Validation Agents
AI agents that verify findings and confirm remediations
Agent Overview
| Agent | Purpose | When Activated |
|---|---|---|
| Finding Triage Agent | Validates and triages reported findings | After testing agents report vulnerabilities |
| Remediation Verification Agent | Confirms vulnerability fixes | On-demand and before each pentest |
Finding Triage Agent
Every vulnerability reported by testing agents passes through the Finding Triage Agent before reaching your dashboard. This ensures you only see validated, properly categorized issues.
What It Does
| Function | Description |
|---|---|
| False Positive Filtering | Validates that each finding is a real, exploitable vulnerability |
| Severity Assessment | Assigns accurate severity based on actual exploitability and impact |
| Category Verification | Ensures correct CWE and OWASP classification |
| Deduplication | Merges related findings from multiple agents |
| Evidence Review | Confirms proof-of-concept evidence is complete |
How It Works
Receive Findings
Testing agents (Access Control, Injection, Auth, Scanner) report potential vulnerabilities to a shared queue.
Validate Exploitability
The Triage Agent examines each finding's proof-of-concept and confirms the vulnerability can be exploited in the application's context.
Assess & Classify
- Assigns severity using CVSS factors plus actual exploitability
- Maps to appropriate CWE and OWASP categories
- Deduplicates related findings from multiple agents
Enrich & Publish
Adds framework-specific remediation guidance. Only validated findings reach your dashboard.
Validation Process
For each finding, the Triage Agent:
- Reviews Evidence — Examines the proof-of-concept, request/response pairs, and screenshots
- Confirms Exploitability — Verifies the vulnerability can be exploited in the application's context
- Assesses Impact — Evaluates real-world consequences (data exposure, privilege escalation, etc.)
- Assigns Severity — Uses CVSS factors plus actual exploitability to set accurate severity
- Classifies — Maps to appropriate CWE and OWASP categories
- Adds Guidance — Includes framework-specific remediation steps
Why This Matters
Traditional scanners often report hundreds of findings with high false positive rates. The Finding Triage Agent ensures:
- No noise — Only validated, exploitable vulnerabilities reach your dashboard
- Accurate severity — Findings reflect real-world risk, not theoretical maximums
- Proper categorization — Each finding correctly maps to industry standards
- Complete evidence — Every vulnerability includes proof-of-concept for verification
Our goal: less than 5% false positive rate. Every finding you see has been validated by AI before reaching your dashboard.
Remediation Verification Agent
After you fix a vulnerability, how do you know it's actually fixed? The Remediation Verification Agent confirms that your remediation works.
What It Does
| Function | Description |
|---|---|
| On-Demand Verification | Tests when you mark a vulnerability as remediated |
| Pre-Pentest Verification | Re-tests all vulnerabilities before each new pentest |
| Status Management | Transitions vulnerabilities to Fixed or back to In Remediation |
| Activity Logging | Records verification results and evidence |
When It Runs
On-Demand (User-Triggered)
When you mark a vulnerability as "Remediated" in the dashboard:
User Triggers Verification
You mark a vulnerability as "Remediated" in the dashboard.
Agent Activates
The Remediation Verification Agent receives the request and loads the original vulnerability details.
Comprehensive Testing
- Re-runs the original exploit
- Tests with payload variations
- Checks for common bypasses
Status Update
Updates the vulnerability status based on results: Fixed if remediated successfully, or back to In Remediation with notes if still vulnerable.
Pre-Pentest (Automatic)
Before each scheduled or on-demand pentest:
Pentest Triggered
A new pentest is scheduled or manually started.
Scan Open Vulnerabilities
The Verification Agent re-tests all open and in-remediation vulnerabilities from previous pentests.
Update Statuses
Vulnerabilities that are now fixed are marked as such. Those still exploitable remain open.
Testing Continues
Testing agents proceed, focusing on finding new vulnerabilities rather than re-reporting fixed ones.
Verification Process
The Remediation Verification Agent thoroughly tests each fix:
- Reproduces Original Attack — Runs the exact exploit that found the vulnerability
- Tests Variations — Tries bypass techniques and payload modifications
- Checks Related Endpoints — Verifies similar patterns aren't vulnerable elsewhere
- Documents Results — Records evidence of successful remediation or continued vulnerability
Status Transitions
| Original Status | Verification Result | New Status |
|---|---|---|
| Remediated | Vulnerability fixed | Fixed |
| Remediated | Still exploitable | In Remediation (with notes) |
Example Verification
For a SQL Injection vulnerability in /api/search:
| Test | Previous Result | Current Result |
|---|---|---|
| Original payload (' OR '1'='1' --) | 200 OK with data leak | 400 Bad Request |
| URL-encoded payload | Data leak | Blocked |
| Unicode bypass | Data leak | Blocked |
| Double encoding | Data leak | Blocked |
Verdict: Fixed with high confidence. All test payloads now properly rejected.
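The verdict logic behind the example above, as an added sketch that is not the product's own code: a finding moves to Fixed only when every replayed variation is rejected, and a single variation that still leaks (or fails with a 5xx) sends it back to In Remediation with notes. The `Probe` class, the `verify` function, the leak marker and the sample responses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Status names are from the lifecycle table; Probe, verify, the leak marker
# and the sample responses are assumptions constructed for this example.
FIXED, IN_REMEDIATION = "Fixed", "In Remediation"
LEAK_MARKER = "alice@example.test"  # constructed: data seen in the original leak

@dataclass
class Probe:
    name: str         # which variation was replayed
    status_code: int  # HTTP status of the current response
    body: str         # current response body

def is_blocked(probe, leak_marker):
    # Blocked means rejected with a 4xx and none of the leaked data present.
    # A 5xx is not counted as blocked: the input may still reach the query.
    return 400 <= probe.status_code < 500 and leak_marker not in probe.body

def verify(probes, leak_marker):
    """Return (new_status, notes) for a finding marked Remediated."""
    if not probes:
        return IN_REMEDIATION, ["no variations replayed; fix is unverified"]
    failing = [p for p in probes if not is_blocked(p, leak_marker)]
    notes = [f"{p.name}: HTTP {p.status_code}, not confirmed blocked" for p in failing]
    return (IN_REMEDIATION, notes) if failing else (FIXED, [])

# Constructed responses mirroring the /api/search example table.
FULL_FIX = [
    Probe("original payload", 400, "Bad Request"),
    Probe("URL-encoded payload", 400, "Bad Request"),
    Probe("Unicode bypass", 400, "Bad Request"),
    Probe("double encoding", 400, "Bad Request"),
]
# Constructed: a filter that only matches the literal original payload.
PARTIAL_FIX = [
    Probe("original payload", 400, "Bad Request"),
    Probe("URL-encoded payload", 200, '[{"email": "alice@example.test"}]'),
    Probe("Unicode bypass", 500, "Internal Server Error"),
    Probe("double encoding", 400, "Bad Request"),
]

if __name__ == "__main__":
    for label, probes in (("full fix", FULL_FIX), ("partial fix", PARTIAL_FIX)):
        status, notes = verify(probes, LEAK_MARKER)
        print(label, "->", status, notes)
```

The partial-fix case is the one to watch for in practice: a 400 on the original payload alone says nothing about whether the underlying query is parameterized.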
Verification in Activity Timeline
Every verification creates an activity entry on the vulnerability:
- Agent verdict — Fixed, Still Vulnerable, or Regression
- Test results — What was tested and outcomes
- Evidence — Request/response pairs demonstrating current behavior
- Timestamp — When verification occurred
This provides a complete audit trail for compliance documentation.
Integration with Pentest Workflow
Finding Triage in Testing Pipeline
Discovery Phase
Reconnaissance Agent maps the application, identifying endpoints, technologies, and input points.
Parallel Testing
Multiple testing agents (Access Control, Injection, Authentication, Scanner) test simultaneously, reporting findings to a shared queue.
Triage Phase
Finding Triage Agent validates all findings, filters false positives, assigns severity, and adds remediation guidance.
Report Generation
Only validated findings are included in the final report.
Remediation Verification in Vulnerability Lifecycle
| Stage | Description |
|---|---|
| Open | Vulnerability found and validated by Triage Agent |
| In Remediation | You've acknowledged and are working on the fix |
| Remediated | You mark as remediated; Verification Agent tests the fix |
| Fixed | Verification confirms the vulnerability is resolved |
If verification fails, the vulnerability returns to In Remediation with notes explaining what's still exploitable.
SOC 2 Compliance
Both validation agents support SOC 2 requirements:
Finding Triage Agent
Supports Trust Services Criteria CC4.1 (Monitoring Activities):
- Demonstrates systematic vulnerability assessment
- Provides evidence of finding validation methodology
- Documents severity assessment criteria
Remediation Verification Agent
Supports Trust Services Criteria CC7.2 (Remediation of Identified Matters):
- Proves vulnerabilities were actually fixed
- Provides evidence of remediation testing
- Documents the verification methodology
- Creates audit trail of fix verification
SOC 2 auditors want to see that findings are validated and fixes are verified. Our validation agents provide the documentation they need.
Last updated: January 11, 2026