SecPortal vs StackHawk
developer-first CI pipeline DAST vs security testing workspace
StackHawk is a developer-first automated DAST platform that runs HawkScan (its dynamic scanner) inside CI pipelines such as GitHub Actions, GitLab, Jenkins, CircleCI, BitBucket Pipelines, and Azure DevOps. The scan is driven by an OpenAPI, Postman, GraphQL, or HAR specification so each REST, GraphQL, SOAP, or gRPC endpoint enumerated by the spec gets tested on every pipeline run. The buyer is an AppSec leader, a product security leader, or an engineering leader at a team with a real CI pipeline who wants every pull request and every release branch to ship DAST findings back to the developer that opened the change. SecPortal is a different shape: scoped engagements, manual finding entry, AI report generation, branded client portal, native external scanning across 16 modules, authenticated DAST across 17 modules behind stored credentials, and SAST plus dependency analysis through Semgrep on connected GitHub, GitLab, or Bitbucket repositories all live inside one workspace. This page is the side-by-side for buyers comparing a developer-first CI-pipeline-native DAST product to a security testing workspace that scans, records, reports, and delivers findings on its own.
No credit card required. Free plan available forever.
| Feature | SecPortal | StackHawk |
|---|---|---|
| Primary use case | Security testing and remediation workspace with scanning, findings, AI reports, and branded portal on one tenant | Developer-first automated API and web DAST inside CI pipelines, driven by an OpenAPI, Postman, GraphQL, or HAR specification, with results routed back to the developer that opened the pull request |
| Engagement model with scope, ROE, and deliverables | Application identity, pipeline run, and pull-request comment model rather than scoped engagement with a deliverable | |
| Client model with onboarding, contacts, and access control | Internal application owner, engineering team, and CI pipeline operator model | |
| Branded white-label client portal on your subdomain | ||
| Automated API DAST driven by OpenAPI, Postman, GraphQL, or HAR specification | StackHawk HawkScan as the canonical lane, with spec ingest determining the test surface | |
| Spec-driven API endpoint enumeration | OpenAPI, Postman, GraphQL introspection, or HAR spec parses the endpoint list before each run | |
| CI pipeline-native scanner (GitHub Actions, GitLab, Jenkins, CircleCI, BitBucket Pipelines, Azure DevOps) | HawkScan runs as a containerised binary inside the pipeline job and publishes the result back to the StackHawk platform | |
| Local developer scanner CLI | HawkScan runs locally through Docker so developers can reproduce a finding against their branch before merging | |
| Pull-request comment integration | StackHawk publishes scan results into the pull request as a comment with new findings, fixed findings, and unchanged findings broken out | |
| Fail-the-build gating on new findings | Configurable per severity band so the pipeline job exits non-zero when a new finding above threshold is found | |
| DAST scanning against running applications | 17-module authenticated web scanner behind stored credentials on verified domains | HawkScan covers REST, GraphQL, SOAP, gRPC, and traditional web applications under spec-driven enumeration |
| Authenticated DAST | Cookie, bearer, basic, or form-based authentication stored in the encrypted credential vault | Scripted authentication captured through HawkScan plus token providers and external authentication scripts |
| Crawler-driven web DAST without an API spec | Authenticated web crawler on verified domains | Limited; the model is spec-driven first and crawler-driven as a fallback |
| External vulnerability scanning (16 modules: SSL, headers, DNS, ports, subdomains, technology fingerprinting, CVE correlation) | ||
| Subdomain enumeration and external attack surface discovery | ||
| SAST scanning | Semgrep-powered SAST on connected GitHub, GitLab, or Bitbucket repositories | |
| Software composition analysis (SCA) | Dependency analysis through Semgrep on connected repositories | |
| Container image scanning | Container image package SCA via Semgrep on connected repositories | |
| Repository OAuth (GitHub, GitLab, Bitbucket) | CI integration binds to the repository through the pipeline configuration rather than to a repository connector | |
| Manual finding entry with full editor | Limited (records originate from HawkScan output, the pull request comment integration, and the application identity) | |
| AI-powered narrative report generation (executive, technical, remediation) | Console dashboards, scan-result exports, JUnit XML, JSON, and SARIF output rather than engagement-shaped narrative deliverables | |
| 300+ finding templates with remediation guidance | Vendor-mapped vulnerability records and per-rule remediation guidance from the HawkScan rule set | |
