
Findings & Assets#

When APHIDS runs in online mode, scan results are parsed into structured findings and assets stored in the Hive graph database.


Assets#

Assets are infrastructure components discovered during scans:

| Asset Type  | Examples                             |
|-------------|--------------------------------------|
| URL         | https://example.com/login            |
| Site        | example.com                          |
| Host        | web-server-01                        |
| IP          | 203.0.113.50                         |
| Port        | 443/tcp                              |
| DNS         | A record: example.com → 203.0.113.50 |
| Application | Apache 2.4.52, WordPress 6.4         |

Assets are deduplicated across scans — scanning the same target multiple times enriches the existing asset rather than creating duplicates.

Asset Relationships#

Assets are connected in the graph:

Site: example.com
  ├── DNS: A → 203.0.113.50
  │     └── IP: 203.0.113.50
  │           └── Port: 443/tcp
  ├── URL: /login
  ├── URL: /api/v1
  └── Application: Apache 2.4.52
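The deduplication and graph layout described above, as an added example in Python (not APHIDS or Hive code): two scans of the same target are ingested, each asset's identity is normalized before lookup so the second scan enriches existing nodes instead of duplicating them, and the edges follow the site → DNS → IP → port / site → URL / site → application tree. The scan-result format, the `AssetGraph` class, its identity rules, and the two scan dictionaries are assumptions constructed for this illustration.

```python
"""Asset graph with cross-scan deduplication.

Added example, not APHIDS or Hive code: an in-memory model of the asset graph
sketched above. The scan-result format, the identity rules used to merge
re-scanned assets, and the node/edge layout are assumptions made for this
illustration.
"""
from urllib.parse import urlsplit


class AssetGraph:
    def __init__(self):
        self.nodes = {}     # key -> {"type", "value", "props", "seen"}
        self.edges = set()  # (parent_key, child_key)

    @staticmethod
    def key(kind, value):
        """Normalize an asset's identity so repeated scans hit the same node."""
        if kind in ("site", "host"):
            value = value.strip().lower().rstrip(".")          # EXAMPLE.COM. == example.com
        elif kind == "url":
            u = urlsplit(value)                                  # drop query and fragment
            value = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path or '/'}"
        elif kind == "port":
            num, _, proto = value.partition("/")
            value = f"{int(num)}/{(proto or 'tcp').lower()}"    # "443" -> "443/tcp"
        elif kind == "application":
            value = " ".join(value.split())
        return f"{kind}:{value}"

    def upsert(self, kind, value, parent=None, **props):
        """Create the node on first sight; afterwards only enrich it and bump the counter."""
        k = self.key(kind, value)
        node = self.nodes.get(k)
        if node is None:
            node = self.nodes[k] = {"type": kind, "value": k.split(":", 1)[1], "props": {}, "seen": 0}
        node["seen"] += 1
        node["props"].update({p: v for p, v in props.items() if v is not None})
        if parent is not None:
            self.edges.add((parent, k))
        return k

    def children(self, key):
        return sorted(child for parent, child in self.edges if parent == key)


def ingest_scan(graph, scan):
    """Walk one scan result (constructed format) and wire it into the graph following
    the tree above: site -> dns -> ip -> port, site -> url, site -> application."""
    site = graph.upsert("site", scan["site"])
    for rec in scan.get("dns", []):
        dns = graph.upsert("dns", f"{rec['type']}:{rec['name'].lower()}->{rec['address']}", parent=site)
        ip = graph.upsert("ip", rec["address"], parent=dns)
        for port in scan.get("ports", {}).get(rec["address"], []):
            graph.upsert("port", port, parent=ip)
    for url in scan.get("urls", []):
        graph.upsert("url", url, parent=site)
    for app in scan.get("applications", []):
        graph.upsert("application", app["product"], parent=site, version=app.get("version"))
    return site


# Constructed sample: the same target scanned twice, with cosmetic differences
# in spelling and a second scan that discovers more.
SCAN_1 = {
    "site": "example.com",
    "dns": [{"type": "A", "name": "example.com", "address": "203.0.113.50"}],
    "ports": {"203.0.113.50": ["443/tcp"]},
    "urls": ["https://example.com/login"],
    "applications": [{"product": "Apache", "version": "2.4.52"}],
}
SCAN_2 = {
    "site": "EXAMPLE.COM.",
    "dns": [{"type": "A", "name": "Example.com", "address": "203.0.113.50"}],
    "ports": {"203.0.113.50": ["443", "80/tcp"]},
    "urls": ["https://example.com/login?next=/", "https://example.com/api/v1"],
    "applications": [{"product": "Apache", "version": "2.4.52"},
                     {"product": "WordPress", "version": "6.4"}],
}


def build_graph():
    g = AssetGraph()
    for scan in (SCAN_1, SCAN_2):
        ingest_scan(g, scan)
    return g


if __name__ == "__main__":
    g = build_graph()
    for key, node in sorted(g.nodes.items()):
        print(f"{key:45} seen={node['seen']} {node['props']}")
```

After both scans the graph holds nine nodes, not the fourteen a naive import would create: the site, the login URL and port 443 each carry `seen=2`, and the WordPress application and port 80 are new nodes hung off the same site and IP. Which fields count as identity (here: query strings and trailing dots do not) is the one decision worth reviewing before adopting any such rule, because an over-eager key silently merges distinct assets.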

Submitting Assets via MCP#

In MCP mode with Hive, submit assets directly:

"Submit these discovered assets: example.com resolves to 203.0.113.50,
running Apache 2.4.52 on port 443"

The submit_assets MCP tool accepts URLs, IPs, domains, ports, and applications.


Findings#

Findings are individual results from security tools, linked to the assets they affect:

  • Scanner output — Raw findings from nmap, nuclei, nikto, etc.
  • Severity levels — Critical, High, Medium, Low, Info
  • Evidence — Tool output, screenshots, request/response data
  • Deduplication — Similar findings are merged across scans

Finding to Vulnerability#

Findings can be promoted to vulnerabilities for formal tracking:

  1. Review findings in the Hive UI
  2. Promote to vulnerability (manual or via Threat Insights)
  3. Enrich with CVE/CVSS/EPSS data
  4. Track remediation status
  5. Include in reports
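Steps 2 to 5 of the promotion workflow, as an added example in Python (not Hive's implementation): a reviewed finding becomes a vulnerability record, CVSS/EPSS are filled in from an enrichment lookup, the scanner's severity label is raised when the CVSS rating is worse, and remediation status moves through an explicit state machine that refuses invalid transitions. The `ENRICHMENT` table is a constructed stand-in for an NVD/EPSS query (its values are not the real record for that CVE id), and the state names and allowed transitions are assumptions; only the CVSS v3.x severity bands are official.

```python
"""Promote a reviewed finding to a tracked vulnerability.

Added example, not Hive's implementation. It walks steps 2 to 5 above: the
CVE/CVSS/EPSS enrichment comes from a constructed offline table (a deployment
would query NVD and the EPSS API), and the remediation states and allowed
transitions are assumptions; only the CVSS v3.x severity bands are official.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
CVSS_BANDS = ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low"), (0.0, "info"))

# Constructed enrichment records; values are illustrative, not the real CVE data.
ENRICHMENT = {
    "CVE-2024-12345": {"cvss": 9.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "epss": 0.42},
}

# Assumed remediation workflow: current status -> statuses it may move to.
TRANSITIONS = {
    "open": {"in_progress", "risk_accepted"},
    "in_progress": {"remediated", "risk_accepted", "open"},
    "remediated": {"verified", "open"},
    "verified": {"open"},
    "risk_accepted": {"open"},
}


def cvss_severity(score):
    """Map a CVSS v3.x base score to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, label in CVSS_BANDS:
        if score >= floor:
            return label


@dataclass
class Vulnerability:
    finding_id: str
    name: str
    asset: str
    severity: str
    cve: Optional[str] = None
    cvss: Optional[float] = None
    vector: Optional[str] = None
    epss: Optional[float] = None
    status: str = "open"
    history: list = field(default_factory=list)

    def transition(self, new_status, actor, when=None):
        """Move to a new remediation status, refusing steps the workflow does not allow."""
        if new_status not in TRANSITIONS.get(self.status, set()):
            raise ValueError(f"cannot move from {self.status} to {new_status}")
        self.history.append((self.status, new_status, actor, when or date.today().isoformat()))
        self.status = new_status
        return self


def promote(finding, enrichment=ENRICHMENT):
    """Steps 2 and 3: build the record and fill CVSS/EPSS when the CVE is known."""
    v = Vulnerability(finding_id=finding["id"], name=finding["name"], asset=finding["asset"],
                      severity=finding["risk"], cve=finding.get("cve"), cvss=finding.get("cvss"))
    rec = enrichment.get(v.cve or "")
    if rec:
        if v.cvss is None:                 # an analyst-supplied score is not overwritten
            v.cvss = rec["cvss"]
        v.vector, v.epss = rec["vector"], rec["epss"]
    if v.cvss is not None:
        # The CVSS rating can raise the scanner's label but never lower it.
        rated = cvss_severity(v.cvss)
        if SEVERITY_RANK[rated] > SEVERITY_RANK[v.severity]:
            v.severity = rated
    return v


def report_line(v):
    """Step 5: one report row; EPSS next to CVSS is what orders the remediation queue."""
    cvss = f"{v.cvss:.1f}" if v.cvss is not None else "n/a"
    epss = f"{v.epss:.0%}" if v.epss is not None else "n/a"
    return f"[{v.severity.upper()}] {v.name} on {v.asset} ({v.cve or 'no CVE'}; CVSS {cvss}; EPSS {epss}) status={v.status}"


# Constructed finding as it might look after review in step 1.
SAMPLE_FINDING = {"id": "f-0001", "name": "SQL injection", "asset": "url:https://example.com/api/users",
                  "risk": "high", "cve": "CVE-2024-12345"}


def sample_workflow():
    """Step 4: walk the record through the remediation states."""
    v = promote(SAMPLE_FINDING)
    v.transition("in_progress", "alice").transition("remediated", "alice").transition("verified", "bob")
    return v


if __name__ == "__main__":
    print(report_line(sample_workflow()))
```

The two guards worth keeping in any real implementation are the ones shown here: enrichment fills gaps but never overwrites an analyst's score, and a status change is rejected rather than silently recorded when it skips a step (for instance jumping straight from `verified` to `risk_accepted`), so the history stays auditable.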

Submitting Findings via MCP#

In MCP mode with Hive, submit custom findings:

"Submit a finding: SQL injection vulnerability found at
https://example.com/api/users?id=1, severity high,
CVE-2024-12345"

The submit_findings MCP tool accepts name, risk level, description, URL/host, CVE, CWE, CVSS, and evidence.
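The finding intake described above (the field list of submit_findings, the link to an affected asset, and the deduplication of similar findings across scans), as an added example in Python that is not APHIDS or Hive code: each submission is validated field by field, keyed to its asset, and either stored or merged into an existing finding reported earlier by another tool. The field names follow the list in this section, but the exact submit_findings schema, the asset identity rule, the merge rules, and the three sample submissions are assumptions constructed for this illustration.

```python
"""Finding intake: validate the submitted fields, link the finding to its asset,
and merge repeats across scans and tools.

Added example, not APHIDS or Hive code. Field names follow the submit_findings
list above; the schema, identity rule and merge rules are assumptions.
"""
import hashlib
import re
from urllib.parse import urlsplit

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
ID_PATTERNS = {"cve": re.compile(r"^CVE-\d{4}-\d{4,}$"), "cwe": re.compile(r"^CWE-\d+$")}


def asset_key(target):
    """URLs keep scheme/host/path (the query goes in evidence); hosts are lowercased."""
    if "://" in target:
        u = urlsplit(target)
        return f"url:{u.scheme.lower()}://{u.netloc.lower()}{u.path or '/'}"
    return f"host:{target.strip().lower().rstrip('.')}"


def validate_finding(raw):
    """Return a normalized finding or raise ValueError on a malformed submission."""
    out = {"name": " ".join(raw["name"].split()), "risk": raw["risk"].strip().lower(),
           "description": raw.get("description", ""), "evidence": list(raw.get("evidence", [])),
           "tool": raw.get("tool", "manual")}
    if out["risk"] not in SEVERITY_RANK:
        raise ValueError(f"unknown risk level {raw['risk']!r}")
    target = raw.get("url") or raw.get("host")
    if not target:
        raise ValueError("finding needs a url or a host")
    out["asset"] = asset_key(target)
    for key, pattern in ID_PATTERNS.items():          # CVE / CWE ids, case-normalized
        if raw.get(key):
            ident = raw[key].strip().upper()
            if not pattern.match(ident):
                raise ValueError(f"malformed {key.upper()} id {raw[key]!r}")
            out[key] = ident
    if raw.get("cvss") is not None:
        score = float(raw["cvss"])
        if not 0.0 <= score <= 10.0:
            raise ValueError(f"CVSS out of range: {score}")
        out["cvss"] = score
    return out


def is_valid(raw):
    try:
        validate_finding(raw)
        return True
    except (ValueError, KeyError):
        return False


def fingerprint(f):
    """Dedup key: same asset + same name (case-insensitive), whatever tool or scan reported it."""
    return hashlib.sha256(f"{f['asset']}|{f['name'].lower()}".encode()).hexdigest()[:16]


class FindingStore:
    def __init__(self):
        self.findings = {}   # fingerprint -> merged finding

    def submit(self, raw):
        f = validate_finding(raw)
        fp = fingerprint(f)
        existing = self.findings.get(fp)
        if existing is None:
            f["tools"] = {f.pop("tool")}
            f["occurrences"] = 1
            self.findings[fp] = f
            return fp, "created"
        # Merge rules (assumed): worst severity wins, tools and evidence accumulate,
        # enrichment fields are filled in when missing but never overwritten.
        if SEVERITY_RANK[f["risk"]] > SEVERITY_RANK[existing["risk"]]:
            existing["risk"] = f["risk"]
        existing["tools"].add(f["tool"])
        for line in f["evidence"]:
            if line not in existing["evidence"]:
                existing["evidence"].append(line)
        for key in ("cve", "cwe", "cvss"):
            if key in f and key not in existing:
                existing[key] = f[key]
        existing["occurrences"] += 1
        return fp, "merged"


# Constructed submissions: two tools and one analyst reporting on the same target.
SUBMISSIONS = [
    {"tool": "nuclei", "name": "SQL Injection", "risk": "high",
     "url": "https://example.com/api/users?id=1",
     "evidence": ["GET /api/users?id=1' AND SLEEP(5)-- : response delayed 5.1s"]},
    {"tool": "nikto", "name": "Server version disclosed", "risk": "info",
     "host": "example.com", "evidence": ["Server: Apache/2.4.52"]},
    {"tool": "manual", "name": "sql injection", "risk": "critical",
     "url": "https://example.com/api/users?id=1%27", "cve": "cve-2024-12345",
     "cwe": "CWE-89", "cvss": 9.8, "evidence": ["id=1' AND 1=1 vs id=1' AND 1=2 differ"]},
]


def load_samples():
    store = FindingStore()
    results = [store.submit(s) for s in SUBMISSIONS]
    return store, results
```

The third submission lands on the same fingerprint as the first (same asset once the query string is dropped, same name once case is ignored), so the store ends with two findings: the SQL injection now carries both tools, both evidence lines, the analyst's CVE/CWE/CVSS, and the higher severity. Rejecting a malformed CVE id at intake is cheaper than cleaning it out of the graph later, which is why the validator fails loudly instead of storing the string as given.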


AI Enrichment#

When findings are uploaded, the Hive post-processor automatically:

  1. Generates LLM summaries — Claude summarizes scan results
  2. Infers threats — AI identifies patterns like exposed admin panels, EOL software, weak crypto
  3. Correlates findings — Links related findings across different tools and scans
  4. Calculates risk scores — Composite scoring based on vulnerability severity and count

These enrichments appear in the Hive dashboard as Threat Insights with confidence scores and remediation recommendations.
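Steps 2 and 4 of the post-processor (threat inference and composite risk scoring), as an added example in Python that is not Hive's implementation. Hive does the inference with an LLM; here the same three pattern classes named above (exposed admin panels, EOL software, weak crypto) are flagged with explicit rules over constructed asset and finding records, each producing a Threat Insight with a confidence and a recommendation, and the results feed a composite score that grows with both the severity and the count of findings. The rules, confidence values, EOL floors and scoring formula are assumptions, not Hive's.

```python
"""Rule-based threat inference and composite risk scoring.

Added example, not Hive's post-processor. Hive does this step with an LLM;
here the three pattern classes named above (exposed admin panels, EOL
software, weak crypto) are flagged with explicit rules so the logic is
inspectable. The rules, confidence values, EOL floors and scoring formula
are assumptions, and the asset and finding records are constructed.
"""
import re
from functools import reduce
from urllib.parse import urlsplit

ADMIN_PATHS = re.compile(r"^/(admin|wp-admin|phpmyadmin|manager/html)(/|$)", re.I)
EOL_FLOOR = {"php": (8, 1), "apache": (2, 4)}    # illustrative: versions below this are treated as EOL
WEAK_TOKENS = {"sslv2", "sslv3", "tlsv1.0", "tlsv1.1", "rc4", "des", "3des", "null", "export", "md5"}
SEVERITY_WEIGHT = {"critical": 0.9, "high": 0.6, "medium": 0.3, "low": 0.1, "info": 0.0}


def parse_version(text):
    parts = re.findall(r"\d+", text or "")[:2]
    return tuple(int(p) for p in parts) if parts else (0, 0)


def weak_crypto_tokens(evidence_lines):
    """Tokenize tool output so RC4 inside TLS_RSA_WITH_RC4_128_SHA is still seen."""
    found = set()
    for line in evidence_lines:
        for tok in re.split(r"[^A-Za-z0-9.]+", line):
            if tok.strip(".").lower() in WEAK_TOKENS:
                found.add(tok.strip("."))
    return found


def insight(threat, asset, severity, confidence, recommendation):
    return {"threat": threat, "asset": asset, "severity": severity,
            "confidence": confidence, "recommendation": recommendation}


def infer_threats(assets, findings):
    """Return Threat Insight records with a confidence and a remediation recommendation."""
    out = []
    for a in assets:
        if a["type"] == "url" and ADMIN_PATHS.match(urlsplit(a["value"]).path):
            # A matching path is only a hint; a recorded 200 without an auth challenge is strong.
            strong = a.get("status") == 200 and not a.get("auth_required", True)
            out.append(insight("exposed_admin_panel", a["value"], "high" if strong else "medium",
                               0.9 if strong else 0.5,
                               "Restrict the panel to trusted networks or place it behind SSO with MFA."))
        elif a["type"] == "application":
            floor = EOL_FLOOR.get(a["value"].lower())
            if floor and parse_version(a.get("version")) < floor:
                out.append(insight("eol_software", f"{a['value']} {a['version']}", "high", 0.8,
                                   f"Upgrade {a['value']} to a supported release."))
    for f in findings:
        weak = weak_crypto_tokens(f.get("evidence", []))
        if weak:
            out.append(insight("weak_crypto", f["asset"], "medium", 0.85,
                               "Disable " + ", ".join(sorted(weak)) + "; offer TLS 1.2+ with AEAD suites only."))
    return out


def composite_risk(severities):
    """Illustrative noisy-OR composite: each finding removes a severity-weighted share of the
    remaining 'safe' probability, so more and worse findings push the score toward 100."""
    survive = reduce(lambda acc, s: acc * (1.0 - SEVERITY_WEIGHT[s]), severities, 1.0)
    return round(100.0 * (1.0 - survive), 1)


# Constructed post-processing input: a few assets and findings from one target.
ASSETS = [
    {"type": "url", "value": "https://example.com/wp-admin/", "status": 200, "auth_required": False},
    {"type": "url", "value": "https://example.com/login", "status": 200, "auth_required": False},
    {"type": "application", "value": "PHP", "version": "7.4.33"},
    {"type": "application", "value": "Apache", "version": "2.4.52"},
]
FINDINGS = [
    {"name": "TLS configuration", "asset": "203.0.113.50:443", "risk": "low",
     "evidence": ["TLSv1.0 offered", "cipher TLS_RSA_WITH_RC4_128_SHA accepted"]},
    {"name": "SQL injection", "asset": "https://example.com/api/users", "risk": "critical", "evidence": []},
]


def run_post_processor(assets=ASSETS, findings=FINDINGS):
    insights = infer_threats(assets, findings)
    score = composite_risk([f["risk"] for f in findings] + [i["severity"] for i in insights])
    return insights, score


if __name__ == "__main__":
    insights, score = run_post_processor()
    for i in insights:
        print(f"{i['threat']:22} {i['severity']:8} conf={i['confidence']:.2f} {i['asset']}")
    print("composite risk:", score)
```

Two properties of the scoring are worth noting when reading a dashboard number: the noisy-OR form is bounded at 100, so one critical finding already puts a target near the top and piling on informational results cannot move it (a list of fifty `info` findings scores 0), and confidence is carried separately from severity so a low-confidence inference (an admin-looking path that was never actually reached) does not inflate the score the way a confirmed one does.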