This page defines the core objects used across CyStack VulnScan. Understanding these terms helps teams read scan results consistently, compare Web UI and CLI workflows, and design a repeatable vulnerability management process.

Workspace

A VulnScan instance operates as one workspace. The workspace stores members, assets, scan history, findings, reports, mail configuration, license state, and runtime data. Administrators manage workspace-wide settings such as:
  • Member access and roles.
  • Mail delivery through SendGrid, AWS SES, or custom SMTP.
  • License activation, expiration, target scope, target limits, and feature availability.
  • Shared asset inventory and scan history.
Personal settings are separate. A user’s display name, email address, password, language, and logout action live in the user menu.

Asset

An asset is a licensed target that VulnScan is allowed to discover, scan, report, and count toward usage limits. Common asset types:
Asset Type | Example | Typical Use
--- | --- | ---
Domain | acme.com | Discover subdomains, web services, TLS, WAF/CDN, technologies, and vulnerable components across a business domain.
URL | https://app.acme.com | Focus on one application entry point.
IP address | 203.0.113.21 | Check exposed services and known CVEs on one host.
CIDR | 203.0.113.0/28 | Inventory and assess a small public network range.
Assets are not only labels. They provide the scope boundary that links discovery, scans, findings, reports, and license enforcement together.

Target

A target is the exact value passed into a scan, such as a URL, hostname, IP address, CIDR range, or target file entry. One asset can produce multiple scan targets. For example, the asset acme.com can lead to targets such as app.acme.com, api.acme.com, vpn.acme.com, and 203.0.113.21 after discovery. Before scanning, VulnScan normalizes targets and validates them against the active license scope.
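The normalization and scope check described above, as an added example that is not VulnScan's own code. The four asset types come from this page; the exact scoping rules (a domain asset covers itself and its subdomains, a URL asset covers one hostname, an address must sit inside a licensed IP or CIDR), the function names and the sample inventory are assumptions made for illustration.

```python
"""Target normalization and license-scope check (illustrative, not VulnScan code)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed licensed-asset inventory: (asset type, asset value).
LICENSED_ASSETS = [
    ("domain", "acme.com"),
    ("url", "https://app.acme.com"),
    ("ip", "203.0.113.21"),
    ("cidr", "203.0.113.0/28"),
]


def normalize_target(raw: str) -> tuple[str, str]:
    """Reduce a raw target to a (kind, value) pair.

    kind is "ip", "cidr" or "host". URLs collapse to their hostname and an
    explicit port on an IPv4 address or hostname is dropped, because scope is
    decided on the host or address, not on the path or port.
    """
    text = raw.strip().lower()
    if "://" in text:
        text = urlsplit(text).hostname or ""   # URL -> hostname; port and path dropped
    elif text.count(":") == 1:
        text = text.split(":", 1)[0]           # "203.0.113.21:443" -> "203.0.113.21"
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return ("host", text.rstrip("."))      # not an address: treat as a hostname
    if "/" in text:
        return ("cidr", str(net))
    return ("ip", str(net.network_address))


def in_scope(raw_target: str, assets=LICENSED_ASSETS) -> bool:
    """True if the normalized target falls inside at least one licensed asset."""
    kind, value = normalize_target(raw_target)
    for asset_type, asset_value in assets:
        if kind == "host" and asset_type == "domain":
            # The domain itself or any subdomain; "notacme.com" must not match.
            if value == asset_value or value.endswith("." + asset_value):
                return True
        elif kind == "host" and asset_type == "url":
            # A URL asset licenses exactly one hostname.
            if value == (urlsplit(asset_value).hostname or "").lower():
                return True
        elif kind in ("ip", "cidr") and asset_type in ("ip", "cidr"):
            licensed = ipaddress.ip_network(asset_value, strict=False)
            candidate = ipaddress.ip_network(value, strict=False)
            # subnet_of() also rejects a candidate range larger than the licensed one.
            if candidate.version == licensed.version and candidate.subnet_of(licensed):
                return True
    return False


def validate_targets(raw_targets):
    """Split a target list into (accepted, rejected) before any scan starts."""
    accepted, rejected = [], []
    for raw in raw_targets:
        (accepted if in_scope(raw) else rejected).append(raw)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = validate_targets([
        "https://app.acme.com/login", "API.ACME.COM:8443", "203.0.113.9",
        "203.0.113.200", "203.0.113.0/24", "notacme.com",
    ])
    print("accepted:", ok)
    print("rejected:", bad)
```

Two details matter for license enforcement: the suffix check is anchored on a leading dot so look-alike domains are rejected, and a CIDR target wider than the licensed range fails `subnet_of()`, so a user cannot widen scope by supplying a larger prefix.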

Discovery Result

Discovery results describe what VulnScan learned before and during vulnerability testing:
  • Subdomains and live hosts.
  • Open ports and protocol services.
  • HTTP status, redirects, titles, headers, and response metadata.
  • TLS certificate issuer, subject, SANs, expiration, protocol, and cipher posture.
  • WAF/CDN signals such as Cloudflare when detected.
  • Technologies, frameworks, CMS, plugins, themes, service banners, and CPE candidates.
  • Crawled URLs, forms, API routes, parameters, and interesting endpoints.
Discovery results help users verify scope and explain why a finding was or was not produced.

Scan Run

A scan run is one execution of the scanner against one or more targets. Each standard scan stores:
  • Asset and target linkage.
  • Scan source: Web UI, CLI, or scheduled job.
  • Authentication context type, when used.
  • Status, progress, start time, finish time, and duration.
  • Discovery metadata, technologies, services, and findings.
  • Report jobs and export history.
Because Web UI, CLI, and scheduled scans use the same database-backed history, analysts can run automation from the CLI and review the results later in the Web UI.

Finding

A finding is an actionable security issue or informational observation tied to a target. Important finding fields:
Field | Meaning
--- | ---
Title | Human-readable issue name.
Severity | Critical, High, Medium, Low, or Info.
Risk score | 0-100 prioritization score that combines severity, exploitability, confidence, exposure, and intelligence signals.
Confidence | How strong VulnScan considers the collected evidence.
Affected location | URL, host, port, service, path, parameter, component, or package affected by the issue.
Evidence | The technical proof used to create the finding.
Standards | CVE, CWE, OWASP Top 10, OWASP WSTG, CVSS, EPSS, and CISA KEV where available.
Remediation | Practical guidance for fixing or reducing the risk.
Status | The workflow state used by the team, such as open, fixed, accepted risk, or false positive.
Triage findings on both technical severity and business context. A High issue on an Internet-facing login endpoint can be more urgent than a Critical issue on an unreachable lab host.
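A triage ordering that applies this rule to an exported finding list, as an added example rather than VulnScan's own scoring logic. The field names mirror the finding fields listed above; the numeric weights, the `exposure` attribute and the sample JSON export are constructed assumptions, chosen so that a High finding on an Internet-facing endpoint outranks a Critical one on an unreachable host.

```python
"""Triage ordering for exported findings (illustrative, not VulnScan code)."""
import json

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}
# Assumed business-context weights: where the affected location can be reached from.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.5, "unreachable": 0.1}
# Assumed evidence-quality weights.
CONFIDENCE_WEIGHT = {"high": 1.0, "medium": 0.8, "low": 0.5}
# Workflow states that still need work; fixed, accepted-risk and false-positive items are skipped.
ACTIVE_STATUSES = {"open"}

# Constructed JSON export shaped like the finding fields on this page.
SAMPLE_EXPORT = json.dumps([
    {"title": "Reflected XSS in login form", "severity": "High", "confidence": "high",
     "affected_location": "https://app.acme.com/login?next=", "exposure": "internet",
     "standards": {"cwe": "CWE-79", "kev": False}, "status": "open"},
    {"title": "End-of-life SSH service version", "severity": "Critical", "confidence": "medium",
     "affected_location": "10.0.5.7:22", "exposure": "unreachable",
     "standards": {"kev": False}, "status": "open"},
    {"title": "Component listed in CISA KEV", "severity": "Medium", "confidence": "high",
     "affected_location": "intranet.acme.internal:8080", "exposure": "internal",
     "standards": {"kev": True}, "status": "open"},
    {"title": "Directory listing enabled", "severity": "Low", "confidence": "high",
     "affected_location": "https://static.acme.com/assets/", "exposure": "internet",
     "standards": {"kev": False}, "status": "false positive"},
])


def triage_priority(finding: dict) -> float:
    """Combine technical severity with business context and evidence quality."""
    score = (SEVERITY_RANK[finding["severity"]]
             * EXPOSURE_WEIGHT[finding["exposure"]]
             * CONFIDENCE_WEIGHT[finding["confidence"]])
    if finding.get("standards", {}).get("kev"):
        score += 1.0   # known-exploited components move up regardless of base severity
    return round(score, 2)


def triage(export_json: str) -> list[tuple[str, float]]:
    """Return (title, priority) for active findings, highest priority first."""
    findings = json.loads(export_json)
    active = [f for f in findings if f["status"] in ACTIVE_STATUSES]
    ranked = sorted(active,
                    key=lambda f: (triage_priority(f), SEVERITY_RANK[f["severity"]]),
                    reverse=True)
    return [(f["title"], triage_priority(f)) for f in ranked]


if __name__ == "__main__":
    for title, priority in triage(SAMPLE_EXPORT):
        print(f"{priority:5.2f}  {title}")
```

With these weights the Critical SSH finding on an unreachable host scores 0.32 and drops below the High XSS finding at 3.0, while the KEV-listed component is promoted above its Medium base severity. Items already marked false positive never enter the queue.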

Evidence and Confidence

VulnScan separates evidence quality from severity. Evidence can come from:
  • Direct active verification.
  • Safe response comparison.
  • Product and version fingerprinting.
  • Known vulnerable CPE/CVE matching.
  • Exposed files, headers, panels, services, or protocol states.
  • AI-assisted evidence review when enabled.
Confidence helps teams decide whether a finding should become an immediate remediation ticket, a review item, or an accepted risk record.

Authenticated Context

Authenticated context is user-provided access information that allows VulnScan to test areas behind login. Supported context includes:
  • Session cookies.
  • Custom HTTP headers.
  • Bearer tokens or API keys.
  • HTTP Basic Authentication credentials.
Use dedicated test accounts with the minimum permissions required for the assessment. Rotate or revoke sensitive tokens after the test when required by policy.
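How the four supported context types become request headers, and how the same record can be stored with the scan run without keeping the secret, as an added example that is not VulnScan's own code. The context types come from this page; the record layout, function names and the redaction rule are assumptions for illustration.

```python
"""Building and recording authenticated context (illustrative, not VulnScan code)."""
import base64

# Header names whose values must never reach scan history, logs or reports.
SECRET_HEADERS = {"authorization", "cookie", "x-api-key", "proxy-authorization"}


def build_auth_headers(context: dict) -> dict:
    """Turn one authenticated-context record into the HTTP headers the scanner sends."""
    kind = context["type"]
    if kind == "cookie":
        cookie = "; ".join(f"{name}={value}" for name, value in context["cookies"].items())
        return {"Cookie": cookie}
    if kind == "header":
        return dict(context["headers"])        # user-supplied custom headers, copied as given
    if kind == "bearer":
        return {"Authorization": f"Bearer {context['token']}"}
    if kind == "api_key":
        return {context.get("header_name", "X-API-Key"): context["key"]}
    if kind == "basic":
        creds = f"{context['username']}:{context['password']}".encode()
        return {"Authorization": "Basic " + base64.b64encode(creds).decode()}
    raise ValueError(f"unsupported authenticated context type: {kind}")


def redact_headers(headers: dict) -> dict:
    """Copy of the headers that is safe to persist alongside the scan run."""
    redacted = {}
    for name, value in headers.items():
        lowered = name.lower()
        if lowered in SECRET_HEADERS or any(w in lowered for w in ("token", "key", "secret")):
            redacted[name] = "<redacted>"
        else:
            redacted[name] = value
    return redacted


if __name__ == "__main__":
    # Constructed low-privilege test account, as the guidance above recommends.
    ctx = {"type": "basic", "username": "scan-readonly", "password": "example-only"}
    live = build_auth_headers(ctx)
    print("sent:  ", live)
    print("stored:", redact_headers(live))
```

Storing only the redacted copy means the scan history still records which context type was used (useful when reconciling Web UI and CLI runs) while the token itself can be revoked after the assessment without leaving a copy in the database or in exported reports. The name-based rule is deliberately broad; a custom header that carries a secret under an unusual name should be added to `SECRET_HEADERS`.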

Report Job

A report job is a database-backed export task. CSV and JSON exports are intended for technical workflows and automation. PDF exports run as background jobs because large reports can take longer to render. Users can close the browser while the job continues. When mail delivery is configured, the report creator receives an email when the PDF is ready.

AI-Assisted Analysis

AI can be enabled as an additional analysis layer when the license and configuration allow it. It can assist with:
  • Suspicious endpoint and parameter identification.
  • Evidence interpretation.
  • Vulnerability detection support.
  • False-positive reduction.
  • Deduplication and grouping.
  • Remediation explanation.
  • English and Vietnamese report text.
AI does not replace technical evidence. Findings still need scan data such as affected location, request/response evidence, product version, CVE/CWE mapping, CVSS, EPSS, KEV status, and confidence.

Source Labels

VulnScan normalizes public source labels before showing them to users. The goal is to explain the type of check or intelligence source without exposing internal implementation details. Examples:
Public Label | Meaning
--- | ---
VulnScan Verification | A CyStack-maintained active or high-confidence check.
VulnScan Intelligence | A finding enriched or matched through vulnerability intelligence.
Web Application Check | A web or API security check.
Service Exposure Check | A network service, protocol, or exposure check.
AI-Assisted Review | Optional AI analysis contributed to interpretation or prioritization.