Vulnerability Management
Vulnerability Management in Escape gives Security Engineers a powerful way to identify, prioritize, and remediate the security issues and sensitive data exposures uncovered during Inventory and DAST scanning. This module leverages comprehensive filtering, bulk actions, and intelligent features like Machine Learning–based hashing to streamline your workflow, helping you focus on what truly matters: securing your applications.
Viewing Vulnerabilities
Issues and sensitive data can be viewed inside a scan (in a scoped view), or globally across the organization in the All Risks section:
- Scoped (Per-Scan) View: After initiating and completing a DAST scan (see Start a new Scan and Understanding Results for details), you can drill into that specific application’s vulnerabilities. This scoped view helps you see issues in the direct context of a single API or SPA.
- All Risks Section (Global View at Scale): For a broader overview including Inventory and DAST findings, navigate to the All Risks section. This is your organization-wide “control tower,” listing every vulnerability (issues and sensitive data) detected by Escape DAST across all scanned applications. From here, you can quickly spot overarching patterns and manage large batches of findings.
Bulk Editing of Issues and Sensitive Data
Large organizations often deal with hundreds or thousands of vulnerabilities at once. Bulk editing makes your remediation workflow more efficient by enabling actions on multiple findings simultaneously:
- Assign vulnerabilities to the right owners or teams.
- Ignore specific false positives.
- Label vulnerabilities with a custom tag that can be used for filtering and reflected in the Inventory.
- Add a comment with a consistent remediation note or reference.
This significantly reduces the operational overhead, especially when triaging common or repeated issues.
Intelligent Query Builder
The Query Builder in the All Risks section allows you to locate and categorize vulnerabilities using multiple criteria:
- Filter by severity, risk level, environment (production vs. dev), technology (GraphQL, REST, SPA), and labels defined in the Inventory or DAST scans.
- Search by keywords or specific vulnerability IDs.
- Sort results based on attributes like detection date, risk score, or impacted services.
By building flexible queries, Security Engineers can tailor the interface to their immediate needs, whether that is prioritizing urgent vulnerabilities or investigating suspicious patterns. Queries are reflected in the URL, so you can save them and share them with your team.
Ignoring Vulnerabilities
Escape DAST’s proprietary engine—focused on business logic security—significantly reduces false positives by testing how data and requests flow through an application. Because it prioritizes risk according to real-world impact, you should rarely encounter purely “noise” vulnerabilities.
Still, there are valid reasons why teams may choose to ignore specific findings:
- Accepted Risk: You’ve determined the vulnerability’s impact is low or otherwise mitigated by design.
- Operational Constraints: Fixing the issue may not be feasible in the near term, and you prefer to temporarily remove it from your main queue.
- False Positives: On rare occasions, a reported vulnerability isn’t actually exploitable.
How Ignoring Works
- Add Comments: Provide context when ignoring a vulnerability—e.g., “risk accepted,” “pending redesign,” or “legacy endpoint to be deprecated.” These notes help your team stay aligned on why certain issues are left unaddressed.
- Machine Learning Hashing: Escape uses a hashed signature for each ignored vulnerability. If the same issue reappears exactly as before, it remains ignored. However, if there’s a material change in context—like a new parameter or endpoint—Escape raises it again as a new finding, ensuring you don’t accidentally ignore fresh threats.
- Transparent Tracking: Ignored items aren’t deleted; they’re simply moved out of the active risk queue. You can revisit or unignore them at any time (for example, if business priorities shift).
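As an added illustration (not Escape’s own code; Escape’s Machine Learning hashing model is not described on this page), the following Python uses a plain deterministic hash to show the behaviour described above: a signature computed over a finding’s stable context keeps an exact re-detection ignored, while a new parameter changes the signature and surfaces the issue as a new finding. The finding field layout and the sample findings are constructed assumptions.

```python
import hashlib
import json

def fingerprint(finding: dict) -> str:
    """Stable signature over the fields that define a finding's context.
    Volatile fields (scan ids, timestamps, raw responses) are left out so a
    re-detection of the same issue hashes identically; a new parameter or
    endpoint changes the hash and therefore surfaces as a new finding."""
    context = {
        "type": finding["type"],
        "method": finding["method"].upper(),
        "endpoint": finding["endpoint"].rstrip("/"),
        "params": sorted(finding.get("params", [])),
    }
    payload = json.dumps(context, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

class IgnoreList:
    """Ignored findings are kept (with their comment), never deleted."""
    def __init__(self):
        self._ignored = {}  # fingerprint -> triage comment

    def ignore(self, finding, comment):
        self._ignored[fingerprint(finding)] = comment

    def unignore(self, finding):
        self._ignored.pop(fingerprint(finding), None)

    def triage(self, findings):
        # Split a scan's findings into active ones and ignored ones.
        active, ignored = [], []
        for f in findings:
            comment = self._ignored.get(fingerprint(f))
            if comment is None:
                active.append(f)
            else:
                ignored.append((f, comment))
        return active, ignored

# Constructed sample findings; the field layout is assumed, not Escape's schema.
BASELINE = {"type": "IDOR", "method": "GET", "endpoint": "/api/orders/{id}",
            "params": ["id"], "scan_id": "scan-1"}
RESCAN_SAME = {**BASELINE, "scan_id": "scan-2"}  # same context, later scan
RESCAN_NEW_PARAM = {**BASELINE, "params": ["id", "export"], "scan_id": "scan-2"}

def demo():
    ignores = IgnoreList()
    ignores.ignore(BASELINE, "risk accepted: pending redesign")
    active, ignored = ignores.triage([RESCAN_SAME, RESCAN_NEW_PARAM])
    return [f["params"] for f in active], [c for _, c in ignored]
```

The exact re-detection stays ignored with its comment attached, while the variant that gained the `export` parameter comes back as an active finding.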
When to (and When Not to) Ignore
- Consider Ignoring
  - An issue is a known, truly acceptable business risk.
  - A vulnerability is tied to an application scheduled for decommissioning, and short-term mitigation isn’t necessary.
- Consider Fixing
  - Issues involving critical or sensitive data flows.
  - Repeat occurrences that indicate a deeper, systemic flaw.
  - Anything mapped to a high-risk score in the Risk-Based Prioritization matrix.
By thoughtfully employing the ignore feature, you can keep your vulnerability queue focused on high-impact issues—without losing visibility into lower-risk findings that might warrant attention in the future.
Risk-Based Prioritization
Even with an efficient system, not all vulnerabilities have the same urgency. Escape employs a Risk Matrix to assign priority scores, ensuring you target the most dangerous issues first. All issues can be filtered by risk level and sorted by risk score.
| Risk | Application Service | Security Issue |
|---|---|---|
| Not Tested | The application service has not been tested by Escape DAST. | Not applicable (N/A). |
| Tested in Production Only | The application service is tested in production mode without mutating or destructive tests. | Not applicable (N/A). |
| External Exposure | The application service is externally accessible. | The issue is publicly reachable, increasing exploitation risk. |
| Unauthenticated | The application service does not enforce authentication. | The issue is exploitable without credentials (public user). |
| Open Schema | The API or GraphQL schema is publicly accessible. | The vulnerability is tied to an openly exposed schema. |
| Leaking Schema | The schema can be reconstructed without official publication or authentication. | The vulnerability arises from unintentionally leaked schema details. |
| Sensitive Data | The service is leaking sensitive data (PII, tokens, secrets). | The issue involves the exposure of sensitive information. |
| Critical Vulnerability | The service has a critical flaw that could be exploited to compromise data or operations. | Requires immediate remediation to prevent severe breaches. |
How Risk Influences Your Workflow:
- External vs. Internal Assets: Publicly reachable APIs usually outrank internal ones in urgency.
- Unauthenticated vs. Authenticated: If an attacker can exploit a flaw without credentials, it’s top priority.
- Sensitive Data Leaks: Potential compliance breaches often get immediate attention.
- Critical Vulnerabilities: Emergency fix—no questions asked.
By combining these factors, you get a comprehensive picture that automatically places your highest-threat vulnerabilities at the top of your triage list.
Interactive Prioritization Funnel
Security Engineers often find themselves drowning in a sea of potential issues—from minor inconsistencies to full-blown, business-critical vulnerabilities. Escape’s Interactive Prioritization Funnel helps you slice through the noise by visually and contextually applying the Risk Matrix to both Issues and Sensitive Data Leaks. This makes it easier to identify and remediate the threats that pose the greatest risk to your organization.
How It Works
- Aggregate All Findings: The funnel starts wide, pulling in every identified issue across APIs, SPAs, and other application assets—whether discovered in production scans, development scans, or via continuous testing.
- Apply Contextual Filters: At each stage of the funnel, context is applied to refine the list of vulnerabilities:
  - Risk Matrix Classification: Critical vulnerabilities, public exposure, and sensitive data leaks automatically bubble to the top.
  - Business Logic Context: Escape tests how attacks flow through an application’s business logic, flagging genuinely exploitable paths over harmless anomalies.
  - Ownership and Code Mapping: By linking vulnerabilities to code owners and specific repos, you can quickly assign remediation tasks to the right teams.
- Use the Query Builder for Granular Views: If you need to narrow your focus further, the Query Builder lets you layer in additional conditions—e.g., “production environment,” “externally exposed,” or “unauthenticated APIs.” With each added filter, the funnel narrows, delivering a concise list of vulnerabilities that truly warrant immediate attention.
- Visualize the Narrowing Risk: As the funnel progresses, you’re left with a small set of issues that match your most critical risk criteria—things like publicly accessible APIs with no authentication or sensitive data leaks in a payment flow. These are presented in an intuitive, visual layout so you can see exactly how many issues were filtered out at each stage and why.
Exporting Issues and Sensitive Data Leaks
Escape allows you to export all issues and sensitive data leaks to different formats.
- Compliance Reports in PDF, for every compliance standard (see Compliance).
- Executive Security Reports in PDF, dedicated to Executive and Management teams (see Reporting).
- Technical Security Reports in PDF, containing all the reproduction details of the issues, dedicated to Security and Development teams or Auditors (see Reporting).
- Technical CSV, containing all the reproduction details of the issues, for custom integrations or reporting tools.
Practical Tips for Security Engineers
- Use the All Risks Section Strategically: Start each day by checking the global risk dashboard. Filter for “critical” or “high-risk” issues first, then assign them to relevant dev teams.
- Document Everything: Comments on vulnerabilities are crucial. They provide valuable context to future you—or your teammates—on why a vulnerability was ignored or how it was addressed.
- Create Saved Queries: For recurring concerns (e.g., “Open Schema in Production”), save your query parameters for quick access. All queries are reflected in the URL, so you can share them with your team.
- Maintain a Feedback Loop: If you keep seeing certain false positives, consider adjusting scanning parameters or updating your code to reduce noise. Continuous improvement in scanning configurations leads to cleaner, more actionable results.
- Combine With Compliance Reporting: After you’ve triaged vulnerabilities, generate compliance reports to confirm you’re meeting the standards your organization cares about most. This ensures that your fixes align with external regulations and internal best practices.
Lifecycle of a Vulnerability
- Discovery: Escape detects a potential issue, either in production or development mode.
- Triage: The vulnerability shows up in either the scoped or global view. You filter, sort, and review its details, often referencing the Risk Matrix.
- Remediation: Assign the vulnerability to the appropriate code owner. They receive remediation advice—like cURL commands for APIs or trace viewer links for SPAs.
- Validation: Once fixed, run another scan or rely on Escape’s continuous scanning to confirm the issue no longer appears. If it reappears, the hashed signature ensures it isn’t automatically ignored when its context has changed.
- Compliance & Reporting: Export final reports to demonstrate your risk posture and compliance status to stakeholders or auditors.
Putting It All Together
Escape Vulnerability Management provides a robust, end-to-end solution for Security Engineers. From discovering new risks and bulk editing them en masse, to ignoring false positives with Machine Learning hashing and prioritizing issues via a dynamic risk matrix—you have the toolkit to keep your organization’s attack surface in check.
Key Takeaways:
- Scoped vs. Global: View issues per scan or across the entire organization.
- Bulk Editing: Save time by applying actions to multiple vulnerabilities at once.
- Smart Ignoring: Eliminate false positives through comments and hashing.
- Risk-Based Prioritization: Align efforts with potential impact.
- Continuous Improvement: Use queries, comments, and insights to refine your vulnerability management strategy over time.
- Automations & Ticketing: Streamline communication and tracking with automated workflows.
Next Steps
- Already Completed a Scan? Explore the results in detail (see Understanding Results).
- Time to Generate a Compliance Report? Head over to the Compliance Reports and Reporting sections to demonstrate your adherence to industry standards.
- Need Additional Help? Reach out via our Slack channel, where our experts can guide you through complex scenarios or troubleshooting steps.
By thoughtfully incorporating these features and workflows, you’ll leverage Escape not just as a vulnerability scanner, but as a comprehensive vulnerability management platform—equipping your security team to respond quickly, decisively, and intelligently to the ever-evolving threat landscape.