Discovery findings
Findings are the actionable output of discovery. Every scan produces zero or more findings per endpoint: weak ciphers, deprecated TLS, expiring certificates, self-signed, PQC vulnerabilities. Each has a severity, a suggested remediation, and a status you can advance (open → triaged → resolved).
Finding types
| Type | Severity | Meaning |
|---|---|---|
expiring_soon | High (<30 d), Critical (<7 d) | Certificate's not_after is close. |
expired | Critical | Past not_after. |
weak_cipher | High | Handshake negotiated a cipher suite on the weak-cipher blocklist (RC4, 3DES, export). |
deprecated_tls | High (TLS 1.0/1.1), Medium (TLS 1.2 with weak kex) | TLS version below the configured minimum. |
weak_key | High | RSA key smaller than 2048 bits. RSA-2048 is not flagged. |
self_signed | Medium | Cert's issuer CN equals its subject CN. |
untrusted_chain | Medium | Issuer not in the default trust store; could be an internal CA. |
pqc_vulnerable | Medium | Key algorithm classed as vulnerable by the PQC analysis (RSA < 2048). |
sni_required_endpoint | Medium (0 certs), Info (some found) | An IP:port rejects SNI-less handshakes — certs are only reachable with a server name. A visible blind spot; consider an AXFR source. |
ingress_default_cert | Low | The IP:port serves a placeholder/fake default certificate (ingress/LB) for unknown SNI. |
sni_hidden_certs | Info | Multiple distinct certs are served on one IP:port by SNI (explains why endpoint count exceeds IP count). |
ocsp_revoked | Critical | OCSP responder returned revoked. |
missing_sct | Low | Leaf cert has no embedded SCTs — browser may warn. |
short_validity | Informational | Validity under 30 days remaining at observation time. |
name_mismatch | High | Endpoint hostname not covered by any SAN. |
chain_integrity | Medium | Intermediate in the presented chain is incomplete or broken. |
Severity levels
- Critical — act now; service may already be broken.
- High — act this week; active security concern.
- Medium — backlog.
- Low — advisory.
- Informational — tracked for awareness; no score impact.
Finding lifecycle
- Open — freshly generated by a scan.
- Triaged — operator acknowledged; working on remediation. Adds a triaged by + note field.
- Resolved — operator confirms fixed. If the issue recurs on the next scan, the finding reopens automatically as a new record (history preserved).
- Suppressed — operator accepts the risk; won't reappear on subsequent scans for this cert + type. Suppression has an expiry (default 90 days).
Working with findings
- Discovery → Findings.
- Default view: open findings sorted by severity DESC.
- Filters: severity, type, discovered cert, endpoint, source, status.
- Click a row for the full context — the cert, the endpoint(s), the suggested remediation.
- Update status from the detail panel. Add a note; it is audit-logged.
Summary widget
The Discovery overview page summarises findings:
- Counts by severity (open only).
- Top 5 finding types by volume.
- Trend line — new findings per day over 30 days.
Sparkline helps spot sudden spikes — e.g. a misconfigured firmware rollout that enables a weak cipher fleet-wide.
Remediation hints
Every finding ships with a remediation blob:
expiring_soon/expired→ adopt the cert into management and enable auto-renew, or ask the owning team to rotate.weak_cipher/deprecated_tls→ reconfigure the endpoint's TLS policy; link to the target's vendor docs.self_signed→ replace with a CA-signed cert unless intentional.pqc_vulnerable→ roll to ECDSA P-256/P-384 or RSA-3072+ until post-quantum is ready.
Remediation text is static — you can't customise it per-org, but the status/note fields absorb org-specific guidance.
Notifications
Findings can route through the notification system:
discovery.finding.opened— new finding (per severity filter).discovery.finding.resolved— status change.discovery.scan.completed— scan run finished, with aggregate new-finding counts.
Troubleshooting
Finding I resolved keeps reopening
The underlying issue isn't actually fixed. Re-check the endpoint; or if the scanner is wrong, use Suppress instead of Resolve until the scanner is corrected.
False-positive on untrusted_chain
You use an internal CA the scanner doesn't trust. Either add the CA to the backend's system trust store, or mark the finding suppressed with a note explaining the policy.