docs: update expected counts in manual test documentation

Update CVE affected application counts to reflect current test data:
- CVE-2025-31651: 72 → 70 apps
- CVE-2025-41248: 22 → 21 apps
- CVE-2025-22233: 79 → 77 apps

Author: ChrisEdwards

manual-tests/list-applications-by-cve-manual-test.md

@@ -25,10 +25,10 @@ The organization has applications with various CVEs. Below are representative sa
 | CVE ID | Severity | Library | Affected Apps | Description |
 |--------|----------|---------|---------------|-------------|
 | CVE-2021-44228 | Critical | log4j-core | 20 | Log4Shell - remote code execution via JNDI |
-| CVE-2025-31651 | Critical | tomcat-embed-core | 72 | Apache Tomcat rewrite rule bypass |
-| CVE-2025-41248 | High | spring-security-core | 22 | Spring Security annotation bypass |
-| CVE-2025-22233 | Low | spring-context | 79 | Spring Framework disallowedFields bypass |
-| CVE-2025-48989 | High | tomcat-embed-core | 72 | Apache Tomcat reset attack |
+| CVE-2025-31651 | Critical | tomcat-embed-core | 70 | Apache Tomcat rewrite rule bypass |
+| CVE-2025-41248 | High | spring-security-core | 21 | Spring Security annotation bypass |
+| CVE-2025-22233 | Low | spring-context | 77 | Spring Framework disallowedFields bypass |
+| CVE-2025-48989 | High | tomcat-embed-core | 70 | Apache Tomcat reset attack |
 
 ### Sample Applications for Verification
 
@@ -71,7 +71,7 @@ use contrast mcp to find applications affected by CVE-2025-31651
 
 **Expected Result:**
 - `found: true`
-- ~72 affected applications
+- ~70 affected applications
 - Library: tomcat-embed-core (various versions 8.5.x, 9.0.x, 10.1.x, 11.0.x)
 - Applications include: WebGoat_service27, petclinic applications, buildpack applications
 - Description mentions "Apache Tomcat" and "rewrite rule"
@@ -88,7 +88,7 @@ use contrast mcp to find applications affected by CVE-2025-41248
 
 **Expected Result:**
 - `found: true`
-- ~22 affected applications
+- ~21 affected applications
 - Library: spring-security-core (versions 6.4.2, 6.4.4)
 - Description mentions "@PreAuthorize", "@EnableMethodSecurity", "authorization bypass"
 - Applications include: WebGoat_service27, webgoat-pavanr, Buildpack applications
@@ -105,7 +105,7 @@ use contrast mcp to find applications affected by CVE-2025-22233
 
 **Expected Result:**
 - `found: true`
-- ~79 affected applications (larger impact)
+- ~77 affected applications (larger impact)
 - Library: spring-context (many versions from 2.0.1 to 6.2.6)
 - Description mentions "disallowedFields" and "Spring Framework"
 - Applications include widespread WebGoat and petclinic applications
@@ -290,10 +290,10 @@ use contrast mcp to find applications affected by CVE-2025-31651 and show impact
 
 **Expected Result:**
 - `impactStats` object with:
-  - `impactedAppCount`: ~72
+  - `impactedAppCount`: ~70
   - `totalAppCount`: ~8010 (total apps in org)
-  - `impactedServerCount`: ~118
-  - `totalServerCount`: ~227
+  - `impactedServerCount`: ~116
+  - `totalServerCount`: ~224
   - `appPercentage`: ~0.9% of apps affected
   - `serverPercentage`: ~52% of servers affected
 
