Understanding Results
After scan completion, you'll be redirected to the results page. Here you can view both individual scan results and historical DAST scan data over time.

Issues, Reproduction & Remediations
Escape's AI Remediation feature helps you understand vulnerabilities in the context of your organization's security posture. Vulnerabilities are:
- Detected and analyzed
- Prioritized based on specific risks
- Contextualized to focus remediation efforts
Detailed remediation guidance is provided for all GraphQL, REST, and WebApp frameworks.

For APIs:
- Includes cURL commands for issue reproduction
- Provides step-by-step reproduction guidance
For WebApps:
- Includes reproduction steps to reach the appropriate page and state
- Context will explain the inputs or DOM elements that are triggering the alert, with surrounding page content
- Contains screenshots and crawled elements for in-depth debugging
Issue Deduplication
Issues are automatically hashed and deduplicated at the Asset level. When multiple Profiles scan the same Asset, any Issues with identical hashes are consolidated into a single Issue record. This means:
- Only one instance of each unique Issue is visible and stored per Asset
- Duplicate findings from different Profiles are merged automatically
- The Asset-level view provides a clean, deduplicated list of security Issues
This deduplication ensures efficient issue management and prevents redundant remediation efforts when the same vulnerability is detected by multiple scan profiles.
Scan Score Computation
Escape assigns a numerical security score to each scan, providing a quantifiable metric for security posture assessment and trend analysis over time. The score is calculated on a normalized scale from 0 to 1, where 1 represents a perfectly secure state (no active security issues) and values approaching 0 indicate increasingly severe security concerns.
Scoring Methodology
The scan score is derived through a severity-weighted point accumulation system combined with an exponential decay function. This mathematical approach ensures that the security score degrades non-linearly as vulnerabilities accumulate, reflecting the compounding risk that multiple security issues introduce to an application.
Severity-Based Point Weighting:
Each detected vulnerability contributes a point value to the total risk calculation based on its severity classification:
- CRITICAL and HIGH severity issues contribute substantially higher point values, reflecting their potential for immediate exploitation and significant business impact
- MEDIUM severity issues contribute moderate point values, representing security weaknesses that require remediation but may not be immediately exploitable
- LOW severity issues contribute minimal point values, indicating minor security concerns or informational findings
- INFO severity findings do not contribute to the risk calculation, as they represent informational observations rather than actionable vulnerabilities
The specific point weights assigned to each severity level have been calibrated based on industry vulnerability scoring standards (CVSS) and real-world exploitation patterns observed across thousands of application security assessments.
Exponential Decay Function:
Rather than using a simple linear degradation model, Escape employs an exponential decay function to compute the final score from the accumulated risk points. This mathematical approach is essential for accurately representing security risk because:
- Compounding Risk: Multiple vulnerabilities create synergistic exploitation opportunities. An attacker who discovers several medium-severity issues may chain them together to achieve critical impact. The exponential function captures this risk amplification.
- Non-Linear Threat Escalation: The difference between zero vulnerabilities and five vulnerabilities is more significant than the difference between fifty and fifty-five vulnerabilities. The exponential decay ensures that initial security degradation is reflected more dramatically in the score.
- Normalized Output: The exponential function naturally produces values in the 0-1 range, enabling intuitive interpretation and consistent comparison across scan iterations.
The decay function is parameterized by a decay factor constant that controls the rate at which the score decreases as risk points accumulate. This factor has been empirically tuned to produce score distributions that align with qualitative security assessments (e.g., a score of 0.95+ represents excellent security, while scores below 0.70 indicate significant remediation requirements).
Score Calculation Scope
The scan score is computed based on all active issues discovered during the scan execution. Only issues that remain unresolved and are associated with the scan's findings contribute to the calculation. This ensures that the score accurately reflects the application's security state at the specific point in time when testing was performed.
When issues are remediated and marked as resolved, they are excluded from future score calculations, enabling scores to improve as security improvements are deployed.
Score Interpretation and Trending
Security scores should be interpreted in conjunction with the underlying vulnerability details rather than in isolation:
- Score Trends Over Time: A declining score trajectory indicates accumulating technical security debt or newly introduced vulnerabilities. Conversely, an improving trend demonstrates effective remediation efforts.
- Severity Distribution: Two scans with identical scores may have different risk profiles. A scan revealing several critical issues presents different remediation priorities than one with many low-severity findings.
- Historical Comparison: Scores enable tracking security improvements across scan iterations, helping security and engineering teams measure the effectiveness of remediation efforts and identify regression patterns.
The scan score serves as a high-level security health indicator that complements detailed vulnerability analysis, enabling both executive-level reporting and technical remediation workflows.
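The scoring model described in this section, sketched as an added example (not Escape's own code). The severity weights, the decay factor, the `status` values and the exact form `exp(-DECAY * points)` are assumptions chosen for illustration, since the page does not publish the real ones; the sample findings are constructed.

```python
import math
from collections import Counter

# ASSUMED values for illustration: the page does not publish the real
# severity weights or decay factor.
WEIGHTS = {"CRITICAL": 10, "HIGH": 6, "MEDIUM": 3, "LOW": 1, "INFO": 0}
DECAY = 0.02


def active(issues):
    """Only unresolved issues count toward the score."""
    return [i for i in issues if i["status"] != "RESOLVED"]


def risk_points(issues):
    """Severity-weighted point accumulation over active issues."""
    return sum(WEIGHTS[i["severity"]] for i in active(issues))


def scan_score(issues):
    """Exponential decay maps points into (0, 1]; 1.0 means no active issues."""
    return math.exp(-DECAY * risk_points(issues))


def breakdown(issues):
    """Severity distribution, to read alongside the single score."""
    return Counter(i["severity"] for i in active(issues))


def findings(severity, count, status="OPEN"):
    """Build constructed sample findings (not real scan output)."""
    return [{"severity": severity, "status": status} for _ in range(count)]


if __name__ == "__main__":
    # Non-linear degradation: the first five findings cost far more than 51-55.
    early = scan_score([]) - scan_score(findings("MEDIUM", 5))
    late = scan_score(findings("MEDIUM", 50)) - scan_score(findings("MEDIUM", 55))
    print(f"drop 0->5: {early:.3f}   drop 50->55: {late:.3f}")

    # Identical score, different risk profile.
    for scan in (findings("HIGH", 1), findings("LOW", 6)):
        print(f"{scan_score(scan):.3f}", dict(breakdown(scan)))

    # Resolved issues drop out, so the score recovers after remediation.
    before = findings("CRITICAL", 1) + findings("LOW", 2)
    after = findings("CRITICAL", 1, "RESOLVED") + findings("LOW", 2)
    print(f"before {scan_score(before):.3f}  after {scan_score(after):.3f}")
```

With these assumed parameters, one HIGH finding and six LOW findings produce the same score, which is why the severity breakdown has to be read next to the number.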
Sensitive Data Detection

Escape triggers alerts when detecting sensitive data and provides:
- Detailed examination in the "Sensitive Data" tab
- Rich contextual information about data accessibility
- Risk assessment for each data type
Types of Sensitive Data:
- Personally Identifiable Information (PII): Including but not limited to Social Security numbers, full names, and email addresses.
- Financial Information: Such as credit card numbers, bank account details, and transaction histories.
- Tokens and Secrets: Like API keys, JWT tokens, and encryption keys.
A complete list of supported data types can be found in the Data Types Reference page.
Governance & Operations
Escape's Governance & Operations section provides a comprehensive overview of how to manage and operationalize your security posture: Vulnerability Management, Reporting, Compliance, Automations & Notifications, Ticketing & Workflows, and more.