| CVSS 3.1 vector parsing and auto-scoring | Severity normalised through the StackHawk severity model rather than per-finding CVSS vector entry | |
| Scanner result import (Nessus, Burp Suite, CSV) | Imports limited to the HawkScan output, the spec ingest, and the platform-native data feeds | |
| Encrypted credential vault for authenticated scans (AES-256-GCM) | Token providers and environment variables managed through the CI pipeline secrets store and the StackHawk application configuration | |
| Continuous scheduled scanning cadence (daily, weekly, biweekly, monthly) | Cadence is determined by the CI pipeline trigger (pull request, merge, scheduled job) rather than by an in-product scan schedule per target | |
| Retest workflow paired to original finding | Re-evaluation through the next pipeline run on the same branch or application identity | |
| Exception register with eight-field decision chain | Per-finding accept-and-suppress workflow scoped to the application identity rather than an engagement-shaped per-finding decision chain | |
| SBOM ingest and publishing (CycloneDX, SPDX) | ||
| Compliance framework templates | 21 frameworks including OWASP, OWASP ASVS, OWASP MASVS, OWASP API Security Top 10, ISO 27001, SOC 2, PCI DSS, NIST 800-53, NIST 800-171, FedRAMP, MITRE ATT&CK, DORA, NIS2, CIS Controls, and Essential Eight | Per-finding categorisation against OWASP Top 10, OWASP API Security Top 10, and CWE through the HawkScan rule set; report-side compliance mapping is not the primary lane |
| Integrated invoicing and Stripe Connect payments for engagements | ||
| Activity audit trail with CSV export | Application and scan audit logs inside the StackHawk console | |
| MFA enforcement on every workspace | SSO and IdP-driven controls | |
| Free plan available | StackHawk Developer is free for a single application; the Pro and Enterprise tiers covering more applications, SSO, and advanced features are commercial | |
| Pricing model | Free, Pro, Team | Per-application tier pricing with sales-led negotiation on the Pro and Enterprise tiers and annual commitment |
| Setup time | 2 minutes | Spec generation or capture, application onboarding in the StackHawk console, HawkScan integration into the CI pipeline, authentication scripting, and pipeline configuration tuning |
| Best fit for | AppSec teams, internal security teams, vulnerability management teams, product security teams, pentest firms, MSSPs, and consultancies that scan, report, and deliver findings from one workspace | AppSec leaders, product security leaders, and engineering leaders at teams with a real CI pipeline that want every pull request and every release branch to ship DAST findings back to the developer that opened the change, driven by an OpenAPI, Postman, GraphQL, or HAR specification |
SecPortal vs StackHawk: developer-first CI pipeline DAST vs security testing workspace
StackHawk is a developer-first automated DAST platform that runs HawkScan (its dynamic scanner) inside the CI pipeline. The scan is driven by an OpenAPI, Postman, GraphQL, or HAR specification so each REST, GraphQL, SOAP, or gRPC endpoint enumerated by the spec gets tested on every pipeline run. The pipeline triggers the scan against the deployed application or the ephemeral preview environment, HawkScan publishes the result back to the StackHawk platform and the pull request that opened the change, and the developer that wrote the code receives the signal alongside the rest of the pull-request review. The buyer is an AppSec leader, a product security leader, or an engineering leader at a team with a real CI pipeline (GitHub Actions, GitLab, Jenkins, CircleCI, BitBucket Pipelines, or Azure DevOps) who wants every pull request and every release branch to ship DAST findings back to the developer that opened the change.
SecPortal is a different shape. SecPortal is the security testing and delivery workspace for AppSec teams, internal security teams, vulnerability management teams, product security teams, pentest firms, MSSPs, and consultancies that run scoped engagements and ship findings to application owners, business stakeholders, or external clients. The engagement, the scoping, the SAST and dependency analysis output from connected repositories, the authenticated DAST and external perimeter scans, the manual findings, the AI-generated report, the branded client portal, the retest, and the invoice all sit inside one workspace. If the question is whether to ship pull-request-shaped DAST findings back into the developer loop or to deliver scoped assessments and findings as a recurring deliverable on a scoped engagement record, this page is the side-by-side. The adjacent comparisons buyers in the running-application DAST category often evaluate alongside are SecPortal vs Invicti, SecPortal vs Acunetix, SecPortal vs Burp Suite, SecPortal vs Detectify, and SecPortal vs Intruder.
