Skip to main content
The Findings API returns security issues that Trident has detected across all of its scan surfaces — red-team campaigns, the runtime firewall, SAST tools, cloud posture scanners, MCP safety audits, and agent self-reports. The response shape mirrors the Findings Inbox in the dashboard, making it straightforward to build custom alert pipelines, CI gates, or compliance exports.

GET /api/public/trident/findings

Fetch findings for your project with optional filters and a configurable look-back window. Endpoint: GET https://app.usetrident.dev/api/public/trident/findings Authentication: HTTP Basic — see Authentication

Query parameters

agentId
string
Return findings for a specific agent only. Omit to return findings across all agents in the project.
redteamRunId
string
Filter to findings produced by a specific red-team or campaign run. Useful in CI pipelines to retrieve findings from the run you just triggered without picking up stale findings from earlier scans against the same agent.
severity
string | string[]
One or more severity levels: LOW, MEDIUM, HIGH, CRITICAL. You can pass the parameter multiple times to include several levels — ?severity=HIGH&severity=CRITICAL.
status
string | string[]
One or more statuses: OPEN, ACKNOWLEDGED, IN_PROGRESS, RESOLVED, WONT_FIX, DUPLICATE. Repeatable like severity.
source
string | string[]
Filter by the scanner that produced the finding. Accepted values: REDTEAM, FIREWALL, CERT, INTENT, SBOM, NETWORK, SAST, MONITOR, CSPM, KSPM, IAC, SECRET, VULN, RUNTIME, MCP, SELF_REPORT.
sinceDays
number
default:"30"
Look-back window in days. Must be between 1 and 180. Findings older than this window are excluded.
limit
number
default:"50"
Maximum number of findings to return. Minimum 1, maximum 200.

Example request

curl
CREDENTIALS=$(echo -n "$TRIDENT_PROJECT_PUBLIC_KEY:$TRIDENT_PROJECT_SECRET_KEY" | base64)

# Critical and high findings from red-team runs in the last 7 days
curl "https://app.usetrident.dev/api/public/trident/findings\
?severity=CRITICAL\
&severity=HIGH\
&source=REDTEAM\
&sinceDays=7\
&limit=20" \
  -H "Authorization: Basic $CREDENTIALS" \
  -H "Accept: application/json"

Example response

{
  "count": 2,
  "findings": [
    {
      "id": "find_01HY8ZQXKB4T5V3NP2M7W0R1J",
      "agentId": "prod-rag-assistant",
      "severity": "CRITICAL",
      "source": "REDTEAM",
      "category": "prompt-injection:indirect",
      "status": "OPEN",
      "title": "Indirect prompt injection via retrieved document chunk",
      "traceId": "01HY8ZQ000000000000000ABC",
      "redteamRunId": "e3f7b2d1-9a0c-4b5e-8f1d-7c6a2e9b3d4f",
      "certificateId": null,
      "createdAt": "2025-06-10T14:22:07.000Z",
      "riskScore": 9.1,
      "owaspCode": "LLM01"
    },
    {
      "id": "find_01HY7YQXKB4T5V3NP2M7W0R2K",
      "agentId": "prod-rag-assistant",
      "severity": "HIGH",
      "source": "REDTEAM",
      "category": "data-exfiltration:pii",
      "status": "ACKNOWLEDGED",
      "title": "Agent can be instructed to repeat user PII in response",
      "traceId": null,
      "redteamRunId": "e3f7b2d1-9a0c-4b5e-8f1d-7c6a2e9b3d4f",
      "certificateId": null,
      "createdAt": "2025-06-10T13:58:44.000Z",
      "riskScore": 7.4,
      "owaspCode": "LLM06"
    }
  ]
}

Response fields

count
number
required
Number of findings returned in this response. Limited by the limit parameter.
findings
array
required
Array of finding objects, sorted by severity descending then creation date descending.
In CI/CD pipelines, combine redteamRunId (returned when you trigger a scan) with severity=CRITICAL to gate deployments on zero critical findings from the latest scan run.