Discovery findings
Findings are the actionable output of discovery. Every scan produces zero or more findings per endpoint: weak ciphers, deprecated TLS, expiring certificates, self-signed, PQC vulnerabilities. Each has a severity, a suggested remediation, and a status you can advance (open → triaged → resolved).
01 Finding types
| Type | Severity | Meaning |
|---|---|---|
| expiring_soon | High (<30 d), Critical (<7 d) | Certificate's not_after is close. |
| expired | Critical | Past not_after. |
| weak_cipher | High | Handshake negotiated a cipher suite on the weak-cipher blocklist (RC4, 3DES, export). |
| deprecated_tls | High (TLS 1.0/1.1), Medium (TLS 1.2 with weak kex) | TLS version below the configured minimum. |
| self_signed | Medium | Cert's issuer CN equals its subject CN. |
| untrusted_chain | Medium | Issuer not in the default trust store; could be an internal CA. |
| pqc_vulnerable | Medium | Key algorithm classed as vulnerable by the PQC analysis (RSA ≤ 2048). |
| ocsp_revoked | Critical | OCSP responder returned revoked. |
| missing_sct | Low | Leaf cert has no embedded SCTs — browser may warn. |
| short_validity | Informational | Validity under 30 days remaining at observation time. |
| name_mismatch | High | Endpoint hostname not covered by any SAN. |
| chain_integrity | Medium | Intermediate in the presented chain is incomplete or broken. |
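As an added illustration (not the product's own code), a small Python classifier that applies the thresholds from the table above to one constructed endpoint observation. The Observation fields, the cipher markers, NOW and SAMPLE are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

# Constructed observation record; the field names are assumptions, not the product's schema.
@dataclass
class Observation:
    hostname: str
    not_after: datetime
    subject_cn: str
    issuer_cn: str
    sans: list
    key_algo: str
    key_bits: int
    tls_version: str
    cipher: str

# Substrings standing in for the blocklist families named in the table (RC4, 3DES, export).
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3", "EXP-", "EXPORT")

def san_covers(hostname, san):
    """A wildcard SAN covers exactly one label; any other SAN must match exactly."""
    if san.startswith("*."):
        return hostname.count(".") == san.count(".") and fnmatch(hostname.lower(), san.lower())
    return hostname.lower() == san.lower()

def classify(obs, now):
    """Return (type, severity) pairs for one observation, following the finding-type table."""
    findings = []
    remaining = obs.not_after - now
    if remaining <= timedelta(0):
        findings.append(("expired", "Critical"))
    elif remaining < timedelta(days=7):          # under 7 days escalates to Critical
        findings.append(("expiring_soon", "Critical"))
    elif remaining < timedelta(days=30):
        findings.append(("expiring_soon", "High"))
    if any(m in obs.cipher.upper() for m in WEAK_CIPHER_MARKERS):
        findings.append(("weak_cipher", "High"))
    if obs.tls_version in ("TLSv1", "TLSv1.0", "TLSv1.1"):  # the Medium "1.2 with weak kex" row is not modelled
        findings.append(("deprecated_tls", "High"))
    if obs.issuer_cn == obs.subject_cn:
        findings.append(("self_signed", "Medium"))
    if obs.key_algo == "RSA" and obs.key_bits <= 2048:
        findings.append(("pqc_vulnerable", "Medium"))
    if not any(san_covers(obs.hostname, s) for s in obs.sans):
        findings.append(("name_mismatch", "High"))
    return findings

NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed observation time
SAMPLE = Observation("api.example.internal", NOW + timedelta(days=5), "legacy-gw", "legacy-gw",
                     ["legacy-gw.example.internal"], "RSA", 2048, "TLSv1.1", "DES-CBC3-SHA")
```

Running `classify(SAMPLE, NOW)` on the constructed legacy gateway yields six findings; note that `untrusted_chain`, `ocsp_revoked` and `chain_integrity` need chain and revocation data that a single leaf observation does not carry.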
02 Severity levels
- Critical — act now; service may already be broken.
- High — act this week; active security concern.
- Medium — backlog.
- Low — advisory.
- Informational — tracked for awareness; no score impact.
03 Finding lifecycle
- Open — freshly generated by a scan.
- Triaged — operator acknowledged; remediation in progress. Adds triaged-by and note fields.
- Resolved — operator confirms fixed. If the issue recurs on the next scan, the finding reopens automatically as a new record (history preserved).
- Suppressed — operator accepts the risk; won't reappear on subsequent scans for this cert + type. Suppression has an expiry (default 90 days).
04 Working with findings
- Discovery → Findings.
- Default view: open findings sorted by severity DESC.
- Filters: severity, type, discovered cert, endpoint, source, status.
- Click a row for the full context — the cert, the endpoint(s), the suggested remediation.
- Update status from the detail panel. Add a note; it is audit-logged.
05 Summary widget
The Discovery overview page summarises findings:
- Counts by severity (open only).
- Top 5 finding types by volume.
- Trend line — new findings per day over 30 days.
The sparkline helps spot sudden spikes — e.g. a misconfigured firmware rollout that enables a weak cipher fleet-wide.
06 Remediation hints
Every finding ships with a remediation blob:
- expiring_soon / expired → adopt the cert into management and enable auto-renew, or ask the owning team to rotate.
- weak_cipher / deprecated_tls → reconfigure the endpoint's TLS policy; link to the target's vendor docs.
- self_signed → replace with a CA-signed cert unless intentional.
- pqc_vulnerable → roll to ECDSA P-256/P-384 or RSA-3072+ until post-quantum is ready.
Remediation text is static — you can't customise it per-org, but the status/note fields absorb org-specific guidance.
07 Notifications
Findings can route through the notification system:
- discovery.finding.opened — new finding (per severity filter).
- discovery.finding.resolved — status change.
- discovery.scan.completed — scan run finished, with aggregate new-finding counts.
08 Troubleshooting
Finding I resolved keeps reopening
The underlying issue isn't actually fixed. Re-check the endpoint; or if the scanner is wrong, use Suppress instead of Resolve until the scanner is corrected.
False-positive on untrusted_chain
You use an internal CA the scanner doesn't trust. Either add the CA to the backend's system trust store, or mark the finding suppressed with a note explaining the policy.