Findings & severity
A finding is a single issue Vex Raptor detected on a target. Each one carries a severity, a confidence level, evidence, and (when confirmed) a reproducible proof of concept.
Anatomy of a finding
| Field | Description |
|---|---|
| Name | The issue and where it was found (e.g. the vulnerable parameter) |
| Severity | Business impact: Critical / High / Medium / Low / Info |
| Confidence | How it was verified — see Confidence pipeline |
| CWE / OWASP / MITRE | Standard classifications for the vulnerability class |
| Evidence | The request/response signals that triggered detection |
| Proof of concept | For confirmed findings: the exact steps/curl to reproduce |
| Remediation | How to fix it |
Severity vs. confidence
These are two independent axes and it is important not to confuse them:
- Severity = how bad it is if real (impact).
- Confidence = how sure we are that it is real (evidence).
A Critical finding at UNVERIFIED confidence means "high impact if real, but we could not confirm it — review manually." A High finding at CONFIRMED confidence means "proven, act on it." The report shows both.
Exploit chains
Individual medium findings can combine into a critical compromise (for example IDOR + mass assignment → privilege escalation). Vex Raptor groups related findings into attack chains with a combined severity and a narrative that explains the real-world path, so the report communicates aggregate risk rather than a flat list.
Clustering and deduplication
Repeated instances of the same issue (for example the same SQLi across many database backends, or a header missing on many paths) are clustered into a single master finding with an instance count, so the report stays readable.
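
As an added example (not Vex Raptor's own code), the following Python shows one way a report consumer could cluster exported findings into master findings while keeping severity and confidence as separate axes. The field names, the grouping key and the sample findings are assumptions constructed for illustration.

```python
from collections import defaultdict

# Severity names come from the page; only the two confidence levels
# the page names (UNVERIFIED, CONFIRMED) are modelled here.
SEVERITY = ["Info", "Low", "Medium", "High", "Critical"]
CONFIDENCE = ["UNVERIFIED", "CONFIRMED"]

def cluster_findings(findings):
    """Collapse repeated findings into master findings (assumed field names)."""
    groups = defaultdict(list)
    for f in findings:
        # Confidence is part of the key (an assumption of this example) so an
        # unverified instance never inherits a confirmed instance's status.
        groups[(f["cwe"], f["issue"], f["confidence"])].append(f)

    masters = []
    for (cwe, issue, confidence), items in groups.items():
        locations = sorted({i["location"] for i in items})  # drop exact repeats
        masters.append({
            "cwe": cwe,
            "issue": issue,
            "confidence": confidence,
            # Impact axis: the worst severity seen in the cluster.
            "severity": max((i["severity"] for i in items), key=SEVERITY.index),
            "instances": len(locations),
            "locations": locations,
            "action": "act" if confidence == "CONFIRMED" else "review manually",
        })
    # Proven findings first, then by impact within each confidence level.
    masters.sort(key=lambda m: (CONFIDENCE.index(m["confidence"]),
                                SEVERITY.index(m["severity"])), reverse=True)
    return masters

# Constructed sample findings, not real scanner output.
SAMPLE = [
    {"cwe": "CWE-693", "issue": "Missing Content-Security-Policy header",
     "severity": "Low", "confidence": "CONFIRMED", "location": "/login"},
    {"cwe": "CWE-693", "issue": "Missing Content-Security-Policy header",
     "severity": "Low", "confidence": "CONFIRMED", "location": "/account"},
    {"cwe": "CWE-693", "issue": "Missing Content-Security-Policy header",
     "severity": "Low", "confidence": "CONFIRMED", "location": "/login"},
    {"cwe": "CWE-89", "issue": "SQL injection",
     "severity": "Critical", "confidence": "UNVERIFIED", "location": "/search"},
    {"cwe": "CWE-89", "issue": "SQL injection",
     "severity": "High", "confidence": "CONFIRMED", "location": "/report"},
]

if __name__ == "__main__":
    for m in cluster_findings(SAMPLE):
        print(m["severity"], m["confidence"], m["issue"], m["instances"], m["action"])
```
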