Vulnsy Docs
Findings

Findings Overview

Findings are the core unit of a pentest report in Vulnsy. Each finding represents a discovered vulnerability with severity, evidence, and remediation guidance.

Findings are the building blocks of every pentest report. Each finding represents a single vulnerability discovered during an engagement, complete with a description, severity rating, evidence, and remediation guidance.

What Is a Finding?

A finding documents a specific security issue. Every finding contains the following fields:

FieldDescription
TitleShort name identifying the vulnerability
SeverityCritical, High, Medium, Low, or Informational
DescriptionDetailed explanation of the vulnerability, how it was identified, and its impact
RemediationRecommended steps to fix or mitigate the vulnerability
StatusCurrent state — Open, In Progress, Remediated, or Accepted Risk
CVSSOptional CVSS 3.1 and/or 4.0 score with full vector support
Affected assetsThe URLs, IPs, hostnames, or networks the issue applies to
ReferencesLinks to CVEs, OWASP entries, or other external resources
EvidenceScreenshots and an evidence narrative proving the vulnerability exists

Two Ways to Use Findings

Vulnsy supports two workflows for managing findings:

  • Library findings — Reusable vulnerability templates stored in your organization's finding library. Import them into any report and customize the details for that specific engagement.
  • One-off findings — Custom findings created directly inside a report. Useful for unique issues that don't need to be templated.

Library findings save significant time on recurring assessments. Build your library once, then pull findings into reports with a few clicks.

Organizing the Library

Library findings are organized into repositories — named collections you control. Most teams organize by assessment type, for example:

  • AppSec — XSS, SQLi, CSRF, authentication flaws, etc.
  • NetPen — misconfigurations, unpatched services, network-level issues
  • Mobile — insecure storage, certificate pinning, platform-specific issues
  • Cloud — IAM misconfigurations, exposed storage, serverless risks

You can create, rename, and reorganize repositories to match your own methodology.

Next Steps

On this page