availability

Package: Invicti AppSec Core (on-demand)

caution

Activate email integration under Integrations before using the Reports section.

Track how your vulnerability posture changes over time

Measure whether your remediation efforts are working by comparing vulnerability metrics across a reporting period. Comparison reports show what changed between the current and previous period for your chosen scope - products, projects, targets, or teams - and deliver the results to recipients on a recurring schedule. This document explains how to create custom report templates and schedule comparison reports in Invicti AppSec Core.

Why this matters

Point-in-time vulnerability counts don't tell you whether your security posture is improving or declining. Comparison reports provide a before-and-after view of your vulnerability data so your team can see the impact of remediation work, identify areas where issues are accumulating, and make data-driven decisions about where to focus next.

Build a custom report template

Comparison reports use a template to determine which metrics appear in the output. You can use the default template or create a custom one with the specific combination of metrics your team needs. You can share custom templates with your organization so others can use them when scheduling their own reports.

  1. Select Reports > Comparison from the left-side menu.

  2. Click + Add new report.

  3. In the Template field, select Add new to open the template builder.

  4. Enter a name in the Template name field.

  5. To make the template available to all users in your organization, turn on Share with everyone.

  6. In the Available components list, click each metric name you want to include in the report. Components you add appear in bold in the Selected components preview on the right. Click an added component again to remove it. The following 16 components are available:

    • Compared items - identifies the products, projects, targets, or teams your report covers. Include this so readers can tell at a glance what's being compared.
    • Tool adoption - the percentage of projects with at least one scan per scanner. Use this to check which scanner types are active across your projects and identify gaps in scan coverage.
    • Open vulns. by tool - open vulnerabilities grouped by scanner. Use this to see which scanners are generating the most unresolved findings.
    • Open vulnerabilities - total count of open vulnerabilities in the period. Use this to track whether the overall backlog is growing or shrinking over time.
    • New vulnerabilities - vulnerabilities discovered for the first time in the reporting period. Use this to identify emerging risk early.
    • Closed vulnerabilities - vulnerabilities resolved during the reporting period. Use this to demonstrate remediation progress to stakeholders.
    • Net new vulnerabilities - the difference between new and closed vulnerabilities. A negative number means your team closed more vulnerabilities than it opened. Use this as a quick indicator of whether the backlog is improving.
    • Recurrent vulnerabilities - vulnerabilities your team closed but that reappeared. Use this when a high count may indicate issues with fix quality or root cause analysis.
    • Overdue vulnerabilities - vulnerabilities that have passed their remediation due date. Use this to identify remediations that need to be escalated.
    • Suppressed vulnerabilities - vulnerabilities marked as suppressed. Use this to verify that suppression decisions remain appropriate and aren't masking real risk.
    • Vulnerabilities with known exploits - vulnerabilities with a publicly known exploit. Use this to prioritize fixes where the risk of active exploitation is highest.
    • Vulnerabilities with open issue - vulnerabilities linked to an open issue in your issue tracker. Use this to check how many vulnerabilities are actively tracked versus those with no issue assigned.
    • OWASP Top-10 vulnerabilities - vulnerabilities mapped to the OWASP Top 10 framework. Use this to track your exposure against one of the most widely used security compliance classifications.
    • Mean time to fix (days) - the average number of days taken to resolve a vulnerability. Use this to measure remediation speed and identify teams or projects where fixes are taking longer than expected.
    • Window of exposure (days) - the average number of days a vulnerability stays open before your team resolves it. Use this to understand how long your applications are exposed to known risk.
    • Avg. vulnerability score - the average severity score across open vulnerabilities. Use this to track whether the overall severity of your open vulnerabilities is trending up or down.
  7. Click Preview to see how the report looks with your selected components.

  8. Click Save to create the template.
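
The following Python sketch is an added example, not Invicti's code or its exact calculation. It shows how several of the components listed in step 6 relate to each other when two reporting periods are compared. The finding records are constructed, and the boundary rules (inclusive period dates, overdue meaning a due date earlier than the period end) are assumptions.

```python
from datetime import date
from statistics import mean

# Constructed sample findings (hypothetical layout, not Invicti data):
# (first found, closed or None if still open, remediation due date)
FINDINGS = [
    (date(2024, 1, 3),  date(2024, 1, 13), date(2024, 2, 2)),
    (date(2024, 1, 10), date(2024, 2, 9),  date(2024, 1, 25)),
    (date(2024, 1, 20), None,              date(2024, 2, 15)),
    (date(2024, 2, 5),  date(2024, 2, 15), date(2024, 3, 6)),
    (date(2024, 2, 12), None,              date(2024, 3, 13)),
]

def period_metrics(findings, start, end):
    """Compute a subset of the report components for the period [start, end]."""
    new = [f for f in findings if start <= f[0] <= end]
    closed = [f for f in findings if f[1] and start <= f[1] <= end]
    # Open at period end: already found, and not closed by then.
    still_open = [f for f in findings
                  if f[0] <= end and (f[1] is None or f[1] > end)]
    # Assumption: overdue = still open and due date earlier than period end.
    overdue = [f for f in still_open if f[2] < end]
    fix_days = [(f[1] - f[0]).days for f in closed]
    return {
        "open": len(still_open),
        "new": len(new),
        "closed": len(closed),
        "net_new": len(new) - len(closed),  # negative = backlog shrinking
        "overdue": len(overdue),
        "mean_time_to_fix_days": mean(fix_days) if fix_days else None,
    }

def compare(findings, previous, current):
    """Return {metric: (previous, current, delta)} for two periods."""
    prev = period_metrics(findings, *previous)
    cur = period_metrics(findings, *current)
    report = {}
    for name in cur:
        # No delta when a metric is undefined (nothing closed in a period).
        delta = None if None in (prev[name], cur[name]) else cur[name] - prev[name]
        report[name] = (prev[name], cur[name], delta)
    return report

JAN = (date(2024, 1, 1), date(2024, 1, 31))
FEB = (date(2024, 2, 1), date(2024, 2, 29))
REPORT = compare(FINDINGS, JAN, FEB)

if __name__ == "__main__":
    for metric, (prev, cur, delta) in REPORT.items():
        print(f"{metric:24} previous={prev} current={cur} change={delta}")
```

In this sample, net new vulnerabilities fall from 2 to 0 while mean time to fix rises from 10 to 20 days, because a finding that had been open for 30 days was closed in the second period. This is why the two components are worth reading together.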

Schedule a comparison report

  1. Select Reports > Comparison from the left-side menu.
  2. Click + Add new report.
  3. In the Template field, set the template for this report:
    • Default - uses the preset template included with Invicti AppSec Core.
    • To use a custom template you've already created, click its name in the list. For more information, refer to Build a custom report template.
  4. Enter a descriptive name in the Report name field.
  5. In the Items to compare field, set the scope for the comparison:
    • Product - use when you want to track vulnerability trends across your product portfolio.
    • Project - use when you want to compare security progress at the project level.
    • Target - use when you want to see how vulnerability data changes across individual targets.
    • Team - use when you want to compare security posture across different teams.
  6. In the Branch or environment field, set how to filter the data:
    • Branch - filters the report to a specific branch. Set the branch scope:
      • Select all - includes data from all branches.
      • Default branch - includes data from the default branch only.
      • Type a branch name in the field to filter to a specific branch.
    • Environment - in the Environment field that appears, specify the environment to filter by.
  7. In the Recipients field, specify the users who should receive the report.
  8. In the Period field, set how often the report runs: Weekly, Monthly, Quarterly, Semi Annually, or Annually.
  9. Click Save to create the schedule.

View generated reports and manage your schedules

Select Reports > Comparison from the left-side menu. The page has two tabs with different purposes:

  • Generated reports: lists your active report schedules, showing each report's name, the template used, the comparison scope, and the next scheduled run time. Use this tab to create new schedules, edit existing ones, or delete reports you no longer need. To edit a report, click the edit icon on the right side of the entry. To delete a report and stop future deliveries, click the delete icon.
  • Schedules: shows individual report deliveries from the last 365 days. Use this tab to confirm whether Invicti AppSec delivered a specific report and when. Reports older than 365 days are no longer listed.

note

To add a new scheduled report, use the + Add new report button on the Generated reports tab. You can't create new schedules from the Schedules tab.

Troubleshooting

The report shows unexpected data

Check that the Items to compare, Branch or environment, and Period settings match your intent. If you scoped the report to Branch and expected data from all branches, confirm you've set Branch or environment to Select all.

Recipients didn't receive the report email

Confirm that the selected recipients have valid email addresses in their Invicti AppSec Core profiles. Ask them to look in their spam or junk folders. If the issue persists, contact your Invicti AppSec administrator.

