who works on an In-House Pentest, you will also see a Draft state. Use this state for findings that are still being written and are not ready to enter the triaging workflow.
Last modified December 15, 2025