Platform
Everything you need to run a security practice
From scanning and findings to AI reports and client delivery — SecPortal replaces your spreadsheets, scattered tools, and manual workflows with one platform.
Orchestrate every security engagement from start to finish
Create, scope, and track security assessments, vulnerability management, compliance audits, and incident response operations. Assign team members, set deadlines, and deliver results through your branded client portal.
Vulnerability management software that tracks every finding
Vulnerability management tool with auto-calculated CVSS 3.1 scores, Nessus and Burp Suite imports, 300+ pre-built templates, and real-time remediation tracking. Log, prioritise, and close vulnerabilities from one platform.
AI-powered reports in seconds, not days
Generate board-ready executive summaries, detailed technical reports, prioritised remediation roadmaps, and compliance summaries from your engagement data. Powered by Claude AI with full workspace context.
Your brand. Your portal. Your clients love it.
Every client gets a secure portal on your custom subdomain. They view findings, track remediation progress, download reports, and pay invoices without a single email or phone call.
Invoice and get paid without the admin
Create professional invoices per engagement in GBP, USD, or EUR. Send through your branded portal and let clients pay in one click via Stripe. Track status from draft to paid with automatic reconciliation.
Collaborate across your entire team
Invite team members to your workspace, assign engagements and findings, and stay in sync with real-time notifications. Every action is logged for a complete audit trail.
Compliance tracking without a full GRC platform
Map findings and controls to ISO 27001, SOC 2, Cyber Essentials, and more. Track compliance status with pre-built control templates, generate audit evidence, and export to CSV for external auditors.
Vulnerability scanning tools that map your attack surface
Vulnerability scanner with 16 automated modules for SSL, ports, headers, subdomains, cloud exposure, and CVE correlation. Get instant results from fast checks, then deep analysis from background workers; vulnerability detection tools built into your workflow.
Test web apps behind the login
Run 17 specialised security tests against authenticated pages. Store credentials securely with AES-256-GCM encryption and test for SQLi, XSS, IDOR, CSRF, and 13 more vulnerability classes.
Find vulnerabilities before they ship
Scan your source code for security issues with Semgrep-powered SAST and audit dependencies with SCA. Connect your GitHub, GitLab, or Bitbucket repos in one click.
Map your attack surface before attackers do
Automatically discover subdomains, detect cloud exposure, check for subdomain takeover, and fingerprint technologies across your entire external perimeter.
Verify ownership before any scan runs
Every external, authenticated, and continuous scan in SecPortal targets a verified domain. Three verification methods (DNS TXT, HTML meta tag, and .well-known file) prove the user owns or is authorised to test the target before scanner traffic ever reaches it.
Multi-factor authentication on every workspace
Every SecPortal user can enrol a TOTP authenticator, and every workspace owner can require it for the whole team. The middleware promotes sessions to AAL2 and blocks any other route until the second factor is in place.
Every action recorded across the workspace
A timestamped, attributed activity record of every finding, engagement, scan, document, comment, invoice, and team change. Filter by entity, scope by user, and retain history for the audit window your plan supports.
Encrypted credential storage for authenticated scans
Authenticated scanners need credentials. SecPortal stores them with AES-256-GCM authenticated encryption, scopes them to a verified domain inside a workspace, gates access through RBAC, and records every lifecycle event in the activity log.
Document management for every security engagement
Upload SOWs, raw scanner exports, evidence captures, attestation letters, and post-engagement deliverables onto the engagement record. Storage is workspace-scoped, RBAC-gated, and recorded in the activity log so the chain of custody survives long after the work finishes.
Repository connections for SAST and SCA
Connect GitHub, GitLab, or Bitbucket through OAuth so SecPortal can read the repositories your team chooses for code scanning. Tokens are encrypted at rest, scoped to the workspace, gated by RBAC, and recorded in the activity log on connect, configure, and disconnect.
Notifications and alerts for the people who carry the work
Findings move, engagements change status, documents land, invoices send, comments post. SecPortal fans those events out into per-user notifications scoped by tenant and role, so the people who carry the work see the change without polling the activity log.
Global search across every engagement, finding, and client
Press Cmd+K (or Ctrl+K) inside the dashboard. Type two characters and SecPortal returns clients, engagements, and findings that match across the entire workspace. Results are RBAC-aware, debounced, and deep-link to the source record without leaving the keyboard.
Monitor continuously, catch regressions early
Schedule external, authenticated, and code scans on a recurring basis. Track security scores over time, detect regressions, and maintain your security posture automatically.
Bulk finding import: bring your scanner data with you
Import vulnerability findings from Nessus, Burp Suite, and CSV files onto an engagement record. Verified parsers, column-mapping autodetection for CSV, plan-aware quotas, RBAC gating, rate limiting, and a logged audit trail. Migration is a capability, not a project.
Workspace AI assistant that runs platform actions for you
Talk to your workspace in natural language. The assistant reads clients, engagements, and findings as context, proposes structured actions like creating findings or scaffolding engagements, and only writes to the workspace after you approve. Every action lands on the activity log with the actor and the inputs.
Verify fixes and track reopens on the same finding record
Retesting workflows on the FindingStatus lifecycle. Move findings through open, in_progress, resolved, verified, and reopened with separate resolved_at and verified_at timestamps, RBAC-gated transitions, and an activity log audit trail that survives any audit window.
Ready to replace your scattered tools?
Start free and explore every feature. No credit card required.
Free plan available forever.