# Vulnerability states and definitions

We’ve renamed Finding state to Vulnerability state. This change gives you more visibility and control over how vulnerabilities are managed during engagements and continuous offerings.

Vulnerabilities display with one of the following states on the Vulnerabilities page in the NetSPI Platform and in remediation reports. Each state is described below. A vulnerability's state changes over time as it moves from one state to another; the state flow diagrams at the end of this page show these transitions for point-in-time engagements and for continuous engagements.

## Vulnerability states set by NetSPI Platform users

| Vulnerability State | Condition |
| ------------------- | --------- |
| Remediation in Progress | Set a vulnerability to **Remediation in Progress** while you are working on a fix, to track the remediation process. For point-in-time engagements, available only after the initial report has been delivered; for continuous engagements, available at any time. |
| Ready for Retest | Set a vulnerability to **Ready for Retest** when you have remediated it on your end and want NetSPI to retest it and confirm that it is resolved. For point-in-time engagements, available only after the initial report has been delivered; for continuous engagements, available at any time. **Note:** Moving a vulnerability to Ready for Retest does not automatically initiate a retest. Once all applicable vulnerabilities have been remediated, schedule a retest through the platform or coordinate with your CDM to have the retest engagement initiated. |
| Remediated | Set a vulnerability to **Remediated** when you have fixed it, completed your own testing, and consider remediation complete. NetSPI does not retest vulnerabilities in this state. For point-in-time engagements, available only after the engagement is complete; for continuous engagements, available at any time. |
| Accepted Risk | Set a vulnerability to **Accepted Risk** when you acknowledge it but consider it a low priority and do not plan to remediate it at this time. NetSPI does not retest vulnerabilities in this state. For point-in-time engagements, available only after the initial report has been delivered; for continuous engagements, available at any time. |
| False Positive | Set a vulnerability to **False Positive** when you have determined that the reported issue is not an actual vulnerability. For point-in-time engagements, available only after the engagement is complete; for continuous engagements, available at any time. |

!!!
**Note:** After an engagement is completed, only client users can change a vulnerability's state.
Any post-engagement state changes made by clients are visible to NetSPI staff, but NetSPI staff cannot modify them.
!!!

## Vulnerability states set by NetSPI Agents

| Vulnerability State | Condition |
| ------------------- | --------- |
| Open | The NetSPI Agent sets a vulnerability to **Open** when they publish a new, verified vulnerability for your organization. |
| Not Remediated | The NetSPI Agent sets a vulnerability to **Not Remediated** when, after retesting, that specific vulnerability or risk is still present. |
| Remediation Verified | The NetSPI Agent sets a vulnerability to **Remediation Verified** once they have retested it and confirmed that your organization has fixed it. |
| Unable to Retest | The NetSPI Agent sets a vulnerability to **Unable to Retest** when it cannot be retested; the reason is recorded along with the state. This state is often applied to a group of published vulnerabilities at once. |
| Retesting Not in Scope | The NetSPI Agent sets a vulnerability to **Retesting Not in Scope** when retesting that vulnerability is not included in the scope of work. |

## Vulnerabilities and the different NetSPI Platform modules

If you subscribe to more than one NetSPI Platform module (PTaaS, EASM, and/or BAS), each module displays and treats your vulnerabilities as described below.

| A vulnerability created by: | Displays/acts as follows under the following module activity: |
| --------------------------- | ------------------------------------------------------------- |
| PTaaS engagement | If an EASM scan discovers a vulnerability affecting an asset in the PTaaS engagement, the Vulnerability State is shared: it is updated by, and used in, both PTaaS and EASM. |
| PTaaS engagement or EASM, with a CVE (Common Vulnerabilities and Exposures) ID | The Vulnerability State table displays the CVE ID for that vulnerability. |
| PTaaS engagement and BAS | When a BAS play runs against an asset in the PTaaS engagement, the Vulnerability State is shared: it is updated by, and used in, both BAS and PTaaS. |
| EASM | The Vulnerability State table displays EASM in the Identified By column. |

## Engagement and Continuous Vulnerability State Flow Diagrams

The following diagrams show how a vulnerability moves between the states described above, first for point-in-time engagements and then for continuous engagements.

### Engagement Vulnerability State Flow
<img width="2054" height="1840" alt="EngagementVulnStateFlow-External (1)" src="https://github.com/user-attachments/assets/767d9246-ca20-40bb-bccb-7d74596e7f79" />

### Continuous Vulnerability State Flow
<img width="1415" height="1842" alt="ContinuousVulnStateFlow-External (1)" src="https://github.com/user-attachments/assets/8f0bb230-9268-4eff-aa6a-ed8b3bdb53fc" />
