unpwnddocs
Open app

Read your first audit

getting startedUpdated Jul 2026

When an audit finds something, it doesn't just flag it — it proves it. Here's how to read a finding: its severity, its source → sink trace, and the fix you can hand straight to your coding agent.

Severity, at a glance

Each finding is ranked from critical to low and classified against CWE and the OWASP Top 10, so it maps directly onto how you already track and report vulnerabilities. Findings are also deduped by fingerprint across scans, so the same issue doesn't keep reappearing once it's already open.

Follow the source-to-sink trace

Every finding includes the path a value takes from where untrusted input enters to the dangerous operation it reaches — hop by hop, at file and line. That's the reasoning you're reviewing, not a black-box score: you can see for yourself why something is exploitable.

Copy the paste-ready fix

Each finding ships with a remediation prompt already scoped to that specific issue. Copy it into your coding agent or editor and review the change it proposes — the research is already done; what's left is a review-and-paste.