Where the developer-first CI pipeline DAST model stops for delivery work
These are not StackHawk-specific criticisms; they are properties of a spec-driven CI-pipeline-native DAST product when the buyer compares it to running scoped engagements on a delivery workspace.
Built as a developer-first DAST scanner that runs inside the CI pipeline, not a security testing workspace
StackHawk runs HawkScan (its dynamic scanner) inside the CI pipeline job. The pipeline reads an OpenAPI, Postman, GraphQL, or HAR specification, parses the endpoint list, runs the scanner against the deployed application or the ephemeral preview environment, and publishes results back to the StackHawk platform and the pull request that triggered the run. The buyer is an AppSec leader, a product security leader, or an engineering leader at a team with a real CI pipeline who wants every pull request and every release branch to ship DAST findings back to the developer that opened the change. SecPortal is a different shape: scoped engagements, manual finding entry, AI report generation, branded client portal, native external scanning, authenticated DAST, and SAST plus dependency analysis on connected repositories all live inside one workspace.
No engagement, scope, or scoped deliverable model
StackHawk is organised around the application identity, the pipeline run, the spec-driven scan, the pull-request comment, and the per-finding accept-and-suppress workflow. There is no concept of a scoped engagement that opens with a kickoff, runs against a defined target list, ships a final report under a client or stakeholder name, schedules a retest, and closes on a delivery date. If the work being shipped is a penetration test, a third-party security review, an external attack surface programme, an AppSec assessment for an application owner, an internal vulnerability assessment for a business unit, or a client-billable security engagement with a defined scope and a deliverable, StackHawk does not carry that record. SecPortal does, on the same workspace as the scanner stack, the AI report generator, and the branded client portal.
No branded client portal for technical findings delivery
StackHawk output (per-finding records on the StackHawk console, JUnit XML and SARIF output from HawkScan, pull-request comments back into the pipeline, and JSON or CSV exports) is reviewed inside the StackHawk console or routed back into developer tooling through the CI integration. Sharing the results with an application owner, a business stakeholder, or an external client typically means a StackHawk report export, a CSV pull, or a downstream ticket. SecPortal ships a white-label client portal on your tenant subdomain so every finding, retest, remediation thread, and report download lives under your team or consultancy brand rather than a vendor console.
No external perimeter scanning, no SAST, no SCA inside the same workspace
StackHawk covers the running-application surface with depth: REST, GraphQL, SOAP, and gRPC API endpoints driven by an OpenAPI, Postman, GraphQL, or HAR specification, plus traditional crawler-driven web application DAST against a deployed target. It does not run external perimeter scanning across DNS, ports, SSL, headers, subdomains, and technology fingerprinting against the public attack surface, and it does not run SAST or dependency analysis on the source side. Engagements that combine API DAST with source-side coverage and external perimeter coverage need a separate SAST and SCA stack and a separate external scanner. SecPortal runs SAST and dependency analysis through Semgrep, external scanning across 16 modules covering SSL, headers, DNS, ports, subdomains, technology fingerprinting, and CVE correlation, and authenticated DAST behind cookie, bearer, basic, or form authentication on the same engagement record.
No manual finding entry for non-scanner output
StackHawk is a scanner-driven product. Findings appear in the workspace because HawkScan fired against the deployed application, the spec was parsed and an endpoint was tested, or the crawler walked the application surface. A pentest, a manual code review, a manual API review against a private endpoint, a threat-modelling output, or a third-party security review also produces findings the scanner cannot reach: business logic flaws, chained exploits, IDOR proofs that need session state the scanner does not understand, authentication bypasses through application-specific state, design-level weaknesses, and supply-chain-tampering walkthroughs the scanner does not see. SecPortal ships a full manual finding editor with the 300+ finding template library, CVSS 3.1 vector parsing and auto-scoring, and structured evidence so non-scanner findings live on the same record as scanner output.
