Skip to content

Understanding Results

After scan completion, you'll be redirected to the results page. Here you can view both individual scan results and historical DAST scan data over time.

Issues, Reproduction & Remediations

Escape's Contextual Remediation feature helps you understand vulnerabilities in the context of your organization's security posture. Vulnerabilities are:

  • Detected and analyzed
  • Prioritized based on specific risks
  • Contextualized to focus remediation efforts

Detailed remediation guidance is provided for all GraphQL, REST, and SPA frameworks.

remediation

For APIs:

  • Includes cURL commands for issue reproduction
  • Provides step-by-step reproduction guidance

For SPAs:

  • Includes Trace Viewer link showing exact reproduction steps
  • Based on Playwright trace format
  • Contains screenshots and crawled elements for in-depth debugging

Sensitive Data Detection

sensitive-data.png

Escape triggers alerts when detecting sensitive data and provides:

  • Detailed examination in the "Sensitive Data" tab
  • Rich contextual information about data accessibility
  • Risk assessment for each data type

Types of Sensitive Data:

  • Personally Identifiable Information (PII): Including but not limited to Social Security numbers, full names, and email addresses.
  • Financial Information: Such as credit card numbers, bank account details, and transaction histories.
  • Tokens and Secrets: Like API keys, JWT tokens, and encryption keys.

A complete list of supported data types can be found in the Data Types Reference page.

Risk-Based Prioritization

risks.png

Issues and related Services are prioritized based on the risk they pose to your organization according to the risk matrix.

Risk Application Service Security Issue
Not Tested The application service has not been tested by Escape DAST. Not applicable (N/A).
Tested in Production Only The application service is tested by Escape DAST in production mode only, without executing mutating or destructive security tests. Not applicable (N/A).
External Exposure The application service is exposed to the public Internet. The issue relates to a service that is publicly accessible, increasing the risk of exploitation.
Unauthenticated The application service does not enforce authentication. The issue is exploitable without any credentials, using the public user.
Open Schema The application schema (e.g., OpenAPI or GraphQL Introspection) is publicly accessible on the Internet. The issue is associated with an application exposing its schema openly.
Leaking Schema The application schema is not officially public but can be reconstructed from the Internet without authentication. The issue stems from schema information being unintentionally leaked.
Sensitive Data The application service is leaking sensitive information. The issue involves the exposure of sensitive data (e.g., PII, tokens, or secrets).
Critical Vulnerability The application service has a critical security flaw. The issue is classified as critically severe and requires immediate remediation.

Compliance Reports

compliance.png

Generate comprehensive compliance reports with a single click:

  • Download tailored security reports for each compliance standard.
  • Choose to generate reports for the entire organization or specific applications, accommodating various auditing needs.
  • Share these reports with auditors, partners, customers, and other stakeholders to demonstrate your commitment to cybersecurity.

The Compliance Matrix offers a visual overview of your organization's compliance status across all standards, allowing you to see at a glance where your security posture stands.

matrix.png

Escape supports major compliance standards including:

  • OWASP TOP 10: Key document outlining the top ten web application security risks.

  • CWE: Identifies common software security weaknesses.

  • WASC: Produces best-practice security standards.

  • PCI-DSS: Standards for organizations handling branded credit cards.

  • MITRE ATT&CK: Knowledge base of adversary tactics and techniques.

  • HIPPA: Protects sensitive patient data.

  • GDPR: Protects the personal data and privacy of EU citizens.

  • SOC-2: Framework for managing customer data.

  • PSD-2: Regulates EU payment services.

  • ISO27001: International information security standard.

  • HDS: French standard for health data hosts.

  • NIST Framework: U.S. guidelines for managing cybersecurity risk.

  • HITRUST CSF: Framework for regulatory compliance and risk management.

  • FedRAMP: U.S. government-wide program for cloud security.

  • NIS2: EU legislation enhancing cybersecurity.

  • ...and many more on the horizon.

Compliance is a continuous journey, not a one-time achievement. With Escape's Compliance feature, you are equipped not just to meet current security standards but also to adapt to future regulatory challenges.

Reporting

reporting

Escape's Security Reporting feature provides essential visibility into your organization's security posture. As applications and updates are continuously deployed, our system:

  • Tracks and analyzes potential security vulnerabilities

  • Generates comprehensive security reports

  • Keeps security teams informed and proactive

  • Trend Analysis: With the increasing complexities of applications, tracking vulnerabilities over time becomes crucial. Our reporting module provides a chronological overview of detected issues, enabling your team to identify patterns, peak vulnerability periods, and measure the efficacy of remediation strategies.

  • Categorization of Risks: Not all vulnerabilities bear the same weight. We categorize risks by their type, ensuring that high-priority threats don't get lost in the noise. This categorization enables teams to allocate resources efficiently and address critical vulnerabilities on a priority basis.

Report Export

All security reports can be exported to PDF format for:

  • Internal reviews
  • Board meetings
  • Compliance audits
  • Stakeholder communications

One of the key features of the Reporting section is its ease of exportability. All security reports can be quickly exported to PDF format, allowing for seamless sharing with relevant stakeholders. Whether it's for internal reviews, board meetings, or compliance audits, you can easily distribute these comprehensive reports to keep everyone informed about the organization's API security posture.