
Findings & severity

A finding is a single issue Vex Raptor detected on a target. Each one carries a severity, a confidence level, evidence, and (when confirmed) a reproducible proof of concept.

Anatomy of a finding

| Field | Description |
| --- | --- |
| Name | The issue and where it was found (e.g. the vulnerable parameter) |
| Severity | Business impact: Critical / High / Medium / Low / Info |
| Confidence | How it was verified — see Confidence pipeline |
| CWE / OWASP / MITRE | Standard classifications for the vulnerability class |
| Evidence | The request/response signals that triggered detection |
| Proof of concept | For confirmed findings: the exact steps/curl to reproduce |
| Remediation | How to fix it |

Severity vs. confidence

These are two independent axes and it is important not to confuse them:

  • Severity = how bad it is if real (impact).
  • Confidence = how sure we are that it is real (evidence).

A Critical finding at UNVERIFIED confidence means "high impact if real, but we could not confirm it — review manually." A High finding at CONFIRMED confidence means "proven, act on it." The report shows both.

Exploit chains

Individual medium findings can combine into a critical compromise (for example IDOR + mass assignment → privilege escalation). Vex Raptor groups related findings into attack chains with a combined severity and a narrative that explains the real-world path, so the report communicates aggregate risk rather than a flat list.

Clustering and deduplication

Repeated instances of the same issue (for example the same SQLi across many database backends, or a header missing on many paths) are clustered into a single master finding with an instance count, so the report stays readable.
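
The following is an added example, not Vex Raptor's own code, showing how a report consumer could cluster repeated instances into master findings and then triage on severity and confidence as separate axes. The tuple layout, the cluster key, the sample findings and the `act`/`review` queue names are assumptions made for illustration.

```python
from collections import defaultdict

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}

# Constructed sample findings as (issue, cwe, location, severity, confidence).
# This tuple layout is an assumption, not Vex Raptor's export schema.
FINDINGS = [
    ("Missing Content-Security-Policy header", "CWE-693", "/", "Low", "CONFIRMED"),
    ("Missing Content-Security-Policy header", "CWE-693", "/login", "Low", "CONFIRMED"),
    ("Missing Content-Security-Policy header", "CWE-693", "/account", "Low", "CONFIRMED"),
    ("SQL injection in 'q' parameter", "CWE-89", "/search", "High", "CONFIRMED"),
    ("Deserialization of untrusted data", "CWE-502", "/import", "Critical", "UNVERIFIED"),
]

def cluster(findings):
    """Collapse repeated instances into master findings with an instance count.

    Confidence is part of the key, so an unverified instance is never
    reported as confirmed just because a sibling instance was.
    """
    groups = defaultdict(list)
    for issue, cwe, location, severity, confidence in findings:
        groups[(cwe, issue, confidence)].append((location, severity))
    masters = []
    for (cwe, issue, confidence), items in groups.items():
        masters.append({
            "issue": issue, "cwe": cwe, "confidence": confidence,
            "instances": len(items),
            "locations": sorted(loc for loc, _ in items),
            # A cluster takes the worst severity seen among its instances.
            "severity": max((sev for _, sev in items), key=SEVERITY_RANK.get),
        })
    return masters

def triage(masters):
    """Split on confidence first, then order each queue by severity."""
    queues = {"act": [], "review": []}
    for m in masters:
        queues["act" if m["confidence"] == "CONFIRMED" else "review"].append(m)
    for q in queues.values():
        q.sort(key=lambda m: SEVERITY_RANK[m["severity"]], reverse=True)
    return queues

if __name__ == "__main__":
    for name, queue in triage(cluster(FINDINGS)).items():
        for m in queue:
            print(f"{name:6} {m['severity']:8} {m['confidence']:10} x{m['instances']} {m['issue']}")
```

The Critical but UNVERIFIED finding lands in the manual-review queue instead of outranking the confirmed High finding, which keeps impact and evidence from being collapsed into one score.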