Per-application tier pricing tied to the application count in the workspace
StackHawk pricing is structured around the application count in the workspace. The Developer tier is free for a single application. The Pro and Enterprise tiers cover more applications, SSO, advanced authentication, advanced reporting, and the broader API support, and are sales-led with an annual commitment. There is no monthly self-serve commercial tier that covers a large application portfolio without a sales call, and the cost scales with the application count rather than with the engagement count or the team count. SecPortal pricing is transparent on the website with a free plan, monthly Pro and Team tiers, and no per-application licensing model. A workspace can run many engagements against many applications without re-pricing each addition.
What SecPortal adds to the picture
Engagement-shaped workflow
Every scan, manual finding, retest, AI report, and invoice sits inside an engagement that has a client, business unit, or stakeholder, a scope, a status, and a delivery date. The model matches the way internal AppSec teams run scoped application reviews for an application owner, the way internal security teams run scoped assessments for business units, the way consultancies deliver scoped engagements to clients, and the way pentest firms ship findings under a deliverable contract.
AI report generation from the live findings record
Generate executive summaries, full technical reports, remediation roadmaps, and compliance summaries from the engagement findings with a single click. The AI uses the workspace context: engagement scope, findings, severities, CVSS vectors, evidence, and exception decisions. The report becomes a draft the team edits rather than a console export augmented after the scan.
White-label client portal on a tenant subdomain
Every workspace gets a branded client portal on its own tenant subdomain. Application owners, business stakeholders, or external clients log in to review findings, track remediation, download reports, and communicate with the team under your brand rather than under a vendor console. Sharing findings does not mean exporting a SARIF or JSON file from the StackHawk console.
Source-side scanning paired with running-app and perimeter scanning on one workspace
SAST and dependency analysis through Semgrep run against repositories connected via GitHub, GitLab, or Bitbucket OAuth. External perimeter scanning runs across 16 modules covering SSL, headers, DNS, ports, subdomains, technology fingerprinting, and CVE correlation. Authenticated DAST runs behind stored credentials through cookie, bearer, basic, or form-based authentication. One workspace covers the source, the running application, and the perimeter rather than three consoles, three credential vaults, and three buyer relationships.
300+ finding templates with calibrated severity
A finding template library covers the recurring vulnerability classes a SAST, DAST, SCA, or manual reviewer produces: injection, access control, cryptography, configuration, authentication, and business logic. Templates carry CVSS 3.1 vectors and remediation guidance so the analyst edits the proof rather than rewriting the description. Severity comes from CVSS vector parsing, not from a fixed vendor severity table.
Continuous monitoring inside the engagement record
Continuous monitoring schedules (daily, weekly, biweekly, monthly) run scans against verified domains and authenticated targets on the same record as the manual findings, the AI report, and the retest. Continuous coverage sits inside the engagement workflow rather than being driven by the cadence of the CI pipeline trigger.
Who each platform is the right fit for
StackHawk and SecPortal solve adjacent problems for different buyer shapes. The honest framing is that the right tool depends on whether the primary motion is shipping pull-request-shaped DAST findings back into the developer loop or shipping engagement deliverables that combine source, authenticated DAST, external coverage, and manual findings on a scoped engagement record.
StackHawk fits AppSec and product security teams that ship DAST findings inside the CI pipeline back to the developer that opened the pull request
If you are an AppSec leader, a product security leader, or an engineering leader at a team with a real CI pipeline (GitHub Actions, GitLab, Jenkins, CircleCI, BitBucket Pipelines, or Azure DevOps), maintain an OpenAPI, Postman, GraphQL, or HAR specification for each application, run HawkScan against deployed or ephemeral preview environments on every pull request, and want the scan result to appear as a pull-request comment with new, fixed, and unchanged findings broken out so the developer that opened the change can act on it before merge, StackHawk is built for that shape of work. The buyer assumption is one application identity, one spec, one CI pipeline, and one feedback loop into the pull request.
