
Vulnerability Reference

Detectify detects vulnerabilities across your web applications, APIs, and external attack surface. This reference explains how detection works, introduces the vulnerability types that are covered, and describes how to interpret and remediate findings.

How Detection Works

Detectify uses payload-based detection, not signature or fingerprint matching. This is a fundamental distinction:

  • Payload-based detection sends actual exploit payloads to your applications and evaluates the responses to confirm whether a vulnerability is exploitable. This approach produces high-confidence findings because each vulnerability is validated through real interaction.
  • Signature-based detection (used by many other scanners) relies on matching known patterns in responses, which can produce false positives when a pattern is present but the vulnerability is not actually exploitable.

Every finding reported by Detectify has been confirmed by sending a payload and observing a response that indicates exploitability.
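The difference between the two approaches is easiest to see side by side. The following is an added example written for this page, not Detectify's code or its module format: it mocks two endpoints that advertise the same (hypothetical) version banner, one that HTML-encodes reflected input and one that does not. A signature check keyed on the banner flags both, producing a false positive on the patched endpoint; a payload check injects a unique canary tag and reports only the endpoint that reflects it unencoded. The application functions, the banner string, the `dtfy` canary prefix and the request/response shape are all assumptions made for the example.

```python
import html
import re
import secrets

# Constructed mock applications standing in for two HTTP endpoints
# (assumption for this example, not Detectify's code). A request is a
# dict of query parameters; a response is a dict with "headers" and "body".

BANNER = "ExampleApp/1.2.3"  # hypothetical version string a signature would match


def patched_app(params):
    """Advertises the 'vulnerable' banner but HTML-encodes reflected input."""
    q = params.get("q", "")
    return {"headers": {"Server": BANNER},
            "body": f"<p>Results for: {html.escape(q)}</p>"}


def vulnerable_app(params):
    """Same banner, but reflects the parameter into HTML without encoding."""
    q = params.get("q", "")
    return {"headers": {"Server": BANNER},
            "body": f"<p>Results for: {q}</p>"}


# Signature-based check: match a known version pattern in a response header.
VULNERABLE_BANNER = re.compile(r"^ExampleApp/1\.2\.\d+$")


def signature_detect(app):
    """True when the banner matches, regardless of whether the flaw is reachable."""
    resp = app({"q": "test"})
    return bool(VULNERABLE_BANNER.match(resp["headers"].get("Server", "")))


# Payload-based check: send a probe and evaluate the response it produces.
def payload_detect(app):
    """True only when a canary tag is reflected verbatim into the HTML body."""
    canary = secrets.token_hex(6)        # fresh per scan so reflections are unambiguous
    payload = f"<dtfy{canary}>"          # harmless tag; the name is an assumption

    # Baseline request: if the canary already appears, the result is unreliable.
    if canary in app({"q": "baseline"})["body"]:
        return False

    body = app({"q": payload})["body"]
    # Exploitable only if the raw tag lands in the body. An encoded copy
    # (&lt;dtfy...&gt;) shows the sink escapes output and is not reported.
    return payload in body


def compare(app):
    """Run both detection styles against one endpoint and return their verdicts."""
    return {"signature": signature_detect(app), "payload": payload_detect(app)}


if __name__ == "__main__":
    for name, app in (("patched_app", patched_app), ("vulnerable_app", vulnerable_app)):
        print(name, compare(app))
```

Running the block prints a signature verdict of True for both endpoints and a payload verdict of True only for `vulnerable_app`. The baseline request and the random canary are the two details that matter in practice: without them a scanner can mistake pre-existing page content, or a cached reflection from an earlier probe, for confirmation.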

Severity Levels

Findings are classified into four severity levels:

  • Critical: Immediately exploitable with significant impact. Requires urgent attention. Examples: remote code execution, SQL injection with data access, authentication bypass.
  • High: Serious risk that could lead to data exposure or unauthorized access with moderate effort. Examples: SSRF to internal services, BOLA, stored XSS.
  • Medium: Moderate risk requiring specific conditions or additional steps to exploit. Examples: reflected XSS, SSTI with limited scope, information disclosure.
  • Low: Minor issues or informational findings with limited direct impact. Examples: missing security headers, version disclosure, weak SSL/TLS configuration.

Detection Sources

Vulnerabilities are detected through two complementary systems:

Crowdsource Modules

Detectify’s security research community contributes vulnerability detection modules that are continuously updated. These modules power detection across all four products: Attack Surface Management, Web Application Security Testing, API Security Testing, and Internal Scanning. See Crowdsource Modules for details.

Alfred AI Modules

Alfred is Detectify’s AI-powered system that automatically generates detection modules for newly disclosed CVEs. Alfred complements Crowdsource by providing rapid coverage for emerging vulnerabilities. See Alfred AI Modules for details.
