EVIDENCE & REPORTS

Output your team can defend

Reports for review, not alert queues.

Every ZeroQuarry finding can carry severity, CVSS, PoC artifacts, source references, adversarial review history, confidence, human validation, patch context, and exports for the people who need to act.

ZQ-2042 invoice-api/routes.patch High

Tenant boundary bypass enables cross-account write.

A user-controlled tenant value reaches invoice update without an ownership check. The red-team agent proved write impact; vendor review challenged scope; rebuttal sustained with a file-line trace.

Confidence: 90%
State: SUSTAINED
Attack: NETWORK
Output: POC + PATCH
evidence/adversarial-review.md
vendor: prove write impact beyond read-only IDOR
red: PATCH /invoices/42 changes owner_id at routes.py:88
final: exploitable · confidence verified
01 · Finding record

Evidence stays attached to the claim.

Findings should not collapse into a title and severity. ZeroQuarry keeps the proof, debate, score, patch, and operator decisions together so reviewers can understand why the issue matters.
SEVERITY

CVSS and impact

Findings include normalized severity, score, and CVSS vector when enough evidence exists to derive one.

PROOF

PoC artifacts

Artifacts can include proof-of-concept code, request streams, notes, or deployment packages for review.

SOURCE

References

Source findings link back to files and lines; remote findings preserve the URL or request chain that triggered the issue.

REVIEW

Adversarial discussion

Vendor challenges, red-team rebuttals, revisions, and retractions remain visible in the report.

CONF

Confidence state

Confidence is recomputed from review outcomes, repeated appearances, and human validation or invalidation signals.

FIX

Patch context

Patch proposals, GitHub PRs, Jira issues, and ServiceNow records link back to the original finding.

02 · Exports

Different reviewers need different formats.

Engineers, executives, customers, auditors, and vendors do not consume evidence the same way. ZeroQuarry makes the same finding available in the channels they already use.
PDF

Pentester-style PDF

Export executive summaries, finding overviews, per-asset lists, and branded report covers.

MARKDOWN

Markdown

Move detailed findings into internal docs, disclosure packages, or engineering review notes.

HTML

Single-file HTML

Share a self-contained report view without giving recipients access to the full workspace.

JIRA

Jira

Create issues from findings and preserve a deep link back to ZeroQuarry evidence.

SNOW

ServiceNow

Create enterprise records on the configured table for vulnerability operations teams.

SHARE

Secure share links

Send password-protected, expiring finding bundles to vendors, auditors, customers, or external reviewers.

03 · Review trail

Show what happened, not just what was found.

A mature vulnerability program needs traceability. ZeroQuarry records the scan, review, artifact, patch, and human-decision events that shape a finding's final state.
SCAN

Run history

Track queued, running, failed, completed, and batch-finalized scan states.

REVIEW

Agent outcome

Record vendor verdict, rebuttal result, retractions, revisions, and confidence.

HUMAN

Validation signals

Accept or invalidate findings with reason codes and notes for later review.

FIX

Remediation trail

Connect patch versions, PR links, ticket records, and disclosure state to the finding.

Turn scanner output into reviewable evidence.

Use ZeroQuarry when your team needs to prove what is real, explain why it matters, and show how it moved toward remediation.