Core concepts
Every ANTHRION scan — across every surface — produces the same normalized finding model. A prompt-injection finding from an AI scan and a SQL-injection finding from a code scan have the same shape, so you can read, triage and automate against one format.
The finding model
Each finding has these fields:
| Field | What it is |
|---|---|
| severity | One of CRITICAL, HIGH, MEDIUM, LOW, INFO |
| category | A stable machine-readable slug (e.g. prompt-injection, taint-sql-injection) |
| title | A one-line human summary of the finding |
| description | What was found and why it matters |
| evidence | The supporting detail — the request/response, code path, or signal behind the finding |
| recommendation | Concrete guidance on how to fix it |
Severity scale
| Severity | Meaning |
|---|---|
| CRITICAL | Exploitable now, high impact — fix before shipping |
| HIGH | Serious weakness; likely exploitable |
| MEDIUM | A real issue with limited impact or preconditions |
| LOW | Minor or defense-in-depth |
| INFO | Informational — context, not a vulnerability |
In the developer surfaces, severities travel uppercase on the wire (HIGH). The CI/CD action gates on the same scale via its fail-on threshold.
Scan lifecycle
A scan moves through a small set of states:
| State | Meaning |
|---|---|
| QUEUED | Accepted and waiting to start |
| RUNNING | In progress; progress streams live (see Real-time results) |
| DONE | Finished; findings and a report are available |
| FAILED | Could not complete (e.g. the target was unreachable) |
A target that could not be meaningfully contacted (unreachable, or never answering) ends as FAILED, never as a misleading clean DONE.
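The following is an added example, not ANTHRION's own code, showing how a consumer would work with the finding model and the lifecycle states described above: validate each finding against the six fields and the severity scale, apply a fail-on threshold the way a CI gate does, and refuse to treat anything other than a DONE scan as a result. The field names, severity labels and states come from this page; the JSON payload is constructed sample data, and the `gate()` function, its return values and the slug regex are assumptions about one reasonable way to consume these findings.

```python
"""Validate ANTHRION-style findings and gate a CI step on them.

Added example, not ANTHRION's own code. Field names, severity labels and
scan states are taken from the documentation; the sample payload below is
constructed, and gate()'s outcomes and the slug regex are assumptions.
"""
import json
import re

# Severity scale from the page, ordered least to most severe.
SEVERITIES = ["INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}

# Scan lifecycle states from the page.
STATES = {"QUEUED", "RUNNING", "DONE", "FAILED"}

REQUIRED_FIELDS = ("severity", "category", "title",
                   "description", "evidence", "recommendation")
# Categories are "stable machine-readable slugs" (e.g. prompt-injection);
# this exact pattern is an assumption, not a documented constraint.
SLUG_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")


def validate_finding(finding):
    """Return a list of problems with one finding (empty list means well-formed)."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in finding:
            problems.append(f"missing field: {field}")
    sev = finding.get("severity")
    if sev is not None and sev not in RANK:
        # Severities travel uppercase on the wire; "high" is a producer bug,
        # not a new level, so it is rejected rather than normalized.
        problems.append(f"unknown severity: {sev!r}")
    cat = finding.get("category")
    if cat is not None and not SLUG_RE.match(cat):
        problems.append(f"category is not a slug: {cat!r}")
    return problems


def at_or_above(findings, threshold):
    """Findings whose severity meets the fail-on threshold."""
    floor = RANK[threshold]
    return [f for f in findings if RANK[f["severity"]] >= floor]


def summarize(findings):
    """Severity summary of the kind a report leads with: a count per level."""
    counts = {s: 0 for s in SEVERITIES}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def gate(scan, threshold="HIGH"):
    """Decide a CI outcome from a scan object (assumed shape: state + findings).

    Returns "pending", "error", "fail" or "pass". Only a DONE scan can pass:
    a FAILED scan is an error, not a clean result, and a malformed finding
    is an error too, so nothing slips through the gate by being unreadable.
    """
    state = scan["state"]
    if state not in STATES or state == "FAILED":
        return "error"
    if state in ("QUEUED", "RUNNING"):
        return "pending"
    findings = scan["findings"]
    if any(validate_finding(f) for f in findings):
        return "error"
    return "fail" if at_or_above(findings, threshold) else "pass"


# Constructed sample payload; not real scanner output.
SAMPLE_SCAN = json.loads("""
{
  "state": "DONE",
  "findings": [
    {"severity": "HIGH", "category": "taint-sql-injection",
     "title": "Request parameter reaches a SQL query unparameterized",
     "description": "The id parameter is concatenated into a query string.",
     "evidence": "handlers/user.py:42 -> db.execute(q)",
     "recommendation": "Use a parameterized query."},
    {"severity": "MEDIUM", "category": "prompt-injection",
     "title": "Retrieved document text is placed in the system prompt",
     "description": "Untrusted content can override instructions.",
     "evidence": "POST /chat with crafted document changed model behaviour",
     "recommendation": "Keep retrieved text out of the instruction channel."},
    {"severity": "INFO", "category": "prompt-injection",
     "title": "Model refused a probe; no impact observed",
     "description": "Context only.",
     "evidence": "POST /chat probe 3 refused",
     "recommendation": "No action required."}
  ]
}
""")

if __name__ == "__main__":
    print(summarize(SAMPLE_SCAN["findings"]))
    print("fail-on HIGH:", gate(SAMPLE_SCAN, "HIGH"))
    print("fail-on CRITICAL:", gate(SAMPLE_SCAN, "CRITICAL"))
    print("failed scan:", gate({"state": "FAILED", "findings": []}))
```

The threshold is applied to the same uppercase scale the wire uses, so the same `gate()` works whether findings come from an AI scan or a code scan. Note the asymmetry in outcomes: a scan with zero findings only passes when its state is DONE, which is the code-level counterpart of the page's point that an unreachable target is FAILED, not clean.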
The report
A finished scan produces a report: a severity summary plus the full findings list, each with its evidence and recommendation. Reports are downloadable and private to your account.

Honesty
A clean scan means ANTHRION's checks did not surface a finding — not that the target is provably secure. Coverage is reported honestly: where a scan could only partially cover a target, the report says so rather than overclaiming a "clean" result.