Report Tabs
Tabs are the top-level sections of a Vulnsy report, each representing a distinct testing area with its own findings, narratives, and export settings.
Tabs are the top-level structural divisions of a report. Each tab represents a separate testing area — for example, "Web Application Testing", "Infrastructure Testing", or "Mobile App Testing" — and contains its own narrative sections and findings.
Why Tabs?
Many pentest engagements cover more than one testing area. Instead of creating separate reports for each area, tabs let you organize everything inside a single report. Each tab can be exported independently or together, depending on your template configuration.
Tab Fields
Each tab has the following configurable fields:
| Field | Description |
|---|---|
| Name | The display name shown in the report (e.g., "Web Application Testing") |
| Export Tag Prefix | A short prefix used to scope template tags for multi-tab exports (e.g., web, infra) |
| Finding ID Prefix | The prefix for finding reference numbers — defaults to REF (e.g., REF-C-001, REF-H-002) |
| Findings Sort Order | How findings are ordered in the export — severity or cvss |
| Report Style | The visual template applied when exporting this tab |
| Overall Risk | The risk rating for this testing area — Critical, High, Medium, Low, or Informational |
How Export Tag Prefixes Work
When a report has multiple tabs, each tab's template tags are scoped using its export tag prefix. This lets a single DOCX template pull data from different tabs into different sections of the document.
For example, if you have two tabs:
| Tab | Export Tag Prefix |
|---|---|
| Web Application Testing | web |
| Infrastructure Testing | infra |
Then in your template, {web.scope} pulls the scope from the web tab, and {infra.scope} pulls the scope from the infrastructure tab.
See Export Tag Prefixes for full details on how multi-tab template tags work.
Finding Reference IDs
Each finding within a tab is assigned a reference ID using the tab's Finding ID Prefix combined with the finding's severity and order number. The default prefix is REF.
For example, with prefix REF:
| Finding | Severity | Reference ID |
|---|---|---|
| SQL Injection | Critical | REF-C-001 |
| Stored XSS | High | REF-H-001 |
| Missing Headers | Medium | REF-M-001 |
Tab Contents
Each tab contains two types of content:
- Narrative sections — free-form content blocks like Scope, Methodology, and Executive Summary. See Narrative Sections.
- Findings — vulnerabilities assigned to this tab. See Report Findings.
Working with Multiple Tabs
You can add as many tabs to a report as your engagement requires. Common multi-tab configurations include:
| Engagement Type | Typical Tabs |
|---|---|
| Full-scope pentest | Web Application, Infrastructure, Wireless |
| Application assessment | External Web App, Internal API, Mobile App |
| Retest engagement | Original Assessment, Retest Results |
Each tab maintains its own findings and narrative sections independently. Reordering or editing findings in one tab does not affect other tabs.
Next Steps
- Narrative Sections — write content within each tab
- Report Findings — assign findings to tabs
- Export Tag Prefixes — configure multi-tab template tags