Finding Status Workflow

Understand the five finding statuses in Pentographer, when to set each one, and how status changes affect report snapshots and risk summaries.

Every finding in Pentographer carries a status that reflects its position in the remediation lifecycle. Setting statuses accurately helps your team triage work and gives clients a clear picture of what still needs attention.

The Five Statuses

Open

The default status when you create a finding. Use it for any confirmed vulnerability that has not yet been addressed. Open findings drive the risk summary counts in your reports and the dashboard severity breakdown.

In Review

Use this when a finding is being actively examined: you are still writing it up, a colleague is peer-reviewing the write-up, or you are waiting for additional information before drawing a conclusion.

Warning: If you publish a report while findings are In Review, those findings are excluded from the exported deliverable. Confirm all write-ups are complete before publishing.

Remediated

Mark a finding Remediated when the client reports that the fix is deployed. The finding remains visible in the report as a record of the original vulnerability and the corrective action taken. If you are conducting a re-test, use the remediation steps in the finding description as your verification baseline.

Accepted Risk

Use Accepted Risk when the client formally acknowledges the vulnerability but has decided not to fix it. Document the decision rationale in the finding description. The status makes the decision auditable, which matters for compliance reviews and future engagements.

False Positive

If further investigation reveals that a finding is not exploitable or was caused by a benign configuration, mark it False Positive. False positive findings stay in the record but are excluded from risk summary counts and severity tallies in the report.

Changing a Status

There is no enforced transition order. You can move a finding between any statuses at any time. Owners, Admins, and Members can change finding statuses. Viewers have read-only access.

To change a finding's status:

  1. Open the target finding.
  2. Click the status badge at the top of the editor.
  3. Select the new status from the dropdown.
  4. Click Save to commit the change as a new version.

To change status via an AI agent connected to your workspace, use the update_finding_status MCP tool and pass the finding ID and the new status value. See the MCP Server Setup guide for connection instructions.

Effect on Reports

When you publish a report, Pentographer freezes each finding at its current version and status. Status changes after publishing do not alter the published report. To reflect post-publication changes, create a new report from the updated project state.

Risk summary counts (for example, "3 Critical, 2 High") include only Open findings. Remediated, Accepted Risk, and False Positive findings appear in the findings appendix with their status clearly labeled, giving the reader the full picture without inflating the open risk count.
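As an added illustration, not Pentographer's own code, the following Python model shows how the rules on this page compose: only Open findings count in the risk summary, In Review findings drop out of the published deliverable, other non-Open findings are listed in the appendix with their status, and a published snapshot is unaffected by later status changes. Finding IDs and severities are constructed sample data.

```python
from collections import Counter
from copy import deepcopy
from dataclasses import dataclass

# The five statuses this page describes, and the severity order used in summaries.
OPEN, IN_REVIEW, REMEDIATED, ACCEPTED_RISK, FALSE_POSITIVE = (
    "Open", "In Review", "Remediated", "Accepted Risk", "False Positive")
STATUSES = {OPEN, IN_REVIEW, REMEDIATED, ACCEPTED_RISK, FALSE_POSITIVE}
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low")

@dataclass
class Finding:
    finding_id: str
    severity: str
    status: str = OPEN   # Open is the default on creation
    version: int = 1

    def set_status(self, new_status: str) -> None:
        # No enforced transition order; saving the change commits a new version.
        if new_status not in STATUSES:
            raise ValueError(f"unknown status: {new_status!r}")
        self.status = new_status
        self.version += 1

def risk_summary(findings) -> dict:
    # Only Open findings count toward the severity breakdown.
    counts = Counter(f.severity for f in findings if f.status == OPEN)
    return {sev: counts[sev] for sev in SEVERITY_ORDER if counts[sev]}

def format_summary(summary: dict) -> str:
    return ", ".join(f"{n} {sev}" for sev, n in summary.items())

def publish_report(findings) -> dict:
    # Freeze each finding at its current version and status. In Review findings
    # are left out of the deliverable; other non-Open findings go to the appendix.
    frozen = [deepcopy(f) for f in findings if f.status != IN_REVIEW]
    return {"findings": frozen,
            "risk_summary": risk_summary(frozen),
            "appendix": [(f.finding_id, f.status) for f in frozen if f.status != OPEN]}

def demo():
    # Constructed sample findings; IDs and severities are made up for illustration.
    findings = [Finding("F-1", "Critical"), Finding("F-2", "High"),
                Finding("F-3", "High", IN_REVIEW), Finding("F-4", "Critical", REMEDIATED),
                Finding("F-5", "Medium", ACCEPTED_RISK), Finding("F-6", "High", FALSE_POSITIVE)]
    report = publish_report(findings)
    findings[0].set_status(REMEDIATED)   # a change made after publishing
    return report, risk_summary(findings)   # snapshot is unaffected; live state moves on
```

Calling demo() yields a published summary of "1 Critical, 1 High" while the live project, after F-1 is marked Remediated, summarises to "1 High".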
