Severity, categories and confidence

Before priority review

Use this page after you understand the report evidence and need to decide what to review or fix first. Severity, category and confidence should be read together because each field answers a different question. Severity explains possible impact, category explains the owning workflow, and confidence explains how strongly the evidence supports the finding. A high-severity issue with weak evidence should not jump straight into remediation without evidence review.

Compare severity category and confidence

Follow the path `Reports → Private report → Top findings → Issue detail → Severity → Confidence → Next action`.

1. Open /reports/{report} and find Top findings. Result: severity, category and confidence are visible before remediation, ticket export or publication decisions.
2. Choose the finding with the highest severity and strongest confidence first. Result: urgent, well-supported issues move ahead of lower-impact or uncertain findings.
3. Read Severity with Evidence, not by itself. Result: high impact without enough evidence does not become an automatic fix task.
4. Read Category to understand which workflow owns the issue. Result: security, accessibility, consent, checkout and content findings route to the correct review or remediation path.
5. Read Confidence before assigning work. Result: low-confidence findings go to false-positive review or artifact inspection before engineering work starts.
6. Use severity, category and confidence to choose the next page. Result: artifacts, fingerprints, remediation, monitoring and publication actions start only after priority is evidence-backed.

How priority fields work

Use the fields as a combined priority model rather than as independent labels.

• Severity reflects likely business or customer impact if the finding is real.
• Category groups the finding into the product workflow that can act on it.
• Confidence reflects evidence strength and certainty, not business impact.
• Affected URL keeps the priority tied to the scanned page where the finding was observed.
• Fingerprint keeps retests and monitoring tied to the same issue even when wording changes.

Low-confidence and mixed-signal states

Mixed signals need review before work is assigned.

• High severity with low confidence means inspect screenshots, HTML snapshots, console and network evidence before creating remediation work.
• Low severity with high confidence can wait behind urgent findings but may still be useful for monitoring or cleanup.
• Category mismatch means confirm the finding belongs to the selected page and workflow before exporting a ticket.
• Evidence incomplete means use [Evidence, screenshots and artifacts](/docs/reports/evidence-screenshots-and-artifacts) before public sharing or remediation.
• False-positive candidate means use [False-positive review](/docs/reports/false-positive-review) and keep the finding out of automated fix work until review is complete.

Continue to evidence artifacts

Continue to [Evidence, screenshots and artifacts](/docs/reports/evidence-screenshots-and-artifacts) when a priority decision depends on visual, HTML, console or network proof. Continue to [Issue fingerprints](/docs/reports/issue-fingerprints) before retests or monitoring, and use [Publication gates](/docs/reports/publication-gates) before sharing prioritized findings outside the private workspace.