DefectDojo is an open-ended product which can contribute to software security in many different ways. Here are two stories to help you understand DefectDojo's features in context.

Bill is a security engineer. He wants a place to keep track of what he's worked on, so that he can show his boss exactly what issues he reports, and statistics about how long it takes the engineering team to resolve them.

When he is asked to audit an application, Bill registers the Product he is testing in DefectDojo, and creates a new Engagement to track the audit. Here he sets some basic information, like how long he expects the Engagement will take, who will be leading the testing (himself), what Product he will be working on, and what Tests he will be doing.

Next, Bill can add a Test to the Engagement, or Upload a security tool scan to start picking out the real security vulnerabilities from the false positives. DefectDojo will automatically record the scan results as individual Findings: records of individual vulnerabilities which can be monitored and updated as Bill's team works to solve problems.

Within the Test section, Bill can add additional Findings for any issues that he has uncovered during his audit. He can assign a Severity level to the Findings, describe replication steps, mitigation strategies, and impact on the system. This will come in handy when he wants to create an Engagement Report to send to the development team, or to his manager.

Once Bill has completed his audit, he can close the Engagement to mark that he is ready to move on. He can then view the results of his Tests, and generate a report to send to the development team. Bill can also check his Findings against DefectDojo's historical data, automatically noting False Positives and Risk Acceptances recorded during previous Engagements.

Now that Bill has reported his Findings to the team, DefectDojo will help him keep everyone informed and accountable. If Bill hears back from the development team that they won't be able to fix an issue for a while, he can make a note of this on the related Finding page, and upload any related communication as Files for additional accountability. If the team decides that one of the vulnerabilities uncovered is obscure enough that they can correct it later, Bill can also note that by adding a Risk Acceptance to the related Finding. Bill will also receive Alerts for any bugs that persist longer than what his team has decided is acceptable.

Lisa is her team's QE manager. She supports multiple Product development teams. Lisa wants to keep tabs on what her team members are up to, and she wants to follow up on security problems that are taking longer than expected to fix.

Her team uses DefectDojo as the 'source of truth' for all of their work related to security bugs and vulnerabilities. Lisa creates her own DefectDojo account with Global Owner privileges so that she can view other team members' Metrics.

Lisa oversees a few different Product Teams, and she uses the Dashboard extensively to keep track of different categories of work. Using the Dashboard, Product Types and Filters Lisa can view aggregate metrics to track her team's activity and follow up with Product teams who have long-lived bugs. She can also use her filters to check up on Findings with associated Risk Acceptances, and ensure that the proper documentation or timeline has been provided for the Findings in question.

To get a better idea of what her team members are currently working on, she can start by checking the Calendar. Her team runs a batch of security tests at the end of every sprint, and records this batch in DefectDojo as an Engagement. The Calendar shows any active Engagements that her team is involved in, based on those Engagements' associated dates.

If she wants to check on a particular team member's progress, she can look at the Engineer Metrics for that user. DefectDojo has built-in aggregate dashboards which she can use to view the Findings and Engagements they've worked on over time.