Skip to content

Reporting in Business Logic Aware DAST

One of the key features of the Reporting section of a Business Logic Aware DAST scan is its ease of exportability. Security reports can be exported to PDF and shared with stakeholders, for internal reviews, leadership updates, or audits, so everyone stays aligned on API security posture.

Modular template reporting

Reporting is context-aware and modular. You start an export from the area that defines scope, for example Assets, Issues, an Application (profile), or a Scan, then choose which blocks (block kinds) to assemble into the PDF. That replaces a single fixed "executive vs technical" split: you tailor the same engine for management summaries, engineering detail, or auditor-ready evidence by selecting the right blocks.

The main block groups are:

  • Asset context: in-scope assets in tabular form (names, types, first seen and last seen).
  • Scan context: high-level scan overview (scope, timing, health, authentication, findings, and related statistics). Only offered when exporting from a scan or application (profile) context, not when the export is driven from the global Assets or Issues views alone.
  • Issue summary: findings summarized by severity.
  • Issue list: issues in scope as a list.
  • Issue details: full write-up per finding (context, remediation, reproduction evidence such as cURL where available). Intended for narrow scope, in practice when tied to a single scan; very large asset or issue selections may disable this block to protect performance.
  • Compliance: one or more compliance sections for frameworks enabled for your organization (each framework corresponds to its own block kind in the product).

In the product, compliance maps to many concrete block kinds (one per enabled framework). The other groups above are the main context and issue blocks, plus methodology, which is always part of the generated PDF.

Export a Single Issue as PDF

When you need to share one finding with a developer, auditor, or stakeholder who isn't on Escape, export it directly from the issue side panel without running a bulk report across a folder or project.

  1. Open the issue you want to share.
  2. Open the Actions menu in the issue side panel.
  3. Under Export, click Export as PDF.

Export as PDF in the issue side panel Actions menu Export as PDF from the issue side panel Actions menu: one finding, full report with evidence.

The PDF covers only the issue you're viewing. It uses the same reporting engine as bulk exports, with the Issue details block scoped to that single finding: severity, context, remediation guidance, and reproduction evidence (including cURL where available).

The file downloads when generation completes. The UI shows progress while the export job runs.

Understanding Severity Levels

While CVSS scores provide a numerical risk measure, they don't always capture the full picture. Escape Severity considers various factors such as:

  • The type of vulnerability
  • Its exploitability in the context of your API
  • CVSS score
  • Other risk factors specific to your application

This comprehensive approach ensures that the severity levels assigned to vulnerabilities accurately reflect their potential impact on your specific API environment.

Reporting at Scale

reporting

Escape's Security Reporting feature provides essential visibility into your organization's security posture. As applications and updates are continuously deployed, our system:

  • Tracks and analyzes potential security vulnerabilities

  • Generates comprehensive security reports

  • Keeps security teams informed and proactive

  • Trend Analysis: With the increasing complexities of applications, tracking vulnerabilities over time becomes crucial. Our reporting module provides a chronological overview of detected issues, enabling your team to identify patterns, peak vulnerability periods, and measure the efficacy of remediation strategies.

  • Categorization of Risks: Not all vulnerabilities bear the same weight. We categorize risks by their type, ensuring that high-priority threats don't get lost in the noise. This categorization enables teams to allocate resources efficiently and address critical vulnerabilities on a priority basis.