Show progress with reports

Generate, share, and download app-level and scan-level reports to share your progress with stakeholders.

Which report should I generate?

Report: Description

InsightAppSec Applications (Apps) Executive Report
  Executive data on all the apps scanned by InsightAppSec for a selected calendar month.
  Use this report to show a CISO or other executives the monthly progress you are making with your application security program, or to highlight areas where you may need to make greater investments.

InsightAppSec and InsightVM
  Executive data on the apps and assets scanned by InsightAppSec and InsightVM for a selected calendar month.
  Vulnerability management has many facets and, with this report, you can give your CISO or other executives a holistic view of your vulnerability management program.

InsightAppSec (App) Executive Report
  Executive data for an individual app scanned by InsightAppSec for a selected date range.

Vulnerabilities Summary Report
  Basic or detailed vulnerability data on a scan run for a specific application.
  Scan managers can use the Vulnerabilities Summary Report to get quick yet detailed insights into the most recent scan, or into a particular scan they're reporting on.
  This report could also benefit engineering team managers planning resource allocation and identifying issues that need to be addressed.

Vulnerabilities with Remediation Report
  Vulnerability data on a scan by InsightAppSec for a specific application, along with remediation recommendations.

Scan compliance reports
  Use the scan compliance reports to advise on your compliance with specific regulations. These reports allow you to see how the results of a scan compare with the regulations your organization must comply with.

InsightAppSec reports are advisory only

If a report shows no vulnerabilities, or low severity or safe vulnerabilities, this should not necessarily be taken as affirmation of compliance.

Create a report for one or more apps

You can generate executive-level reports containing data on all of your apps from the Apps page and for an individual app from within the app.

Generate a report for multiple apps
  1. Click Apps in the left navigation menu.
  2. Click Generate Report.
  3. From the Generate Executive Report screen, enter a Report Name and select a calendar month. The report pulls in data for completed calendar months only, so you have to wait until the beginning of the next month to generate the report. It may take up to 7 days from the start of each month for the previous month's data to become available.
  4. In Report Types, select one of the following:
    • InsightAppSec All App Executive Report
    • Combined InsightAppSec and InsightVM Executive Report
  5. Click Generate Report.
Generate a report for one app
  1. Click Apps in the left navigation menu.
  2. Select an app from the Apps vulnerability table.
  3. Click Generate Report.
  4. On the Generate Report screen, enter a Report Name and select a date range.
  5. Select Executive Report under Report Types.
  6. Select a Format Type (PDF or HTML).
  7. Click Generate Report.

Create a scan-level report to view vulnerabilities

You can generate scan-level reports with vulnerability or compliance-related information from within an individual scan.

Generate an InsightAppSec scan level report
  1. Click Scans in the left navigation menu.
  2. Select a scan from the scan-level vulnerability table. You can also select scans from within an App.
  3. Click Generate Report.
  4. From the Generate Report screen, enter a Report Name and select a Report Type.
  5. Select a scan report.
  6. Select a Format.
  7. Click Generate Report.
Filter scan report data

You can add filters to a scan-level report to refine the data before generating the report.

  1. Go to the Scans page and select a scan.
  2. Select the filter criteria.
  3. Click Apply.
  4. Click Generate Report.

Applied filters are visible in a banner on the Vulnerabilities Summary and the Vulnerabilities with Remediation Report in PDF or HTML format when printed.

[Figure: Vulnerability Report - Filter Banner]

Download previously generated reports

You can download reports created across all apps, including previously generated reports, from the Reports page located in the left navigation menu.

Types of reports you can download

You can access all app-level reports for the apps that you are assigned, including:

  • Single app executive report
  • Scan-level vulnerability reports
  • Scan-level compliance reports

You can only download the multi-app executive-level reports and the combined InsightAppSec and InsightVM all-apps reports that you generated yourself.

Download reports

Only reports generated after March 28, 2022 are displayed on the Reports page. Historical reports are not available.

  1. Click Reports in the left navigation menu.
  2. Select the report(s) you want to download and click the Download icon.

