Explore and fix XBOW results

After you start an assessment, the “Run assessment” page shows results as they are detected. In addition, you can view a summary of the configuration for the assessment.

Exploring results

Screenshot of the Findings table showing the ID, Name, Path, Severity, Status, Last seen, and Actions fields.

By default, findings are sorted by severity. You can click any column header to change the sort order. When you see a finding you want to explore, click its table row to open the details page for that vulnerability, which includes:

  • CVSS score: Including how it was calculated.
  • CWE classification: The vulnerability type (see Vulnerability classification).
  • Detailed explanation: Description of the problem found in your application.
  • Exploit details (for validated findings): Full exploit information, reproduction steps, and proof (see Interpreting XBOW results).
  • Impact assessment: How the vulnerability could affect your application.
  • Mitigation guidance: How to fix the vulnerability.

You can also view the complete trace of the AI agent’s testing process by clicking View Trace or scrolling to the bottom of the page.

To return to the table of findings, use your browser back button or use the breadcrumb shown at the top of the page.

Mitigating findings

For each finding, XBOW proposes how you can mitigate the vulnerability. This advice is tailored as closely as possible to the specific vulnerability found in your target. If you chose to upload source code to guide testing, XBOW uses this information to provide more precise instructions.

Use the mitigation advice to fix each finding that you decide is important.

For findings you choose not to remediate immediately, you can:

  • Document the risk acceptance decision
  • Plan to address them in a future release
  • Mark them for review in the next assessment

Retesting to confirm fixes

After fixing vulnerabilities, you can retest to verify the fixes are comprehensive. XBOW will try the original exploits and, if those fail, will attempt alternative approaches.

Note: Lightspeed users can run one retest per assessment. Make sure you fix all the findings you need to fix before you start a retest.

Start a retest (All users)

  1. When you have fixed all the vulnerabilities you plan to remediate, view the assessment results page.
  2. Click Retest to display the “Retest previous vulnerabilities” dialog box.
  3. Select every vulnerability that you want to retest.
  4. Click Retest to start the retest assessment.

When the retest completes, the findings table updates to show confirmed fixes. A new version of the Penetration Test report is generated with updated statuses.

Alternative method (Enterprise users only)

Enterprise users can also create a new assessment for the target and select Retest previous vulnerabilities as the assessment type.

Next steps