Findings
Findings are the heart of your report. Each one is a vulnerability you discovered, with a title, a severity, an optional CVSS score, and a set of rich-text content fields.
Anatomy of a finding
| Part | What it is |
|---|---|
| Title | The vulnerability name, e.g. "SQL Injection in Login Form" |
| Severity | Critical, High, Medium, Low, or Info, with customizable labels and colors |
| CVSS | A score from 0.0 to 10.0 and a full vector from the built-in CVSS v3.1 calculator |
| Content fields | Description, Details, Impact, and Remediation by default, fully customizable |
Adding a finding
- Open a report and switch to the Findings tab.
- Click Add Finding at the bottom of the sidebar.
- The template browser opens. Choose how to start:
  - From a template: a pre-written finding with content already filled in (see Finding Templates).
  - From scratch: a blank finding.
- The new finding appears in the sidebar and is selected automatically.
The template browser: categories down the side, template cards you can preview and insert.
Editing a finding
At the top of the editor you'll find the severity badge (click to change level), the title, a CVSS button (shows the score, or "CVSS" if unset), and a ⋯ menu for deleting the field or the finding.
In the sidebar, expand a finding to see its fields. Click a field to load it; a purple dot marks fields that already have content. The default fields are:
- Description: what the vulnerability is
- Details: technical specifics, how you found it, proof of concept
- Impact: what an attacker gains
- Remediation: how to fix it
Every field uses the same rich-text editor as sections, with formatting, tables, images, and code. See Sections for the full editor reference.
Add, rename, reorder, or remove the default fields in Settings → Defaults. You can even attach a per-field AI prompt so Pro/Team drafting knows what each field should contain.
The CVSS v3.1 calculator
There's no need to leave the app. Click the CVSS button next to a finding's title to open the calculator. It has eight metric groups that update the score and severity in real time:
| Metric | Options |
|---|---|
| Attack Vector (AV) | Network, Adjacent, Local, Physical |
| Attack Complexity (AC) | Low, High |
| Privileges Required (PR) | None, Low, High |
| User Interaction (UI) | None, Required |
| Scope (S) | Unchanged, Changed |
| Confidentiality (C) | None, Low, High |
| Integrity (I) | None, Low, High |
| Availability (A) | None, Low, High |
Pick your values and click Save. The score (0.0 to 10.0) and the full vector string (e.g. `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`) are written onto the finding.
The calculator modal: metric toggles on the left, the computed score and severity on the right.
Severity levels
The default severities and colors (all editable in Settings → Defaults):
| Severity | Default color |
|---|---|
| Critical | Red |
| High | Orange |
| Medium | Yellow |
| Low | Green |
| Info | Blue |
To change a finding's severity, click its badge in the editor header and pick from the dropdown. Your chosen colors carry through to the exported DOCX as colored severity badges.
Reordering
Drag a finding by its row in the sidebar to reorder; a purple line shows where it will land, and the order saves automatically. You can also sort by severity (Critical-first or Info-first) with the sidebar's sort button.
Sorting by severity is a display convenience. Drag-and-drop sets the actual order used in your export.
Custom fields
Add a field to a single finding by expanding it in the sidebar, clicking Add field, typing a name, and pressing Enter. The field is added to that finding only.
To remove a field that doesn't apply, select it, open the ⋯ menu, and choose Delete field. A default field is only hidden on that finding; a custom field is removed entirely.
Deleting a finding
Select the finding, open the ⋯ menu, choose Delete finding, and confirm. This permanently removes the finding and all its content.
Starting from templates
The template browser lets you drop in pre-written findings and tweak them per engagement. A fresh install ships with one example, SQL Injection, to show the format, and you build your own library from there.
See Finding Templates for creating, editing, and organizing your library.