@@ -308,8 +308,8 @@ use contrast mcp to compare the impact of CVE-2025-31651 vs CVE-2025-41248
 ```
 
 **Expected Result:**
-- CVE-2025-31651 (Tomcat): ~72 apps, ~52% servers
-- CVE-2025-41248 (Spring Security): ~22 apps, ~15% servers
+- CVE-2025-31651 (Tomcat): ~70 apps, ~52% servers
+- CVE-2025-41248 (Spring Security): ~21 apps, ~15% servers
 - Different libraries have different adoption rates
 
 ---
@@ -588,9 +588,9 @@ use contrast mcp to find apps affected by CVE-2021-44228 and verify one app exis
 | Test # | Category | Purpose | Expected Behavior |
 |--------|----------|---------|-------------------|
 | 1 | Basic | Log4Shell lookup | Returns ~20 apps, log4j libraries |
-| 2 | Basic | Tomcat CVE lookup | Returns ~72 apps, tomcat libraries |
-| 3 | Basic | Spring Security CVE | Returns ~22 apps |
-| 4 | Basic | Low severity CVE | Returns ~79 apps |
+| 2 | Basic | Tomcat CVE lookup | Returns ~70 apps, tomcat libraries |
+| 3 | Basic | Spring Security CVE | Returns ~21 apps |
+| 4 | Basic | Low severity CVE | Returns ~77 apps |
 | 5 | Basic | Tomcat DOS CVE | Returns affected apps |
 | 6 | Format | Uppercase CVE | Success |
 | 7 | Format | Lowercase CVE | Success or validation error |

manual-tests/search-attacks-manual-test.md

@@ -28,7 +28,7 @@ search_attacks(quickFilter="ALL", pageSize=100)
 
 ### Step 2: Derive Expected Values Using Code
 
-**CRITICAL: Do NOT manually count values by visually inspecting the JSON response.**
+**CRITICAL--THIS IS EXTREMELY IMPORTANT!!!: Do NOT manually count values by visually inspecting the JSON response.**
 Manual counting is error-prone, especially for nested arrays like `rules`. You MUST use
 `jq` or equivalent code to compute all baseline metrics programmatically.
 
@@ -115,6 +115,53 @@ echo "$BASELINE" | jq 'reduce .items[] as $item ({}; .[$item.source] += [$item.a
 | `HIGH_PROBE_ATTACK` | `.items \| max_by(.probes) \| .attackId` |
 | `MULTI_APP_ATTACKS` | `[.items[] \| select((.applications \| length) > 1)] \| length` |
 
+### Complete Baseline Script
+
+Save the baseline JSON to a file, then run this script to compute all metrics at once:
+
+```bash
+#!/bin/bash
+# Usage: ./compute_baseline.sh baseline_attacks.json
+
+BASELINE=$(cat "${1:-baseline_attacks.json}")
+
+echo "=== STATUS COUNTS ==="
+echo "TOTAL_ATTACKS: $(echo "$BASELINE" | jq '.totalItems')"
+echo "EXPLOITED_COUNT: $(echo "$BASELINE" | jq '[.items[] | select(.status == "EXPLOITED")] | length')"
+echo "BLOCKED_COUNT: $(echo "$BASELINE" | jq '[.items[] | select(.status == "BLOCKED")] | length')"
+echo "PROBED_COUNT: $(echo "$BASELINE" | jq '[.items[] | select(.status == "PROBED")] | length')"
+echo "EFFECTIVE_COUNT: $(echo "$BASELINE" | jq '[.items[] | select(.status != "PROBED")] | length')"
+
+echo ""
+echo "=== RULE-BASED COUNTS ==="
+echo "SQL_INJECTION_COUNT: $(echo "$BASELINE" | jq '[.items[] | select(.rules[] | contains("SQL Injection"))] | unique_by(.attackId) | length')"
+echo "COMMAND_INJECTION_COUNT: $(echo "$BASELINE" | jq '[.items[] | select(.rules[] | contains("Command Injection"))] | unique_by(.attackId) | length')"
+echo "XXE_COUNT: $(echo "$BASELINE" | jq '[.items[] | select(.rules[] | contains("XML External Entity"))] | unique_by(.attackId) | length')"
+echo "LOG4SHELL_COUNT: $(echo "$BASELINE" | jq '[.items[] | select(.rules[] | contains("Log4"))] | unique_by(.attackId) | length')"
+echo "DESERIALIZATION_COUNT: $(echo "$BASELINE" | jq '[.items[] | select(.rules[] | contains("Deserialization"))] | unique_by(.attackId) | length')"
+echo "PATH_TRAVERSAL_COUNT: $(echo "$BASELINE" | jq '[.items[] | select(.rules[] | contains("Path Traversal"))] | unique_by(.attackId) | length')"
+echo "XSS_COUNT: $(echo "$BASELINE" | jq '[.items[] | select(.rules[] | contains("Cross-Site Scripting"))] | unique_by(.attackId) | length')"
+
+echo ""
+echo "=== TEMPORAL AND AGGREGATE METRICS ==="
+echo "OLDEST_ATTACK: $(echo "$BASELINE" | jq '.items | min_by(.startTimeMs) | {attackId, startTime, source}')"
+echo "NEWEST_ATTACK: $(echo "$BASELINE" | jq '.items | max_by(.startTimeMs) | {attackId, startTime, source}')"
+echo "HIGH_PROBE_ATTACK: $(echo "$BASELINE" | jq '.items | max_by(.probes) | {attackId, probes, source}')"
+echo "MULTI_APP_ATTACKS: $(echo "$BASELINE" | jq '[.items[] | select((.applications | length) > 1)] | length')"
+
+echo ""
+echo "=== UNIQUE SOURCE IPS ==="
+echo "$BASELINE" | jq 'reduce .items[] as $item ({}; .[$item.source] += [$item.attackId])'
+
+echo ""
+echo "=== ATTACKS WITH 1 PROBE ==="
+echo "$BASELINE" | jq '[.items[] | select(.probes == 1)] | .[] | {attackId, source, probes}'
+
+echo ""
+echo "=== ATTACK WITH MOST RULES ==="
+echo "$BASELINE" | jq '.items | max_by(.rules | length) | {attackId, source, rules_count: (.rules | length), rules}'
+```
+
 ### Step 3: Execute Tests
 
 Use the derived values as expected results for all tests below. Tests reference these values using `{METRIC_NAME}` notation.