Reports
Last Updated: 2025-10-21
Purpose
This article describes the layout of Reports and their content.
Introduction
Reports in the Outpost24 Portal provide a structured way to analyze and present vulnerabilities, compliance issues, delta comparisons, and remediation solutions for one or multiple assets, enabling security teams to gain actionable insights into their environment. Reports allow users to generate tailored reports with customizable detail levels—such as summary, management, or detailed views—in formats like PDF for visual clarity, Excel for tabular data, or XML for system integration, with options for secure compression and password protection. By supporting on-demand generation or scheduled delivery via email, direct download, or storage in the Report Library, reports streamline security assessments, facilitate compliance with industry standards, and enhance decision-making by delivering precise, accessible data to stakeholders. The integration of Reports with view templates and tag-based scoping ensures focused reporting, while alignment with CVSS v2 metrics and OWASP-guided SWAT testing provides robust vulnerability analysis, making Reports essential for maintaining a secure and compliant infrastructure.
Requirements
It is assumed that the reader has basic access to an OUTSCAN/HIAB account.
Reports
Report types:
- Vulnerabilities 
- Delta 
- Solutions 
Ways to export:
- Finding based reports - can be exported for one or more findings from the Vulnerabilities or Solutions views and contain all the selected vulnerability findings.
- Asset based reports - can be exported for one or more assets from the Asset view and contain all vulnerability findings associated with the selected assets.
- Asset group based reports - can be exported for one or more asset groups from the Asset group view and contain all vulnerability findings associated with the selected asset groups.
View Templates
View Templates are saved views which include applications, filters, grouping, and columns. Reports use View Templates to filter their content according to a predefined template. There are some built-in templates, and more can be customized by the user.
For more information, see View Templates.
Report Levels
The detail level can be adjusted based on the target recipient of the report. The amount of information varies by level, so each report is tailored to its purpose and audience. There are three report levels available:
- Management 
- Summary 
- Detailed 
All reports contain the following sections:
- Title page 
- Report information 
- Executive summary 
Additionally, depending on the selected report level, the following sections will be included:
| Report Type / Report Level | Management | Summary | Detailed | 
|---|---|---|---|
| Technical details | (no additional sections) | Web application summary | Web application summary | 
Title Page
This is the first page of each report with the title and the date when the report was generated:
Name and content may differ between Management, Summary, and Detailed reports.


Executive Summary
The Executive Summary shows the trend information, risk families, and solutions. It provides a highly visual overview that is informative and useful for reporting findings to top management:

Trend
Trend shows how each risk level changes over time.

Delta Overview

Top 10 Findings

Top 10 Solutions

Risk Summary
This section provides information such as the number of findings and their severity, the number of virtual hosts discovered, and the scanning interval.

