NullSquare
concept | beginner | Reviewed May 18, 2026

Reporting and exports

The different reports NullSquare produces, what each one contains, and how to share them safely with stakeholders.

Reports are how an assessment becomes something you can share. NullSquare produces a few kinds: per-run reports that summarize one assessment, evidence files that back individual findings, activity summaries that capture what the agent did, and readiness reports for compliance work. Each one has a different audience and a different shelf life.

This page covers all of them — what each report contains, when to use it, and the basic etiquette for sharing the output internally.

What you will learn

  • Run reports. A single assessment as a written narrative.
  • Evidence files. The proof behind a finding, suitable for engineering handoff.
  • Activity summaries. What the agent did, for audit or replay.
  • Readiness reports. Compliance posture summary, with explicit limitation language.

Related app areas

/runs, /findings, /compliance

Run reports

When a run finishes, the Reports tab on the run detail page holds the stakeholder-ready writeup. It is a narrative version of the same information you can see in the findings, assets, and activity tabs — written for an audience that does not want to click through the platform.

  • Executive summary — what was tested, what was found, what to do next.
  • Scope and limitations — what was in bounds, what was excluded, what the agent could not reach.
  • Validated findings — issues with evidence, severity, and remediation guidance.
  • Evidence references — direct pointers to the proof behind each finding.
  • Remediation guidance — specific, actionable next steps.
  • Retest recommendations — what to verify after fixes ship.

Evidence files

Every finding carries its supporting evidence as files (HTTP exchanges, artifacts, code locations, timeline notes). These are the most useful things to share with engineering when a finding gets handed off — they reproduce the issue and remove ambiguity about what is being fixed.

  • Validate a finding before assigning remediation.
  • Share proof directly with the team that owns the affected asset.
  • Support compliance readiness when an evidence file is mapped to a control.
  • Compare original behavior with retest behavior after a fix.

Activity summaries

The Activity tab on a run captures what the agent did during execution — discovery summaries, request volumes, decision points. Use it when you want to audit a run, replay what happened, or understand why the agent took a specific path.

Readiness reports

Readiness reports are the compliance-specific output. They summarize the readiness matrix at a point in time, cite the evidence behind each control, list gaps, and recommend next steps. They always include the limitation language ("not certification, not auditor opinion") in the document itself.

Sharing internally

Reports are designed for internal sharing — engineering, leadership, compliance, security ops. They never include internal platform details (orchestration mechanics, prompt content, raw traces). If you need to share with an external party (a customer, an auditor, an acquirer), prefer the written reports over screenshots of the app, and review the report for any internal-only context (asset owner names, escalation contacts) before sending.

Reports are written for humans, not the audit auto-pass

Sending a run report to an auditor is fine — sending it as proof of certification is not. Readiness reports state this directly; per-run reports describe the technical work performed, not its regulatory consequence.

Export formats

Reports are available as PDF and HTML; evidence files are available in their original format. Each export is a snapshot — re-running an assessment produces a new report rather than mutating the old one, so historical exports stay stable.
