Findings Overview
Findings are the core unit of a pentest report in Vulnsy. Each finding represents a discovered vulnerability with severity, evidence, and remediation guidance.
Findings are the building blocks of every pentest report. Each finding represents a single vulnerability discovered during an engagement, complete with a description, severity rating, evidence, and remediation guidance.
What Is a Finding?
A finding documents a specific security issue. Every finding contains the following fields:
| Field | Description |
|---|---|
| Title | Short name identifying the vulnerability |
| Severity | Critical, High, Medium, Low, or Informational |
| Description | Detailed explanation of the vulnerability, how it was identified, and its impact |
| Remediation | Recommended steps to fix or mitigate the vulnerability |
| Status | Current state — Open, In Progress, Remediated, or Accepted Risk |
| CVSS | Optional CVSS 3.1 and/or 4.0 score with full vector support |
| Affected assets | The URLs, IPs, hostnames, or networks the issue applies to |
| References | Links to CVEs, OWASP entries, or other external resources |
| Evidence | Screenshots and an evidence narrative proving the vulnerability exists |
Two Ways to Use Findings
Vulnsy supports two workflows for managing findings:
- Library findings — Reusable vulnerability templates stored in your organization's finding library. Import them into any report and customize the details for that specific engagement.
- One-off findings — Custom findings created directly inside a report. Useful for unique issues that don't need to be templated.
Library findings save significant time on recurring assessments. Build your library once, then pull findings into reports with a few clicks.
Organizing the Library
Library findings are organized into repositories — named collections you control. Most teams organize by assessment type, for example:
- AppSec — XSS, SQLi, CSRF, authentication flaws, etc.
- NetPen — misconfigurations, unpatched services, network-level issues
- Mobile — insecure storage, certificate pinning, platform-specific issues
- Cloud — IAM misconfigurations, exposed storage, serverless risks
You can create, rename, and reorganize repositories to match your own methodology.
Next Steps
- Creating findings — learn how to add findings to reports and your library
- Finding library — manage reusable vulnerability templates
- Evidence — attach screenshots and proof to your findings
- Severity levels — understand how severity ratings work