— Reports

The deliverable your auditor accepts on the first read.

Every finding ships with a reproducible PoC, CVSS v3.1 score, CWE class, plus OWASP 2021 / PCI DSS 4.0 / CWE Top 25 mapping. White-label PDFs flow straight into customer security reviews on Pro and above.

— Sample report

Customer deepdive — three pages.

Refreshed on each scan cycle (weekly revalidation, monthly big rescan). Hand to your auditor, your customer, or your board.

ΛISEC
SECURITY ASSESSMENT
Acme Inc — Q2 2026
Continuous Penetration Test
REPORT ID · ASMT-2891
PERIOD · 01 Apr → 30 Jun 2026
TARGETS · 7 · CHAINS · 14
CRITICAL · 03 · HIGH · 07
SHA-256 · 7b2c…d91a CONFIDENTIAL
P. 01 — Cover
FND-2891-014 CRITICAL
Account takeover via /v1/auth/reset → JWT confusion
CVSS9.1 (CRITICAL)
CWE-287Improper Authentication
CVE
Assetapp.aisec.tools/api/v1
Reproduced24/24 attempts
The reset endpoint accepts a forged JWT signed with alg=none. Combined with email enumeration on /api/users/:id, an unauthenticated attacker takes over any account in two requests.
$ curl -X POST app.aisec.tools/v1/auth/reset \
-H "Authorization: Bearer eyJhbGciOiJub25lIn0..." \
-d '{"email":"target@…"}'
→ 200 OK
P. 14 — Finding
CHAIN-2891-A · CRITICAL
Unauthenticated → admin in 2 hops
1
Recon — exposed staging staging-2.aisec.tools discovered via cert-transparency
2
Probe — JWT alg=none accepted POST /v1/auth/reset returns 200 for forged token
3
Enumerate — IDOR /api/users/:id email harvested for any UUID in 0…1M range
4
Verify — admin takeover session minted as [email protected], 200 OK
P. 22 — Attack chain
Request sample PDF
What's in every report

Built for engineering. Accepted by audit.

PoC

Reproducible proof

Every finding ships curl + HTTP scripts. Re-run them yourself. They pass on exploit, fail on patch.

CVSS

CVSS v3.1 scoring

Vector string included. Severity rationalised against business impact, not just CVSS class.

CWE

CWE / CVE mapping

Every finding ties to a CWE class. Where a known CVE exists, we cite it and link the upstream advisory.

CF

Control-framework mapping

OWASP 2021, PCI DSS 4.0, and CWE Top 25 mapped automatically per finding. Premium adds full compliance-pack PDF.

WL

White-label

Premium and Enterprise reports carry your brand, your typography, your customer disclaimer. Yours to ship.

Δ

Diff vs. last cycle

Every report opens with what's new, what's fixed, what regressed. No diff-archaeology in your inbox.

#

Chain of custody

SHA-256 hash chain across the report, evidence, and PoC artifacts. Tamper-evident by default.

EX

Export anywhere

White-label PDF for the auditor, structured JSON for your SIEM / ticket queue. CSV export of audit trail on Premium and above.

EXP

Exploitability score

0–100 score per finding combining auth-required, payload complexity, recon bonuses, and CVSS. Sort criticals by who actually gets owned first.

Sample finding · live

The finding card, the way engineering reads it.

Same data, no PDF. Findings render as live cards in the dashboard, with a one-click "open in CLI" replay.

IDFND-2891-014
SeverityCRITICAL · CVSS 9.1
CWECWE-287 — Improper Authentication
Assetapp.aisec.tools/api/v1
First seen2026-06-12 04:14 UTC
Reproduced24 / 24 attempts
SOC 2CC6.1 · CC6.6
ISO 27001A.9.4 · A.14.2
Account takeover via /v1/auth/reset → JWT confusion

The reset endpoint accepts a forged JWT signed with alg=none. Combined with email enumeration on /api/users/:id, an unauthenticated attacker takes over any account in two requests.

replay in CLI open Jira export PDF copy curl
$ aisec replay FND-2891-014
POST app.aisec.tools/v1/auth/reset
   Authorization: Bearer eyJhbGciOiJub25lIn0...
   Body: {"email":"[email protected]"}
→ 200 OK · session=admin

GET /api/users/00000000
→ 200 OK · {"role":"admin", ...}

chain: recon → auth-bypass → idor → takeover
verified · CVSS 9.1 · 24/24 burst

$ aisec evidence FND-2891-014 --pdf
→ audit-FND-2891-014.pdf (812 KB)
— Retention & access

Findings stick. Logs don't.

We keep the things you need to defend an audit, and forget the things you don't. All exports respect your retention window — even the auditor's copy.

Findings & reports
12 months

Auto-deleted afterwards. Export early to your auditor's portal if you need a longer retention.

Raw scan logs
90 days

Agent action trace, payloads, response bodies. Useful for forensic replay; rotated automatically.

Access scope
Per account

Findings are isolated per account; team members see only what their role grants. SAML SSO + SCIM on Premium and above.

Right to erase
30 days

GDPR-grade account deletion cascades all scans, findings, projects, and API keys within 30 days.

Get a real report from your real stack.

One target, daily continuous coverage. The first chain lands before tomorrow's standup.

Activate protection Request sample PDF