ghost-validate

SKILL.md

Security Finding Validation

Determine whether a security finding is a true positive or false positive. Produce a determination with supporting evidence.

Input

The user provides a finding as a file path or pasted text. If neither is provided, ask for one.

Extract: vulnerability class, specific claim, affected endpoint, code location, and any existing validation evidence.

Validation Workflow

Step 1: Understand the Finding

Identify:

  • The vulnerability class (BFLA, BOLA, XSS, SQLi, SSRF, etc.)
  • The specific claim being made (what authorization check is missing, what input is unsanitized, etc.)
  • The affected endpoint and HTTP method
  • The code location
First Seen
Feb 20, 2026
ghost-validate — ghostsecurity/skills