Pentestas / help

Severity scale

Every finding carries a severity label. Pentestas uses a five-level scale that maps cleanly onto CVSS 3.1 bands and onto how security teams actually triage:

Level    | CVSS band | Meaning
---------|-----------|--------------------------------------------------------------
CRITICAL | 9.0–10.0  | Arbitrary control of data, users, or infrastructure. Page someone.
HIGH     | 7.0–8.9   | Sensitive-data access or privilege escalation without user interaction. Fix this sprint.
MEDIUM   | 4.0–6.9   | Exposure requiring some attacker work (chaining, user interaction, prior foothold). Fix this quarter.
LOW      | 0.1–3.9   | Hardening / defence-in-depth gaps. Fix when you touch the surrounding code.
INFO     | 0.0       | Observable fact (open port, detected tech stack). Not a vulnerability on its own.

How Pentestas assigns severity

Three inputs combine:

  1. CWE base score — a baseline from the finding's CWE (e.g. CWE-89 SQL injection → HIGH floor).
  2. CVSS 3.1 calculation — computed from exploitability (attack vector, complexity, required privilege) and impact (confidentiality, integrity, availability). Context like "this finding is inside an authenticated area" lowers the score; "trivially reachable from the internet" raises it.
  3. AI adjustment (Pro+) — Claude re-reads the finding, considers the business context ("this endpoint returns all users' SSN"), and may raise severity one level. It can also lower severity when it concludes the finding is a false positive (though the finding is usually filtered out entirely in that case).

New finding classes

Pentestas continuously adds detector classes. Recently introduced types you'll see in scans:

vuln_type             | Typical severity | What it means
----------------------|------------------|--------------------------------------------------------------
EXPLOIT_CHAIN         | CRITICAL         | The exploitation orchestrator demonstrated end-to-end impact (admin login walked, AWS keys extracted, etc.). See Exploitation chains.
CREDENTIAL_DUMP       | CRITICAL / HIGH  | An endpoint returned a credential blob: plaintext passwords, AWS HMAC, GitHub PAT, JWT swarm, or private key material in the response body.
PREDICTABLE_TOKEN     | CRITICAL / HIGH  | Reset PIN, API key, or auth code with insufficient entropy. Includes timestamp-seeded and sequential-id detection.
WERKZEUG_DEBUGGER     | CRITICAL         | Werkzeug debugger console reachable. Full RCE if the deterministic PIN is computed.
GRAPHQL_INTROSPECTION | MEDIUM / LOW     | GraphQL endpoint exposes schema introspection, has no depth/complexity limit, or both.
AI_PROMPT_INJECTION   | CRITICAL / HIGH  | LLM endpoint accepts instruction-override payloads, confirmed by per-request nonce echo. May escalate to data exfiltration via Chain H.
AI_SYSTEM_PROMPT_LEAK | HIGH             | The model leaks its initialisation prompt verbatim when asked.
AUTH_RECOVERY_LEAK    | HIGH / MEDIUM    | Forgot-password / reset endpoint echoes the recovery PIN, advertises a too-short PIN length, or has no rate limit on PIN brute-force attempts.

Mapping to bug-bounty platforms

If you use HackerOne / Bugcrowd / Intigriti, Pentestas severities map cleanly:

Pentestas | HackerOne | Bugcrowd VRT
----------|-----------|-------------------------
CRITICAL  | Critical  | P1
HIGH      | High      | P2
MEDIUM    | Medium    | P3
LOW       | Low       | P4
INFO      | None      | P5 (or out-of-scope)

"Why is this CRITICAL?"

Every finding includes a rationale block:

  • Evidence — the exact request + response that demonstrates the issue.
  • Validation steps — numbered reproduction.
  • CVSS vector — e.g. AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
  • CWE + OWASP category — reference lookup.
  • AI narrative (Pro+) — plain-English description of what an attacker could do.
  • AI impact — what the business consequence looks like.

Read those in order. If the evidence convinces you the finding is real, the severity is usually right.

Disagreeing with a severity

Open any finding → Adjust severity → pick a new level and write a justification. The change is audit-logged (tenant-wide). The underlying CVSS score is kept separately; you're overriding the display label, not the computation.

Severity vs. priority

Severity is a property of the finding. Priority is a property of your team's roadmap. A HIGH on a staging box with no production data is lower priority than a MEDIUM on customer-facing checkout. Pentestas doesn't try to set your priority — that's your call based on business context the scanner can't see.

See also

  • Validation — how Pentestas filters false positives
  • Attack chains — why combining two MEDIUMs can equal a CRITICAL
  • Glossary — CWE, CVSS, OWASP explained