Interpreting Results

How to understand and act on CodeWall's penetration testing findings.

After a test completes, CodeWall produces findings categorized by type, severity, and confidence. This guide explains how to interpret them effectively.

Finding types

Validated findings

Vulnerabilities that CodeWall has confirmed are exploitable. Each includes:

  • A complete attack chain with step-by-step reproduction
  • Proof-of-concept exploit with request/response evidence
  • CVSS score and CWE classification
  • Remediation guidance

Action: These are real vulnerabilities. Prioritize remediation based on severity and business impact.

Informational findings

Potential security issues that the agent identified but could not fully exploit. These may include:

  • Suspicious behavior that suggests a vulnerability but lacks conclusive proof
  • Configuration weaknesses that don't directly lead to exploitation
  • Information disclosure that could aid an attacker

Action: Review these to strengthen your security posture, but prioritize validated findings first.

Severity ratings

CodeWall uses CVSS (Common Vulnerability Scoring System) to rate severity:

Severity       CVSS range   Meaning
Critical       9.0 – 10.0   Immediate exploitation risk, full system compromise possible
High           7.0 – 8.9    Significant impact, relatively easy to exploit
Medium         4.0 – 6.9    Moderate impact or requires specific conditions
Low            0.1 – 3.9    Limited impact, difficult to exploit
Informational  N/A          Not directly exploitable, but worth noting

CWE classification

Each finding is mapped to a CWE (Common Weakness Enumeration) identifier, providing a standardized taxonomy. Common CWEs you may see:

  • CWE-79 — Cross-site Scripting (XSS)
  • CWE-89 — SQL Injection
  • CWE-287 — Improper Authentication
  • CWE-639 — Authorization Bypass Through User-Controlled Key (IDOR)
  • CWE-918 — Server-Side Request Forgery (SSRF)
  • CWE-78 — OS Command Injection

Reading an attack chain

Each validated finding includes an attack chain showing exactly what the agent did:

  1. Discovery — how the vulnerable endpoint was found during reconnaissance
  2. Analysis — what indicated the endpoint might be vulnerable
  3. Exploitation — the exact requests, payloads, and responses that confirmed the vulnerability
  4. Impact — what an attacker could achieve (data access, privilege escalation, etc.)

Prioritizing remediation

Not all Critical findings are equal. Consider:

  • Business context — a Critical SQLi on a public-facing login page is more urgent than one on an internal admin tool
  • Exploitability — does it require authentication? Special conditions?
  • Data exposure — what data is at risk?
  • Blast radius — could this be chained with other findings for greater impact?
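The severity table and the prioritization factors above can be turned into a repeatable triage order. The script below is an added example for this guide, not CodeWall's own code or export format: it assumes a constructed findings export with the fields listed in the Finding dataclass (the exposure and requires_auth fields are assumptions, since the page does not specify an export schema). It bands CVSS base scores into the severity labels from the table, ranks validated findings ahead of informational ones, and within the same severity puts public-facing, unauthenticated findings first, which reproduces the page's example of a public Critical SQLi outranking an internal one.

```python
"""Triage helper for penetration-test findings (added example, not CodeWall's code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lower bound (inclusive) of each CVSS band, taken from the severity table on the page.
SEVERITY_BANDS = [
    (9.0, "Critical"),
    (7.0, "High"),
    (4.0, "Medium"),
    (0.1, "Low"),
]

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Informational": 0}


def severity_from_cvss(score: Optional[float]) -> str:
    """Map a CVSS base score to the page's severity label; None means no score (informational)."""
    if score is None:
        return "Informational"
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for lower, label in SEVERITY_BANDS:
        if score >= lower:
            return label
    # The table has no band below 0.1, so a 0.0 score is treated as informational.
    return "Informational"


@dataclass
class Finding:
    id: str
    title: str
    kind: str               # "validated" or "informational", as on the page
    cvss: Optional[float]   # CVSS base score, None for informational findings
    cwe: str
    exposure: str           # assumed field: "public" or "internal"
    requires_auth: bool     # assumed field: does exploitation need a valid session?


def triage_key(f: Finding) -> Tuple[int, int, int, int]:
    """Sort key: validated first, then severity band, then public exposure, then unauthenticated."""
    validated = 1 if f.kind == "validated" else 0
    severity = SEVERITY_RANK[severity_from_cvss(f.cvss)]
    public = 1 if f.exposure == "public" else 0
    unauthenticated = 0 if f.requires_auth else 1
    return (validated, severity, public, unauthenticated)


def triage(findings: List[Finding]) -> List[Finding]:
    """Return findings in remediation order, most urgent first."""
    return sorted(findings, key=triage_key, reverse=True)


# Constructed sample export; the ids, titles and scores are illustrative only.
SAMPLE_FINDINGS = [
    Finding("F-1", "SQL injection in admin report filter", "validated", 9.8, "CWE-89", "internal", True),
    Finding("F-2", "SQL injection in login form", "validated", 9.1, "CWE-89", "public", False),
    Finding("F-3", "Possible IDOR on /orders/{id} (unconfirmed)", "informational", None, "CWE-639", "public", True),
    Finding("F-4", "Reflected XSS in search parameter", "validated", 6.5, "CWE-79", "public", False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        print(f"{f.id}  {severity_from_cvss(f.cvss):<13} {f.kind:<13} {f.exposure:<8} {f.cwe}  {f.title}")
```

Running it lists F-2 (public, Critical) before F-1 (internal, Critical, higher raw score), then F-4 (Medium) and finally the informational F-3, matching the guidance that business context, not the raw CVSS number alone, decides order within a severity band.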

Handling false positives

If you believe a finding is incorrect:

  1. Review the proof-of-concept carefully — reproduce it manually to verify
  2. Mark it as False Positive in the findings dashboard with a note explaining why
  3. CodeWall uses false-positive feedback to improve future tests