Finding Continuity
The Problem Continuity Solves
When you run a pentest once, you get a snapshot of your security posture. When you run pentests repeatedly — monthly, quarterly, or after major releases — you generate a series of snapshots. Without continuity tracking, each report stands alone. You would have to manually compare reports side by side to determine which vulnerabilities are new, which persist from previous scans, and which have been fixed. For organizations with hundreds of findings across dozens of scans, this manual comparison is impractical.
Finding continuity automates this comparison. It uses cryptographic fingerprints to uniquely identify each vulnerability, then matches findings across scans to automatically classify them into three states: new, persistent, and fixed. This transforms individual pentest reports into a security posture timeline.
How Fingerprinting Works
Each finding receives a cryptographic fingerprint derived from its vulnerability characteristics. The fingerprint is computed from the vulnerability type, the affected endpoint, and the exploit signature — the stable properties that identify a specific vulnerability regardless of when it was discovered.
The fingerprint is deliberately independent of fields that change between scans, such as timestamps, CVSS scores (which may be adjusted by severity precedent), or exact response content. This stability ensures that the same underlying vulnerability produces the same fingerprint whether discovered today or six months from now.
Fingerprints are stored in the finding's fingerprint field and indexed in the database for fast matching across scans.
The Three Continuity States
When a repeat pentest completes on a target that has been scanned before, TurboPentest compares the new findings' fingerprints against all previous findings for that target. Each finding is then assigned a continuityStatus:
New
A finding with status new has a fingerprint that does not match any finding from previous scans of this target. This vulnerability was not present (or not detected) in earlier pentests. New findings deserve immediate attention because they may represent:
- Recently introduced vulnerabilities from new code deployments
- Vulnerabilities that were always present but previously missed (agents use different strategies each run)
- Issues introduced by infrastructure or configuration changes
Persistent
A finding with status persistent has a fingerprint that matches a finding from a previous scan. This vulnerability was found before and has not been fixed. Persistent findings are tracked with the carriedFromScanId field, which records which earlier scan first discovered the vulnerability.
Persistent findings are a signal for action. A vulnerability that persists across three pentests is not going to fix itself. The persistence data helps security managers prioritize remediation conversations: "This critical SQL injection has been present for four months across three consecutive pentests."
Fixed
When a fingerprint from a previous scan does not appear in the current scan's findings, TurboPentest creates a fixed marker. The vulnerability was found before but was not found this time, indicating it has been remediated.
Fixed findings are tracked through a consecutiveMisses counter. When a previously known fingerprint is absent from one scan, its consecutive misses count increments. After a configured threshold of consecutive misses, the finding is confidently classified as fixed. This multi-scan confirmation prevents false "fixed" classifications caused by scan variation — sometimes a tool or agent does not re-discover a finding due to network conditions, timing, or scan depth, not because it was actually fixed.
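The fingerprint and the three continuity states above, worked through end to end. This is an added example, not TurboPentest's own code: the hash inputs (vulnerability type, endpoint, exploit signature), the field names, the threshold value of two consecutive misses and the sample scans are all assumptions made here for illustration. It goes one step past the text by also flagging a previously fixed fingerprint that reappears, the regression case mentioned later on this page.

```python
import hashlib
import json
from dataclasses import dataclass

# Assumed threshold: consecutive scans a known fingerprint must be absent from before it is
# confidently classified as fixed (the page says this is configurable, not what the default is).
FIXED_THRESHOLD = 2


def fingerprint(vuln_type: str, endpoint: str, exploit_signature: str) -> str:
    """Stable identity of a vulnerability built only from properties that do not change
    between scans. Timestamps, CVSS scores and raw response bodies are deliberately left out,
    so the same issue hashes identically whether it is found today or months from now."""
    canonical = json.dumps(
        {"type": vuln_type.lower(), "endpoint": endpoint, "signature": exploit_signature},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class TrackedFinding:
    fingerprint: str
    title: str
    carried_from_scan_id: str       # scan that first discovered the vulnerability
    consecutive_misses: int = 0     # scans in a row in which the fingerprint was absent
    continuity_status: str = "new"  # new | persistent | fixed


class ContinuityTracker:
    """Per-target state: every fingerprint ever seen, with its continuity bookkeeping."""

    def __init__(self, fixed_threshold: int = FIXED_THRESHOLD):
        self.known: dict[str, TrackedFinding] = {}
        self.fixed_threshold = fixed_threshold

    def ingest_scan(self, scan_id: str, findings: list[dict]) -> dict[str, list[str]]:
        """Classify one scan's raw findings and update the per-target state.

        Returns fingerprints grouped by outcome. 'missing' holds known fingerprints absent from
        this scan but still below the fixed threshold (not yet called fixed, to absorb scan
        variation); 'regressed' holds fingerprints that were fixed and have now reappeared."""
        seen: set[str] = set()
        result: dict[str, list[str]] = {"new": [], "persistent": [], "missing": [], "fixed": [], "regressed": []}

        for f in findings:
            fp = fingerprint(f["type"], f["endpoint"], f["signature"])
            seen.add(fp)
            tracked = self.known.get(fp)
            if tracked is None:
                self.known[fp] = TrackedFinding(fp, f["title"], scan_id)
                result["new"].append(fp)
                continue
            if tracked.continuity_status == "fixed":
                result["regressed"].append(fp)
            tracked.continuity_status = "persistent"
            tracked.consecutive_misses = 0
            result["persistent"].append(fp)

        # Known but absent this time: count a miss; promote to fixed only once the threshold is reached.
        for fp, tracked in self.known.items():
            if fp in seen or tracked.continuity_status == "fixed":
                continue
            tracked.consecutive_misses += 1
            if tracked.consecutive_misses >= self.fixed_threshold:
                tracked.continuity_status = "fixed"
                result["fixed"].append(fp)
            else:
                result["missing"].append(fp)
        return result


# Constructed sample findings: the CVSS score and timestamp drift between runs and must not
# affect the fingerprint.
SQLI = {"type": "SQL Injection", "endpoint": "POST /api/login", "signature": "boolean-based blind, username parameter",
        "title": "SQL injection in login", "cvss": 9.8, "seen_at": "2024-01-10T09:00:00Z"}
XSS = {"type": "Reflected XSS", "endpoint": "GET /search", "signature": "reflected unencoded in q parameter",
       "title": "Reflected XSS in search", "cvss": 6.1, "seen_at": "2024-01-10T09:05:00Z"}


def run_timeline() -> list[dict[str, list[str]]]:
    """Four consecutive scans of one target; returns each scan's classification."""
    tracker = ContinuityTracker()
    scans = [
        ("scan-1", [SQLI, XSS]),
        ("scan-2", [dict(SQLI, cvss=9.1, seen_at="2024-02-10T11:00:00Z")]),  # XSS missed once: not yet fixed
        ("scan-3", [dict(SQLI, seen_at="2024-03-10T08:30:00Z")]),            # XSS missed twice: fixed
        ("scan-4", [SQLI, dict(XSS, seen_at="2024-04-10T10:00:00Z")]),       # XSS is back: regression
    ]
    return [tracker.ingest_scan(scan_id, findings) for scan_id, findings in scans]


if __name__ == "__main__":
    for i, summary in enumerate(run_timeline(), start=1):
        print(f"scan-{i}: " + ", ".join(f"{k}={len(v)}" for k, v in summary.items()))
```

The second scan is the case the threshold exists for: the XSS fingerprint is absent once, so it is reported as missing rather than fixed, and only the third consecutive absence-free-of-detection promotes it. Note that the reappearance in scan four resets the miss counter and keeps the original carriedFromScanId, so the history is not lost when a fix is reverted.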
Severity Precedent
The finding continuity system includes a severity precedent mechanism. When a fingerprint is seen for the first time, its severity, CVSS score, and CVSS vector are recorded as the precedent. On subsequent scans, if the same fingerprint is assigned a different severity, the precedent provides context for review.
This is valuable because AI agents may assess severity slightly differently between scans based on context. The precedent system ensures consistency: once a vulnerability has been classified as critical, subsequent scans maintain awareness of that classification even if the agent's current assessment differs slightly.
Severity precedents are stored globally, not per-user or per-scan. When the same vulnerability type appears on a different target, the global precedent informs the severity assessment, creating cross-target learning.
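A minimal precedent store for the mechanism described in this section, added here as an example; it is not TurboPentest's implementation. It assumes the store is keyed by fingerprint alone (which is what makes it global rather than per-user or per-scan), that the agent's current assessment is returned unchanged with the precedent attached as review context rather than overriding it, and the scan identifiers and CVSS values below are constructed.

```python
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class SeverityPrecedent:
    severity: str
    cvss_score: float
    cvss_vector: str
    first_seen_scan_id: str


class SeverityPrecedentStore:
    """Global precedent table keyed by fingerprint only: no user or scan in the key, so the same
    fingerprint seen on a different target still pulls in the precedent recorded for it."""

    def __init__(self) -> None:
        self._precedents: dict[str, SeverityPrecedent] = {}

    def assess(self, fp: str, severity: str, cvss_score: float, cvss_vector: str, scan_id: str) -> dict:
        """Record a precedent on first sight; afterwards compare the current assessment against it.

        The current assessment is passed through unchanged (assumed behaviour: the precedent is
        context for review, not an override)."""
        severity = severity.lower()
        precedent = self._precedents.get(fp)
        if precedent is None:
            precedent = SeverityPrecedent(severity, cvss_score, cvss_vector, scan_id)
            self._precedents[fp] = precedent
            return {"severity": severity, "precedent": precedent, "needs_review": False, "note": None}

        drift = SEVERITY_RANK[severity] - SEVERITY_RANK[precedent.severity]
        needs_review = drift != 0 or cvss_vector != precedent.cvss_vector
        note: Optional[str] = None
        if needs_review:
            direction = "downgraded" if drift < 0 else "upgraded" if drift > 0 else "vector changed"
            note = (f"{direction}: current {severity} ({cvss_score}, {cvss_vector}) vs precedent "
                    f"{precedent.severity} ({precedent.cvss_score}, {precedent.cvss_vector}) "
                    f"first recorded in {precedent.first_seen_scan_id}")
        return {"severity": severity, "precedent": precedent, "needs_review": needs_review, "note": note}


def demo() -> tuple:
    """Same fingerprint assessed three times: first sight, a later downgrade, and a sighting on
    another target that agrees with the precedent."""
    store = SeverityPrecedentStore()
    fp = "fp-constructed-sqli-login"  # constructed fingerprint value, not a real hash
    vec_critical = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    vec_high = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
    first = store.assess(fp, "critical", 9.8, vec_critical, "scan-1")
    second = store.assess(fp, "high", 8.8, vec_high, "scan-2")
    third = store.assess(fp, "critical", 9.8, vec_critical, "scan-3-other-target")
    return first, second, third


if __name__ == "__main__":
    for outcome in demo():
        print(outcome["severity"], outcome["needs_review"], outcome["note"])
```

The second assessment is the interesting one: the agent now says high, the store says the precedent was critical in scan-1, and the note gives a reviewer both values and the recording scan so the downgrade can be checked rather than silently accepted.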
Previous Finding Context
When P4L4D1N begins Phase 2 on a repeat pentest, it receives previous finding context — a summary of what was found in earlier scans of the same target. This context includes the fingerprints, titles, severities, and statuses of previously discovered vulnerabilities.
This context serves two purposes:
Efficiency — Agents can prioritize re-checking known vulnerabilities to confirm whether they have been fixed, rather than spending time rediscovering them from scratch.
Depth — Knowing what was found before, agents can focus additional effort on discovering new vulnerabilities rather than re-treading the same ground. If the previous scan found 12 findings, the agent allocates more time to exploring unexplored attack surfaces.
Reading the Continuity Dashboard
The scan detail page presents continuity data in a clear visual format:
New findings are highlighted with a distinct indicator, drawing attention to vulnerabilities that were not present in previous scans. These are your highest-priority triage items.
Persistent findings show their history: when they were first discovered, how many consecutive scans they have appeared in, and whether their severity has changed. A finding persistent across five scans carries more urgency than one appearing for the second time.
Fixed findings appear in a resolved section, showing what was previously found and is now no longer detected. This is your remediation success story — concrete evidence that your security work is having an effect.
Tracking Security Posture Over Time
The real power of finding continuity emerges across multiple pentests. Over time, you can observe:
- Overall trend — Is the total number of findings increasing, decreasing, or stable?
- Severity distribution shift — Are critical findings being resolved while mediums accumulate?
- Remediation velocity — How quickly are findings moving from new to fixed?
- Regression detection — Do fixed findings reappear, indicating fixes that were reverted or incomplete?
- Coverage expansion — Are new findings being discovered in previously untested areas?
This data transforms pentesting from a point-in-time exercise into a continuous security improvement program. Instead of asking "Are we secure?" you can ask "Are we getting more secure?" — and have the data to answer.