Custom exit codes supply granular insights per test

Security tooling usually requires an experienced engineer to contextualize results so a decision can be made. Do you patch a system now or later? Do you contact a vendor because an attack vector slipped through? This can make it difficult to understand security posture at scale, as engineers contextualize differently.

Detect results are standardized against a lookup table (below) that attaches a code to every test response.

Exit codes

When a test finishes, it uses an exit code to specify if it was PROTECTED or UNPROTECTED. The current exit code options are shown below.

The operating system includes many codes by default, which are not outlined in the table.

Code  Status       Description
0     PROTECTED    The test was removed before execution
1     ERROR        The test encountered an unexpected error
2     ERROR        The test was malformed
9     PROTECTED    The test process was force killed
15    PROTECTED    The test process was killed gracefully
100   PROTECTED    The test completed normally
101   UNPROTECTED  The test completed normally but should have been blocked
102   ERROR        The test stopped itself because it ran too long
103   ERROR        The test failed to clean up
104   PROTECTED    The test is not relevant to the endpoint
105   PROTECTED    The test extracted a file which was quarantined
106   PROTECTED    Outbound connection was blocked
107   PROTECTED    The test completed normally but the host is not vulnerable
126   PROTECTED    The endpoint is blocking execution of test
127   PROTECTED    The test binary was quarantined
137   PROTECTED    The test received a SIGKILL signal
256   ERROR        There was an unexpected execution error
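
The following added example (not the product's own code) shows how a collector could apply the exit-code table above to a batch of results and list the ones that need follow-up. The function names, the sample hosts and tests, and the `UNKNOWN` bucket for operating-system codes outside the table are assumptions; so is the collector being written in Python, whose `subprocess` module reports a child killed by signal N as `-N`.

```python
from collections import Counter

# Status per exit code, transcribed from the table on this page.
PROTECTED = {0, 9, 15, 100, 104, 105, 106, 107, 126, 127, 137}
UNPROTECTED = {101}
ERROR = {1, 2, 102, 103, 256}


def normalize(returncode):
    """Map Python's -N (child killed by signal N) to the table's code N."""
    return -returncode if returncode < 0 else returncode


def classify(returncode):
    """Return the table status for a raw return code."""
    code = normalize(returncode)
    if code in UNPROTECTED:
        return "UNPROTECTED"
    if code in PROTECTED:
        return "PROTECTED"
    if code in ERROR:
        return "ERROR"
    # Assumption: OS codes not listed in the table are surfaced, not guessed.
    return "UNKNOWN"


def summarize(results):
    """results: iterable of (endpoint, test_id, returncode) tuples.

    Returns (totals per status, rows that are not PROTECTED).
    """
    totals, follow_up = Counter(), []
    for endpoint, test_id, returncode in results:
        status = classify(returncode)
        totals[status] += 1
        if status != "PROTECTED":
            follow_up.append((endpoint, test_id, normalize(returncode), status))
    return totals, follow_up


# Constructed sample results; hosts and test ids are placeholders.
SAMPLE = [
    ("host-a", "test-1", 100), ("host-a", "test-2", 101),
    ("host-b", "test-1", -9), ("host-b", "test-2", 137),
    ("host-c", "test-1", 102), ("host-c", "test-2", 3),
]

if __name__ == "__main__":
    totals, follow_up = summarize(SAMPLE)
    print(dict(totals), follow_up, sep="\n")
```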