Overview
This article provides a detailed explanation of the fields that appear when creating or editing a finding — whether using a template or starting from scratch.
Some fields are mandatory, while others are optional or dependent on your organization’s maturity and risk assessment frameworks.
Basic Information
Finding Name
A short, descriptive title. Required for blank findings; auto-filled if using a template.Finding Type
Choose one of the following:Vulnerability – A confirmed security gap
Potential – A suspected issue with no evidence (can be updated later)
Capability – A connection (not a vulnerability) used to visualize attack paths
Engagement Name
Select the engagement to associate with this finding. Only engagements where you have Administrator or Editor with Finding & Graph Initiator permissions will appear.Severity
Choose from Critical, High, Medium, Low, or Informative. Severity is color-coded and influences risk calculations and prioritization:
Descriptive Fields
Summary
A short explanation that may include system-specific details like server names or IPs.Description
A detailed explanation of the issue, how it works, or what it impacts.Business Impact
Describe the organizational risk if this finding were exploited.Mitigation Recommendations
List recommended actions to address the finding. You can set order using drag-and-drop.
Classification & Context
Security Domain
Choose the relevant domain, e.g.:Governance and Policies
Network-level Security
Identity Management
Sensitive Data Protection
Status
Reflects the finding’s current lifecycle stage:Pre-open: Draft, Awaiting Approval, Approved, Not Approved
Open: A newly discovered finding
To Do, In Progress, On Hold: Actively being worked on
Fixed: Issue resolved and awaiting verification:
Reopen: Was marked fixed, but reopened
Acceptable Risk: Not being remediated due to tolerance
Not Relevant: Duplicate or linked to an out-of-scope asset
Applicable: A confirmed vulnerability previously marked as Potential
Probability & Risk
Probability
The likelihood the vulnerability will be exploited. This is auto-calculated based on:Complexity
Exploitability
Popularity
User Interaction
You can override this value manually if needed.
See: [Configuring a Finding Probability]
Remediation Details
Remediation Cost
Estimated – Based on industry averages
Actual – Real cost to your organization
Remediation Effort
Estimated – Based on Hyver's internal data
Actual – Actual resource time, in hours, days, or weeks
Frameworks and Standards
NIST
Required fields if your organization uses the NIST Cybersecurity Framework.Must complete for the primary framework
Optional to include other frameworks
Compatible with CSF version 1.1 or 2.0
MITRE ATT&CK
Classify the finding based on MITRE tactics and techniques.CVSS Vector
Enter the CVSS classification (if available).Kill Chain
Classify the stage of the attack based on the Cyber Kill Chain model.Verification Complexity
Indicates how difficult it is to verify that the finding has been resolved (Simple or Complex). This can be modified manually.
Ownership and Tags
Owner
Assign the team member responsible for remediation.Tags
Add or create tags to organize findings. Tags improve filtering, searching, and reporting.
Wrap-up / Next Steps
Understanding these fields ensures your findings are complete, contextualized, and useful in remediation planning. Be as detailed as necessary — Hyver uses this information to drive risk analysis and prioritization.