Reporting in Business Logic Aware DAST
One of the key features of the Reporting section of a Business Logic Aware DAST scan is its ease of exportability. Security reports can be exported to PDF and shared with stakeholders—for internal reviews, leadership updates, or audits—so everyone stays aligned on API security posture.
Modular template reporting
Reporting is context-aware and modular: you start an export from the area that defines scope—for example Assets, Issues, an Application (profile), or a Scan—then choose which blocks (block kinds) to assemble into the PDF. That replaces a single fixed “executive vs technical” split: you tailor the same engine for management summaries, engineering detail, or auditor-ready evidence by selecting the right blocks.
The main block groups are:
- Asset context: in-scope assets in tabular form (names, types, first seen / last seen).
- Scan context: high-level scan overview (scope, timing, health, authentication, findings, and related statistics). Only offered when exporting from a scan or application (profile) context—not when the export is driven from the global Assets or Issues views alone.
- Issue summary: findings summarized by severity.
- Issue list: issues in scope as a list.
- Issue details: full write-up per finding (context, remediation, reproduction evidence such as cURL where available). Intended for narrow scope, in practice when tied to a single scan; very large asset or issue selections may disable this block to protect performance.
- Compliance: one or more compliance sections for frameworks enabled for your organization (each framework corresponds to its own block kind in the product).
In the product, compliance maps to many concrete block kinds (one per enabled framework); the other groups above are the main context and issue blocks, plus methodology, which is always part of the generated PDF.
Understanding Severity Levels
While CVSS scores provide a numerical risk measure, they don't always capture the full picture. Escape Severity considers various factors such as:
- The type of vulnerability
- Its exploitability in the context of your API
- CVSS score
- Other risk factors specific to your application
This comprehensive approach ensures that the severity levels assigned to vulnerabilities accurately reflect their potential impact on your specific API environment.
Reporting at Scale

Escape's Security Reporting feature provides essential visibility into your organization's security posture. As applications and updates are continuously deployed, our system:
- Tracks and analyzes potential security vulnerabilities
- Generates comprehensive security reports
- Keeps security teams informed and proactive
- Trend Analysis: With the increasing complexities of applications, tracking vulnerabilities over time becomes crucial. Our reporting module provides a chronological overview of detected issues, enabling your team to identify patterns, peak vulnerability periods, and measure the efficacy of remediation strategies.
- Categorization of Risks: Not all vulnerabilities bear the same weight. We categorize risks by their type, ensuring that high-priority threats don't get lost in the noise. This categorization enables teams to allocate resources efficiently and address critical vulnerabilities on a priority basis.