Not every finding reported by a scanner is a genuine vulnerability. A false positive is a finding that has been incorrectly identified as a security issue. S4E provides tools to mark, manage, and learn from false positives so they do not clutter your findings list or deflate your security score.


What Is a False Positive?

A false positive occurs when a scan module detects a pattern that resembles a vulnerability but is not actually exploitable. Common causes include:

  • Custom WAF rules that alter responses in ways that mimic vulnerabilities, for example a block page whose body contains the very error text a detection signature looks for.
  • Application behavior that matches detection signatures without being vulnerable.
  • Duplicate parameters that trigger injection checks but are sanitized server-side.
  • Honeypot responses intentionally designed to look vulnerable.

Marking a Finding as False Positive

  1. Navigate to the finding you want to mark.
  2. Click Status on the finding detail page.
  3. Select False Positive from the status dropdown.
  4. Provide a description explaining why this is a false positive. This is required and helps build institutional knowledge.
  5. Click Update Status.

Note

Marking a finding as a false positive requires a privileged account. Viewers cannot change finding status.

Impact of Marking False Positive

When a finding is marked as false positive:

  • It is excluded from the asset's security score calculation.
  • It moves out of the default findings view (but remains accessible via filters).
  • Future scans that detect the same issue on the same asset will automatically inherit the false positive status. Because the status carries forward, revisit suppressed findings through the status filter whenever the asset changes (for example, after a WAF rule is removed): a rescan will not resurface a suppressed issue on its own.
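
The marking procedure and its effects described in the two sections above, modelled as an added Python example. This is illustrative code written for this page, not S4E's implementation or API: the Finding fields, the (asset, module, location) key used to decide when a later scan inherits the status, and the scoring formula (100 minus the summed severity weights of open findings) are assumptions chosen to show the behaviour the page describes. The scan results it feeds in are constructed.

```python
"""Toy model of finding triage with false-positive suppression.

Illustrative example, not S4E's implementation. The data model, the scoring
formula (100 minus summed severity weights, floored at 0) and the inheritance
key (asset, module, location) are assumptions made for this example.
"""
from dataclasses import dataclass

OPEN = "open"
FALSE_POSITIVE = "false_positive"


@dataclass(frozen=True)
class Finding:
    asset: str      # host or application the finding belongs to
    module: str     # scan module that raised it (assumed identifier)
    location: str   # where it was seen, e.g. path plus parameter
    severity: int   # weight subtracted from the asset score (assumed scale)

    def key(self):
        # Inheritance key: "the same issue on the same asset". Severity is
        # deliberately left out so a re-rated finding still inherits.
        return (self.asset, self.module, self.location)


class FindingTracker:
    def __init__(self):
        self.records = {}       # key -> {"finding", "status", "reason"}
        self.suppressions = {}  # key -> reason; persists across scans

    def ingest(self, scan_results):
        """Load one scan's findings, inheriting suppressions from earlier scans."""
        for f in scan_results:
            k = f.key()
            if k in self.suppressions:
                status, reason = FALSE_POSITIVE, self.suppressions[k]
            else:
                status, reason = OPEN, None
            self.records[k] = {"finding": f, "status": status, "reason": reason}

    def mark_false_positive(self, finding, reason):
        """Mark a finding, requiring a written justification as the UI does (step 4)."""
        if not reason or not reason.strip():
            raise ValueError("a description of why this is a false positive is required")
        k = finding.key()
        if k not in self.records:
            raise KeyError(f"no such finding: {k}")
        self.records[k]["status"] = FALSE_POSITIVE
        self.records[k]["reason"] = reason.strip()
        self.suppressions[k] = reason.strip()

    def findings(self, status=OPEN):
        """Default view lists open findings; pass FALSE_POSITIVE to filter to suppressed ones."""
        return [r["finding"] for r in self.records.values() if r["status"] == status]

    def status_of(self, finding):
        return self.records[finding.key()]["status"]

    def score(self, asset):
        """100 minus the open severity weights on the asset; suppressed findings do not count."""
        penalty = sum(r["finding"].severity for r in self.records.values()
                      if r["finding"].asset == asset and r["status"] == OPEN)
        return max(0, 100 - penalty)


def demo():
    """Walk through mark -> exclude from score -> inherit on rescan (constructed data)."""
    app = "app.example.com"
    xss = Finding(app, "reflected-xss", "/comment?text", 20)
    first_scan = [
        Finding(app, "sqli", "/search?q", 30),
        xss,
        # Same module and location on a different asset: must NOT inherit.
        Finding("api.example.com", "reflected-xss", "/comment?text", 20),
    ]
    tracker = FindingTracker()
    tracker.ingest(first_scan)
    before = tracker.score(app)  # 50: both app findings count
    tracker.mark_false_positive(
        xss, "WAF block page echoes the payload; the application itself encodes it")
    after = tracker.score(app)   # 70: the suppressed finding is excluded
    tracker.ingest(first_scan)   # next scan reports the same issues again
    return (before, after, tracker.status_of(xss),
            tracker.status_of(first_scan[2]), len(tracker.findings()))


if __name__ == "__main__":
    print(demo())  # (50, 70, 'false_positive', 'open', 2)
```

The suppression table is keyed separately from the per-scan records so that a fresh ingest can overwrite the records and still carry the status forward; the `api.example.com` finding shows that the match is per asset, not per signature.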

What's Next?