Understanding Findings
======================

What severity levels mean, how findings are structured, and how to interpret CWE/CVE references and compliance mappings.

What Is a Finding?
------------------

A finding is a confirmed vulnerability or security observation discovered during a pentest. Each finding is structured so that you have everything needed to understand the issue, prioritize it against the rest of the results, and fix it.

Severity Levels
---------------

APVISO assigns a severity to every finding based on exploitability, impact, and context:

- **Critical** — immediately exploitable vulnerabilities that could lead to full system compromise, data breach, or remote code execution. Fix these first.
- **High** — serious vulnerabilities such as SQL injection, authentication bypass, or privilege escalation that could cause significant damage.
- **Medium** — vulnerabilities that require specific conditions to exploit or have limited impact on their own, such as stored XSS or CSRF in non-critical flows.
- **Low** — minor issues like information disclosure, missing security headers, or verbose error messages. Lower priority but worth addressing.
- **Informational** — observations that are not vulnerabilities but may be useful context, such as technology fingerprints or deprecated TLS versions.

Anatomy of a Finding
--------------------

Each finding includes:

- **Title** — a concise description of the vulnerability.
- **Severity** — Critical, High, Medium, Low, or Informational.
- **Description** — what the vulnerability is, how it works, and why it matters.
- **Evidence** — HTTP request/response pairs, screenshots, or proof-of-concept payloads that demonstrate the vulnerability.
- **Reproduction steps** — step-by-step instructions to reproduce the issue manually.
- **Remediation** — specific, actionable guidance on how to fix the vulnerability.
- **CWE reference** — the Common Weakness Enumeration identifier for the vulnerability class (e.g., CWE-89 for SQL Injection, CWE-79 for Cross-Site Scripting).
- **CVE reference** — present only when the finding relates to a known CVE in a specific software version; most application-logic findings have a CWE but no CVE.
- **Compliance mappings** — which compliance framework controls the finding relates to (OWASP Top 10, PCI DSS, etc.).

Using Findings Effectively
--------------------------

- Start with Critical and High findings — they represent the greatest risk and should be on a fix queue before anything else.
- Group related findings (e.g., multiple XSS instances sharing one CWE) and fix the root cause, such as a missing output-encoding layer, rather than patching each symptom individually.
- Use CWE references to research the vulnerability class and understand its broader implications beyond the specific location reported.
- Share findings with developers using the built-in export or integration features.
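The triage steps above, worked through in code, as an added example that is not part of APVISO's own tooling or export format. It assumes a hypothetical per-finding schema (`title`, `severity`, `cwe`, `cve`) and a constructed set of sample findings; the severity labels are the five used on this page, and unknown labels are rejected rather than silently sorted last.

```python
"""Triage helper: rank findings by severity, then cluster them by CWE.

Added example. The finding schema (title, severity, cwe, cve) is an assumption
for illustration and is not APVISO's export format.
"""
import re
from collections import defaultdict

# Severity labels from this page, highest risk first; rank 0 is Critical.
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low", "Informational")
_RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

# Identifier formats: CWE-<digits>; CVE-<4-digit year>-<4 or more digits>.
_CWE_RE = re.compile(r"^CWE-\d+$")
_CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    {"title": "Reflected XSS in search parameter", "severity": "Medium", "cwe": "CWE-79", "cve": None},
    {"title": "SQL injection in login form", "severity": "High", "cwe": "CWE-89", "cve": None},
    {"title": "Stored XSS in profile bio", "severity": "Medium", "cwe": "CWE-79", "cve": None},
    {"title": "Missing HSTS header", "severity": "Low", "cwe": "CWE-319", "cve": None},
    {"title": "Unauthenticated RCE via file upload", "severity": "Critical", "cwe": "CWE-434", "cve": None},
    {"title": "Server banner disclosure", "severity": "Informational", "cwe": "CWE-200", "cve": None},
    {"title": "Reflected XSS in error page", "severity": "Medium", "cwe": "CWE-79", "cve": None},
]


def severity_rank(severity):
    """Return 0 for Critical through 4 for Informational; reject unknown labels."""
    try:
        return _RANK[severity]
    except KeyError:
        raise ValueError(f"unknown severity label: {severity!r}") from None


def is_valid_cwe(ref):
    """True if ref looks like a CWE identifier (e.g. CWE-89)."""
    return isinstance(ref, str) and _CWE_RE.match(ref) is not None


def is_valid_cve(ref):
    """True if ref looks like a CVE identifier (e.g. CVE-2021-44228)."""
    return isinstance(ref, str) and _CVE_RE.match(ref) is not None


def prioritize(findings):
    """Sort highest severity first; the sort is stable, so export order is kept within a level."""
    return sorted(findings, key=lambda f: severity_rank(f["severity"]))


def group_by_cwe(findings):
    """Cluster findings by CWE so one root-cause fix can close several instances.

    Each cluster records its worst severity and member count. Clusters are
    ordered worst severity first, then largest first.
    """
    clusters = defaultdict(list)
    for f in findings:
        if not is_valid_cwe(f.get("cwe")):
            raise ValueError(f"finding {f['title']!r} has no usable CWE reference")
        clusters[f["cwe"]].append(f)
    summary = []
    for cwe, members in clusters.items():
        worst = min(members, key=lambda f: severity_rank(f["severity"]))["severity"]
        summary.append({
            "cwe": cwe,
            "worst_severity": worst,
            "count": len(members),
            "titles": [m["title"] for m in members],
        })
    summary.sort(key=lambda c: (severity_rank(c["worst_severity"]), -c["count"]))
    return summary


def triage_report(findings):
    """Build the work queue: Critical/High first, then CWE clusters worth a root-cause fix."""
    ordered = prioritize(findings)
    return {
        "fix_first": [f["title"] for f in ordered if severity_rank(f["severity"]) <= _RANK["High"]],
        "root_cause_clusters": [c for c in group_by_cwe(findings) if c["count"] >= 2],
        "queue": [f["title"] for f in ordered],
    }


if __name__ == "__main__":
    report = triage_report(SAMPLE_FINDINGS)
    print("Fix first:", report["fix_first"])
    for c in report["root_cause_clusters"]:
        print(f"{c['cwe']} ({c['worst_severity']}, {c['count']} instances): fix the root cause once")
    print("Full queue:", report["queue"])
```

On the constructed sample the report puts the Critical RCE and the High SQL injection at the head of the queue, and surfaces the three XSS findings as a single CWE-79 cluster, which is the signal that an encoding or templating fix is needed rather than three separate patches. In a real workflow the `findings` list would come from the export or API rather than the inline constant.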

### Related Articles

- [Managing Finding Status](/docs/managing-finding-status) — Track remediation progress using the finding status workflow, from open through to fixed, accepted risk, or false positive.
- [Pentest Reports](/docs/scan-reports) — How reports are generated, what they contain, and how to download them as Markdown or PDF.
- [Retesting Findings](/docs/retesting-findings) — How to verify that vulnerabilities have been fixed by running targeted retests against specific findings.
- [Compliance Overview](/docs/compliance-overview) — Supported compliance frameworks and how APVISO maps findings to framework controls automatically.

© 2026 APVISO. All rights reserved.
