Findings
Findings are security issues discovered by your integrations — vulnerabilities, compliance gaps, and misconfigurations. QuantAssure's AI re-assesses each finding's severity based on your organisational context.
AI-Adjusted Severity
Raw scanner severities don't reflect your actual risk. QuantAssure's AI analyses each finding considering multiple factors:
- Transitive dependencies: Is it actually reachable in your runtime?
- Environment context: Production vs development vs test environments
- System criticality: Data classification and business impact
- Your organisation's policies: Security policies provide risk context
The AI-adjusted severity is what you see throughout the dashboard — not the raw scanner output.
A "Critical" Dependabot alert in a CI-only transitive dependency might be reclassified to "Low" — because the actual risk is minimal.
Browsing Findings
Navigate to the Findings page to view all security issues across your systems.
Filter Options
- Status: new, open, in_progress, resolved, dismissed, accepted
- Severity: 1 (info) through 5 (critical)
- Source: dependabot, mosyle, securityhub, and more
- Category: vulnerability, compliance, misconfiguration
- System: Filter by monitored system
Sorting and Search
Sort findings by last seen, severity, or created date. Use the search bar to find specific findings by title or description.
Finding Detail
Click any finding to view its complete details and context.
AI Analysis
Each finding includes AI-generated insights:
- Risk assessment summary: What's the actual risk?
- Impact analysis: What could happen if exploited?
- Recommended actions: How to fix it
- Risk score: Numerical score from 0–100 for prioritisation
Severity Comparison
The finding detail shows both the original scanner severity and the AI-adjusted severity. When they differ, the AI explains its reasoning for the reclassification.
Metadata
Technical details about the finding:
- Source integration and category
- CVE IDs and CVSS scores (for vulnerabilities)
- Affected asset or repository
- First and last seen timestamps
- Dependency path (for transitive dependencies)
Acting on Findings
Remediation
Some findings offer automated fix actions that can be applied directly from the dashboard:
- GitHub: Create a pull request to update the vulnerable dependency
- Mosyle: Push a compliance policy to affected devices
To apply a fix:
- Click "Fix" on the finding detail page
- Review the proposed change before confirming
- QuantAssure executes the remediation action
Risk Acceptance
For findings you've assessed and decided to accept rather than remediate:
- Click "Accept Risk" on the finding detail page
- Provide justification for accepting the risk
- Set an expiry date (when the risk should be reassessed)
- Submit for approval (if your organisation has configured approvals)
Accepted findings are tracked in the Risk Register report and don't count against your security posture score.
Dismissing
For false positives or irrelevant findings:
- Click "Dismiss" on the finding detail page
- Dismissed findings are hidden from default views
- They can be restored later if needed
Risk acceptance vs dismissing: Use risk acceptance for real security issues you've chosen to accept. Use dismissing for false positives and findings that aren't actually security issues.
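As an added illustration, not QuantAssure's own model (whose factors and weights are not published on this page): a small Python sketch of how context can re-rank a raw scanner severity, using the page's example of a Critical alert in a CI-only transitive dependency, and of how accepted and dismissed findings drop out of the open-work view while acceptances past their expiry are flagged for reassessment. The rule weights, the field names and the labels for severities 2 to 4 are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed label names for the 1-5 scale; the page names only 1 (info) and 5 (critical).
SEVERITY_LABELS = {1: "info", 2: "low", 3: "medium", 4: "high", 5: "critical"}

@dataclass
class Finding:
    title: str
    raw_severity: int                       # scanner severity, 1 (info) .. 5 (critical)
    transitive: bool = False                # pulled in through another dependency?
    reachable: bool = True                  # is the vulnerable code reachable at runtime?
    environment: str = "production"         # production / development / test / ci
    data_classification: str = "internal"   # public / internal / confidential
    status: str = "new"                     # new, open, in_progress, resolved, dismissed, accepted
    accepted_until: Optional[str] = None    # ISO expiry date set when the risk was accepted

def adjusted_severity(f: Finding) -> tuple:
    """Illustrative context rules (assumed, not QuantAssure's): (severity 1-5, reasons)."""
    sev, reasons = f.raw_severity, []
    if f.transitive and not f.reachable:
        sev -= 2
        reasons.append("transitive dependency, not reachable at runtime")
    if f.environment != "production":
        sev -= 1
        reasons.append(f"{f.environment} environment, not production")
    if f.data_classification == "confidential":
        sev += 1
        reasons.append("system handles confidential data")
    return max(1, min(5, sev)), reasons     # clamp to the 1-5 scale

def posture_view(findings: list, today: str) -> dict:
    """Split findings into open work, accepted risk, and acceptances past their expiry."""
    view = {"open": [], "accepted": [], "expired": []}
    today_d = date.fromisoformat(today)
    for f in findings:
        if f.status in ("resolved", "dismissed"):
            continue                         # dismissed items are hidden from default views
        if f.status == "accepted":
            view["accepted"].append(f)       # tracked in the Risk Register, not in posture
            if f.accepted_until and date.fromisoformat(f.accepted_until) < today_d:
                view["expired"].append(f)    # expiry has passed: reassess the risk
            continue
        view["open"].append(f)
    view["open"].sort(key=lambda x: adjusted_severity(x)[0], reverse=True)
    return view
```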
Findings and Compliance
Findings are automatically mapped to relevant ISM controls by QuantAssure's AI:
- Linked findings appear as evidence on control detail pages
- Resolving findings improves your compliance readiness score
- The AI considers your findings when assessing control implementation status
See Evidence Collection for details on how findings support your compliance reporting.