What are false positives & how to work with them?
Last updated: June 19, 2025
What This Article Covers
This article defines false positives in the context of vulnerability scanning, explains why they occur, and introduces Astra's vetted reports as a solution to minimize them. It also outlines which plans include vetted reports and provides guidance on how to work with false positives within the Astra platform.
Who Should Read This
This article is for anyone utilizing vulnerability scanners, particularly those using Astra's platform, including security engineers, developers, and IT teams responsible for triaging and remediating reported vulnerabilities.
Why This Matters
Understanding false positives is crucial for efficient vulnerability management. Accurately identifying and handling false positives saves valuable time for development and security teams, allowing them to focus on genuine threats and avoid unnecessary remediation efforts, leading to a more streamlined and effective security posture.
What are False Positives?
Vulnerability scanners are designed to report every possible vulnerability or potential vulnerability within an application. If certain conditions within the application or server match a known vulnerability signature, the scanner will report it within the dashboard, along with a description, request, response, and steps to fix the vulnerability.
Sometimes, a vulnerability gets reported because it matches all the defined conditions, but upon manual verification within the application or server, it is found not to exist. This type of reported vulnerability is called a 'False Positive'. Essentially, it's a vulnerability that a security scanner thinks exists but is not actually present upon human verification.
False positives are a common occurrence with vulnerability scanners and remain an active area of research in cybersecurity. With Astra's Pentest Platform, we strive to ensure there are minimal false positives and offer a unique option of 'vetted reports'.
Vetted Reports are vulnerability assessment reports that have been reviewed by our security engineers to ensure there are no false positives. This significantly helps organizations with lean or no dedicated security teams to receive an actionable security posture report that they can efficiently work on.
Which Plans Include Vetted Reports & How Many?
With vetted scans by Astra, every reported vulnerability is reviewed by our security experts. This process ensures that you receive a list of vulnerabilities with no false positives, thereby saving your developers a significant amount of time.
Here's a breakdown of which plans include vetted reports and the number provided:
| Plan Category | Plan Name | Billing Cycle | Vetted Reports |
|---|---|---|---|
| DAST Scanner | Scanner Lite Plan | Monthly or Annually | 0 |
| DAST Scanner | Scanner Plan | Monthly | 0 |
| DAST Scanner | Scanner Plan | Annually | 4 |
| DAST Scanner | Scanner Agency Plan | Monthly | 4 |
| DAST Scanner | Scanner Agency Plan | Annually | 4 |
| Pentest | Pentest Plan | Annually | 4 |
| Pentest | Pentest Plus Plan | Annually | 4 |
| Pentest | Enterprise Plan | Annually | 4 |
Want to Read More About False Positives?
For those interested in delving deeper into the topic of false positives in cybersecurity and proposed solutions to tackle them, here are a few research papers:
https://www.giac.org/paper/gsec/2063/vulnerability-analysis-elimination-false-positives/103552
https://nsuworks.nova.edu/cgi/viewcontent.cgi?article=2096&context=gscis_etd
(The above papers are credited to the institutions and scholars who wrote them.)
Working with False Positives
If you find that a vulnerability reported by the automated scanner is indeed a false positive, you have the option to report it to us. Additionally, you can configure the system to exclude it from being flagged in subsequent scans. For more details on how to manage this, please refer to our guide on [Know More].
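The two ideas above, a scanner reporting whatever matches a signature and a human later marking some of those reports as false positives that should not be flagged again, can be illustrated with a small triage workflow. The following is an added example, not code from this article or from Astra's platform; the finding format, the signature ids, the hostnames, the 90-day re-review window and the `mark_false_positive` / `triage` helpers are all constructed for illustration. The point it shows is that a suppression has to key on a stable identity (signature id, host, path, parameter) rather than on the raw request and response, otherwise the same issue reported with a different query value on the next scan is flagged again, and that a suppression should carry a written justification and expire so the finding is re-reviewed rather than silenced forever.

```python
"""Triage of scanner findings: fingerprint, record human-verified false
positives, and suppress them on later scans. Illustrative only; the data
model below is an assumption, not any real scanner's export format."""
from dataclasses import dataclass
from datetime import date, timedelta
from hashlib import sha256
from urllib.parse import urlsplit

# Constructed sample date used as "today" for the demo.
TODAY = date(2025, 6, 19)

# Constructed findings shaped like the fields the article says a scanner
# reports (description, request, response). Hostnames and ids are made up.
SCAN_1 = [
    {"id": "SQLI-001", "url": "https://app.example.test/search?q=1", "param": "q",
     "description": "SQL error string seen in response",
     "request": "GET /search?q=1' HTTP/1.1",
     "response": "HTTP/1.1 200 OK\n\n...error in your SQL syntax..."},
    {"id": "OUTDATED-SERVER", "url": "https://app.example.test/", "param": None,
     "description": "Server banner matches a version with known issues",
     "request": "GET / HTTP/1.1",
     "response": "HTTP/1.1 200 OK\nServer: ExampleHTTPd/2.1\n"},
]

# Second scan of the same target: same two issues (note the different query
# value for the SQLi probe) plus one new finding.
SCAN_2 = [
    {"id": "SQLI-001", "url": "https://app.example.test/search?q=2", "param": "q",
     "description": "SQL error string seen in response",
     "request": "GET /search?q=2' HTTP/1.1",
     "response": "HTTP/1.1 200 OK\n\n...error in your SQL syntax..."},
    {"id": "OUTDATED-SERVER", "url": "https://app.example.test/", "param": None,
     "description": "Server banner matches a version with known issues",
     "request": "GET / HTTP/1.1",
     "response": "HTTP/1.1 200 OK\nServer: ExampleHTTPd/2.1\n"},
    {"id": "XSS-002", "url": "https://app.example.test/profile?name=a", "param": "name",
     "description": "Reflected input in response body",
     "request": "GET /profile?name=a HTTP/1.1",
     "response": "HTTP/1.1 200 OK\n\n<p>a</p>"},
]


@dataclass(frozen=True)
class Suppression:
    """A human-verified false positive. 'reason' is the justification the
    reviewer wrote down; 'expires' forces a re-review later."""
    fingerprint: str
    reason: str
    verified_by: str
    created: date
    expires: date


def fingerprint(finding: dict) -> str:
    """Stable identity of a finding: signature id + host + path + parameter.
    The query-string value and the raw request/response are deliberately
    excluded so the same issue on a later scan maps to the same key."""
    parts = urlsplit(finding["url"])
    key = "|".join([finding["id"], parts.netloc, parts.path, finding.get("param") or ""])
    return sha256(key.encode("utf-8")).hexdigest()[:16]


def mark_false_positive(finding: dict, reason: str, verified_by: str,
                        today: date, ttl_days: int = 90) -> Suppression:
    """Record a false positive after manual verification. A suppression with
    no written reason is rejected; the 90-day window is an assumption."""
    if not reason.strip():
        raise ValueError("a false-positive suppression needs a written justification")
    return Suppression(fingerprint(finding), reason, verified_by,
                       today, today + timedelta(days=ttl_days))


def triage(findings: list, suppressions: list, today: date):
    """Split a scan's findings into (needs_review, suppressed). Expired
    suppressions are ignored, so the finding returns for a fresh look."""
    active = {s.fingerprint: s for s in suppressions if s.expires > today}
    needs_review, suppressed = [], []
    for finding in findings:
        match = active.get(fingerprint(finding))
        (suppressed if match else needs_review).append((finding, match) if match else finding)
    return needs_review, suppressed


def run_demo(days_later: int = 1) -> dict:
    """Mark the banner finding from scan 1 as a false positive, then triage
    scan 2 'days_later' days afterwards. Returns the ids in each bucket."""
    s = mark_false_positive(SCAN_1[1], "Verified manually on the host: flagged condition is not present",
                            "reviewer@example.test", TODAY)
    review, suppressed = triage(SCAN_2, [s], TODAY + timedelta(days=days_later))
    return {"review": [f["id"] for f in review],
            "suppressed": [f["id"] for f, _ in suppressed]}


if __name__ == "__main__":
    print("next scan:", run_demo(1))        # banner finding suppressed, SQLi and XSS still to review
    print("after expiry:", run_demo(91))    # suppression lapsed, banner finding is back for review
```

Note that the SQLi finding stays in the review bucket on both runs even though its query value changed between scans, because the fingerprint ignores the value; and that the banner finding is suppressed only while its suppression is unexpired, which is the behaviour you want when the platform re-flags a finding that was excluded long ago.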
Need help? Raise a support ticket anytime from your Astra dashboard.