Overview: What is Vetting?
Last updated: June 3, 2026
Summary
Vetting is an expert review process conducted by Astra's security engineers that validates your automated scan results for accuracy and eliminates false positives. It bridges the gap between automated scanning and human expertise, delivering high-confidence reports that reflect only true, confirmed security risks in your environment.
Who Should Read This
Security Engineers: To understand how Astra's experts validate and contextualize automated findings before they reach your team.
Developers: To know what a vetted report contains and how to prioritize remediation based on confirmed vulnerabilities.
Security Leads / Compliance Teams: To leverage vetted reports as reliable evidence of security posture for audits, certifications, or stakeholder reporting — especially if your organization lacks a dedicated security team.
Key Functions: What Happens During Vetting
Astra's security engineers carry out the following steps on every scan submitted for vetting:
Manual Review: Each vulnerability flagged by the scanner is reviewed for accuracy and relevance to your specific environment.
Validation: Engineers confirm that findings represent real, exploitable security risks — not theoretical or misidentified issues.
False Positive Removal: Any finding that does not hold up under human verification is removed from the final report.
Actionable Insights: The vetted report includes expert commentary and clear remediation recommendations for every confirmed finding.
Timeline and Validity
Turnaround time: 2–4 business days, extending to 5–7 business days depending on the scope of the scan and the volume of findings.
Report validity: 90 days from the date of the vetted scan.
Certificate extension: If you hold an Astra Pentest certificate that is less than 180 days old, requesting a vetted scan on new features extends your certificate validity by another 180 days.
Available Actions
Request Vetting: Navigate to the Scans page in your dashboard, open the specific scan, and click Request Vetting in the scan settings to convert an automated scan into a vetted scan.
Best Practices
Act within the validity window: Since vetted reports are valid for 90 days, schedule your remediation cycles to begin promptly after receiving the report.
Use vetting for compliance milestones: If you're preparing for an audit or certification, request vetting well in advance to account for the 2–7 business day turnaround.
Extend your certificate proactively: If your Pentest certificate is approaching 180 days, use vetting on new features as an opportunity to extend it rather than initiating a full new pentest.
Leverage it without an in-house team: Vetting is particularly valuable for teams without dedicated security resources, as the final report is designed to be directly actionable without requiring deep security expertise to interpret.