Severity scale
Every finding carries a severity label. Pentestas uses a five-level scale that maps cleanly onto CVSS 3.1 bands and onto how security teams actually triage:
| Level | CVSS band | Meaning |
|---|---|---|
| CRITICAL | 9.0–10.0 | Arbitrary control of data, users, or infrastructure. Page someone. |
| HIGH | 7.0–8.9 | Sensitive-data access or privilege escalation without user interaction. Fix this sprint. |
| MEDIUM | 4.0–6.9 | Exposure requiring some attacker work (chaining, user interaction, prior foothold). Fix this quarter. |
| LOW | 0.1–3.9 | Hardening / defence-in-depth gaps. Fix when you touch the surrounding code. |
| INFO | 0.0 | Observable fact (open port, detected tech stack). Not a vulnerability on its own. |
How Pentestas assigns severity
Three inputs combine:
- CWE base score – a baseline from the finding's CWE (e.g. CWE-89, SQL injection – HIGH floor).
- CVSS 3.1 calculation – computed from exploitability (attack vector, complexity, required privilege) plus impact (confidentiality, integrity, availability). Context like "this finding is inside an authenticated area" lowers the score; "trivially reachable from the internet" raises it.
- AI adjustment (Pro+) – Claude re-reads the finding, considers the business context ("this endpoint returns all users' SSNs"), and may raise severity one level. It can also lower severity when it concludes the finding is a false positive (though in that case the finding is usually filtered out entirely).
Mapping to bug-bounty platforms
If you use HackerOne / Bugcrowd / Intigriti, Pentestas severities map cleanly:
| Pentestas | HackerOne | Bugcrowd VRT |
|---|---|---|
| CRITICAL | Critical | P1 |
| HIGH | High | P2 |
| MEDIUM | Medium | P3 |
| LOW | Low | P4 |
| INFO | None | P5 (or out-of-scope) |
"Why is this CRITICAL?"
Every finding includes a rationale block:
- Evidence – the exact request and response that demonstrates the issue.
- Validation steps – numbered reproduction.
- CVSS vector – e.g. AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
- CWE + OWASP category – reference lookup.
- AI narrative (Pro+) – plain-English description of what an attacker could do.
- AI impact – what the business consequence looks like.
Read those in order. If the evidence convinces you the finding is real, the severity is usually right.
Disagreeing with a severity
Open any finding → Adjust severity → pick a new level and write a justification. The change is audit-logged (tenant-wide). The underlying CVSS score is kept separately; you're overriding the display label, not the computation.
Severity vs. priority
Severity is a property of the finding. Priority is a property of your team's roadmap. A HIGH on a staging box with no production data is lower priority than a MEDIUM on customer-facing checkout. Pentestas doesn't try to set your priority; that's your call, based on business context the scanner can't see.
See also
- Validation – how Pentestas filters false positives
- Attack chains – why combining two MEDIUMs can equal a CRITICAL
- Glossary – CWE, CVSS, OWASP explained