Capability architecture
A finding is not real until the evidence supports it.
The findings model is built for analysts, developers, executives and risk teams to work from the same proof, not separate interpretations.
01 Why it matters
- Security teams are flooded with theoretical findings, duplicate alerts and weak severity scores.
- Developers need reproduction steps and remediation context, not vague vulnerability labels.
- Executives need to know business impact and whether the risk is realistically exploitable.
02 ThreatCanary approach
- Links every confirmed finding to observations, tests, evidence, affected assets, APIs, owners and attack-path context.
- Separates hypothesis, validation, finding and remediation so the decision trail is auditable.
- Reassesses findings as assets, APIs and exposure change over time.
03 Evidence included
- Affected asset, API endpoint, method, path, protocol and environment context.
- Request/response evidence, callback evidence, scanner output or validation traces where applicable.
- Exploitability rationale, confidence, severity drivers and attack-path relationships.
- Remediation guidance, owner mapping, retest status and workflow links.
04 Outputs
- Analyst-ready technical detail.
- Developer-ready reproduction and remediation steps.
- CISO-ready risk summaries and trend reporting.
- GRC-ready evidence packages and control mappings where applicable.