SecPortal fits AppSec, internal security, vulnerability management, and consultancy teams that ship findings as a scoped deliverable
If you are an AppSec team running scoped reviews against named applications, an internal security team running scoped assessment cycles for business units, a vulnerability management team that consolidates external and authenticated scan output alongside SAST and SCA findings, a product security team running engagement reviews, a penetration testing firm, an MSSP, or a security consultancy delivering AppSec or pentest engagements to clients, SecPortal is the delivery workspace. Engagement, findings, source-side scanning, perimeter scanning, authenticated DAST, AI reports, branded portal, and invoicing all live on one tenant.
When the answer is both
A team that runs StackHawk as the pipeline-side DAST loop that catches API regressions every pull request and also delivers scoped assessments to application owners, business stakeholders, or external customers can use StackHawk for the in-pipeline shift-left feedback loop and SecPortal for the scoped engagement record, the external attack surface work, the source-side SAST and SCA coverage, the manual pentest findings, and the AI-generated narrative report. The two are adjacent. The question is whether the primary motion this quarter is shipping pull-request-shaped DAST findings back into the developer loop or shipping engagement deliverables that combine source, authenticated DAST, external coverage, and manual findings on one workspace.
How the StackHawk pipeline DAST loop compares to the SecPortal engagement record
StackHawk and SecPortal both produce evidence an auditor, a buyer, or an application owner reads, but the asset of record is different. The StackHawk pipeline run is the canonical view of the spec-driven DAST signal published back into the pull request that opened the change. The SecPortal engagement record is the canonical view of the scoped security work that produced a deliverable. The contrast matters when the audit-side reader asks for the underlying technical security testing evidence behind a control or a deliverable, not just the pipeline-side DAST signal.
StackHawk is the asset of record for the pipeline-shaped DAST feedback loop
The StackHawk value proposition is that the application identity, the spec, the CI pipeline run, the pull-request comment, and the per-finding accept-and-suppress workflow live on one platform. Every scan is triggered by a pipeline event, every finding is published back into the pull request that opened the change, and the developer that wrote the code receives the signal in the same surface they review code in. The asset is the pipeline run keyed to a pull request; the audience is the developer who wrote the change, the AppSec engineer who tuned the scan, and the engineering lead who maintains the pipeline.
SecPortal engagement record holds the scoped-assessment evidence from kickoff to closure
SecPortal does not run inside the CI pipeline as a pull-request scanner and does not parse an OpenAPI specification to drive endpoint enumeration. SecPortal does run authenticated DAST against verified domains, external scanning across 16 modules, and SAST plus dependency analysis through Semgrep against connected repositories so findings from those lanes land on the same engagement record alongside manual pentest findings and imported third-party scan output. The asset is the engagement, scan, finding, exception decision, retest, and closure record; the audience is the application owner, the engineering team, the security operator, the external client, the business unit stakeholder, and the auditor reading remediation history.
Where SecPortal sits next to a StackHawk deployment
SecPortal is not a replacement for the in-pipeline DAST loop that StackHawk runs against every pull request. SecPortal sits next to a StackHawk deployment as the security testing and delivery workspace where scoped pentest findings, manual reviewer findings, external perimeter scan output, authenticated DAST output against verified domains, SAST and dependency analysis output, AI-generated reports, the exception register, and the branded client portal all live on one tenant. If StackHawk is the right answer for the pull-request-shaped DAST feedback loop, the security testing workspace is still the right answer for the engagement, finding, and delivery work that sits beside it.
Spec-driven API DAST versus authenticated session DAST: two operating models
StackHawk markets spec-driven API enumeration as the canonical lane, with the OpenAPI, Postman, GraphQL, or HAR specification as the source of truth for the test surface. SecPortal organises authenticated web DAST around stored credentials on a verified domain, with the session as the source of truth for the test surface. The two models read different surfaces and produce different evidence shapes.
StackHawk drives API DAST through the OpenAPI, Postman, GraphQL, or HAR specification
HawkScan reads the spec, enumerates every endpoint the spec declares, tests each endpoint against the HawkScan rule set, and reports per-endpoint findings back into the pull request. The model is spec-first: if the spec lists 247 endpoints, the scan reaches 247 endpoints. If a real endpoint is not in the spec, the scan does not see it. The discipline that follows is keeping the spec in sync with the running application so the test surface and the deployed surface match. The asset is the spec; the audience is the developer who wrote the endpoint and the AppSec engineer who reads the StackHawk console.