Learn more about reports

App Reports

InsightAppSec Apps Executive Report

This report provides an overview of all apps scanned during a selected month. The report contains the number of apps scanned, unreviewed vulnerabilities, high severity vulnerabilities, and remediated vulnerabilities, with each of these compared to the previous month. It also shows the top vulnerability types and the vulnerabilities by severity and status.

Combined InsightAppSec and InsightVM Executive Report

This report provides an overview of the assets and apps scanned by InsightAppSec and InsightVM. The report contains sections relating to your overall vulnerability management programs, including details on apps and assets scanned along with the vulnerabilities found and remediation efforts. Where applicable, it also showcases details on location, owner, and criticality tags.

Vulnerability Reports

Vulnerabilities Summary

The Vulnerabilities Summary is an overview of the vulnerabilities found in the app during the scan. The report is organized by vulnerability and shows the number of vulnerabilities of each kind found during the scan for the app.

Vulnerabilities with Remediation Report

The Vulnerabilities with Remediation report contains all vulnerabilities found in an app from the chosen scan, together with the recommended remediation. Before generating the report, you can use a filter to focus on certain vulnerabilities. Within the report, you can view the attack type and the recommendation, and replay the attack using the Rapid7 Chrome Plugin.

OWASP Reports

The OWASP Foundation focuses on helping organizations build more secure applications. It educates the community about the top security risks to web applications along with the top remediations. The OWASP Top 10 is a popular reference framework used by developers and web application security teams for guidance on the most critical security risks to web applications.

OWASP TOP 10 API Security Risks - 2023

Based on scan data, the OWASP Top 10 API Security Risks - 2023 Report shows whether the API passed or failed on each of the top 10 OWASP API security risks and related attacks. It also shows vulnerabilities within each of the top 10 issues along with the response and request data for the vulnerability.

OWASP 2021 Report

The OWASP 2021 Report shows the OWASP Top 10 risks for 2021. The report shows whether you passed or failed on each OWASP Top 10-based attack for the scan. It also shows vulnerabilities within each of the top 10 issues along with the response and request data for the vulnerability.

The Log4Shell attack is not included in our OWASP Top 10 2021 attack template

Although the Log4Shell Out of Band (OOB) attack is listed in the OWASP Top Ten of 2021, we exclude this attack from the OWASP 2021 attack template for efficiency.

The OOB Injection for Log4j attack significantly extends scan times, so we kept it separate from the OWASP Top 10 and All Modules attack templates. To scan specifically for Log4Shell, use the Out of Band Injection for Log4j attack.

OWASP 2017 Report

The OWASP 2017 Report shows the top 10 OWASP issues and whether you passed or failed on each for the scan. It also shows vulnerabilities within each of the top 10 issues along with the response and request data for the vulnerability.

OWASP 2013 Report

The OWASP 2013 Report shows the top 10 OWASP issues and whether you passed or failed on each for the scan. It also shows vulnerabilities within each of the top 10 issues along with the response and request data for the vulnerability.

Compliance Reports

Payment Card Industry Report (PCI Report)

The Payment Card Industry report helps you prepare for an audit, an assessment, or a questionnaire around PCI compliance. Uncovering potential issues that will affect the outcome of any of these exercises allows you to take action and secure critical vulnerabilities on any assets that deal with payment card data.

SOX Report

The SOX (Sarbanes-Oxley) compliance report details compliance issues and whether you passed or failed on each, for that particular scan. The report shows each requirement and the details of the vulnerabilities that caused you to fail, if you did.

HIPAA Compliance Results

The HIPAA compliance report shows each requirement, if you passed or failed, and the details of the vulnerabilities that caused you to fail, if you did.

GDPR Report

The GDPR report is an advisory report that shows how vulnerabilities in scanned targets might jeopardize your GDPR compliance and highlights which vulnerabilities need to be addressed.

