# Attack Paths

The Attack Paths module is available under both:

* `Modules → External Assessment → Attack Paths`
* `Modules → Internal Assessment → Attack Paths`

### Findings list

The list groups findings into three triage tabs. Each tab shows a live count for the currently applied filters.

| Tab                 | Meaning                                                                                      |
| ------------------- | -------------------------------------------------------------------------------------------- |
| **Valid**           | Confirmed findings that need attention. Default tab.                                         |
| **False Positives** | Findings the Validator (or a reviewer) marked as not exploitable.                            |
| **Duplicates**      | Findings that restate an already-reported issue. Each duplicate links back to its original.   |

A `N findings total` indicator on the right shows the combined count across all three tabs for the current filter set.

#### Filters

The filter bar above the tabs scopes every tab simultaneously.

* **Search**: free-text match against vulnerability name (debounced).
* **Domain** *(external)* / **Subnet** *(internal)*: multi-select. You must pick at least one target before findings load.
* **Type**: vulnerability category (XSS, SSRF, Auth Bypass, etc.).
* **Severity**: filters by the active severity display mode. CVSS mode uses Critical, High, Medium, Low, or Informational. VRT mode uses Bugcrowd-style P1-P5 priorities for external assessment findings.
* **Sort**: `Critical first` or `Informational first`.

Selected domains and subnets persist across navigations within the session.

External assessment severity display is controlled from **Settings → External → Severity Display**. Choose **CVSS** when you need standards-aligned severity data for compliance and remediation tracking. Choose **VRT** when your team wants bug-bounty-style triage against Bugcrowd's web/app Vulnerability Rating Taxonomy. See [Bugcrowd VRT](https://bugcrowd.com/vulnerability-rating-taxonomy).

#### Row layout

Each row shows: severity pill, vulnerability name, type, target host/path, and discovery date. Clicking a row opens the **Finding detail** page for that vulnerability.

***

### Finding detail page

Selecting a finding opens a dedicated report page at:

```
/app/modules/{external-assessment|internal-assessment}/attack-paths/{vuln_id}
```

This page is a full vulnerability report, designed to be read top-to-bottom, exported, or shared. The right-hand sidebar holds properties, actions, and a jump-to navigator.

#### Header

* Breadcrumb back to the findings list
* Vulnerability name (with target host appended)
* Severity pill, CWE, published date, and a `Verified` badge if the Validator confirmed the finding. External findings follow the active CVSS/VRT display mode.

#### Duplicate banner

If the finding is a duplicate, a banner at the top names the original it duplicates (clickable) and shows the LLM-generated reason for the duplicate match.

#### Sections

1. **Summary**: Markdown-rendered vulnerability description.
2. **Details**: severity data, CVSS score, CVE ID, CWE, type, target, and discovery date. External findings can show CVSS severity and VRT priority when VRT data is available.
3. **AI Reasoning**: a staged timeline of how the Copilot arrived at this finding.
4. **Remediation**: suggested fix, rendered from Markdown.
5. **References**: auto-linked CVE (NVD), CWE (MITRE), and any external reference URLs.
6. **Attack Path**: opens the full graph drawer (see below).

#### Sidebar

* **Properties**: severity, CVSS, CVE, CWE, type, target, date, verified status.
* **Status pill**: change the finding between `Valid`, `False Positive`, and `Duplicate`. Requires the `vulnerabilities.update_status` permission.
* **View Attack Path**: opens the graph drawer in read-only mode.
* **Retest**: opens the graph drawer in retest mode. Requires the `scans.retest` permission.
* **Jump to**: quick links to every section of the report. When indicator hits exist, a highlighted shortcut group lists each hit modification individually. The sidebar can be collapsed with the chevron in its top bar.

***

### Attack path drawer

The drawer renders the full chain of nodes for the finding.

#### View mode

Read-only graph for inspecting the chain. Useful for understanding *how* the Copilot reached the vulnerability.

#### Retest mode

Toggle **Retest mode** in the drawer to:

1. Pick a **start node** anywhere in the chain. The retest will replay every step from that node onward.
2. *(Internal assessments)* select the agent that should run the retest.
3. *(External assessments)* optionally pin a browser session.
4. Click **Start retest** to enqueue. Retest results flow back into the same finding and update its verification status. The button is disabled if your role lacks `scans.retest`.

***

### Status workflow

| Status             | When to use it                                                                                                                |
| ------------------ | ----------------------------------------------------------------------------------------------------------------------------- |
| **Valid**          | Default for new Copilot-confirmed findings.                                                                                   |
| **False Positive** | Mark when manual review shows the vulnerability isn't exploitable. Moves the finding to the False Positives tab.              |
| **Duplicate**      | Use when the finding repeats one already reported. Pair with the duplicate metadata so the report links back to the original. |

Status changes are written immediately and reflected on the list (counts and tab membership update) without a page reload.

