Managing severity and validity

Triage findings consistently so the highest-risk issues get attention and false positives stay out of the way.

V12 gives every finding an initial machine-generated severity and validity signal, but the final call belongs to your team.

Use severity and validity together:

Severity answers how bad the issue would be if it matters.
Validity answers whether the issue is real, accepted, or still waiting on human review.

Severity levels

Level	Meaning
Critical	Severe, exploitable impact that needs immediate attention.
High	Significant security risk that should be prioritized quickly.
Medium	Meaningful issue that deserves investigation and likely remediation.
Low	Lower-risk problem or a minor weakness.
QA	Quality or hygiene issue worth tracking, even if it is not a security bug.
Untriaged	No final severity has been set yet.

State	Meaning
Unreviewed	Nobody on your team has made a final call yet.
Valid	Confirmed as a real issue.
Invalid	False positive, not applicable, or otherwise not actionable.
Acknowledged	Real or relevant enough to keep visible, but intentionally accepted for now.

In the findings list, click either badge:

Inside a finding, use the evaluation controls to mark it Valid, Invalid, or Acknowledged.

Click the active state again to return it to Unreviewed.

A reliable first pass usually looks like this:

Review Critical and High findings first.
Open the Proof of concept tab when available to understand exploitability.
Use Invalid aggressively for clear false positives.
Use Acknowledged when the team accepts the issue, dependency, or tradeoff and wants that decision recorded.
Revisit Unreviewed items until the queue is empty.

Good triage does more than clean up the list: