Findings & Evidence
Findings are detected vulnerabilities with severity ratings, CVSS scores, and remediation guidance.
Severity matrix
Each finding's severity is computed from a three-axis matrix:
Data sensitivity
Credentials, system prompt, PII, internal config, or operational data exposed.
Agent resistance
Immediate compliance, refusal, or safe response from the agent.
Action risk
Code execution, data exfiltration, privilege escalation, or info leak.
CVSS 4.0 scoring
Every finding includes a CVSS 4.0 vector string and score. The vector is adjusted based on the agent's actual response. Refused responses get lower CIA impact, while immediate compliance receives full severity.
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Evidence modal
Each finding has an evidence viewer showing the raw agent response, the probe payload, CVSS breakdown, and attack path steps. Compliance framework badges link findings to relevant controls.
curl https://api.orithos.dev/v1/findings/{finding_id}/evidence -H "Authorization: Bearer {api_key}"Confidence scoring
Each finding includes a confidence score (0-1) combining the LLM evaluator's signal strength with probe consistency. Labels: HIGH (≥0.85), MEDIUM (≥0.65), LOW (≥0.40), or UNCERTAIN.