Workflow: Reviewing Findings#
Goal#
Triage and manage security findings from a completed scan — assess each finding's relevance, update governance statuses, and optionally use AI-assisted triage to accelerate the process.
Prerequisites#
- At least one completed scan with findings.
- Access to the Findings page.
- (Optional) A configured AI provider for AI Review.
Steps#
1. Navigate to Findings#
Click Findings in the main navigation. The Findings list page shows all findings across scans for your company.
Alternatively, navigate to a specific scan's detail page and click the Findings tab to see findings for that scan only.
2. Apply Filters#
Use the filter bar to narrow the findings view:
| Filter | Recommended Setting for Triage |
|---|---|
| Severity | Start with critical and high |
| Status | open (untriaged findings) |
| Drift | new (findings not seen in previous scans) |
| Domain | Specific domain if triaging per-target |
3. Review Each Finding#
Click a finding to open its detail page. Evaluate:
- Title and Description — understand what was detected.
- Severity and Scores — assess the technical severity, confidence level, and risk score.
- Evidence — review the matched URL, host, port, path, template ID, and raw payload to confirm the finding is legitimate.
- Drift Label — is this new, changed, or a regression? New and regression findings typically require more attention.
4. Update Governance Status#
Based on your assessment, transition the finding to the appropriate status:
| Decision | Target Status | When to Use |
|---|---|---|
| Needs investigation | in_progress | You need more time to analyze or remediate |
| Not a real issue | false_positive | Evidence shows a detection error |
| Real but acceptable | accepted_risk | Business decision to accept; set an expiry date |
| Fixed | resolved | Remediation completed and verified |
| Leave as-is | open | Not yet evaluated; will return to it later |
Add a note explaining your reasoning. This is stored in the immutable audit trail.
For accepted_risk: you must provide an expiry date. This is the date by which the risk will be re-evaluated.
5. (Optional) Use Bulk Triage#
If many findings share the same assessment (e.g., a batch of info-level findings you have confirmed are purely informational):
- Return to the Findings list.
- Select findings using the checkboxes.
- Click Bulk Actions.
- Choose the target status and write a shared note.
- Confirm. Each finding gets an individual audit trail entry.
6. (Optional) Trigger AI Review#
For large finding sets, AI Review can accelerate triage:
- Navigate to the completed scan's detail page.
- Click AI Review → Trigger Review.
- Configure the review:
  - Mode: conservative (more cautious suggestions), balanced, or aggressive (bolder suggestions).
  - Scope: all_findings, open_only, or low_confidence_only.
- Wait for the AI to process (typically 1–3 minutes; the page polls for status every 5 seconds).
- Review the AI suggestions:
- Each finding gets a suggested action, confidence score, rationale, and remediation hint.
- High-confidence suggestions (≥ 0.75) are pre-selected for convenience. Pre-selection is not approval: read the rationale against the evidence before applying.
- Apply suggestions you agree with, or Ignore suggestions you disagree with.
- Applied suggestions trigger the corresponding governance status change with a full audit log.
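As an added illustration of steps 4 through 6 (example code, not the product's own implementation), the following Python models the governance workflow: validated status transitions that require a note, the future-expiry rule for accepted_risk, per-finding audit entries under bulk triage with failures reported individually, and AI Review suggestions pre-selected at the 0.75 threshold and applied through the same validated path. The allowed-transition table, the data classes and the function names are assumptions; the page does not specify which transitions the product permits.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Governance statuses named on this page.
STATUSES = {"open", "in_progress", "false_positive", "accepted_risk", "resolved"}

# ASSUMPTION: the page does not say which transitions the product permits, so
# this table is illustrative. A resolved finding can only be reopened (e.g. on
# a regression in a later scan); earlier triage decisions can be revisited.
ALLOWED = {
    "open": {"in_progress", "false_positive", "accepted_risk", "resolved"},
    "in_progress": {"open", "false_positive", "accepted_risk", "resolved"},
    "false_positive": {"open", "in_progress"},
    "accepted_risk": {"open", "in_progress", "resolved"},
    "resolved": {"open"},
}

class TransitionError(ValueError):
    """A rejected status change; nothing is written to the audit trail."""

@dataclass(frozen=True)  # entries are immutable once recorded
class AuditEntry:
    finding_id: str
    actor: str
    old_status: str
    new_status: str
    note: str
    expiry: date | None = None

@dataclass
class Finding:
    id: str
    severity: str
    status: str = "open"
    expiry: date | None = None
    audit: list[AuditEntry] = field(default_factory=list)  # append-only

def transition(f, target, actor, note, expiry=None, today=None):
    """Validate and apply one governance transition, recording an audit entry."""
    today = today or date.today()
    if target not in STATUSES:
        raise TransitionError(f"{f.id}: unknown status {target!r}")
    if target not in ALLOWED[f.status]:
        raise TransitionError(f"{f.id}: {f.status} -> {target} is not allowed")
    if not note.strip():
        raise TransitionError(f"{f.id}: a note explaining the decision is required")
    if target == "accepted_risk":
        if expiry is None or expiry <= today:
            raise TransitionError(f"{f.id}: accepted_risk requires a future expiry date")
    else:
        expiry = None  # an expiry only has meaning for accepted risk
    entry = AuditEntry(f.id, actor, f.status, target, note, expiry)
    f.status, f.expiry = target, expiry
    f.audit.append(entry)
    return entry

def bulk_transition(findings, target, actor, note, expiry=None, today=None):
    """Apply one decision to many findings. Each gets its own audit entry; a
    rejected transition is reported for that finding, not for the whole batch."""
    applied, failed = [], {}
    for f in findings:
        try:
            transition(f, target, actor, note, expiry, today)
            applied.append(f.id)
        except TransitionError as err:
            failed[f.id] = str(err)
    return applied, failed

@dataclass(frozen=True)
class Suggestion:  # one AI Review suggestion for a finding
    finding_id: str
    action: str  # proposed target status
    confidence: float
    rationale: str

def preselect(suggestions, threshold=0.75):
    """Suggestions at or above the confidence threshold are pre-selected."""
    return [s for s in suggestions if s.confidence >= threshold]

def apply_suggestions(findings_by_id, suggestions, actor, today=None):
    """Apply accepted suggestions through the same validated path as manual
    triage, so the rationale is audited and the same rules still apply."""
    applied, failed = [], {}
    for s in suggestions:
        f = findings_by_id[s.finding_id]
        note = f"AI Review ({s.confidence:.2f}): {s.rationale}"
        try:
            transition(f, s.action, actor, note, today=today)
            applied.append(f.id)
        except TransitionError as err:
            failed[f.id] = str(err)
    return applied, failed
```

The design point is that the bulk path and the AI path both go through the single transition() function, so a suggestion to accept risk without an expiry is refused exactly as a manual attempt would be, and a bulk batch reports which findings were left untouched instead of rolling back or silently skipping them.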
7. Verify Triage Completeness#
After triaging, filter by open status to check for remaining untriaged findings. Aim to triage all critical and high findings within your team's SLA.
Expected Outcome#
All findings from the scan (or at minimum all critical and high findings) have an updated governance status with documented reasoning. The audit trail captures who made each decision and when.
Common Issues#
| Issue | Cause | Resolution |
|---|---|---|
| AI Review is unavailable | No AI provider configured | Configure an AI provider in Settings |
| AI Review times out | Too many findings for the AI context window | Try narrowing the scope (e.g., open_only) |
| Cannot accept risk without expiry | Accepted risk requires expiry date | Provide a future date for re-evaluation |
| Finding reappears after resolution | Same vulnerability detected in the next scan, typically surfacing with the regression drift label | Verify the fix was actually deployed to the affected host before resolving it again |
| Bulk action partially fails | One or more findings in an invalid state for the transition | Check individual finding statuses |