Severity & scoring

Every finding is ranked by severity — how serious the issue is. Severity is the main signal you use to decide what to fix first, and it drives sort order and the overview charts on a report.

BestDefense uses a standard set of severity levels:

  • Critical — severe issues that warrant urgent attention.
  • High — serious issues that should be addressed soon.
  • Medium — issues worth fixing, with less urgency.
  • Low — minor issues with limited impact.
  • Informational — observations and hardening suggestions rather than direct vulnerabilities.

These levels follow industry-standard conventions, so they should feel familiar if you’ve used other security tooling. Where it helps, findings also reference industry-standard classifications such as CWE identifiers.

A practical way to work through a report:

  1. Start at the top. Findings are sorted by severity, so Critical and High findings come first.
  2. Decide an action for each. Fix it now with AI remediation, hand it to your tracker with a Jira ticket, or accept the risk if you’ve decided not to fix it now.
  3. Work down the list. Move to Medium and Low once the most serious findings are handled.
  4. Use the overview. The report’s severity breakdown gives you a quick sense of where the risk concentrates.