SecPortal authenticated DAST runs behind stored credentials on verified domains
The authenticated web scanner runs 17 modules behind credentials stored in the encrypted credential vault (AES-256-GCM) and scoped to a verified domain. Authentication is configured per target through cookie, bearer, basic, or form authentication. The scanner crawls the application surface that the authenticated session exposes rather than reading from an OpenAPI specification. The model is closer to a session-scoped web DAST sweep than to a spec-driven API enumeration. The asset is the engagement record; the audience is the application owner, the security operator, and the auditor reading the closure record.
Where each model fits the AppSec programme
The StackHawk model fits applications that maintain a high-quality OpenAPI, Postman, GraphQL, or HAR specification as part of the development process, want every CI pipeline run to confirm that the deployed surface matches the spec and the rule set, and want the regression signal back into the pull request before merge. The SecPortal authenticated DAST model fits scoped engagements where the tester logs in with stored credentials, the scanner sweeps the authenticated session, the result lands on the engagement record next to the manual pentest findings and the external scan output, and the deliverable is shipped to an application owner, a business stakeholder, or an external client on a defined date.
How StackHawk sits relative to Invicti, Acunetix, Burp Suite, and ZAP
Buyers comparing running-application DAST platforms typically shortlist StackHawk alongside Invicti, Acunetix, Burp Suite, and ZAP and weigh CI pipeline integration, proof-based exploit verification, crawler depth against the OWASP Top 10, manual interactive testing fit, and open-source roots against the team shape and the buyer signal. The contrast below explains how StackHawk sits relative to those adjacent platforms.
StackHawk versus Invicti and Acunetix
StackHawk, Invicti, and Acunetix all run DAST against deployed applications but differ on shape. Invicti is the most enterprise-console-shaped, with proof-based scanning that confirms exploitability before publishing a finding and the strongest enterprise reporting catalogue. Acunetix is the most crawler-and-vulnerability-class-catalogue-shaped, with the longest history of web application scanner research and deep coverage of the OWASP Top 10 vulnerability classes. StackHawk is the most CI-pipeline-and-developer-shaped, with spec-driven API enumeration and pull-request integration as the primary lane. Buyers comparing the three usually weigh in-pipeline developer feedback against enterprise console reporting and against crawler depth.
StackHawk versus Burp Suite and ZAP
StackHawk and Burp Suite sit at opposite ends of the DAST spectrum. Burp Suite is the most interactive-manual-testing-shaped, designed for a security tester to drive every request, replay it through Repeater, tamper it through Intruder, and build a manual proof for every finding. StackHawk is automated and unattended: the spec drives the run, the pipeline triggers it, and the developer reads the result back in the pull request. ZAP (the OWASP Zed Attack Proxy) is the open-source ancestor of both lanes and the engine HawkScan extends. Teams that need manual testing alongside automated regression typically run Burp Suite manually and StackHawk automatically; SecPortal carries the manual pentest finding output that comes back from Burp Suite as a manually entered finding on the engagement record.
Where SecPortal sits relative to all of them
SecPortal is not a CI-pipeline-native DAST scanner, is not a spec-driven API enumerator, does not run as a pull-request comment integration, and does not pretend to replace one. SecPortal sits next to DAST scanners as the security testing and delivery workspace where scoped pentest findings, manual reviewer findings, external perimeter scan output, authenticated DAST output, SAST and SCA output from connected repositories, AI-generated reports, the exception register, and the branded client portal all live on one tenant. If StackHawk (or Invicti, Acunetix, or Burp Suite) is the right answer for the running-application security signal, the security testing workspace is still the right answer for the engagement, finding, and delivery work that sits beside it.
How SecPortal authenticated DAST compares to StackHawk in-pipeline DAST
StackHawk covers the running-application surface with depth on the spec-driven API lane: HawkScan reads the OpenAPI, Postman, GraphQL, or HAR spec, enumerates the endpoint list, tests each endpoint against the HawkScan rule set, runs inside the CI pipeline, and publishes the result back into the pull request. SecPortal covers the running-application surface as one of three lanes that converge on a single engagement record, rather than as the centrepiece of a pipeline-driven product.
