Understanding Results

Finding structure

Each finding represents a single vulnerability:

```json
{
  "id": "finding-uuid",
  "severity": "high",
  "title": "SQL Injection in login form",
  "description": "The login endpoint accepts unsanitized input...",
  "vulnType": "sqli",
  "sourceTool": "zap",
  "proofOfExploit": "POST /login with payload ' OR 1=1 -- ...",
  "remediation": "Use parameterized queries...",
  "retestCommand": "docker run --rm nuclei -t sqli -u https://example.com/login"
}
```

Severity levels

| Severity | CVSS range | Action |
|----------|------------|--------|
| Critical | 9.0 - 10.0 | Fix immediately - active exploitation likely |
| High     | 7.0 - 8.9  | Fix within days - significant risk |
| Medium   | 4.0 - 6.9  | Fix within weeks - moderate risk |
| Low      | 0.1 - 3.9  | Fix when convenient - minimal risk |
| Info     | 0.0        | Informational - no direct security impact |

Each finding includes a CVSS v3.1 vector string (e.g. CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) that breaks down how the score was calculated. Hover over the vector string in the results page to see a tooltip explaining each metric. Admin users can override the AI-assigned severity if needed.

Tool results

Each tool reports its own status independently:

| Status   | Meaning |
|----------|---------|
| pending  | Tool has not started yet |
| running  | Tool is currently executing |
| complete | Tool finished and reported results |
| failed   | Tool encountered an error |

A pentest is complete once every tool has finished, whether its individual status is complete or failed.

Prioritizing fixes

  1. Start with critical and high findings
  2. Group findings by type (e.g., fix all XSS at once)
  3. Use retest commands to verify each fix
  4. Run a follow-up pentest to confirm the full fix
