Platform
Everything you need to run a security practice
From scanning and findings to AI reports and client delivery — SecPortal replaces your spreadsheets, scattered tools, and manual workflows with one platform.
Orchestrate every security engagement from start to finish
Create, scope, and track security assessments, vulnerability management, compliance audits, and incident response operations. Assign team members, set deadlines, and deliver results through your branded client portal.
Vulnerability management software that tracks every finding
Vulnerability management tool with auto-calculated CVSS 3.1 scores, Nessus and Burp Suite imports, 300+ pre-built templates, and real-time remediation tracking. Log, prioritise, and close vulnerabilities from one platform.
AI-powered reports in seconds, not days
Generate board-ready executive summaries, detailed technical reports, prioritised remediation roadmaps, and compliance summaries from your engagement data. Powered by Claude AI with full workspace context.
Your brand. Your portal. Your clients love it.
Every client gets a secure portal on your custom subdomain. They view findings, track remediation progress, download reports, and pay invoices without a single email or phone call.
Invoice and get paid without the admin
Create professional invoices per engagement in GBP, USD, or EUR. Send through your branded portal and let clients pay in one click via Stripe. Track status from draft to paid with automatic reconciliation.
Collaborate across your entire team
Invite team members to your workspace, assign engagements and findings, and stay in sync with real-time notifications. Every action is logged for a complete audit trail.
Compliance tracking without a full GRC platform
Map findings and controls to ISO 27001, SOC 2, Cyber Essentials, and more. Track compliance status with pre-built control templates, generate audit evidence, and export to CSV for external auditors.
Vulnerability scanning tools that map your attack surface
Vulnerability scanner with 16 automated modules for SSL, ports, headers, subdomains, cloud exposure, and CVE correlation. Get instant results from fast checks, then deeper analysis from background workers, with vulnerability detection tools built into your workflow.
Test web apps behind the login
Run 17 specialised security tests against authenticated pages. Store credentials securely with AES-256-GCM encryption and test for SQLi, XSS, IDOR, CSRF, and 13 more vulnerability classes.
Find vulnerabilities before they ship
Scan your source code for security issues with Semgrep-powered SAST and audit dependencies with SCA. Connect your GitHub, GitLab, or Bitbucket repos in one click.
Map your attack surface before attackers do
Automatically discover subdomains, detect cloud exposure, check for subdomain takeover, and fingerprint technologies across your entire external perimeter.
Verify ownership before any scan runs
Every external, authenticated, and continuous scan in SecPortal targets a verified domain. Three verification methods (DNS TXT, HTML meta tag, and .well-known file) prove the user owns or is authorised to test the target before scanner traffic ever reaches it.
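As an added illustration of the ownership check described above (example code written for this page, not SecPortal's own implementation): a Python verifier that derives a token bound to one workspace and one domain, then accepts it from any of the three proofs. The TXT record prefix, meta tag name, .well-known path, demo secret and the sample lookup results are all assumptions; a live verifier would resolve DNS and fetch the pages itself, whereas here the evidence is passed in so the check runs offline.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed formats for the three proofs; the real record names are not on this page.
TXT_PREFIX = "secportal-verify="
META_NAME = "secportal-verification"
WELL_KNOWN_PATH = "/.well-known/secportal-verification.txt"


def verification_token(secret: bytes, workspace_id: str, domain: str) -> str:
    """Token bound to one workspace and one domain, so a proof published for
    another workspace (or copied from another domain) does not verify here."""
    msg = f"{workspace_id}\n{domain.lower().rstrip('.')}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


@dataclass
class DomainEvidence:
    """What the resolver and fetcher returned for the target. A live verifier
    looks these up itself; here they are supplied so the check runs offline."""
    txt_records: list[str] = field(default_factory=list)
    html_body: str = ""
    well_known_body: str = ""


@dataclass
class VerificationResult:
    verified: bool
    method: Optional[str]
    reason: str


def _same(a: str, b: str) -> bool:
    # constant-time comparison so a probing client cannot time the match
    return hmac.compare_digest(a.encode(), b.encode())


def _check_dns_txt(records: list[str], token: str) -> bool:
    for rec in records:
        value = rec.strip().strip('"')
        if value.startswith(TXT_PREFIX) and _same(value[len(TXT_PREFIX):], token):
            return True
    return False


def _check_html_meta(html: str, token: str) -> bool:
    # Only <head> counts: content a site visitor can post into the body must not verify.
    head = re.search(r"<head\b[^>]*>(.*?)</head>", html, re.I | re.S)
    if not head:
        return False
    for tag in re.findall(r"<meta\b[^>]*>", head.group(1), re.I):
        attrs = {k.lower(): v for k, v in re.findall(r'([\w-]+)\s*=\s*["\']([^"\']*)["\']', tag)}
        if attrs.get("name") == META_NAME and _same(attrs.get("content", ""), token):
            return True
    return False


def _check_well_known(body: str, token: str) -> bool:
    return _same(body.strip(), token)


def verify_domain(evidence: DomainEvidence, token: str) -> VerificationResult:
    """Accept the first method that presents the expected token; refuse otherwise."""
    if _check_dns_txt(evidence.txt_records, token):
        return VerificationResult(True, "dns_txt", "TXT record carries the workspace token")
    if _check_html_meta(evidence.html_body, token):
        return VerificationResult(True, "html_meta", "<head> meta tag carries the workspace token")
    if _check_well_known(evidence.well_known_body, token):
        return VerificationResult(True, "well_known", f"{WELL_KNOWN_PATH} carries the workspace token")
    return VerificationResult(False, None, "no verification method presented the expected token")


SECRET = b"constructed-demo-secret"  # constructed; a deployment keeps this in a secret store


def sample_evidence(token: str) -> dict[str, DomainEvidence]:
    """Constructed lookup results, one per outcome worth checking."""
    return {
        "dns": DomainEvidence(txt_records=["v=spf1 -all", f'"{TXT_PREFIX}{token}"']),
        "meta": DomainEvidence(html_body=f'<html><head><meta content="{token}" name="{META_NAME}"></head><body></body></html>'),
        "well_known": DomainEvidence(well_known_body=token + "\n"),
        "body_only": DomainEvidence(html_body=f'<html><head></head><body><meta name="{META_NAME}" content="{token}"></body></html>'),
        "wrong_token": DomainEvidence(txt_records=[TXT_PREFIX + "0" * 64]),
    }


if __name__ == "__main__":
    tok = verification_token(SECRET, "ws_123", "example.com")
    for name, ev in sample_evidence(tok).items():
        print(name, verify_domain(ev, tok))
```

The token is an HMAC over the workspace id and the domain rather than a random string stored per request, so the verifier needs no database lookup to recompute it and a token leaked from one workspace is useless for another. Restricting the meta tag check to `<head>` matters on sites with user-generated content, where anyone could otherwise place the tag in a comment.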
Multi-factor authentication on every workspace
Every SecPortal user can enrol a TOTP authenticator, and every workspace owner can require it for the whole team. The middleware promotes sessions to AAL2 and blocks any other route until the second factor is in place.
Every action recorded across the workspace
A timestamped, attributed activity record of every finding, engagement, scan, document, comment, invoice, and team change. Filter by entity, scope by user, and retain history for the audit window your plan supports.
Encrypted credential storage for authenticated scans
Authenticated scanners need credentials. SecPortal stores them with AES-256-GCM authenticated encryption, scopes them to a verified domain inside a workspace, gates access through RBAC, and records every lifecycle event in the activity log.
Document management for every security engagement
Upload SOWs, raw scanner exports, evidence captures, attestation letters, and post-engagement deliverables onto the engagement record. Storage is workspace-scoped, RBAC-gated, and recorded in the activity log so the chain of custody survives long after the work finishes.
Repository connections for SAST and SCA
Connect GitHub, GitLab, or Bitbucket through OAuth so SecPortal can read the repositories your team chooses for code scanning. Tokens are encrypted at rest, scoped to the workspace, gated by RBAC, and recorded in the activity log on connect, configure, and disconnect.
Notifications and alerts for the people who carry the work
Findings move, engagements change status, documents land, invoices send, comments post. SecPortal fans those events out into per-user notifications scoped by tenant and role, so the people who carry the work see the change without polling the activity log.
Global search across every engagement, finding, and client
Press Cmd+K (or Ctrl+K) inside the dashboard. Type two characters and SecPortal returns clients, engagements, and findings that match across the entire workspace. Results are RBAC-aware, debounced, and deep-link to the source record without leaving the keyboard.
Monitor continuously, catch regressions early
Schedule external, authenticated, and code scans on a recurring basis. Track security scores over time, detect regressions, and maintain your security posture automatically.
Bulk finding import: bring your scanner data with you
Import vulnerability findings from Nessus, Burp Suite, and CSV files onto an engagement record. Verified parsers, column-mapping autodetection for CSV, plan-aware quotas, RBAC gating, rate limiting, and a logged audit trail. Migration is a capability, not a project.
Workspace AI assistant that runs platform actions for you
Talk to your workspace in natural language. The assistant reads clients, engagements, and findings as context, proposes structured actions like creating findings or scaffolding engagements, and only writes to the workspace after you approve. Every action lands on the activity log with the actor and the inputs.
Verify fixes and track reopens on the same finding record
Retesting workflows on the FindingStatus lifecycle. Move findings through open, in_progress, resolved, verified, and reopened with separate resolved_at and verified_at timestamps, RBAC-gated transitions, and an activity log audit trail that survives any audit window.
Finding comments and collaboration on the same record as the work
Per-finding comments scoped to the tenant, attributed to an immutable author email, written to the activity log, and visible to both workspace members and client portal users. Triage, escalation, exception rationale, and retest context land on the finding rather than in email.
Engagement messaging on the same record as the engagement
Per-engagement chat scoped to the tenant, attributed to an immutable author email, written to the activity log, and visible to both workspace members and client portal users. Scope, schedule, escalation, and handover land on the engagement rather than in email.
Finding overrides that survive every scan cycle
Suppress confirmed false positives, accept residual risk, and override scanner severity with a structured record. Three override types, scoped to a workspace and a scan target, with a reason field, creator attribution, and an upsert key that keeps the decision on the next scan rather than re-applying it by hand.
Scan-to-scan diff: see what changed between any two executions
Compare two scan executions against the same target on one platform record. The diff endpoint returns new, fixed, and unchanged findings, identifies which scanner modules ran in one execution but not the other, and annotates every recurring finding with its current override status. RBAC-gated, workspace-scoped, and aware of the override register so suppression decisions travel across cycles.
Finding template library: pre-written vulnerabilities ready to log
A built-in catalogue of pre-written finding templates covering common web, infrastructure, AppSec, and configuration vulnerabilities for pentests, plus dedicated template sets for Cyber Essentials, Cyber Essentials Plus, ISO 27001 Annex A, SOC 2 Trust Services Criteria, and incident response engagements. Every template carries a title, description, remediation guidance, and where applicable a CVSS 3.1 vector and a control reference so the operator drops a high-quality finding onto the engagement in seconds rather than typing it from scratch.
Role-based access control with least privilege by default
Four workspace roles, thirty named permissions, and a single requirePermission gate on every privileged action. Members operate on findings and scans, admins manage the team, owners change billing and roles, viewers read only. Every transition lands on the activity log with the actor and the inputs.
Scheduled scans on a real, audit-grade cadence
Set external, authenticated, and code scans to run daily, weekly, biweekly, or monthly. The platform records every schedule with a target, a frequency band, a deterministic next run time, and a plan-aware quota check, then writes the resulting scan to the workspace activity log so the cadence is auditable from the moment it starts.
Tenant subdomain isolation enforced in middleware
Every workspace runs on its own subdomain of the portal root. The middleware extracts the tenant from the host header, confirms the workspace exists with the service-role client, blocks the workspace dashboard from the tenant surface, and rewrites portal traffic to the workspace-scoped path. Reserved names are refused at the routing layer, role-aware redirects keep consultants and clients on the right surface, and per-tenant MFA enforcement runs before any portal page renders.
Scan authorization guards enforced before any scan runs
Every scan request passes a compound pre-flight guard: blocklist, monthly quota, verified domain, verification expiry, subdomain plan flag, signed attestation, plan cooldown, and (for authenticated scans) credential binding to a verified domain. Each refusal returns a typed code and a human-readable reason that the API surfaces as a 403, the activity log records, and internal audit can read in the same shape as a successful scan.
Plan-based limits and quotas enforced in code, not in policy
Three plan tiers (Starter, Pro, Team), seven numeric limit fields, seventeen feature flags, and a uniform can-this-action helper in front of every quota-sensitive write. Workspaces stay inside the tier they paid for because the gate runs at the API rather than relying on a salesperson to remember the contract.
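The compound pre-flight guard described two sections above and the plan-limit gate described here share one shape: an ordered list of checks in front of a quota-sensitive write, each refusal carrying a typed code and a reason. The Python below is an added example written for this page, not SecPortal's code; the refusal codes, plan fields, blocklist entries, 90-day verification TTL and attestation format are assumptions, and the attestation is modelled as a server-side HMAC over the workspace and target.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Refusal(str, Enum):
    """Typed refusal codes; the API maps every one of them to a 403."""
    TARGET_BLOCKLISTED = "target_blocklisted"
    QUOTA_EXCEEDED = "quota_exceeded"
    DOMAIN_NOT_VERIFIED = "domain_not_verified"
    VERIFICATION_EXPIRED = "verification_expired"
    SUBDOMAIN_NOT_IN_PLAN = "subdomain_not_in_plan"
    ATTESTATION_INVALID = "attestation_invalid"
    COOLDOWN_ACTIVE = "cooldown_active"
    CREDENTIAL_NOT_BOUND = "credential_not_bound"


@dataclass
class Plan:                      # assumed subset of a tier's limit fields and feature flags
    monthly_scan_quota: int
    subdomain_scans: bool
    cooldown: timedelta


@dataclass
class Workspace:
    workspace_id: str
    plan: Plan
    scans_this_month: int = 0
    verified_domains: dict[str, datetime] = field(default_factory=dict)  # domain -> verified_at
    last_scan_at: dict[str, datetime] = field(default_factory=dict)      # target -> last start
    credentials: dict[str, str] = field(default_factory=dict)            # credential_id -> bound domain


@dataclass
class ScanRequest:
    target: str
    kind: str                      # "external" or "authenticated"
    attestation: str               # operator's signed authorisation (HMAC hex, assumed format)
    credential_id: Optional[str] = None


@dataclass
class GuardDecision:
    allowed: bool
    code: Optional[Refusal] = None
    reason: str = ""


BLOCKLIST = {"localhost", "example.internal"}   # constructed
VERIFICATION_TTL = timedelta(days=90)           # assumed


def sign_attestation(secret: bytes, workspace_id: str, target: str) -> str:
    """Signature over the operator's authorisation, bound to workspace and target."""
    return hmac.new(secret, f"{workspace_id}\n{target.lower()}".encode(), hashlib.sha256).hexdigest()


def _refuse(code: Refusal, reason: str) -> GuardDecision:
    return GuardDecision(False, code, reason)


def _matching_domain(target: str, verified: dict[str, datetime]):
    """Return (verified domain covering target, is_subdomain) or (None, False)."""
    for dom in verified:
        if target == dom:
            return dom, False
        if target.endswith("." + dom):
            return dom, True
    return None, False


def preflight(ws: Workspace, req: ScanRequest, secret: bytes, now: datetime) -> GuardDecision:
    """Checks run in order; the first failure is the decision, so the caller sees one code."""
    target = req.target.lower().rstrip(".")
    if target in BLOCKLIST or any(target.endswith("." + b) for b in BLOCKLIST):
        return _refuse(Refusal.TARGET_BLOCKLISTED, f"{target} is on the platform blocklist")
    if ws.scans_this_month >= ws.plan.monthly_scan_quota:
        return _refuse(Refusal.QUOTA_EXCEEDED, f"monthly quota of {ws.plan.monthly_scan_quota} scans used")
    domain, is_sub = _matching_domain(target, ws.verified_domains)
    if domain is None:
        return _refuse(Refusal.DOMAIN_NOT_VERIFIED, f"no verified domain covers {target}")
    if now - ws.verified_domains[domain] > VERIFICATION_TTL:
        return _refuse(Refusal.VERIFICATION_EXPIRED, f"verification of {domain} is older than {VERIFICATION_TTL.days} days")
    if is_sub and not ws.plan.subdomain_scans:
        return _refuse(Refusal.SUBDOMAIN_NOT_IN_PLAN, "subdomain targets are not enabled on this plan")
    expected = sign_attestation(secret, ws.workspace_id, target)
    if not hmac.compare_digest(expected.encode(), req.attestation.encode()):
        return _refuse(Refusal.ATTESTATION_INVALID, "attestation missing or not signed for this target")
    last = ws.last_scan_at.get(target)
    if last is not None and now - last < ws.plan.cooldown:
        return _refuse(Refusal.COOLDOWN_ACTIVE, f"{target} was scanned within the plan cooldown")
    if req.kind == "authenticated" and ws.credentials.get(req.credential_id or "") != domain:
        return _refuse(Refusal.CREDENTIAL_NOT_BOUND, "credential is not bound to the verified domain")
    return GuardDecision(True)


def to_http(decision: GuardDecision) -> tuple[int, dict]:
    """Same shape for every refusal: a 403 carrying the typed code and the reason."""
    if decision.allowed:
        return 200, {"ok": True}
    return 403, {"ok": False, "code": decision.code.value, "reason": decision.reason}


def activity_entry(ws: Workspace, actor: str, req: ScanRequest, decision: GuardDecision, now: datetime) -> dict:
    """Refusals land in the activity log in the same shape as accepted scans."""
    return {"at": now.isoformat(), "workspace": ws.workspace_id, "actor": actor, "target": req.target,
            "kind": req.kind, "allowed": decision.allowed, "code": decision.code.value if decision.code else None}
```

Keeping the checks in one ordered function means the quota and feature-flag decisions are made by the same code path as the authorisation decisions, which is what makes the plan limits enforceable in code rather than by policy: there is no second entry point that skips the gate. The order also matters for what a caller can learn; the cheap, non-sensitive checks (blocklist, quota) run before anything that depends on the workspace's verified domains.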
API rate limiting on every privileged surface, enforced in code and returning a uniform 429
Per-endpoint rate limits sit in front of authentication, scans, code scans, AI chat, contact submission, bulk import, document upload, domain verification, credential storage, repository connection, finding writes, client creation, invoice creation, and the public scanner tools. The limiter is Redis-backed in production with a per-instance in-memory fallback, and every limited surface returns a uniform 429 (with a Retry-After header on the authentication and AI surfaces) so the client always knows when the gate refused the request.
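To show the shape of the limiter described above, here is an added Python example (written for this page, not SecPortal's own code): a fixed-window counter keyed by endpoint and client, standing in for the per-instance in-memory fallback, plus the response mapping that returns the same 429 on every limited surface and adds Retry-After only on the authentication and AI surfaces. The endpoint names, limits and client addresses are constructed; the real per-endpoint numbers are not on this page.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Limit:
    requests: int        # requests allowed per window
    window_seconds: int


# Constructed policy; the real per-endpoint numbers are not on this page.
POLICY = {
    "POST /api/auth/login": Limit(5, 60),
    "POST /api/scans": Limit(20, 3600),
    "POST /api/ai/chat": Limit(30, 60),
}
DEFAULT_LIMIT = Limit(100, 60)
# Surfaces that also send Retry-After; every other limited surface answers with the bare 429.
RETRY_AFTER_SURFACES = {"POST /api/auth/login", "POST /api/ai/chat"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    remaining: int
    retry_after: int   # seconds until the window resets; 0 when allowed


class MemoryRateLimiter:
    """Fixed-window counter keyed by (endpoint, client). This is the per-instance
    in-memory fallback; a shared Redis counter would use the same key and window
    so that all instances count against one budget."""

    def __init__(self) -> None:
        self._windows: dict[tuple[str, str], tuple[int, int]] = {}  # key -> (window_start, count)

    def check(self, endpoint: str, client: str, now: float) -> Decision:
        limit = POLICY.get(endpoint, DEFAULT_LIMIT)
        window_start = int(now // limit.window_seconds) * limit.window_seconds
        key = (endpoint, client)
        start, count = self._windows.get(key, (window_start, 0))
        if start != window_start:          # window rolled over: begin a fresh count
            start, count = window_start, 0
        if count >= limit.requests:
            self._windows[key] = (start, count)
            retry = max(1, math.ceil(start + limit.window_seconds - now))
            return Decision(False, 0, retry)
        self._windows[key] = (start, count + 1)
        return Decision(True, limit.requests - count - 1, 0)


def respond(endpoint: str, decision: Decision) -> tuple[int, dict[str, str]]:
    """Uniform 429 for every limited surface; Retry-After only where the page says it is sent."""
    if decision.allowed:
        return 200, {}
    headers = {"Content-Type": "application/json"}
    if endpoint in RETRY_AFTER_SURFACES:
        headers["Retry-After"] = str(decision.retry_after)
    return 429, headers


if __name__ == "__main__":
    limiter = MemoryRateLimiter()
    for i in range(7):   # constructed burst from one client against the login endpoint
        d = limiter.check("POST /api/auth/login", "203.0.113.5", 1000.0 + i)
        print(i + 1, respond("POST /api/auth/login", d))
```

The limiter sits in front of authentication deliberately: a refused login attempt never reaches the password check, so the cost of a credential-stuffing burst is a counter increment, not a hash comparison. Returning the same status and body shape everywhere keeps clients from having to special-case each surface, while Retry-After on the interactive surfaces tells a legitimate client exactly when to come back.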
Ready to replace your scattered tools?
Start free and explore every feature. No credit card required.
No credit card required. Free plan available forever.