The authenticated scanning feature runs 17 modules behind stored credentials through cookie, bearer, basic, or form authentication on verified domains. The external scanning feature runs 16 modules across SSL, headers, DNS, ports, subdomains, technology fingerprinting, and CVE correlation so the perimeter is scanned alongside the authenticated application surface. The code scanning feature runs SAST and dependency analysis through Semgrep on repositories connected via GitHub, GitLab, or Bitbucket OAuth so source-side findings land on the same engagement record. The continuous monitoring feature runs daily, weekly, biweekly, or monthly scans on a schedule and writes the results back to the same engagement record rather than depending on a CI pipeline trigger to drive cadence.
How credentials, repository access, and import paths are handled
Authenticated scanning needs credentials that live somewhere durable. SecPortal stores them in an encrypted credential vault with AES-256-GCM, scoped to a verified domain. Every external scan is gated on domain verification through DNS TXT or meta tag so authorisation is provable before any module fires. Source-side scanning needs read access to a repository. SecPortal connects to GitHub, GitLab, or Bitbucket through OAuth so scope is bound to the connected organisation and the repositories the team selects, rather than through a shared service account or a long-lived deploy key. Teams that operate StackHawk for the in-pipeline DAST loop can still consolidate scanner output onto the engagement record through the importing third-party scanner results guide for the verified Nessus, Burp Suite, and CSV import paths.
From scan to deliverable
The output of an API DAST, web DAST, SAST, or SCA run is the beginning of a deliverable, not the end. SecPortal turns scan results into draft findings, the analyst triages and validates them, the findings management layer holds the consolidated record with CVSS vectors, evidence, and remediation, and the AI reports feature generates the executive and technical narrative the recipient receives. The branded client portal is where the deliverable lands; the scanner result triage workflow covers how raw scanner output becomes a calibrated finding before it is promoted onto the canonical record.
For AppSec teams running API security testing on the engagement record, the API security testing workflow covers how REST, GraphQL, and SOAP coverage lands on the engagement record next to the SAST, SCA, and external scan output. For internal security teams that already run StackHawk in the CI pipeline and want to operationalise the output into engagement records and remediation tracking, the scanner-to-ticket handoff governance workflow and the remediation tracking workflow cover how pipeline-side findings move from detection to closure with named owners, SLA tiers, and an audit trail. For teams running scoped engagements against named applications, the security onboarding for new applications workflow covers how a new application enters the security programme with named scope, named owner, and named cadence. The compliance crosswalk for AppSec evidence is covered in the control mapping workflow so the same engagement evidence answers OWASP ASVS V14, OWASP API Security Top 10, ISO 27001 A.8.28, SOC 2 CC8.1, PCI DSS Requirement 6, NIST SSDF PW.4, and NIST 800-53 SA-11 simultaneously.
Transparent pricing, no procurement cycle
SecPortal pricing is published on the website and self-service from sign-up. There is no per-application licensing model, no annual contract floor on the Pro or Team tiers, and no sales call required before you can run a real engagement.
SecPortal Free
Free forever
1 user, 3 clients, 2 engagements per client, 3 AI credits, 6 core scan modules.
SecPortal Pro
From $149/month
All scan modules, 100 clients, 25 AI credits/month, branded client portal, invoicing, compliance tracking.
SecPortal Team
From $299/month
Up to 5 users, 75 AI credits/month, team management, activity audit trail with CSV export, MFA enforcement.
