Package: Invicti AppSec Core (on-demand)
Triage and manage vulnerabilities for a target
Review, triage, and act on every security vulnerability found in your target - all from a single list. This document explains how to navigate the vulnerabilities page, understand issue status indicators, take bulk actions, manage false positives, and export findings.
Why this matters
Keeping your vulnerability list current and properly triaged ensures your security team focuses on real risks. Marking false positives reduces noise, assigning tickets keeps remediation on track, and accepting risks with documented justification supports compliance and audit readiness.
View target vulnerabilities
The vulnerabilities page lists all security findings identified for the target. From here you can drill into vulnerability details or take action on existing findings.
To view target vulnerabilities:
- Select Inventory > Targets from the left-side menu.
- Click the target name to open the target.
- Select the Vulnerabilities tab.
The table displays the following columns by default: Issue (ticket status indicator), ID, Vulnerability name, Status, Severity, CVSS, Tags, and First seen.
Two controls above the table change what you see:
- AppSec and AppSec duplicates tabs - switch between original findings and deduplicated entries.
- Group view dropdown - reorganize the table. Select Table for the default flat view, or choose any other criterion (file/path/resource, CVE ID, CWE name, scanner, severity, or target image) to add a second-level grouping dropdown.
Filter and search
Use the toolbar above the table to narrow down the list:
- Quick filters - select a pre-defined filter to show a specific subset of vulnerabilities: untriaged, discovered in the last 30 days, OWASP (2021) Top-10, critical and high severity, highlighted, or those with a known fix.
- Search vuln name - type part of a vulnerability name to filter the list in real time.
- Click the filter icon to apply additional custom filters by any combination of fields.
- Use the Per page dropdown to control how many results appear per page.
Issue status indicators
Each vulnerability row displays a colored circle on the left side indicating the issue manager ticket status:
| Indicator | Meaning |
|---|---|
| Blue circle | A ticket has been created on the issue manager and its status is still open. |
| Grey circle | No ticket has been created on the issue manager for this vulnerability. |
| Red circle | The ticket on the issue manager has been closed. |
Triage a vulnerability
To triage a vulnerability:
- Select Inventory > Targets from the left-side menu.
- Open a target that has vulnerabilities.
- Select the Vulnerabilities tab.
- Click the page icon on the rightmost side of the vulnerability row to open the details panel.
The details vary depending on the scanner that identified the vulnerability.
The panel shows two areas of information:
- Vulnerability metadata - scanner, tags, branch, target URL, confidence percentage, API endpoint, HTTP method, and the full HTTP request and response. Below that, the panel shows a description, technical details, and remediation guidance specific to the vulnerability type.
- Triage and tracking - toggle controls for Risk accepted, False positive, and True positive; issue assignment status; Notes; Remediation notes; and Add attachment. Use these to record triage decisions and track remediation directly from the details panel.
The Status changes section at the bottom of the panel shows a history of status transitions for the vulnerability.
Customize table columns
Click the gear icon in the upper-right corner of the vulnerability table to modify which columns are displayed.
Triage multiple vulnerabilities at once
Select one or more vulnerabilities using the checkboxes, then choose an action from the Choose an action dropdown:
- Assign issue: create tickets on the issue manager for the selected vulnerabilities. A modal opens where you can choose to create a single ticket for all selected vulnerabilities or a separate ticket for each one.
- False positive: mark vulnerabilities as not being actual security issues. You can set an optional expiration date and provide a justification.
- True positive: confirm that vulnerabilities are genuine security issues requiring remediation.
- Risk accepted: mark vulnerabilities as tolerable business risks. Classify them as Mitigated (risk has been reduced) or Won't fix (risk accepted as-is), and set an optional expiration date.
- Close: close manually imported vulnerabilities.
- Reopen: reopen previously closed, manually imported vulnerabilities. You can set the status to New or Recurrent.
- Add or remove flags: assign or remove custom flags to organize vulnerabilities into custom groups.
Vulnerabilities that already have an open ticket (blue circle) can't be selected when using the Assign issue action.
If you group multiple vulnerabilities into a single ticket, automated workflows such as validation scans or vulnerability status sync stop working until all grouped vulnerabilities reach a Closed status.
False positive management
How false positive handling works depends on your user role:
- Team Lead and Admin users can mark vulnerabilities as false positives directly by entering a description.
- Developer users can submit a false positive request, which a Team Lead or Admin must approve.
Export vulnerabilities
Click the Actions button in the upper-right corner of the page and select the export option to download the vulnerability table in CSV format. The export includes the columns currently displayed in the table.
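Because the export only carries the columns visible at export time, a script that consumes the CSV should check for the columns it needs before using the data. The following is an added example, not Invicti code: it validates an export and builds a remediation queue of open critical and high findings. The header names (taken from the default column labels above), the value formats, the treatment of New and Recurrent as open statuses, and the sample rows are all assumptions.

```python
import csv
import io

# Assumption: CSV headers match the default column labels listed on this page.
REQUIRED = ("ID", "Vulnerability name", "Status", "Severity", "CVSS", "First seen")

# Constructed sample export; a real export may use other headers or value formats.
SAMPLE_EXPORT = """\
ID,Vulnerability name,Status,Severity,CVSS,Tags,First seen
101,SQL Injection,New,Critical,9.8,api,2024-01-10
102,Missing X-Frame-Options Header,New,Low,3.1,web,2024-02-01
103,Cross-site Scripting,Recurrent,High,7.4,web,2024-03-05
104,Out-of-date Library,Closed,High,8.1,sca,2023-11-20
105,Server-Side Request Forgery,New,High,,api,2024-03-09
"""


def load_export(text, required=REQUIRED):
    """Parse the CSV; fail early if a needed column was hidden at export time."""
    reader = csv.DictReader(io.StringIO(text.lstrip("\ufeff")))
    missing = [c for c in required if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("export lacks columns: " + ", ".join(missing))
    return list(reader)


def remediation_queue(rows, severities=("critical", "high"),
                      open_statuses=("new", "recurrent")):
    """Open critical/high findings, highest CVSS first, blank CVSS last."""
    def cvss(row):
        try:
            return float(row["CVSS"])
        except (TypeError, ValueError):
            return -1.0

    picked = [r for r in rows
              if (r["Severity"] or "").strip().lower() in severities
              and (r["Status"] or "").strip().lower() in open_statuses]
    return sorted(picked, key=lambda r: (-cvss(r), r["First seen"] or ""))


if __name__ == "__main__":
    for row in remediation_queue(load_export(SAMPLE_EXPORT)):
        print(row["ID"], row["Severity"], row["CVSS"] or "n/a", row["Vulnerability name"])
```

Findings with a blank CVSS value are kept in the queue and sorted last rather than dropped, so an unscored high-severity finding is not silently lost.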
Troubleshooting
A vulnerability is missing from the list
The vulnerabilities page shows all findings for the target. If a vulnerability you expect to see isn't there, check whether any filters are active - clear all filters and search again. If the vulnerability was closed or marked as a false positive, switch the status filter to include those states.
The Assign issue action is greyed out for some vulnerabilities
Vulnerabilities that already have an open ticket can't be selected for the Assign issue action. Look for the blue circle indicator on those rows. To create a new ticket, first close or unlink the existing one.
My false positive request isn't approved yet
Developer users submit false positive requests that a Team Lead or Admin must approve. Check with your team lead, or navigate to the suppression requests section to see the status of your request.
The export is missing columns I can see in the table
The CSV export only includes columns currently visible in the table. Click the gear icon in the upper-right corner to add the columns you need, then re-export.