Bulk finding import
onboard a backlog without rebuilding it

Native Tenable Nessus exports preserve the plugin ID, plugin family, plugin output, severity, CVSS vector, CVE references, and host details. Drop the .nessus file onto the engagement and each plugin entry lands as a finding with the original tool data attached for the audit trail.

Burp Scanner XML exports carry issue type, severity, confidence, request and response, and the affected URL. Imports preserve the request and response payloads on the finding so the reproduction evidence is part of the record from the moment of import.

For prior pentest exports, legacy tracker dumps, vendor reports, and ad-hoc spreadsheets, CSV import accepts any column layout. Map the columns once with the column-mapping template, save the template by source, and the next file from the same source imports without a manual mapping pass.

Findings from the integrated code scanner (SAST via semgrep, SCA against vulnerable dependencies) land on the same engagement with file path, line number, package and version, and rule identifier preserved. The same dedup and calibration workflow applies whether the source was a DAST tool, a SAST tool, or a manual entry.

A new client lands with three prior pentest PDFs covering the last twelve months. Bulk import the structured exports onto a baseline engagement so the catalogue starts with a known history rather than a blank slate. Aging, severity, and remediation context carries forward.

A consulting team has been tracking findings in Excel for two years across thirty engagements. Export the master sheet to CSV, map the columns to the SecPortal schema once, and migrate the catalogue onto engagement records without rekeying a single finding.

A team running pentest findings as Jira issues exports the relevant projects to CSV through the Jira filter export. Map the Jira fields (summary, description, priority, custom CVSS field, status, labels) to the SecPortal schema once, and the historical findings land on engagement records with the Jira key preserved as a reference. See the SecPortal vs Jira comparison for the rest of the migration story.

A third-party vendor delivers a vulnerability assessment as a PDF and a CSV appendix. Import the CSV onto an intake engagement, deduplicate against the existing catalogue, and roll the unique entries into the live tracker so vendor work integrates with the in-house programme.

A CI pipeline produces a nightly SAST and SCA digest. Land the batch on a continuous-testing engagement, dedupe against the prior nights, and only the genuinely new findings enter the triage queue. The pipeline does not flood the queue with the same regression each run.

A team imports a 4,000-row CSV onto an engagement that already had 1,200 findings. With no dedup pass, the catalogue inflates to 5,200 and the same TLS finding appears under three different titles across the historical and the new data. The count is wrong and the prioritisation is impossible.

A CSV with columns labelled Risk, Description, and Asset is imported with no explicit mapping. The platform guesses Risk maps to severity, but the source file used a 1-5 scale rather than CVSS, so all findings land as Critical. The first review pass is rebuilding severity rather than triaging.

A backlog import marks every finding as Confirmed because that was the default state in the source spreadsheet. The team ships a report against an unvalidated catalogue, the client schedules remediation against findings that nobody has reproduced, and the relationship pays the cost.

A CSV is imported and discarded. Three months later an auditor asks where a particular finding came from and the team cannot point at the exhibit. The audit trail starts at the finding row rather than at the original file the row came from.

Imports inherit the source severity unchanged. A scanner Default scored every missing security header as High; a prior vendor used CVSS 2 instead of CVSS 3.1; an internal team rated based on internal sensitivity rather than environmental exposure. Without a calibration pass, the new catalogue inherits three mismatched severity vocabularies in one queue.

The same hostname, URL, parameter, and method across an existing finding and an import row is the strongest dedup signal. The import flags the row as a probable duplicate and the triager confirms with a single click rather than reviewing two separate records.

Two findings that share a CWE or CVE reference on the same asset are almost always the same root issue. CWE and CVE are durable across tool vocabularies, so they dedup correctly even when the scanner-supplied titles differ.

For Nessus, the plugin ID; for Burp Suite, the issue type ID; for SAST tools, the rule ID. When the same fingerprint appears against the same asset, the import treats the new row as an update rather than a new finding.

The fallback dedup signal when stronger keys are missing. A high-similarity match is flagged for human review rather than auto-merged so the import does not collapse genuinely distinct issues into one record.

Bulk import takes the output of vulnerability assessment, DevSecOps scanning, and prior pentest cycles, and feeds scanner result triage with a clean, deduplicated queue.

Imports often kick off during pentest client onboarding when a new client arrives with a backlog. Triaged findings flow into remediation tracking and retesting without a second migration step.

The catalogue starts on the right side of dedup, severity calibration is staged for every imported row, source files are preserved on the audit trail, and the queue is ready for triage on the same day the import lands. The next engagement reuses the template rather than rebuilding it.

Every imported finding carries the source filename, the source-tool fingerprint, the original severity, and the import timestamp. When an auditor asks where a finding came from, the answer is on the record rather than in a folder somewhere. The backlog is documented, not just consolidated.