What Are False Positives and How to Work With Them

Last updated: June 11, 2026

Introduction

A false positive is a vulnerability that the scanner flags because it matches a known signature, but does not actually exist when manually verified. Scanners are built to catch every potential issue, which means they can occasionally report findings that turn out to be non-issues on closer inspection.

False positives are common across all vulnerability scanners and remain an active area of research in cybersecurity.

How Astra Reduces False Positives: Vetted Reports

Vetted Reports are vulnerability assessment reports reviewed by Astra's security engineers to confirm that every listed finding is genuine. This is especially useful for teams without a dedicated security function, as it delivers a report you can act on immediately without spending time triaging noise.

Number of vetted reports included with each plan:

  • Scanner Lite Plan (monthly or annually): 0 vetted reports

  • Scanner Plan (monthly): 0 vetted reports

  • Scanner Plan (annually): 4 vetted reports per year

  • Scanner Agency Plan (monthly): 4 vetted reports per year

  • Scanner Agency Plan (annually): 4 vetted reports per year

  • Pentest Plan (annually): 4 vetted reports per year

  • Pentest Plus Plan (annually): 4 vetted reports per year

  • Enterprise Plan (annually): 4 vetted reports per year

How to Mark a False Positive in Astra

If you identify a false positive in your scan results, you can report it and optionally exclude it from all future scans. See the guide on how to mark a vulnerability as a false positive and exclude it from future scans for step-by-step instructions.

Troubleshooting

I marked a false positive but it reappeared in a later scan. This happens if you did not check the "Exclude scanning of this vulnerability in all future scans" option when marking it. Re-open the vulnerability, mark it as a false positive again, and ensure that checkbox is selected.

I'm unsure whether a finding is a false positive or a real vulnerability. Use the Astranaut chatbot on the vulnerability details page to get contextual guidance. For manual pentest findings, you can comment directly on the vulnerability to ask the assigned security analyst.

I want all my findings reviewed for false positives but my plan doesn't include vetted reports. Contact help@getastra.com or raise a support ticket to discuss upgrading your plan or purchasing a vetted scan as an add-on.

Want to Read More About False Positives?

For those interested in delving deeper into the topic of false positives in cybersecurity and proposed solutions to tackle them, here are a few research papers:

(The above papers are credited to the institutions and scholars who wrote them.)

Working with False Positives

If you find that a vulnerability reported by the automated scanner is indeed a false positive, you have the option to report it to us. Additionally, you can configure the system to exclude it from being flagged in subsequent scans. For more details on how to manage this, please refer to our guide on [Know More].

Need help? Raise a support ticket anytime from your Astra dashboard.