Every external scan ends the same way: a long list of findings, all wearing the same serious face. Somewhere in there is the thing an attacker would actually use, surrounded by two hundred items that deserve a ticket, eventually, from somebody. The first question a human asks about any row has never been "what is the CVSS score." It is simpler: can someone use this against us right now, or is it just untidy?
Resensor now answers that question on the finding itself. Every finding carries one of three triage classes, exploitable, fix, or hygiene, computed from exploit evidence rather than from severity. It shows up as a badge in the app, a field in the API, and a pill in the PDF report, and it is the same answer in all three places.
Severity was never a triage decision
CVSS measures how bad a vulnerability could be under lab conditions: what an attacker could reach, corrupt, or take over if they exploited it. That is worth knowing. It says nothing about whether anyone on earth is actually exploiting it, whether working exploit code exists, or whether the affected host is reachable in the first place.
Sorting by severity feels rigorous, and it is how most teams process a report. But it quietly ranks a critical that has never been exploited anywhere above a high that is on CISA's known-exploited list with a Metasploit module. An attacker reading the same list makes the opposite call without hesitating. We wrote about that gap from the attacker's side in what an attacker sees when they look at your company: their short list is built from reachability and exploit availability, not from the score column.
The triage class moves that call from the reader to the product, so the list arrives already sorted by the question that matters.
Three answers to one question
Exploitable means there is a known, evidenced exploit path today. A finding earns it when at least one of four things is true: a CVE on it sits in CISA's Known Exploited Vulnerabilities catalog, public exploit code exists for it, its EPSS score puts the odds of exploitation in the next 30 days at better than a coin flip, or one of our safe checks demonstrated access directly instead of inferring it. This is the short list. It is usually short.
Fix means it is a real vulnerability or misconfiguration you should remediate, but there is no exploit-path evidence yet. It carries CVEs, or it is a medium or higher weakness, and nothing indicates active or packaged exploitation. This is your normal patch cycle, scheduled like an adult rather than paged about at 2 a.m.
Hygiene means posture: hardening with no exploit path attached to it. Unfinished email authentication like SPF, DKIM, and DMARC. Missing security headers. TLS configuration that is dated but not practically attackable. Informational observations. Hygiene does not mean ignore. An unfinished DMARC policy is exactly how brand impersonation happens, and we grade it honestly on its own track. It means this queue is batched and finished, not firefought.
One line of logic decides the class, and every surface shares it. The app badge, the API field, and the PDF report cannot drift apart, because there is only one rule to drift from.
The evidence behind the word
The class is not an opinion. It is compiled from the same signals an attacker weighs when they pick a target for the evening.
CISA KEV is the strongest: a government-maintained catalog of vulnerabilities confirmed exploited in the wild, not predicted, observed. Public exploit availability comes from correlating findings against sources like Metasploit and Exploit-DB, and we distinguish a proof of concept from a weaponized, point-and-fire module. EPSS, from FIRST, contributes a live probability of exploitation over the next 30 days, and we only let it promote a finding on its own when that probability crosses 50 percent. And in the narrow cases where one of our checks can safely demonstrate access itself, an exposed datastore answering unauthenticated, for instance, the finding is marked from direct evidence rather than any feed.
Two honest limits. First, these are prioritization signals, not a penetration test; Resensor validates exposures with evidence, it does not run exploits against you. Second, the class is deliberately not frozen at scan time. It is resolved from live enrichment, so when a CVE you carry lands on KEV on Thursday, or a proof of concept appears over the weekend, the same finding re-grades from fix to exploitable without waiting for anything. Weekly rescans keep the finding set itself current underneath.
Where the badge shows up
In the app, the class sits on every row of the findings list and in the finding drawer, next to the severity it now qualifies. In the API, it is a field on the finding payload, so the same three-way split can drive your ticket routing or your SOAR playbook without re-deriving our logic. And in the PDF report it appears as a pill on each finding, which matters more than it sounds: the report is the version your executives, your auditors, or your MSP clients read, and "9 exploitable, 41 to fix, 130 hygiene" is a sentence a board understands on the first pass.
If you run reports for other people, this is the difference between a deliverable that says "trust my highlighting" and one that shows its reasoning on every line.
Monday morning, with a queue that reads itself
The workflow this enables is not complicated, which is the point. Start with exploitable: it is the queue where speed matters, and it usually fits on one screen. Put fix into your normal remediation cycle with dates instead of adrenaline. Batch hygiene into cleanup sprints and actually finish them, because posture debt compounds quietly.
Resensor's noise policy has worked this way internally for a while, rescuing anything with KEV or high EPSS from the low-severity floor so it cannot be hidden by default. The triage class takes the same logic out of the internals and prints it on every finding, where your team, your tickets, and your clients can all see the same word and mean the same thing by it.
Severity tells you how bad. The class tells you when, as in now, scheduled, or batched. If you want to see your own external surface sorted this way, start a scan: the first list you get back will already know which of its rows are ammunition.
Triage, printed on every finding
Run a scan and your first findings list arrives pre-sorted: what is exploitable now, what to schedule, and what to batch. The same grading in the app, the API, and the report you hand to your clients.