
Anatomy of a Finding

Understand the different parts of a Storyfier Finding and see how they all contribute to the Finding's story.

Findings form Storyfier's backbone. A finding is an output that results from a particular scan.


The title of the finding.


A short overview of what the finding is, and what can happen if you don’t address it.

Issue Summary

The issue summary contains a more in-depth view of the finding itself.

Create Issue

This option allows you to export the finding to an issue for any of our supported Web Applications.

To know more about how to add these integrations to your Storyfier account, navigate to our Integrations page.


Tags allow you to sort through your findings according to what kind of finding they are.

Severity Ranking

To assist in prioritizing remediation, Horangi provides a severity ranking based on the impact to an organization. The risk severity model is based on the Common Vulnerability Scoring System (CVSS) version 3 published by the National Vulnerability Database.


| Severity | CVSS 3 Score | Description |
| --- | --- | --- |
| Critical | 9.0 - 10.0 | Critical severity findings indicate that the discovered weakness requires immediate remediation and/or mitigation. Critical findings typically represent weaknesses that were leveraged to gain access to systems or data that commonly have financial or reputation loss factors attributed. |
| High | 7.0 - 8.9 | High severity findings indicate that the discovered weakness is publicly disclosed and trivial to abuse. High findings typically represent weaknesses that were leveraged to gain privileged access to networks, systems, or applications. |
| Medium | 4.0 - 6.9 | Medium severity findings indicate weaknesses that are likely to lead to compromise but either require other attacks to be significantly impactful, result in limited access, or require advanced knowledge and techniques to execute the attacks. |
| Low | 0.1 - 3.9 | Low severity findings indicate weaknesses that are not directly exploitable. Low findings typically require a chain of weaknesses to exploit fully, disclose non-sensitive technical information, or do not lead to any additional compromise within an environment. |
| Informational | N/A | Informational severity findings are reserved for weaknesses that represent a deviation from best practice or a weakness that should be reviewed because it may expose other weaknesses or lead to future vulnerability. While these weaknesses don’t directly lead to compromise, they still represent potential risk and should be addressed. |


The description is a brief explanation of the finding. 


Compliance lists the specific compliance regulations that are relevant to that particular finding.


The implication is the impact the finding would have on the organization if not addressed.


The recommendation is a guide on how to remediate this particular finding.


The references contain links to more information and context about a specific finding and why it’s important.

Affected Targets

These are the locations (i.e., resources) where this particular finding was detected.