If the AI agent receives a question to write a finding and it has no information available, it could only write a generic text and/or hallucinate.
The first step should be to search through notes and other findings to find further information.
If it doesn't find anything, it should have the option to ask the pentester one or more questions such as:
- Is the vulnerability exploitable without authentication?
- It requires standard permissions
- It requires high-privilege permissions
- It is exploitable without authentication
- Your answer: ...
- Can you provide the HTTP request that exploits the vulnerability?
- What URL is vulnerable?
- What is the impact of the SQL injection?
- Database read access
- Database write access
- Database read/write access
- Your answer: ...
This could allow the agent to write more custom finding descriptions.
If the AI agent receives a question to write a finding and it has no information available, it could only write a generic text and/or hallucinate.
The first step should be to search through notes and other findings to find further information.
If it doesn't find anything, it should have the option to ask the pentester one or more questions such as:
This could allow the agent to write more custom finding descriptions.