Mapping OWASP Categories to Attack Modules

Web Application

OWASP 2021 Top 10 category: attack modules

A01:2021-Broken Access Control: AnonymousAccess, CORS, CSRF, DirectoryIndexing, EmailCheck, ForcedBrowsing, InformationDisclosure, InformationLeakage, JavaGrinder, LocalStorageUsage, LogicAttack, PrivacyDisclosure, PrivilegeEscalation, RemoteFileInclude, ResourceFinder, ScriptCheck, ServerConfiguration, SourceCodeDisclosure, UnvalidatedRedirectCheck, XPoweredByHeader

A02:2021-Cryptographic Failures: CredentialsOverUnEncryptedChannel, FormCheck, HTTPDowngradable, SensitiveOverInsecureChannel, SessionStrength

A03:2021-Injection: BLDAPInjection, BSQLInjection, ExpressionLanguageInjection, HttpResponseSplitting, LDAPInjection, NoSQLInjection, NoSQLInjectionBlind, OSCommanding, ParameterTampering, PHPCodeExecution, ServerSideInclude, ServerSideTemplateInjection, SQLInjection, SQLInjection_Auth, SqlParameter, XPathInjection, OutOfBandStoredXSS, OutOfBandXSS, WebMethod, XSS_DOM, XSS_DOM_Comprehensive, XSS_Persistent, XSS_PersistentActive, XSS_Reflected, XSS_Simple

A04:2021-Insecure Design: ArbitraryFileUpload, BrowserCacheModule, LocalStorageUsage, PasswordExposure, SqlErrors, SessionInHttpQuery, UrlRewriting, ViewStateCheck

A05:2021-Security Misconfiguration: AspNetMisconfiguration, AutocompleteCheck, ClientsCrossDomainPolicy, CookieAttributes, CSPHeaders, FrontPageChecks, HSTSDetection, WebBeacon, XmlExternalEntity

A06:2021-Vulnerable and Outdated Components: ApacheStruts2, ApacheStrutsDetection, HeartbleedCheck, NginxNullCode, OutOfBandLog4ShellJNDIInjection, RemoteCodeExecution

A07:2021-Identification and Authentication Failures: BruteForce, BruteForceForm, CommentCheck, FormSessionStrength, HttpAuth, SessionFixation, SessionUpgrade

A08:2021-Software and Data Integrity Failures: AspNetSerialization, SecureAndNotSecureContentMix, SubresourceIntegrity

A09:2021-Security Logging and Monitoring Failures: (none listed)

A10:2021-Server-Side Request Forgery: ServerSideRequestForgery, ReverseProxy

API

OWASP 2023 Top 10 category: attack modules

API1:2023-Broken object level authorization: LogicAttack

API2:2023-Broken authentication: BruteForce, HTTPAuth, SessionFixation, SessionStrength, SessionUpgrade

API3:2023-Broken object property level authorization: EmailCheck, InformationDisclosure, InformationLeakage, PrivacyDisclosure, Server Configuration, SQLErrors, XPoweredByHeader

API4:2023-Unrestricted resource consumption: (none listed)

API5:2023-Broken function level authorization: AnonymousAccess, Arbitrary File Upload, Cross Origin Resources Sharing (CORS), CSRF, Forced Browsing, HTTPS Downgrade

API6:2023-Unrestricted Access to Sensitive Business Flows: ServerSideRequestForgery

API7:2023-Server side request forgery: CookieAttributes, HTTPHeaders, HTTPSEverywhere, SSLStrength, Unvalidated Redirect, X-Content-Type-Options

API8:2023-Security misconfiguration: (none listed)

API9:2023-Improper inventory management: (none listed)

API10:2023-Unsafe consumption of APIs: ASP.NET Serialization, BLDAPInjection, BSQLInjection, ExpressionLanguageInjection, LDAPInjection, NoSQLInjection, Blind NoSQLInjection, OSCommanding, OutOfBandLog4ShellJNDIInjection, Out of Band Cross-site scripting (XSS), Out of Band Stored Cross-site scripting (XSS), Out of Band SQL Injection (OOB SQLi), ParameterTampering, SQLInjection, SQLInjection_Auth, SQL Information Leakage, SqlParameter, SQL Parameter Check, XMLExternalEntity, XPathInjection, XSS_Persistent