
Managing Findings

Findings are the core documentation unit in RTF. Every time you discover something during an engagement — a vulnerability, a successful technique, an interesting observation — you record it as a finding.

Findings are directly linked to MITRE ATT&CK or ATLAS techniques, so your documentation and your navigator always stay in sync.



What Is a Finding?

A finding represents one documented result from testing a technique. It can be:

  • A successful exploitation (e.g., "Gained initial access via phishing — T1566.001")
  • An observation (e.g., "SMB signing disabled on 14 hosts — T1557.001")
  • A partial result (e.g., "Password spray partially successful — T1110.003")
  • A completed test (e.g., "Tested all external-facing ports — T1595.001")

Creating a Finding

  1. Go to Findings in the left sidebar

  2. Click Add Finding

  3. Fill in the details:

    | Field | Required | Description |
    |---|---|---|
    | Title | Yes | Short name for this finding |
    | MITRE Path | Yes | The technique this finding maps to (e.g., Reconnaissance → Active Scanning → Scanning IP Blocks) |
    | Attack Profile | Yes | MITRE ATT&CK or MITRE ATLAS |
    | Status | Yes | In Progress or Completed |
    | Description | No | Full details of what you found and how |
    | Screenshot | No | Attach an image or screenshot as evidence |
    | Subprofile | No | Assign to a specific subprofile |

  4. Click Save Finding

Attaching Screenshots

You can drag and drop an image directly onto the finding form, or use the file picker. Screenshots are stored securely and attached to the finding permanently.


Selecting the MITRE Path

The MITRE path is a hierarchical selector:

  1. First select the Tactic (e.g., Reconnaissance)
  2. Then the Technique (e.g., Active Scanning)
  3. Then the Sub-technique if applicable (e.g., Scanning IP Blocks)

The path becomes the canonical link between your finding and the navigator.


Finding Status and Navigator Sync


This is one of RTF's most powerful features — findings and the navigator are automatically kept in sync:

| Action | Navigator Effect |
|---|---|
| Create finding (In Progress) | Technique → In Progress |
| Mark finding as Completed | Technique → Completed; Tactic → Completed (if all done) |
| Delete a Completed finding | Technique reverts to In Progress (only if no other completed findings for same path) |

You never have to manually update the navigator when you're managing findings properly.
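The sync rules in the table above can be modelled in a few lines, which makes the delete edge case easy to reason about. This is an added example, not RTF's own code: the `NavigatorModel` class, its method names, and the finding IDs are hypothetical, and it assumes that "all done" means every technique tracked under a tactic is Completed and that a technique with a Completed finding stays Completed when another In Progress finding is added.

```python
IN_PROGRESS, COMPLETED = "In Progress", "Completed"

class NavigatorModel:
    """Hypothetical model of the sync table; not RTF's implementation."""

    def __init__(self):
        self.findings = {}    # finding id -> [MITRE path, status]
        self.techniques = {}  # MITRE path -> status shown in the navigator

    def _has_completed(self, path):
        return any(p == path and s == COMPLETED for p, s in self.findings.values())

    def create(self, fid, path):
        # Row 1: a new In Progress finding marks the technique In Progress.
        # Assumption: a technique with a Completed finding stays Completed.
        self.findings[fid] = [path, IN_PROGRESS]
        if not self._has_completed(path):
            self.techniques[path] = IN_PROGRESS

    def complete(self, fid):
        # Row 2: completing a finding completes its technique.
        self.findings[fid][1] = COMPLETED
        self.techniques[self.findings[fid][0]] = COMPLETED

    def delete(self, fid):
        # Row 3: revert only when the last Completed finding for the path is removed.
        path, status = self.findings.pop(fid)
        if status == COMPLETED and not self._has_completed(path):
            self.techniques[path] = IN_PROGRESS

    def tactic_status(self, tactic):
        # Assumption: "all done" = every tracked technique under the tactic
        # (path[0] == tactic) is Completed.
        states = [s for p, s in self.techniques.items() if p[0] == tactic]
        return COMPLETED if states and all(s == COMPLETED for s in states) else IN_PROGRESS

def demo():
    # Constructed sample data: two findings on the same MITRE path.
    nav = NavigatorModel()
    scan = ("Reconnaissance", "Active Scanning", "Scanning IP Blocks")
    nav.create("F1", scan)
    nav.create("F2", scan)
    nav.complete("F1")
    nav.complete("F2")
    nav.delete("F1")                  # F2 is still Completed: no revert
    after_first = nav.techniques[scan]
    nav.delete("F2")                  # last Completed finding removed: revert
    return after_first, nav.techniques[scan], nav.tactic_status("Reconnaissance")
```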


Updating a Finding

To update an existing finding:

  1. Click on the finding from the list
  2. Edit any field — title, description, status, screenshot
  3. Changes save automatically, or you can click Update

Changing the status from In Progress to Completed will trigger the navigator sync.


Attaching Evidence (Screenshots)

Screenshots and images are a key part of every finding. To attach a screenshot:

  1. In the finding form, click the Attach Screenshot area
  2. Drag and drop an image, or click to browse
  3. Supported formats: PNG, JPG, JPEG, GIF, WEBP
  4. The file uploads to secure cloud storage and is permanently linked to the finding

Once attached, the screenshot appears inline when viewing the finding.

Info: Each finding supports one screenshot attachment. For multiple screenshots, add them to the Description field as URLs or create multiple findings.


Filtering and Searching Findings

Use the filters at the top of the Findings list to narrow down:

  • By status — show only In Progress or Completed findings
  • By tactic — filter to a specific MITRE tactic
  • By subprofile — show only findings from a specific subprofile
  • By search — keyword search across titles and descriptions

Deleting a Finding

Caution: Deleting a completed finding may revert the related technique's status in the navigator if that finding was the only completed finding for that technique path.

To delete a finding:

  1. Click on the finding
  2. Click Delete
  3. Confirm

Findings in Reports

Your findings list forms the basis of your engagement report. Each finding includes:

  • The technique it maps to (with ID and name)
  • The tactic category
  • Status
  • Full description
  • Screenshot evidence (if attached)
  • Timestamps

Tips for Good Findings

  • One finding per technique test — keep them focused
  • Always write a description — even "No vulnerability found, SMB signing enabled" is useful
  • Attach screenshots — evidence makes reports credible
  • Set status correctly — In Progress means you're still working, Completed means done
  • Use subprofiles when you have multiple target segments — it makes filtering much easier
