Starting state
You have run one or more scans and collected findings. Hosts and services are on the Network Map, results have streamed into the live store, and you are ready to move from investigating to writing up what matters.
Inputs
- The workspace state: the hosts, services, and exposure boundary built up during recon.
- Structured findings: the objects produced by your scans, already tied to their hosts.
- A target audience: who reads this (leadership, an auditor, your own technical team).
Key steps
1. Treat findings as structured objects. A finding produced anywhere in the workspace (a nuclei hit, a flagged host, a Next Actions result) is a structured object rather than a line in a text file. That is what makes the rest of this flow possible without manual re-entry.
2. Summarize from real objects in the chat sidebar. Open the chat sidebar and @mention the hosts and findings you care about. The assistant summarizes from the real objects you reference, so your notes describe what was actually found instead of what you remembered to log.
3. Review the Reports / Compliance page. Move to the Reports / Compliance page, which assembles your structured findings into output. Here you decide what is in scope for this report and at what depth.
4. Map findings to a compliance framework. Choose from the available compliance frameworks and map each finding to the controls it touches. This is where raw findings become language an auditor or a board recognizes.
5. Assemble the report from evidence. Build the document from the findings and their evidence rather than from prose written after the fact. The output traces back to the objects in the encrypted local SQLite store, so every claim has a source.
# chat sidebar: ground the summary in real objects
summarize @host:dc01 @finding:smb-signing-disabled for leadership
# then: Reports / Compliance page
map findings -> framework -> assemble report
Shared context for small teams
Because findings persist as objects in the local store, the next person sees exactly what the last person found. A two-person security team does not lose half its work when someone is out. The workspace is the shared record, so handoffs read the same investigation rather than reconstructing it from memory.
Expected outputs
A board-ready report assembled from real evidence, consistent quarter over quarter because it is built from the same structured findings each time, with no $50k pentest required. When you run the next quarter, the format holds and leadership can compare like for like.
Why structure beats notes
Manual logging drifts: severity gets inconsistent, evidence goes missing, and last quarter's report looks nothing like this one. Assembling from structured findings keeps the report tied to evidence and repeatable, which is what makes quarter-over-quarter comparison meaningful.
Common operator decisions
- Severity. Set severity per finding based on exposure and impact, looking past the tool's default label. A medium on an internal host can be a high on the public-exposure boundary.
- Leadership versus technical appendix. Decide what belongs in the body for leadership (impact, risk, what to fix) versus the technical appendix (commands, raw evidence, host detail). Keep the front of the report readable.
- Framework choice. Pick the compliance framework your auditors or board already speak. Mapping to the right one up front saves a rewrite later.
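The flow above (findings as structured objects in a local SQLite store, severity adjusted for the exposure boundary, control mapping, a report in which every claim points back to its source object) as an added Python example; it is not the workspace's own code or schema, and the table layout, the control identifiers, the one-level severity bump for public hosts and the sample findings are all assumptions constructed for illustration:

```python
import sqlite3

# Constructed sample findings in the shape the text describes: tied to a host,
# carrying the tool's own severity label and the evidence that produced them.
FINDINGS = [
    {"id": "f1", "host": "dc01", "title": "SMB signing disabled",
     "tool_severity": "medium", "evidence": "nuclei: smb-signing-disabled on 445/tcp"},
    {"id": "f2", "host": "www01", "title": "SMB signing disabled",
     "tool_severity": "medium", "evidence": "nuclei: smb-signing-disabled on 445/tcp"},
]
# Assumed exposure boundary per host, as built up during recon.
EXPOSURE = {"dc01": "internal", "www01": "public"}
# Assumed mapping from finding title to framework controls (placeholder control names).
CONTROLS = {"SMB signing disabled": ["CTRL-NET-1 (protect data in transit)"]}
LEVELS = ["low", "medium", "high", "critical"]


def adjusted_severity(tool_severity, exposure):
    """Operator decision: a medium on an internal host is a high on the public boundary.
    Assumed rule: raise one level for public exposure, capped at critical."""
    i = LEVELS.index(tool_severity)
    return LEVELS[min(i + 1, len(LEVELS) - 1)] if exposure == "public" else tool_severity


def build_store(findings):
    """Persist findings as rows, not notes. In-memory here; encryption at rest is omitted."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE findings (id TEXT PRIMARY KEY, host TEXT, title TEXT,"
               " severity TEXT, evidence TEXT)")
    for f in findings:
        sev = adjusted_severity(f["tool_severity"], EXPOSURE[f["host"]])
        db.execute("INSERT INTO findings VALUES (?, ?, ?, ?, ?)",
                   (f["id"], f["host"], f["title"], sev, f["evidence"]))
    db.commit()
    return db


def assemble_report(db, audience):
    """Return report lines ordered by severity; each line cites its source object.
    'leadership' gets impact and control mapping only; 'technical' also gets raw evidence."""
    rows = db.execute("SELECT id, host, title, severity, evidence FROM findings").fetchall()
    rows.sort(key=lambda r: LEVELS.index(r[3]), reverse=True)
    lines = []
    for fid, host, title, sev, evidence in rows:
        controls = ", ".join(CONTROLS.get(title, ["unmapped"]))
        line = f"[{sev.upper()}] {title} on {host} -> {controls} (source: {fid})"
        if audience == "technical":
            line += f" | evidence: {evidence}"
        lines.append(line)
    return lines
```

Running the same two functions next quarter over the then-current rows is what keeps the format identical and the comparison like for like.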