
SecPortal vs Bishop Fox
operator-led offensive service vs delivery workspace

Bishop Fox is one of the most recognised names in offensive security services, organised around an operator-led delivery model: Bishop Fox employs the testers, runs the engagement, and ships the findings through Cosmos, the proprietary platform that hosts Continuous Attack Surface Testing (CAST), application pentest, red team, and cloud security assessment work. The buyer assumption is that the offensive testing capacity, the operators, the methodology, and the deliverable all come from Bishop Fox and that the customer consumes the output. SecPortal is a different shape: scanning, manual finding entry, AI report generation, branded client portal, retesting, and the engagement record live inside one workspace that your team or your firm operates. This page is the side-by-side for buyers comparing an operator-led offensive service plus its proprietary delivery platform to a delivery workspace that your team scans, reports, and ships from on its own.

No credit card required. Free plan available forever.

Feature | SecPortal | Bishop Fox
------- | --------- | ----------
Primary use case | Security delivery workspace with scanning, findings, AI reports, branded client portal, and engagement record on one tenant your team operates | Operator-led offensive security service with Bishop Fox testers running Continuous Attack Surface Testing, application pentest, red team, and cloud security work; deliverables reach the customer through the Cosmos platform
Who runs the test | Your team, your consultancy, or your firm runs the work inside the workspace | Bishop Fox operators run the work and the customer consumes the output
Engagement model with scope, ROE, and deliverables | Yes | Bishop Fox-staffed engagements with scoping, rules of engagement, and final deliverables delivered through Cosmos
Client model with onboarding, contacts, and access control | Yes | Customer-facing access to the Cosmos console for engagement intake, finding review, and remediation tracking
Branded white-label client portal on your tenant subdomain | Yes | No; Cosmos runs at a Bishop Fox-controlled domain under the Bishop Fox brand
You bring your own testers (consultancy bench, MSSP team, or in-house security function) | Yes | No; Bishop Fox operators run the work
Built-in external vulnerability scanning (16 modules: SSL, headers, DNS, ports, subdomains, technology fingerprinting, CVE correlation) | Yes | External attack surface discovery and continuous reconnaissance is core to Cosmos and runs under Bishop Fox operators rather than as a self-serve scanner stack the customer drives
Authenticated web application scanning (DAST, 17 modules) | Yes | Authenticated application testing is delivered as Bishop Fox-led application pentest work rather than a customer-driven DAST stack
Code scanning (SAST and SCA via Semgrep) | Yes | SAST and SCA may be in scope on Bishop Fox application pentest or secure code review engagements rather than a customer-driven repository scanner stack
Subdomain enumeration and external attack surface discovery | Yes | Continuous attack surface discovery is the core mechanic of Cosmos and runs under Bishop Fox operators
Operator-led Continuous Attack Surface Testing (CAST) with named human testers driving discovery, validation, and exploitation | No | Yes
Bishop Fox-led red team engagements with adversary emulation, social engineering, and physical scope | No | Yes
Manual finding entry with full editor | Yes | Findings originate from Bishop Fox operators inside Cosmos rather than from operator-authored manual entry on the customer side
AI-powered narrative report generation (executive, technical, remediation) | Yes | Bishop Fox-authored deliverables and Cosmos console views rather than customer-side AI-drafted narratives from a live findings record
300+ finding templates with remediation guidance | Yes | Bishop Fox-authored finding writeups under the operator brand rather than a customer-curated template library
CVSS 3.1 vector parsing and auto-scoring | Yes | CVSS on Bishop Fox-authored findings inside Cosmos
Scanner result import (Nessus, Burp Suite, CSV) | Yes | Customer-side scanner ingestion is not the primary intake path; Cosmos findings originate from Bishop Fox operators
Encrypted credential vault for authenticated scans (AES-256-GCM) | Yes | Authentication is handled by Bishop Fox during engagements rather than configured by the customer through a stored credential vault
Retest workflow paired to original finding | Yes | Bishop Fox-led retest cycles against original findings inside Cosmos
Exception register with eight-field decision chain (named approver, scope, rationale, hard expiry, compensating control, refresh trigger, effective period, framework reference) | Yes | Exception and risk acceptance state lives on the customer side of Cosmos rather than as a structured decision-chain register the customer operates
Continuous scheduled scanning cadence (daily, weekly, biweekly, monthly) operated by the customer | Yes | Continuous testing is operator-driven on Bishop Fox time rather than a workspace schedule the customer configures
Scan-to-scan diff and change-event generation across scheduled runs | Yes | Attack surface change views derived from Bishop Fox continuous discovery and operator analysis
Compliance framework templates | 21 frameworks including OWASP, ISO 27001, SOC 2, PCI DSS, NIST 800-53, NIST 800-171, FedRAMP, MITRE ATT&CK, DORA, NIS2, CIS Controls, Essential Eight, PTES, HIPAA, GDPR, Cyber Essentials | Bishop Fox deliverables can reference the framework relevant to the engagement (PCI DSS, SOC 2, HIPAA, NIST) and the deliverable is mapped accordingly by the operator team
Bulk finding import from existing scanner output (Nessus, Burp Suite, CSV) | Yes | Customer-side bulk import is not the primary path; the Cosmos findings record is populated by Bishop Fox operators
Integrated invoicing and Stripe Connect payments for engagements | Yes | 
Activity audit trail with CSV export | Yes | Audit logs inside the customer-facing Cosmos console
MFA enforcement on every workspace | Yes | SSO and IdP-driven controls inside the customer Cosmos tenant
Free plan available | Yes | Sales-led commercial engagement pricing; no published free tier
Pricing model | Free, Pro, Team | Sales-led engagement pricing; CAST is priced on the size of the attack surface in scope and the operator-hours profile; application pentest, red team, and cloud security work are priced per engagement under master services agreement
Setup time | 2 minutes | Named account onboarding, scoping cycle with Bishop Fox account team, master services agreement and statement of work execution, and operator scheduling before the first engagement window opens
Best fit for | Internal security teams, AppSec teams, vulnerability management teams, product security teams, security engineering teams, pentest firms, MSSPs, and consultancies that want scanning, findings, AI reports, branded portal, and the engagement record on one workspace the team operates | Enterprises that want a named offensive security service provider to run continuous attack surface testing, application pentest, red team, or cloud security work under Bishop Fox operators with the deliverable shipped through the Cosmos console, often as a strategic vendor relationship under master services agreement

SecPortal vs Bishop Fox: operator-led offensive service vs delivery workspace

Bishop Fox is one of the most recognised names in offensive security services, sitting alongside Mandiant, NetSPI, NCC Group, Trustwave SpiderLabs, IOActive, Praetorian, Coalfire, TrustedSec, and Optiv. The firm is organised around three things: a bench of full-time Bishop Fox operators who run the testing, a methodology library that includes Continuous Attack Surface Testing (CAST), application pentest, red team, and cloud security assessment shapes, and the Cosmos platform that hosts customer-facing engagement intake, discovery, finding review, retest, and remediation tracking under the operator brand. The buyer assumption is that the offensive testing capacity, the operators, the methodology, and the deliverable all come from Bishop Fox and that the customer consumes the output through Cosmos. Bishop Fox is a long-running services-led brand that buyers most often evaluate as a strategic vendor on a master services agreement rather than as a self-serve platform.

SecPortal is a different category. SecPortal is a security delivery workspace that carries the engagement, the findings, the scanning, the AI report, the branded client portal, and the invoice all on one tenant your team operates. The buyer is an internal AppSec team, a vulnerability management team, a product security team, a security engineering team, a penetration testing firm, an MSSP, or a consultancy that ships work to clients or business stakeholders. If you are comparing an operator-led offensive service plus its proprietary delivery console to a delivery workspace that scans, reports, and delivers on its own, this page is the side-by-side. The adjacent comparisons buyers in this category often evaluate alongside Bishop Fox are SecPortal vs Cobalt for the Pen Testing as a Service marketplace alternative, SecPortal vs Synack for the vetted-researcher marketplace with the LaunchPoint VPN tunnel, and SecPortal vs HackerOne for the largest crowdsourced security marketplace.

Where Bishop Fox stops for internal delivery and findings work

These are not Bishop Fox-specific criticisms; they are properties of an operator-led offensive security service plus a proprietary delivery console when you compare them to running scoped engagements or an in-house findings programme on a single workspace the team operates.

Built as an operator-led offensive service with Cosmos as the delivery console

Bishop Fox operates as an offensive security services firm organised around three things: a bench of full-time Bishop Fox operators who run the testing, a methodology library that includes Continuous Attack Surface Testing (CAST), application pentest, red team, and cloud security assessment shapes, and the Cosmos platform that hosts customer-facing engagement intake, discovery, finding review, retest, and remediation tracking under the operator brand. The buyer assumption is that the testing capacity, the operators, the methodology, and the deliverable all come from Bishop Fox and that the customer consumes the output through Cosmos. SecPortal is the opposite shape: a workspace that holds the engagement record, the manual and scanner findings, the AI report, the branded portal, and the retest cycle inside one tenant for the team or the firm that runs and delivers the work.

Customer-side scanning is not the workspace mechanic

Bishop Fox runs external attack surface discovery, authenticated application testing, and offensive operations on its own infrastructure under operator control. Customers do not configure a 16-module external scanner, a 17-module authenticated DAST stack, or SAST and SCA against connected repositories as a self-serve workspace mechanic; the discovery and validation work runs as part of the engagement under Bishop Fox testers. SecPortal puts external scanning, authenticated DAST, and code scanning on the same workspace as findings, AI reports, branded delivery, and retest so the team that operates the workspace drives the cadence rather than waiting on an operator schedule.

Engagements are scoped to Bishop Fox operators on Bishop Fox time

Outside the operator-led engagement model, there is no first-class concept inside Cosmos of an in-house pentest, an AppSec code review, a VDP intake, a third-party report ingestion, or an internal vulnerability management programme that an internal team or a consultancy runs on its own with its own bench. The engagement starts when the Bishop Fox account team scopes it, lands when operators are scheduled, and closes when Bishop Fox ships the deliverable. SecPortal carries scoped engagements end to end on customer time: scope, ROE, scanner runs, manual findings, retests, AI reports, branded portal handoff, and invoice all live on the workspace the team operates.

AI-drafted executive, technical, and remediation deliverables are not the platform output

Cosmos hosts engagement intake, discovery, finding records, retest tracking, and remediation views authored by Bishop Fox operators. The deliverable is operator-authored, not drafted from a live findings record by a model on the customer side. SecPortal uses Claude to draft executive summaries, technical writeups, and remediation roadmaps from the live findings record on the workspace, with the named owner reviewing before release. The deliverable goes out without separate operator writeup time.

No branded white-label client portal on a customer subdomain

Cosmos lives at a Bishop Fox-controlled domain under the Bishop Fox brand. There is no white-label client workspace a consultancy, an MSSP, or an internal security team can hand to an external client, a stakeholder business unit, or an auditor on its own tenant subdomain, where the recipient logs in under the customer brand to review findings, track remediation, download reports, and communicate with the team. SecPortal serves a branded client portal on the tenant subdomain so every finding, retest, remediation thread, and report download lives under your name.

Sales-led engagement pricing tied to operator hours, scope, and master services agreement

Bishop Fox engagements are sales-led and priced by engagement shape (CAST attack surface size and operator-hours profile; application pentest scope and depth; red team scope, duration, and rules of engagement; cloud security assessment scope), under master services agreement, with a scoping cycle, statement of work execution, and operator scheduling before the first engagement window opens. There is no published self-service free plan that an internal security team or a consultancy can stand up on day one without a procurement cycle. SecPortal pricing is published on the website with a free plan, monthly Pro and Team tiers, and no annual contract floor for the Pro and Team tiers.

How operator-led services, marketplaces, and delivery workspaces stack

Operator-led offensive security services, crowdsourced platforms, and delivery workspaces solve different problems. The honest framing below shows how each category stacks and when buyers run more than one.

Operator-led offensive services run the work for the customer and ship the deliverable under the operator brand

Bishop Fox and the adjacent operator-led offensive security firms (Mandiant, NetSPI, NCC Group, Trustwave SpiderLabs, IOActive, Praetorian, Coalfire, TrustedSec, Optiv) start from the assumption that the customer wants a named offensive security service provider to bring the testing capacity, the operators, the methodology, and the deliverable. The vendor differentiates through its operator bench, its testing methodology, its delivery platform, and its strategic account coverage. Bishop Fox specifically differentiates through Continuous Attack Surface Testing as a continuously running operator-led discovery and validation programme, through Cosmos as the customer-facing console where the operator output lands, and through application pentest, red team, and cloud security assessment shapes that run under the same operator brand.

PTaaS marketplaces and crowdsourced platforms broker external researcher capacity above an internal stack

PTaaS marketplaces (Cobalt, Synack, Bugcrowd, HackerOne, Intigriti, YesWeHack) start from a different assumption: the customer already has an internal vulnerability management workflow and the marginal value comes from adding curated external researcher capacity through a platform-mediated marketplace. The marketplace brokers researcher discovery, programme launch, submission intake, triage signal, payout settlement, and disclosure timing. The work lands in a programme console rather than a scoped engagement under an operator brand. This is a third category that is structurally distinct from both Bishop Fox-style operator services and from a customer-operated delivery workspace.

A delivery workspace owns the finding record from scan to closure inside one tenant the team operates

SecPortal does not assume that an operator-led service or a researcher marketplace is the right shape for the work the operator does day to day. The workspace runs its own external, authenticated, and code scanning, holds the finding record, supports manual entry from a tester or reviewer, calibrates severity through CVSS 3.1 with environmental adjustment, pairs every retest to the original finding, and ships the deliverable through a branded portal on a tenant subdomain. The same record holds for a scoped pentest, a continuous vulnerability assessment, an AppSec code review, an attack surface programme run in-house, a VDP intake, a third-party pentest report ingestion, or a cloud security assessment.

The right answer often involves both, with each platform doing the job it was built for

A large enterprise that wants a named offensive security service provider with an operator-led Continuous Attack Surface Testing programme or a Bishop Fox-led red team engagement keeps Bishop Fox (or Mandiant, NetSPI, NCC Group) for the operator bench, the methodology, and the strategic vendor relationship, and uses SecPortal as the internal findings workspace where accepted Bishop Fox deliverables become first-class records alongside scanner findings, manual pentest findings, AppSec review findings, third-party pentest reports, and retest evidence. The two are adjacent rather than substitutes when the question is operator-led service capacity versus internal findings discipline.

Who each platform is the right fit for

Bishop Fox and SecPortal solve different problems for different buyers. The right answer depends on whether you need a named offensive security service provider with operator capacity or whether you need an internal workspace that holds scanning, findings, reports, and delivery on the team you already have.

Bishop Fox fits buyers who want a named operator-led offensive security service provider

If you are a large enterprise, a regulated financial services organisation, a healthcare organisation, or a public sector buyer that wants a named offensive security service provider to bring the testers, the methodology, the continuous attack surface coverage, the application pentest, the red team capability, and the cloud security assessment work under a strategic vendor relationship with master services agreement coverage, and the bottleneck is operator capacity, methodology depth, and strategic vendor governance rather than internal findings workflow, Bishop Fox was built for that operator-led shape. The buyer is the security programme owner who wants external offensive expertise on a continuous and engagement basis.

SecPortal fits teams that need an internal findings, scanning, and delivery workspace on one tenant

If you are an internal security team, an AppSec team, a vulnerability management team, a product security team, a security engineering team, a penetration testing firm, an MSSP, or a consultancy that needs the scanner, the finding record, the AI report, the branded portal, and the engagement deliverable on one workspace your team operates, SecPortal carries that lifecycle without an operator-led service contract. Findings can come from SecPortal native scanning, from manual entry, from imported Nessus or Burp output, or from accepted Bishop Fox, Mandiant, NetSPI, NCC Group, or boutique consultancy deliverables ingested as third-party pentest reports onto the internal record.

SecPortal also fits firms that deliver findings under their own brand and want to keep the client relationship

If you are a penetration testing firm, an MSSP, a vCISO, or a consultancy that ships work to external clients and every finding, retest, remediation thread, and report download has to live under your firm brand rather than under a service provider console, SecPortal is the workspace that holds that record. The branded client portal on the tenant subdomain is where the deliverable lands; the engagement record, the AI report, and the activity audit trail give the auditor and the stakeholder a defensible chain of custody under your name.

Transparent pricing, no procurement cycle

SecPortal pricing is published on the website and self-service from sign-up. There is no master services agreement to negotiate, no per-operator-hour floor, no annual contract minimum, and no enterprise sales call required before you can run a real engagement on the workspace.

SecPortal Free

Free forever

1 user, 3 clients, 2 engagements per client, 3 AI credits, 6 core scan modules.

SecPortal Pro

From $149/month

All scan modules, 100 clients, 25 AI credits/month, branded client portal, invoicing, compliance tracking.

SecPortal Team

From $299/month

Up to 5 users, 75 AI credits/month, team management, activity audit trail with CSV export, MFA enforcement.

Why teams pick SecPortal over Bishop Fox for the internal findings record

  • Run scoped pentests, AppSec reviews, attack surface assessments, and cloud security work with a kickoff, deliverables, retests, and a final invoice on one record instead of routing every engagement through an operator-led service contract under master services agreement
  • Scan internally with 16 external modules, 17 authenticated modules, and SAST plus SCA code scanning rather than waiting on a Bishop Fox operator schedule for every signal
  • Generate executive, technical, and remediation deliverables with Claude from the live findings record so the report ships without separate writeup time
  • Deliver findings through a branded client portal on your tenant subdomain instead of through a vendor delivery console under the operator brand
  • Pair every retest to the original finding so the closure record holds up under audit and inside the internal vulnerability lifecycle
  • Document CVSS 3.1, EPSS, KEV, asset tier, and exposure on the engagement record so prioritisation is defensible to a board, an auditor, or an application owner
  • Run the exception register with a named approver, scope, rationale, hard expiry, compensating control, refresh trigger, effective period, and framework reference for every accepted risk
  • Map findings across 21 framework templates including OWASP, ISO 27001, SOC 2, PCI DSS, NIST 800-53, NIST 800-171, FedRAMP, MITRE ATT&CK, DORA, NIS2, CIS Controls, and Essential Eight
  • Store privileged scan credentials encrypted at rest with AES-256-GCM and rotate them through the in-product credential vault scoped to a verified domain
  • Invoice clients or business units directly from the engagement record through Stripe Connect with the same branded portal handling self-service payment
  • Run alongside a Bishop Fox Continuous Attack Surface Testing engagement or instead of it; ingest Bishop Fox deliverables as third-party pentest reports onto the internal finding record
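To make the exception register's eight-field decision chain concrete, the following is an added example (written for this page, not SecPortal's code; the field names, the date handling, and the sample register are assumptions modelled on the fields listed above) that refuses an accepted-risk entry missing any link in the chain, checks that the hard expiry stays inside the effective period, and flags entries that are due for a fresh decision rather than a silent rollover.

```python
"""Exception register check: every accepted risk carries the full decision chain.

Added example for this page, not SecPortal's code. Field names are assumed
from the eight fields the page lists; the sample register is constructed.
"""
from datetime import date, timedelta

# The eight fields every accepted-risk entry must carry (names are assumptions).
DECISION_CHAIN = (
    "named_approver", "scope", "rationale", "hard_expiry",
    "compensating_control", "refresh_trigger", "effective_period", "framework_reference",
)


def validate_exception(entry: dict, today: date) -> list:
    """Return the problems with one entry; an empty list means it is acceptable."""
    problems = [f"missing {f}" for f in DECISION_CHAIN if not entry.get(f)]
    if problems:
        return problems  # date checks are meaningless until the chain is complete
    expiry = date.fromisoformat(entry["hard_expiry"])
    start, end = (date.fromisoformat(d) for d in entry["effective_period"])
    if start > end:
        problems.append("effective_period starts after it ends")
    if expiry > end:
        problems.append("hard_expiry falls after the effective period ends")
    if expiry < today:
        problems.append("exception has passed its hard expiry")
    return problems


def needs_refresh(entry: dict, today: date, warn_days: int = 30) -> bool:
    """True when the hard expiry is within warn_days: re-decide, do not roll over."""
    return date.fromisoformat(entry["hard_expiry"]) - today <= timedelta(days=warn_days)


def review_register(register: list, today_iso: str) -> dict:
    """Summarise a register as of today_iso: invalid entries and entries due for refresh."""
    today = date.fromisoformat(today_iso)
    invalid, due = {}, []
    for entry in register:
        problems = validate_exception(entry, today)
        if problems:
            invalid[entry["id"]] = problems
        elif needs_refresh(entry, today):
            due.append(entry["id"])
    return {"invalid": invalid, "due_for_refresh": due}


# Constructed sample register (not real findings or approvers).
SAMPLE_REGISTER = [
    {"id": "EXC-1", "named_approver": "Head of AppSec", "scope": "legacy-api, finding F-12",
     "rationale": "Endpoint retires in Q3; reachable only from the internal network",
     "hard_expiry": "2025-09-30", "compensating_control": "WAF rule blocks the affected path",
     "refresh_trigger": "any change to legacy-api exposure",
     "effective_period": ("2025-04-01", "2025-09-30"), "framework_reference": "ISO 27001 A.5.7"},
    {"id": "EXC-2", "named_approver": "", "scope": "billing-web, finding F-40",
     "rationale": "Low impact", "hard_expiry": "2025-12-31", "compensating_control": "none",
     "refresh_trigger": "quarterly review",
     "effective_period": ("2025-01-01", "2025-12-31"), "framework_reference": "PCI DSS 6.3.3"},
    {"id": "EXC-3", "named_approver": "CISO", "scope": "intranet host, finding F-7",
     "rationale": "Vendor patch pending", "hard_expiry": "2026-03-31",
     "compensating_control": "Host isolated to the management VLAN",
     "refresh_trigger": "vendor patch release",
     "effective_period": ("2025-06-01", "2025-12-31"), "framework_reference": "NIST 800-53 RA-7"},
]

if __name__ == "__main__":
    print(review_register(SAMPLE_REGISTER, "2025-09-10"))
```

Run as of 2025-09-10, EXC-2 is rejected because nobody is named as approver, EXC-3 is rejected because its hard expiry outlives the period it was approved for, and EXC-1 is valid but inside its 30-day refresh window, so it shows up as due for a new decision instead of quietly continuing.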

Honest scope notes for the comparison

A delivery workspace is structurally different from an operator-led offensive security service. SecPortal does not run a Bishop Fox-equivalent operator bench, does not staff Continuous Attack Surface Testing through full-time testers, does not run adversary emulation red team engagements with social engineering or physical scope under SecPortal operators, and does not provide a managed methodology library the way an offensive services firm does. SecPortal also does not push findings to Jira, ServiceNow, Slack, SIEM, SOAR, or GRC platforms through native integrations; does not run automated approval routing for risk acceptance; and does not advertise enterprise SSO, SCIM, or SAML provisioning out of the box. The honest framing is that SecPortal is the workspace your team operates and Bishop Fox is the service your firm engages, and the two can sit side by side when an enterprise wants both a named offensive security service provider and an internal findings workspace under its own brand.

Related reading

If you are evaluating how to run an in-house offensive security programme, how to bring Bishop Fox or another services-led firm output into an internal record, or how to compare adjacent platforms that come up in the same evaluation cycle, the pages below cover the workflows, capabilities, and comparisons buyers in this category most often encounter.

  • Third-party pentest report intake for the workflow that receives accepted Bishop Fox, Mandiant, NetSPI, or NCC Group deliverables onto the internal findings record without losing chain of custody.
  • Continuous penetration testing for the always-on programme that runs scheduled scans, manual review windows, and live findings on the workspace rather than waiting on an operator-led cycle.
  • Continuous Threat Exposure Management (CTEM) cycle for the five-phase scoping, discovery, prioritisation, validation, and mobilisation workflow that holds the customer-side discipline next to an operator-led continuous testing engagement.
  • Remediation tracking from open finding to verified close on the engagement record and in the branded client portal.
  • Vulnerability acceptance and exception management for the eight-field decision chain that documents every accepted risk against an operator-led finding or an internal scanner finding under the same workspace discipline.
  • Security leadership reporting for the cadence that turns engagement output, scanner findings, and exception register state into a defensible board-level narrative.
  • Findings management with CVSS 3.1 vector parsing, severity calibration, owner-of-record, and a 300+ finding template library.
  • External scanning with 16 modules covering SSL, headers, ports, subdomains, technology fingerprinting, and CVE correlation for the perimeter signal a services-led model runs under operator control.
  • Authenticated scanning with 17 modules and an encrypted credential vault scoped to a verified domain so customer-side authenticated testing runs on a schedule the team controls.
  • Code scanning (SAST and SCA via Semgrep) for static and dependency analysis on connected repositories alongside the rest of the engagement record.
  • AI reports for executive, technical, and remediation deliverables drafted by Claude from the live findings record and reviewed by the named owner.
  • Branded client portal on your tenant subdomain so every finding, retest, and report download lives under your firm or your team brand rather than a vendor console.
  • Retesting workflows paired to the original finding so the closure record holds up under audit and inside the internal vulnerability lifecycle.
  • SecPortal vs Cobalt for the Pen Testing as a Service marketplace alternative that buyers weighing Bishop Fox against PTaaS-style options often evaluate.
  • SecPortal vs Synack for the vetted-researcher marketplace with the Synack Red Team, LaunchPoint VPN tunnel, and FedRAMP-authorised testing surface that buyers often evaluate alongside Bishop Fox in regulated and federal environments.
  • SecPortal vs HackerOne for the largest crowdsourced security marketplace that comes up when buyers weigh operator-led capacity against curated public-researcher capacity.
  • SecPortal vs Bugcrowd for the managed-triage bug bounty alternative that often sits in the same enterprise offensive evaluation alongside Bishop Fox.
  • SecPortal for internal security teams for the enterprise security operations audience overview.
  • SecPortal for product security teams for the cross-cutting application and product security operating model overview.
  • SecPortal for pentest firms for the consultancy delivery audience overview that pairs an internal workspace with operator-led service capacity from firms such as Bishop Fox.

When the work is the workspace your team operates rather than an operator-led offensive service plus its proprietary delivery console

Run scoped pentest, AppSec, vulnerability management, attack surface, and cloud security work, generate AI reports, and ship findings through a branded portal on one workspace. Built-in external scanning, authenticated DAST, SAST, and SCA live on the same engagement record alongside manual finding entry, the exception register, the retest workflow, and the activity audit trail. Pair alongside a Bishop Fox Continuous Attack Surface Testing engagement when operator-led continuous offensive testing sits next to a customer-operated delivery workspace for application owners, business stakeholders, or external clients. Start free.