Create penetration test findings based on assessment requests (prior to v19.0)

  • Release version: Zurich
  • Updated July 31, 2025

  Create penetration test findings based on the penetration test assessment request. These findings are manually created Application Vulnerability Items (AVIs).

    Before you begin

    Role required: Ethical Hacker

    Procedure

    1. Navigate to All > Self-Service > Service Catalog > Services > Penetration Test Assessment Requests.
    2. To create an AVI for a penetration test assessment request, select the relevant request.
    3. In the Application Vulnerable Items section, select New.
    4. On the form, fill in the fields.
      Table 1. Application Vulnerable Item form (penetration test view)

      | Field | Description |
      |---|---|
      | Number | Automatically generated AVI identifier for this record. |
      | Assessment request | Penetration test assessment request with which this AVI is associated. |
      | Vulnerability | Vulnerability selected from the Vulnerability Entries table using the search option. |
      | Risk rating | Quantified Risk Score separating vulnerable items into Critical, High, Medium, Low, and None. For more information on risk ratings, see Calculate risk in Application Vulnerability Response automatically. Starting from V16.1, by default the value is the same as the severity of the vulnerability. |
      | Impacts any compliance program? | Confirms whether there is an impact on any compliance program. Choices are Yes and No. |
      | List of compliance programs impacted | This field is displayed when the value of the 'Impacts any compliance program' field is set to Yes. Lists the impacted compliance programs. |
      | Planned release/fix version | Release by which the penetration test findings must be resolved. |
      | State | Default value is Open when the AVI is created. See Application Vulnerable Item (AVI) states for more information on how states are mapped. |
      | Assignment group | Group selected to work on this AVI. Can be manually added or edited by an App-Sec Manager. |
      | Assigned to | Individual from the selected assignment group who works on this AVI. Can be manually added or edited by an App-Sec Manager. |
      | Remediation target | Date by which the AVIs must be remediated, measured from when they were first identified. This field only appears when applicable. For more information on remediation targets, see Automate remediation target tracking in Application Vulnerability Response. |
      | Created | Timestamp when the application vulnerable item (AVI) was created. |
      | Updated | Timestamp when the application vulnerable item (AVI) was updated. |
      | Opened by | User who created this penetration test finding. |
      | Security team contact | Point of contact in the ethical hacking team. |
      | Short description | Brief explanation of the penetration test finding. |
      | Details | |
      | Technical details | Technical details of the penetration test finding. |
      | Impact | Assessment of the impact of the penetration test finding. |
      | Steps to reproduce | Document the steps to reproduce and review the penetration test finding. |
      | Recommendation | Record the recommended actions in this field. |
      | Notes | |
      | Work notes | Add notes to communicate information about state transitions and other field updates. |
      | V16.1: Affected URLs | Further information related to the affected URLs. |
      | V16.1: Affected parameters | Further information related to the affected parameters. |
      | V16.1: Affected functionalities | Further information related to the affected functionalities. |
    5. To save the form, select Submit.