At Patrowl, we have a rule: never raise a non-exploitable vulnerability as a “Qualified vulnerability”.
Our goal is to save you time, so qualified vulnerabilities are only raised when they can really be exploited by an attacker (we call these “Real vulnerabilities”). All other “non-exploitable” vulnerabilities can be found in the Risk Insight part, but Patrowl will never consider them Qualified Vulnerabilities.
This can be disturbing at first, as most of your scanners and tools, even pentests, have become accustomed to raising non-qualified vulnerabilities, afraid of the famous “empty report”. At Patrowl, the lack of a result is a result. If our automation and our pentesters did not find anything exploitable on an asset, you will not have any qualified vulnerabilities, meaning nothing could be exploited using the state-of-the-art techniques of opportunistic attackers.
However, if you want to check that our scans and automation have been performed correctly, you can directly see the full list of offensive and passive controls performed in the single asset view.
So, no qualified vulnerabilities = no problem, for the moment.