Reports

Product Context Awareness

All resources in the Scanning API (such as scans, targets, schedules, and reports) are product-specific.

Before creating, updating, or querying any resource, ensure that the correct product is currently active.

Always switch to the appropriate product using the Change User Product endpoint before interacting with product-specific resources.

Confidentiality & Security Notice
Reports may contain sensitive details about your infrastructure, services, and security posture.

Please:

Download reports only when necessary

Store them in a secure location

Avoid sharing reports with unauthorized parties

Protecting report data is essential to maintaining your organization’s security.

Reports represent the final output of a scan.
They act as structured containers (buckets) of all results collected during a scan, including both vulnerabilities and informative findings for the scanned assets.

Each report reflects the security posture of the assets at the time the scan was completed and remains immutable for audit and historical purposes.

What Reports Contain

Vulnerability findings with severity, evidence, and remediation guidance

Informative results, such as detected services, configurations, and observations

Metadata related to the scan, targets, and product used

Reports are always tied to:

A specific scan

A specific product

A specific point in time

Report Generation & Availability

Depending on the selected product, reports can be:

Generated after scan completion

Downloaded later, without re-running the scan

Reports are generated on demand and remain available for future access as long as retention policies allow.

Report Types per Product

Different products provide different PDF report formats, designed for technical, executive, or compliance use cases.

PCI Compliance

Attestation of Scan Compliance (AOSC)

Detailed PCI Report

Executive PCI Report

VRMS (Vulnerability Assessment)

Vulnerability Assessment Report

Vulnerability Summary Report

Executive VRMS Report

Penetration Testing

Penetration Test Report (Detailed)

Penetration Test Executive Report

Each report type serves a different audience while using the same underlying scan data.

Exceptions Handling

If a vulnerability exception has been:

Submitted by a user, and

Approved by the SOC team,

then

The vulnerability will still appear in the report

Its severity will be shown as Low

The exception justification and description will be included

PCI-Specific Behavior (DoS Findings)

For PCI Compliance reports, special rules apply:

Denial of Service (DoS) vulnerabilities are not considered compliance failures

Even if a DoS issue has a high severity (e.g. CVSS 10.0), it does not cause PCI compliance to fail

Such findings are still included in the report for visibility

This behavior follows PCI ASV requirements.

What Reports Contain#

Report Generation & Availability#

Report Types per Product#

PCI Compliance#

VRMS (Vulnerability Assessment)#

Penetration Testing#

Exceptions Handling#

PCI-Specific Behavior (DoS Findings)#