Understanding results

Aggregate results describe the true picture of your infrastructure

Security tooling usually needs an experienced engineer to put results in context before a decision can be made: patch this system now or later? Contact a vendor because an attack vector slipped through? Because different engineers interpret the same output differently, this makes a security posture hard to understand at scale.

Detect results are standardized against a lookup table (below) that classifies every test response with an objective code designed for analysis at scale.

Test results

When exiting from either the test or clean function, return a code that states how the test fared. The current exit codes are listed below.

Only the 100 block (100 to 107) consists of codes a test author returns deliberately. The rest are ordinary process exit statuses that occur on their own, without the test having to exit with them explicitly: 9 and 15 correspond to the SIGKILL and SIGTERM signal numbers, and 126 and 127 are the shell's conventional statuses for a binary that cannot be executed or cannot be found, which is why they map to an incompatible endpoint and a quarantined binary respectively.

Code  State        Description
0     PROTECTED    The test was removed before execution
1     ERROR        The test encountered an unexpected error
2     ERROR        The test was malformed
9     PROTECTED    The test process was force killed
15    PROTECTED    The test process was killed gracefully
100   PROTECTED    The test completed normally
101   UNPROTECTED  The test completed normally but should have been blocked
102   ERROR        The test was stopped by the probe because it ran too long
103   ERROR        The test failed to clean up
104   PROTECTED    The test is not relevant to the endpoint
105   PROTECTED    The test extracted a file which was quarantined
106   PROTECTED    Outbound connection was blocked
107   PROTECTED    The test completed normally but the host is not vulnerable
126   ERROR        The endpoint is incompatible with the test
127   PROTECTED    The test binary was quarantined
256   ERROR        There was an unexpected execution error
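The following is an added example, not code from this page or from the Prelude probe, showing how the codes above make results analyzable without a human in the loop. It assumes a hypothetical harness (Run) that executes a test function and its clean function and turns runtime conditions into table codes (a panic becomes 1, exceeding the time limit becomes 102, a failing clean function overrides the test's own code), then rolls the codes up per endpoint into an objective PROTECTED / UNPROTECTED / ERROR summary. The Result and Summary types and the host names are constructed for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// State is the objective classification attached to every exit code.
type State string

const (
	Protected   State = "PROTECTED"
	Unprotected State = "UNPROTECTED"
	Error       State = "ERROR"
)

// Classify maps a test exit code to its state using the lookup table on this
// page. Codes not in the table are reported as ERROR so that an unexpected
// value can never be counted as a pass.
func Classify(code int) State {
	switch code {
	case 0, 9, 15, 100, 104, 105, 106, 107, 127:
		return Protected
	case 101:
		return Unprotected
	default:
		return Error // 1, 2, 102, 103, 126, 256 and anything unknown
	}
}

// Run is a hypothetical harness (not the Prelude probe). It executes the test
// function under a wall-clock limit, then the clean function, and returns the
// code the run should report: a panic in the test is 1 (unexpected error),
// exceeding the limit is 102, and a clean function that does not return 100
// overrides the test's own code (normally with 103).
func Run(test, clean func() int, limit time.Duration) int {
	done := make(chan int, 1)
	go func() {
		defer func() {
			if r := recover(); r != nil {
				done <- 1 // the send below never happened, so the buffer is free
			}
		}()
		done <- test()
	}()

	code := 102
	select {
	case code = <-done:
	case <-time.After(limit):
		// the test goroutine is still running; report 102 as the probe would
	}

	if clean != nil {
		if c := clean(); c != 100 {
			code = c
		}
	}
	return code
}

// Result is one test outcome on one endpoint (constructed type).
type Result struct {
	Endpoint, Test string
	Code           int
}

// Summary is the per-endpoint picture an analyst reads instead of raw codes.
type Summary struct {
	Protected, Unprotected, Errors int
	Failing                        []string // tests that were UNPROTECTED
}

// Aggregate rolls results up per endpoint. Because every code already carries
// an objective state, no engineer has to interpret individual runs by hand.
func Aggregate(results []Result) map[string]Summary {
	out := map[string]Summary{}
	for _, r := range results {
		s := out[r.Endpoint]
		switch Classify(r.Code) {
		case Protected:
			s.Protected++
		case Unprotected:
			s.Unprotected++
			s.Failing = append(s.Failing, r.Test)
		case Error:
			s.Errors++
		}
		out[r.Endpoint] = s
	}
	for _, s := range out {
		sort.Strings(s.Failing) // sorts the shared backing array in place
	}
	return out
}

func main() {
	// Constructed sample runs: a pass, a test that should have been blocked,
	// a test that hangs, and a test whose clean-up fails.
	codes := []int{
		Run(func() int { return 100 }, func() int { return 100 }, time.Second),
		Run(func() int { return 101 }, func() int { return 100 }, time.Second),
		Run(func() int { time.Sleep(time.Second); return 100 }, nil, 50*time.Millisecond),
		Run(func() int { return 100 }, func() int { return 103 }, time.Second),
	}
	var results []Result
	for i, c := range codes {
		results = append(results, Result{Endpoint: "host-a", Test: fmt.Sprintf("test-%d", i+1), Code: c})
	}
	for host, s := range Aggregate(results) {
		fmt.Printf("%s: protected=%d unprotected=%d errors=%d failing=%v\n",
			host, s.Protected, s.Unprotected, s.Errors, s.Failing)
	}
}
```

Treating unknown codes as ERROR rather than PROTECTED is the deliberate choice here: a harness bug or a new code the aggregator does not know yet should surface as something to investigate, never as a pass.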