Explore and fix XBOW results
After you start an assessment, the “Run assessment” page shows results as they are detected. In addition, you can view a summary of the configuration for the assessment.
Exploring results

By default, findings are sorted by severity. You can click any column header to change the sort order. When you see a finding you want to explore, click the table row to view detailed information about that vulnerability, including:
- CVSS score: Including how it was calculated.
- CWE classification: The vulnerability type (see Vulnerability classification).
- Detailed explanation: Description of the problem found in your application.
- Exploit (for validated findings): Full exploit information, reproduction steps, and proof (see Interpreting XBOW results).
- Impact: Explanation of how the vulnerability could affect your application. To view any underlying evidence, click Demonstration efforts. The depth of this evidence depends on the level of impact demonstration you set for the assessment. See Impact demonstration.
- Mitigation: Guidance on how to fix or reduce the severity of the vulnerability.
You can also view the complete trace of the AI agent’s testing process by clicking View Trace or scrolling to the bottom of the page. To export the trace as Markdown, click Download Trace.
To return to the table of findings, use your browser's back button or the breadcrumb shown at the top of the page.
Mitigating findings
For each finding, XBOW proposes how you can mitigate the vulnerability. This advice is tailored as closely as possible to the specific vulnerability found in your target. If you chose to upload source code to guide testing, XBOW uses this information to provide more precise instructions.
Use the mitigation advice to fix or reduce the potential impact of each finding that you decide is important.
For findings you choose not to address immediately, you can:
- Open a ticket internally to address the finding in a future release
- Document the risk-acceptance decision as outlined by your organization’s security policy
- Mark the finding as “Intended” in the XBOW Console
Retesting to confirm fixes
After fixing vulnerabilities, you can retest to verify the fixes are comprehensive. XBOW will try the original exploits and, if those fail, will attempt alternative approaches.
Note: Lightspeed users need to run retests within their 30-day assessment window.
Start a retest (All users)
- When you have addressed the vulnerabilities you prioritized, view the assessment results page.
- Click Retest to display the “Retest previous vulnerabilities” dialog box.
- Select every vulnerability that you want to retest. Findings that are already marked “Fixed” or “Intended” are not available for retesting.
- Click Retest to start the retest assessment.
When the retest completes, the findings table updates to show confirmed fixes. A new version of the Penetration Test report is generated with updated statuses.
Alternative method (Enterprise users only)
Enterprise users can also create a new assessment for the target and select Retest previous vulnerabilities as the assessment type.
Next steps
- Decide which target to test next; see Choosing a target to test.