Why AppSec, internal security, and consultancy teams pick SecPortal alongside or instead of StackHawk
- Run scoped AppSec, pentest, and vulnerability management engagements with a kickoff, deliverables, retests, and a final invoice on one record rather than a CI-pipeline DAST console and a separate engagement tracker
- Scan the perimeter with 16 external modules, run authenticated DAST with 17 web modules, and run SAST plus dependency analysis on connected repositories from inside the same workspace
- Generate executive, technical, and remediation deliverables with Claude from the live findings record rather than annotating a StackHawk SARIF or JSON export after the scan
- Enter manual findings from a tester, reviewer, or third-party report (business logic flaws, IDOR walkthroughs, chained exploits, design-level weaknesses) into the same record the scanners feed
- Deliver findings through a branded client portal on a tenant subdomain instead of console exports or pull-request comments routed out of the StackHawk console
- Pair every retest to the original finding so the closure record holds up under audit rather than relying on the next pipeline run on the same branch to confirm the fix
- Document CVSS 3.1 vector, asset, evidence, owner, severity, and remediation status on the engagement record so prioritisation is defensible to a board, an auditor, or an application owner
- Capture the exception register on the same record as the finding with linked finding, severity, compensating controls, residual likelihood, residual impact, business rationale, expiry, and review cadence
- Map findings across 21 framework templates including OWASP, OWASP ASVS, OWASP MASVS, OWASP API Security Top 10, ISO 27001, SOC 2, PCI DSS, NIST 800-53, NIST 800-171, FedRAMP, MITRE ATT&CK, DORA, NIS2, CIS Controls, and Essential Eight
- Store privileged scan credentials encrypted at rest with AES-256-GCM and rotate them through the in-product credential vault
- Invoice clients or business units directly from the engagement record through Stripe Connect
- Start on the free plan and upgrade without a sales call, a per-application licensing negotiation, or an annual commitment floor for the published tiers
Honest scope: what SecPortal does not aim to be
SecPortal is not a CI-pipeline-native DAST scanner, does not ship a HawkScan equivalent containerised binary that runs inside a GitHub Actions, GitLab, Jenkins, CircleCI, BitBucket Pipelines, or Azure DevOps pipeline job, does not read an OpenAPI, Postman, GraphQL, or HAR specification to drive API endpoint enumeration, does not publish scan results back into the pull request as a comment integration, does not fail the build on new findings above a severity threshold, does not run a local developer CLI scanner that the developer invokes against their branch before merging, and does not ship packaged Jira, ServiceNow, Slack, SIEM, SOAR, or CMDB connectors. The honest framing is that SecPortal is a security testing and delivery workspace that complements a StackHawk pipeline DAST deployment rather than a CI-pipeline-native DAST scanner that replaces one.
Related reading
If you are evaluating how to run scoped AppSec, pentest, and vulnerability management engagements alongside or instead of a developer-first CI pipeline DAST product, the pages below cover the workflows, adjacent comparisons, and audience views that come up most often.
- SecPortal vs Invicti for the enterprise DAST console comparison with proof-based scanning.
- SecPortal vs Acunetix for the crawler-and-vulnerability-class-catalogue DAST comparison.
- SecPortal vs Burp Suite for the interactive manual security testing comparison.
- SecPortal vs Detectify for the automated web scanning service with researcher-fuelled signatures comparison.
- SecPortal vs Intruder for the managed external scanning service comparison.
- SecPortal vs Snyk for the developer-first SCA and SAST comparison with reachability prioritisation.
- SecPortal vs Semgrep for the open-source SAST engine comparison (Semgrep powers SecPortal SAST).
- SecPortal vs GitHub Advanced Security for the GitHub-native code security and secret scanning comparison.
- SecPortal for AppSec teams for the audience page covering authenticated DAST, SAST, SCA, manual pentest entry, and AI-generated reporting on one workspace.
- SecPortal for product security teams for the product security view of running scoped reviews against named applications with SAST, SCA, DAST, and external coverage on the same engagement record.
- SecPortal for DevSecOps teams for the DevSecOps view of paired source-side and running-application coverage on one engagement record.
- API security testing workflow for the workflow that turns REST, GraphQL, and SOAP API coverage into engagement-shaped findings.
- DevSecOps scanning workflow for the operating model that pairs SAST, SCA, DAST, and external coverage inside one engagement record.
- API security testing checklist for the practical operating checklist for running API security tests against authenticated and unauthenticated endpoints.
- Dynamic application security testing explained for the deep technical breakdown of DAST as a category, its scanner types, and where each fits the AppSec programme.
- OWASP API Security Top 10 for the framework API security testing most often maps findings against.
When the work is scoped engagement delivery, not pull-request-shaped DAST inside the pipeline
Run scoped AppSec, pentest, and vulnerability management engagements, generate AI reports, and ship findings through a branded portal on one workspace. SAST plus dependency analysis plus DAST plus external scanning live on the same engagement record. Run alongside or instead of a StackHawk pipeline DAST deployment. Start free.
No credit card required. Free plan available forever.