Overview of Vulnerabilities Page

Last updated: June 8, 2026

Introduction

The Vulnerabilities page is your central hub for tracking and managing every security issue discovered across all your targets. Whether findings come from automated scans or manual pentests, this page gives you a single, consolidated view so your team can prioritize fixes, assign ownership, and monitor resolution progress without switching between individual scans.

Who Should Use This Page

Security leads use this page to get a bird's eye view of risk across all targets and prioritize remediation efforts. Developers use it to find vulnerabilities assigned to them and understand what needs fixing. Compliance officers use it to track resolution status and ensure issues are being addressed within required timeframes.

Key Functions

The page serves four main purposes:

  • It centralizes all vulnerability data across every target and scan type in one place.

  • It lets you filter and prioritize by severity, status, assignee, and scan type.

  • It allows you to track each vulnerability from discovery through to resolution.

  • It supports team collaboration by letting you assign vulnerabilities to specific members.

Searching and Filtering

At the top of the vulnerabilities table you will find several tools to help you find what you need quickly.

The search bar lets you locate specific vulnerabilities by keyword. Sort By allows you to order results by Risk Score or Reported Date. The Status filter narrows results to Unsolved, Under Review, Need Help, Solved, Won't Fix, or False Positive. Assigned To filters by the team member responsible for a vulnerability. Severity filters by Critical, High, Medium, Low, or Info. The Pentest/Scan filter separates findings by Manual Pentest, Scheduled Scans, or Automated Scans.

Vulnerability Statuses Explained

Every vulnerability moves through a lifecycle. Understanding each status helps your team work efficiently.

Unsolved means the vulnerability has been identified but no action has been taken yet.

Under Review means the vulnerability is currently being investigated or a fix is being verified.

Need Help means the vulnerability requires input or assistance from another team member before it can progress.

Solved means the vulnerability has been addressed and a fix is in place.

Won't Fix means the vulnerability has been acknowledged but will not be remediated, typically because the risk is accepted or the fix is impractical.

False Positive means the vulnerability was flagged by the scanner but confirmed upon review to not be a real issue.

What Each Row in the Table Shows

Each row in the vulnerabilities table contains the following information from left to right.

Vulnerability ID is the unique identifier assigned to each finding for easy reference and tracking.

Severity shows the criticality level using color-coded labels such as Critical, High, Medium, or Low.

Vulnerability Name gives a brief description of the issue identified.

Scan Date and Time records when the scan that found the vulnerability was started.

Target Name identifies which application or system is affected.

Risk Score is a numerical value representing the potential impact of the vulnerability.

Reporter indicates whether the finding was raised by an Astra security analyst or the automated scanner.

Assigned To shows which team member is currently responsible for the vulnerability.

Vulnerability Details View

Clicking any row opens the detailed vulnerability sheet. This is divided into a left side and a right side.

The left side contains the full vulnerability description, findings explaining how it was discovered, suggested fixes with practical remediation steps, additional references and external resources, the potential impact on your application, steps to reproduce the issue, and a comments section for team discussion or AI-assisted guidance.

The right side contains meta information including current status, severity level, risk score, assigned team member, affected target, scan details, CVSS score, vulnerability category, the date it was first found, who reported it, estimated bounty or potential loss, and the number of compliance frameworks affected.

Managing a Vulnerability

From the vulnerability details view you have four resolution options.

Mark Ready for Review signals that a fix has been applied and the vulnerability is ready for verification by Astra's security team.

Ask for Help sends a request for additional support or clarification about the finding.

Accept Risk acknowledges the vulnerability will not be fixed. It remains in your results as a record that the risk was reviewed and accepted.

Mark False Positive flags the finding as incorrectly reported. You can optionally exclude that scan rule from all future scans at the same time.

Comments and AI Assistance

The comments section at the bottom of each vulnerability detail view supports two types of interaction depending on your scan type.

For automated DAST scans, the Astranaut AI chatbot is available to answer questions about the vulnerability, explain its impact, suggest remediation steps, or clarify severity. The bot already has context about the specific finding so you do not need to re-explain it.

For manual pentests, you can interact with both the AI chatbot and the Astra security analyst who reported the finding, for a limited period following the pentest.

If your organization prefers not to use AI features, this can be disabled under Target Settings, General, Basic Information, Enable AI Features.

Best Practices

Assign every vulnerability to a specific team member as soon as it is identified. Unassigned issues tend to be overlooked.

Use the Risk Score and Severity filters together to identify the highest priority issues. A Critical severity finding with a high risk score should be addressed before a Medium finding with a low risk score.

When marking a vulnerability as False Positive, always include a note explaining why. This helps your team avoid re-investigating the same issue in future scans and builds an accurate record for audits.

Address at least fifty percent of critical and high severity findings before requesting a manual rescan. This is required by Astra to initiate a rescan and ensures your engineers get the most value from each rescan attempt.
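The prioritization and rescan-readiness rules above can be applied to an exported list of findings before anyone opens the page. The following is an added example written for this article, not code from Astra or its platform; the Finding records are constructed sample data, and the rule that a Critical or High finding counts as "addressed" once it is no longer Unsolved or Need Help is an assumption made here for the check, not something the page defines.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity labels from the page's Severity filter, ordered most to least critical.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}

# Statuses the page describes as the end of the lifecycle (no further work expected).
RESOLVED_STATUSES = {"Solved", "Won't Fix", "False Positive"}

# Assumption for the rescan check: a finding counts as addressed once it has left
# the two statuses that mean "nothing has happened yet" or "blocked on someone".
NOT_ADDRESSED_STATUSES = {"Unsolved", "Need Help"}


@dataclass
class Finding:
    vuln_id: str
    severity: str
    risk_score: float
    status: str
    assigned_to: Optional[str] = None


def prioritize(findings: List[Finding]) -> List[str]:
    """Return open finding IDs ordered by Severity first, then Risk Score descending.

    This mirrors the advice to use both filters together: a Critical with a high
    risk score lands above a Medium with a low risk score.
    """
    open_findings = [f for f in findings if f.status not in RESOLVED_STATUSES]
    ordered = sorted(open_findings, key=lambda f: (SEVERITY_RANK[f.severity], -f.risk_score))
    return [f.vuln_id for f in ordered]


def unassigned_open(findings: List[Finding]) -> List[str]:
    """Open findings with no owner; the page notes these tend to be overlooked."""
    return [
        f.vuln_id for f in findings
        if f.assigned_to is None and f.status not in RESOLVED_STATUSES
    ]


def rescan_ready(findings: List[Finding], threshold: float = 0.5) -> Tuple[bool, int, int]:
    """Check the "at least fifty percent of Critical and High" rule before requesting a rescan.

    Returns (ready, addressed_count, relevant_count).
    """
    relevant = [f for f in findings if f.severity in ("Critical", "High")]
    if not relevant:
        return True, 0, 0
    addressed = sum(1 for f in relevant if f.status not in NOT_ADDRESSED_STATUSES)
    return addressed / len(relevant) >= threshold, addressed, len(relevant)


# Constructed sample findings (IDs, scores and owners are made up for this example).
SAMPLE_FINDINGS = [
    Finding("V-1", "Critical", 9.1, "Unsolved"),
    Finding("V-2", "High", 7.0, "Solved", "alice"),
    Finding("V-3", "Critical", 8.2, "Under Review", "bob"),
    Finding("V-4", "Medium", 5.5, "Unsolved", "carol"),
    Finding("V-5", "High", 6.4, "Unsolved"),
    Finding("V-6", "Low", 2.0, "False Positive", "alice"),
]

if __name__ == "__main__":
    print("Work order:", prioritize(SAMPLE_FINDINGS))
    print("Needs an owner:", unassigned_open(SAMPLE_FINDINGS))
    ready, done, total = rescan_ready(SAMPLE_FINDINGS)
    print(f"Rescan ready: {ready} ({done}/{total} Critical/High addressed)")
```

Run as a script it prints the work order, the findings still lacking an owner, and whether the sample set clears the 50 percent bar; the threshold is a parameter so a team that holds itself to a stricter internal bar can raise it without touching the rule.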

Troubleshooting

Duplicate vulnerabilities appearing: This happens when the same issue is detected across multiple scans. To see a deduplicated view, navigate to the specific scan from Pentests or Continuous Scans and review findings there rather than on the global Vulnerabilities page. Astra is working on cross-scan deduplication improvements.

Cannot change vulnerability status: If a vulnerability is part of an active automated rescan, its status cannot be changed until the rescan completes, fails, or is cancelled.

Vulnerability not appearing after a scan: Confirm the scan completed successfully by checking its status on the Continuous Scans page. If the scan was cancelled or failed mid-run, the finding may not have been recorded.
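The statuses, the four resolution options, the note-on-False-Positive practice and the rescan lock described above form one lifecycle. The following added example models that lifecycle as a small state machine; it is written for this article and is not Astra's code. The mapping from each resolution option to the status it produces, the verification step that moves Under Review to Solved or back to Unsolved, and the rule name used for exclusion are assumptions made here, not behaviour the page states.

```python
from typing import List, Optional, Set, Tuple

# Statuses from "Vulnerability Statuses Explained".
STATUSES = {"Unsolved", "Under Review", "Need Help", "Solved", "Won't Fix", "False Positive"}

# Assumed mapping: which status each of the four resolution options leads to.
ACTION_TO_STATUS = {
    "Mark Ready for Review": "Under Review",
    "Ask for Help": "Need Help",
    "Accept Risk": "Won't Fix",
    "Mark False Positive": "False Positive",
}


class RescanLockedError(Exception):
    """Status cannot change while an automated rescan is active (Troubleshooting)."""


class MissingNoteError(Exception):
    """A False Positive must carry a note explaining why (Best Practices)."""


class TrackedVulnerability:
    def __init__(self, vuln_id: str, status: str = "Unsolved") -> None:
        assert status in STATUSES
        self.vuln_id = vuln_id
        self.status = status
        self.in_active_rescan = False
        self.history: List[Tuple[str, str, str, Optional[str]]] = []
        self.excluded_rules: Set[str] = set()  # rules excluded from future scans

    def apply(self, action: str, note: Optional[str] = None,
              exclude_rule: Optional[str] = None) -> str:
        """Apply one of the four resolution options and return the new status."""
        if self.in_active_rescan:
            raise RescanLockedError(f"{self.vuln_id}: wait for the rescan to finish")
        if action not in ACTION_TO_STATUS:
            raise ValueError(f"unknown action: {action}")
        if action == "Mark False Positive" and not note:
            raise MissingNoteError(f"{self.vuln_id}: explain why this is a false positive")
        new_status = ACTION_TO_STATUS[action]
        self.history.append((self.status, action, new_status, note))
        self.status = new_status
        # Optional side effect of Mark False Positive: exclude the rule from future scans.
        if action == "Mark False Positive" and exclude_rule:
            self.excluded_rules.add(exclude_rule)
        return self.status

    def verify_fix(self, passed: bool) -> str:
        """Assumed verification step: Under Review becomes Solved, or reverts to Unsolved."""
        if self.status != "Under Review":
            raise ValueError(f"{self.vuln_id}: nothing to verify in status {self.status}")
        new_status = "Solved" if passed else "Unsolved"
        self.history.append((self.status, "verify", new_status, None))
        self.status = new_status
        return self.status


if __name__ == "__main__":
    v = TrackedVulnerability("V-EXAMPLE-1")  # constructed ID
    v.in_active_rescan = True
    try:
        v.apply("Mark Ready for Review")
    except RescanLockedError as exc:
        print("blocked:", exc)
    v.in_active_rescan = False
    print(v.apply("Mark Ready for Review"), "->", v.verify_fix(True))
    fp = TrackedVulnerability("V-EXAMPLE-2")  # constructed ID
    print(fp.apply("Mark False Positive", note="test endpoint only, not reachable in prod",
                   exclude_rule="RULE-ID-PLACEHOLDER"))
    print("history:", fp.history, "excluded:", fp.excluded_rules)
```

The history list is the audit trail the Best Practices section asks for: every transition records the prior status, the action, the resulting status and the note, so a later reviewer can see why a finding was accepted or dismissed without re-investigating it.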

Next Steps

After reviewing your vulnerabilities, explore these related articles to take action:

  • How to Request a Rescan After Fixing Vulnerabilities

  • How to Mark a Vulnerability as a False Positive

  • How to Use the Astranaut Chatbot for Contextual Vulnerability Guidance

  • How Astra Calculates the Risk Rating and Security Grade

  • Overview of Compliance Page