Findings Overview
Findings are the core unit of a pentest report in Vulnsy. Each finding represents a single vulnerability discovered during an engagement, complete with a description, severity rating, evidence, and remediation guidance.
What Is a Finding?
A finding documents a specific security issue. Every finding contains the following fields:
| Field | Description |
|---|---|
| Title | Short name identifying the vulnerability |
| Severity | Critical, High, Medium, Low, or Informational |
| Description | Detailed explanation of the vulnerability and how it was identified |
| Impact | What an attacker could achieve by exploiting this issue |
| Remediation | Recommended steps to fix or mitigate the vulnerability |
| Status | Current state of the finding (e.g. open, resolved) |
| References | Links to CVEs, OWASP entries, or other external resources |
| Evidence | Screenshots and images proving the vulnerability exists |
Two Ways to Use Findings
Vulnsy supports two workflows for managing findings:
- Library findings — Reusable vulnerability templates stored in your organization's finding library. Import them into any report and customize the details for that specific engagement.
- One-off findings — Custom findings created directly inside a report. Useful for unique issues that don't need to be templated.
Library findings save significant time on recurring assessments. Build your library once, then pull findings into reports with a few clicks.
Finding Categories
Findings are organized by assessment type:
- Web App — XSS, SQLi, CSRF, authentication flaws, etc.
- Infrastructure — misconfigurations, unpatched services, network-level issues
- Mobile — insecure storage, certificate pinning, platform-specific issues
- Cloud — IAM misconfigurations, exposed storage, serverless risks
- API — broken authentication, injection, rate limiting, BOLA
- IoT — firmware issues, insecure protocols, default credentials
Next Steps
- Creating findings — learn how to add findings to reports and your library
- Finding library — manage reusable vulnerability templates
- Evidence — attach screenshots and proof to your findings
- Severity levels — understand how severity ratings work