Export findings as PDF, CSV, or NDJSON
Three formats, one keyboard shortcut. ⌘E opens the export sheet — pick your format, choose what to include, save. Use PDF for monthly reports, CSV for spreadsheet analysis, and NDJSON when you're piping into a SIEM.
PDF report
Multi-page document with a cover page, per-host detail sections, and a remediation summary. Suitable as the attachment on a monthly security review, a client deliverable, or evidence for an audit.
- Cover — fleet snapshot date, host count, finding totals by severity, top 5 critical findings.
- Per-host — host metadata, scan timestamp, full finding list grouped by category, severity, and remediation column.
- Compliance appendix (optional) — see compliance mapping.
Generated client-side via Apple's PDFKit; nothing leaves your Mac. Default page size: US Letter; toggle to A4 in Settings → Exports → PDF page size.
CSV (flat findings)
One finding per row. Designed for spreadsheet pivot-table analysis or as the input to a custom reporting pipeline. Columns:
scan_id,host_id,host_name,host_address,scanned_at,
finding_id,severity,category,title,detail,
package,cve_id,cvss_v3,kev,epss,
remediation,first_seen_at,last_seen_at
RFC 4180 compliant — fields with commas, newlines, or quotes are double-quoted; embedded quotes are doubled. Unicode is UTF-8 with a BOM prefix so Excel opens it without the user choosing an encoding.
NDJSON for SIEM ingest
JSON Lines — one JSON object per line, LF-delimited. Wazuh, Splunk, Elastic / OpenSearch, Loki, and most other log aggregators accept this format directly. Each line is a flat finding event; the schema:
{
  "timestamp": "2026-04-27T03:14:22Z",
  "host": {
    "id": "uuid",
    "name": "edge-nuc",
    "address": "10.0.1.42",
    "port": 22,
    "tags": ["homelab", "ubuntu-24.04"]
  },
  "finding": {
    "id": "uuid",
    "severity": "high",
    "category": "cve",
    "title": "CVE-2024-3094",
    "detail": "...",
    "cve_id": "CVE-2024-3094",
    "cvss_v3": 10.0,
    "kev": true,
    "epss": 0.94,
    "remediation": "apt-get install --only-upgrade xz-utils"
  },
  "tags": { "env": "prod", "region": "eu-west" }
}
Global tags (env, region, etc.) are user-configurable in Settings → Exports → SIEM tags. Every event gets the same tag map, which simplifies filtering downstream (e.g., a Splunk query like search noxen tags.env=prod severity=critical).
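A pre-ingest check for the NDJSON export described above, as an added example rather than the app's own code: it reports truncated or incomplete lines by line number and orders the remaining findings by the `kev`, `epss` and `cvss_v3` fields. The required-key list, the 0.5 EPSS floor, the function names and the sample lines are assumptions of this example.

```python
import json

# Keys come from the schema above; treating them as mandatory is an assumption.
REQUIRED = {"host": ("id", "name", "address"), "finding": ("id", "severity", "category", "title")}

def load_events(text):
    """Parse NDJSON text into (events, errors); errors are (line_no, reason)."""
    events, errors = [], []
    for line_no, line in enumerate(text.split("\n"), start=1):
        if not line.strip():
            continue  # the trailing LF leaves one empty string
        try:
            event = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append((line_no, "invalid JSON: " + exc.msg))
            continue
        obj = event if isinstance(event, dict) else {}  # non-objects fail below
        missing = [f"{sec}.{key}" for sec, keys in REQUIRED.items() for key in keys
                   if not isinstance(obj.get(sec), dict) or key not in obj[sec]]
        if missing:
            errors.append((line_no, "missing " + ", ".join(missing)))
        else:
            events.append(event)
    return events, errors

def triage(events, epss_floor=0.5):
    """Keep KEV-listed or EPSS >= floor; order by KEV, then EPSS, then CVSS."""
    def score(event):
        f = event["finding"]
        return (not f.get("kev"), -(f.get("epss") or 0.0), -(f.get("cvss_v3") or 0.0))
    return sorted((e for e in events if e["finding"].get("kev")
                   or (e["finding"].get("epss") or 0.0) >= epss_floor), key=score)

def _event(name, title, **extra):  # helper that builds constructed sample lines
    finding = {"id": "uuid", "severity": "high", "category": "cve", "title": title, **extra}
    return json.dumps({"timestamp": "2026-04-27T03:14:22Z", "finding": finding,
                       "host": {"id": "uuid", "name": name, "address": "10.0.1.42"}})

# Constructed sample export: line 3 is cut off mid-write, line 4 lacks "finding".
SAMPLE = "\n".join([
    _event("edge-nuc", "CVE-2024-3094", cvss_v3=10.0, kev=True, epss=0.94),
    _event("nas", "PLACEHOLDER-A", cvss_v3=5.3, kev=False, epss=0.02),
    '{"timestamp": "2026-04-27T03:14:22Z", "host": {"id": "uu',
    '{"host": {"id": "uuid", "name": "pi", "address": "10.0.1.7"}}',
    _event("pi", "PLACEHOLDER-B", epss=0.61),
]) + "\n"

if __name__ == "__main__":
    good, bad = load_events(SAMPLE)
    print([e["finding"]["title"] for e in triage(good)], bad)
```

Findings that carry no `kev`, `epss` or `cvss_v3` value are treated as unscored here and drop out of the triage list unless another field qualifies them.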
Scope picker
The export sheet asks "what do you want to export?" with three options:
- This host's latest scan — quickest, smallest export. Useful when you're focused on one box.
- All hosts, latest scan — fleet snapshot. The default for monthly reports.
- Date range — every scan between two dates, across every host. Useful for historical analysis or proving a finding was open for N days during an audit.
Where the file lands
Standard macOS save panel — pick anywhere you have write access. The default filename includes the scope and date:
noxen-edge-nuc-2026-04-27.pdf
noxen-fleet-2026-04-27.csv
noxen-fleet-2026-04-27.ndjson
Full keyboard flow: ⌘E → select format → ↵ to confirm scope → ↵ to confirm save panel. Three keystrokes from "I want a report" to "report saved".