Vulnerability scanners are built to report every possible vulnerability or potential vulnerability in the application. If certain conditions within the application or server match a known vulnerability, the scanner reports the vulnerability within the dashboard along the description, request, response & steps to fix the vulnerability.

Sometimes, a vulnerability gets reported as it matches all the conditions but doesn't exist upon verification within the application/server. This vulnerability is called a 'False Positive' - essentially a vulnerability that a security scanner think exists but isn't the case upon verification.

False positives are common occurrence with vulnerability scanners, and still a problem under research. With Astra's Pentest Platform, we try hard to ensure there are minimal false positives and also give a unique option of 'vetted' reports.

Vetted Reports are vulnerability assessment reports reviewed by our security engineers to ensure there are no false positives. This helps organizations with lean or no security teams to get an actionable security posture report which they can work on.

Which Plans Include Vetted Reports & How Many?

With vetted scans by Astra, every vulnerability is reviewed by security experts to ensure you receive a list of vulnerabilities which have no false positives, saving your developers a ton of time.

Plan NameVetted Reports
Scanner Plan0
Expert Plan (billed annually)4
Pentest Plan4



You can request a 'Automated (Vetted)' scan while initiating the scan.

Want to Read More About False Positives?

Here are a few research papers which talk about false positives in cyber security and propose solutions to tackle them.

https://www.giac.org/paper/gsec/2063/vulnerability-analysis-elimination-false-positives/103552
https://nsuworks.nova.edu/cgi/viewcontent.cgi?article=2096&context=gscis_etd

(the above papers are credited to the institutions and scholars to wrote them)
Was this article helpful?
Cancel
Thank you!