Risk Details
The Risk Details section provides information such as Risk factor, CVSS scores, Description, Status, CWE, CAPEC, OWASP, Impact, and Solution, among others.
The Risk Details are only available when selecting a detailed report.
Risk
Status - Indicates the status of a finding. A finding can be marked as:
- Accepted - Shows whether the risk has been accepted.
- False Positive - The scanner reports a risk that someone has marked as a false positive and that the scanner is not supposed to report.
- Fixed - Shows that the vulnerability has been marked as fixed.
- Irreproducible - AppSec was not able to reproduce the finding.
- Pending Verification - Shows that a verification request is pending.
- Present - (Default) Shows that a finding is present after scanning.
Tags - Displays the available tags associated with the finding.
Risk factor
CVSS - The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation such as Low, Medium, High, and Critical to help organizations properly assess and prioritize their vulnerability management processes.
Description - A detailed explanation of the finding with information about the nature of the vulnerability and its potential impact on the affected system.
Information
Solution - The solution section provides actionable advice on how to remediate the vulnerability, as well as detailed information about the context in which the vulnerability was found.
Category - Solution category: Workaround, Patch, Update, Contact Vendor,
Reference
Vendor - Links to the vendor's information about the solution.
Advisory - Links to advisories about the solution.
CVE - Common Vulnerabilities and Exposures (CVE) entry of the vulnerability. CVE is a list of publicly disclosed computer security flaws, each of which has been assigned a CVE ID number. https://www.cve.org/
CWE - Common Weakness Enumeration (CWE™) is a community-developed list of common software and hardware weaknesses that have security ramifications. A weakness is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities.
Bugtraq - Bugtraq ID of the vulnerability.
CAPEC - Common Attack Pattern Enumerations and Classifications (CAPEC™) is a catalog of known cyber security attack patterns, used to understand and prevent attacks. Same information as in the Detailed tab.
OWASP Top 10 2004, 2013, 2017, 2021 - The Open Worldwide Application Security Project (OWASP) Top 10 is a standard awareness document for developers and web application security, and represents a broad consensus about what the most critical web application security flaws are.
Farsight risk - <num> The Likelihood feature in Outpost24® Farsight provides an easier way to address vulnerabilities that are relevant and may impact an organization irrespective of the CVSS score or the presence of an exploit for a vulnerability.
Farsight risk delta - <num>
Farsight risk update date - <date>
Threat activity - <date>
Age - Number of days since the finding was first detected.
Check ID
Explicit Exceptions
The following tests were not executed during the testing:
Denial of Service Attacks - The result of a denial of service attack might cause the application to cease normal behavior. Therefore, attacks of this type will not be executed, unless explicitly requested by the customer.
Social Engineering - In social engineering, an adversary attempts to gain access or otherwise manipulate an application by attacking the people and employees with privileged access, e.g. by enticing them to divulge information.
Physical Security - Physical security is the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious loss or damage to an enterprise, agency, or institution.
OWASP Top 10 2021 Description
The OWASP Top Ten is a powerful awareness document for web application security, which represents a broad consensus about what the most critical web application security flaws are.
| ID | Category | Description |
|---|---|---|
| A01 | Broken Access Control | Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits. |
| A02 | Cryptographic Failures | Poor protection of data in transit and/or at rest. For example, passwords, credit card numbers, health records, personal information, and business secrets require extra protection, mainly if that data falls under privacy laws, e.g., EU's General Data Protection Regulation (GDPR), or regulations, e.g., financial data protection such as PCI Data Security Standard (PCI DSS). | 
| A03 | Injection | Injection flaws occur when an attacker can manipulate user input to inject malicious code into an application as part of a command or a query and execute it. This can lead to data loss, corruption, or unauthorized access to sensitive data. | 
| A04 | Insecure Design | Insecure design is a broad category representing different weaknesses, expressed as “missing or ineffective control design". An insecure design cannot be fixed by a perfect implementation as by definition, needed security controls were never created to defend against specific attacks. | 
| A05 | Security Misconfiguration | Security misconfigurations occur when security features are not configured properly. This includes presence of improperly configured permissions, default accounts and their passwords, stack traces or overly verbose error messages as well as poor hardening of the used frameworks and libraries leaving systems and applications vulnerable to attacks. | 
| A06 | Vulnerable and Outdated Components | Vulnerabilities introduced by the use of third-party or open source components with known security issues. These components may contain unpatched vulnerabilities, which can be exploited by attackers to gain unauthorized access, steal data, or execute malicious code. | 
| A07 | Identification and Authentication Failures | Vulnerabilities related to the verification of user identity and access control. This can include weak password policies, lack of multi-factor authentication, insufficient user validation, and improper session management. These vulnerabilities can be exploited by attackers to bypass authentication mechanisms, impersonate legitimate users, gain unauthorized access to sensitive data or functionalities, and conduct other malicious activities. | 
| A08 | Software and Data Integrity Failures | Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs). An insecure CI/CD pipeline can introduce the potential for unauthorized access, malicious code, or system compromise. | 
| A09 | Security Logging and Monitoring Failures | Lack of proper logging and monitoring of security events. This can include issues such as missing or incomplete logs, insufficient monitoring, and inadequate incident response procedures. These vulnerabilities can be exploited by attackers to evade detection and remain undetected on the affected system for an extended period, leading to further compromises and data theft. | 
| A10 | Server-Side Request Forgery (SSRF) | SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL). | 
Common Vulnerability Scoring System (CVSS) v2 Description
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. Scores are calculated based on a formula that depends on several metrics that approximate ease of exploit and the impact of exploit. Scores range from 0 to 10, with 10 being the most severe. While many utilize only the CVSS Base score for determining severity, Temporal and Environmental scores also exist, to factor in availability of mitigation and how widespread vulnerable systems are within an organization, respectively.
Access Complexity (AC)
| Metric Value | Description | 
|---|---|
| High (H) | Specialized access conditions exist. For example: | 
| Medium (M) | The access conditions are somewhat specialized; the following are examples: | 
| Low (L) | Specialized access conditions or extenuating circumstances do not exist. The following are examples: | 
Access Vector (AV)
| Metric Value | Description | 
|---|---|
| Local (L) | Vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account. Examples of locally exploitable vulnerabilities are peripheral attacks such as Firewire/USB DMA attacks, and local privilege escalations (e.g., sudo). | 
| Adjacent Network (A) | Vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software. Examples of local networks include local IP subnet, Bluetooth, IEEE 802.11, and local Ethernet segment. | 
| Network (N) | A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such vulnerability is often termed "remotely exploitable". An example of a network attack is an RPC buffer overflow. | 
Authentication (Au)
| Metric Value | Description | 
|---|---|
| Multiple (M) | Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time. An example is an attacker authenticating to an operating system in addition to providing credentials to access an application hosted on that system. | 
| Single (S) | One instance of authentication is required to access and exploit the vulnerability. | 
| None (N) | Authentication is not required to access and exploit the vulnerability. | 
Confidentiality Impact (C)
| Metric Value | Description | 
|---|---|
| Partial (P) | There is considerable informational disclosure. Access to some system files is possible, but the attacker does not have control over what is obtained, or the scope of the loss is constrained. An example is a vulnerability that divulges only certain tables in a database. | 
| Complete (C) | There is total information disclosure, resulting in all system files being revealed. The attacker is able to read all of the system's data (memory, files, etc.) | 
| None (N) | There is no impact to the confidentiality of the system. | 
Integrity Impact (I)
| Metric Value | Description | 
|---|---|
| Partial (P) | Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited. For example, system or application files may be overwritten or modified, but either the attacker has no control over which files are affected or the attacker can modify files within only a limited context or scope. | 
| Complete (C) | There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised. The attacker is able to modify any files on the target system. | 
| None (N) | There is no impact to the integrity of the system. | 
Availability Impact (A)
| Metric Value | Description | 
|---|---|
| Partial (P) | There is reduced performance or interruptions in resource availability. An example is a network-based flood attack that permits a limited number of successful connections to an Internet service. | 
| Complete (C) | There is total information disclosure, resulting in all system files being revealed. The attacker is able to read all of the system's data (memory, files, etc.) | 
| None (N) | There is no impact to the availability of the system. | 
Test case appendix - SWAT
SWAT is a hybrid service covering automated monitoring and web application scanning as well as at least quarterly penetration testing, including application logic, of the web applications under service.
The test cases are oriented around the OWASP Testing Guide, and the following controls have been performed for the application. Note that a control is marked as audited either if it was found present and audited, or if it was found not present and hence not auditable. This is to show that the application has been audited for this class of risks.

Copyright
© 2025 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Trademark
Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.
