Vulnerability management software that tracks every finding
Vulnerability management tool with auto-calculated CVSS 3.1 scores, Nessus and Burp Suite imports, 300+ pre-built templates, and real-time remediation tracking. Log, prioritise, and close vulnerabilities from one platform.
No credit card required. Free plan available forever.
Centralise every vulnerability in a single finding register
Vulnerability management is at the heart of every security engagement. Whether your team uncovers issues through manual security assessments, automated scanning, or compliance audits, each finding needs to be documented with enough detail for clients to understand the risk, prioritise remediation, and verify the fix. SecPortal's findings management module provides a structured, searchable register that captures the full lifecycle of every vulnerability from discovery to closure.
Instead of copying findings between Word documents, spreadsheets, and ticketing systems, security teams log everything directly in SecPortal. Each finding records the title, description, severity, CVSS vector, affected assets, evidence, remediation guidance, and current status. The result is a consistent, professional output that saves hours of formatting and reduces the risk of errors in client deliverables.
Five-tier severity classification
- Critical: Immediate exploitation risk requiring urgent remediation
- High: Significant security impact with clear attack vectors
- Medium: Moderate risk requiring planned remediation efforts
- Low: Minor issues or hardening recommendations
- Info: Informational observations and best-practice notes
Import findings from your favourite scanners
Manual data entry is a bottleneck that slows delivery and introduces mistakes. SecPortal supports direct import from industry-standard vulnerability scanners so you can populate your finding register in seconds, not hours. Imported findings are automatically mapped to the correct severity level and linked to the active engagement.
- Nessus (.nessus) scanner import with automatic severity mapping
- Burp Suite (.xml) import preserving request/response evidence
- CSV import with custom column mapping for any scanner output
- Automatic deduplication across multiple scan imports
Built for security teams, not generic project managers
Every feature in the findings module has been designed around the workflows that security teams actually use. From CVSS 3.1 vector string parsing to pre-built templates drawn from real-world assessments, SecPortal eliminates the boilerplate so your team can focus on analysis and client impact.
- CVSS 3.1 auto-calculation from vector string input
- 300+ pre-built finding templates covering OWASP Top 10, network, cloud, and more
- Remediation tracking with client-facing status updates in real time
- Map findings to compliance controls for ISO 27001, SOC 2, and Cyber Essentials
- Rich-text descriptions with evidence attachments and screenshots
- Bulk actions for tagging, severity updates, and status changes
- Full audit trail on every finding for compliance evidence
For the per-cohort detail of the 300+ pre-built templates referenced above (the pentest cohort, the Cyber Essentials and Cyber Essentials Plus cohort, the ISO 27001 Annex A cohort, the SOC 2 Trust Services Criteria cohort, and the incident response cohort), including the eleven-field schema, the engagement-type-aware picker, the calibrated CVSS vectors on the pentest set, and the controlRef-anchored compliance sets, see the finding template library.
For the parser-by-parser detail of how Nessus, Burp Suite, and CSV exports land on an engagement, including operating limits, RBAC gating, and the audit fields preserved on every imported finding, see bulk finding import.
For the verify and reopen half of the lifecycle (the FindingStatus transitions, separate resolved_at and verified_at timestamps, RBAC-gated transitions, and the retest evidence chain), see retesting workflows.
For the agentic creation path (creating findings, updating findings, scaffolding engagements, and assigning owners through natural language with the same RBAC and audit trail the manual API uses), see the workspace AI assistant.
For the per-finding conversation surface that captures the triage rationale, the translation context, the exception decisions, and the retest agreements on the same record the lifecycle runs against (workspace and client portal share one thread per finding, attributed to an immutable author email, written to the activity log), see finding comments and collaboration.
For the design rationale behind the seven field classes the record carries (identity, description, severity, classification, status, accountability, provenance), the three identifier strategies (per-capture, per-instance, per-issue), the structured state enumeration, the override schema, and the activity-log discipline that supports SOC 2, ISO 27001, PCI DSS, NIST SP 800-53, NIST CSF 2.0, CIS Controls, and DORA citations, see the vulnerability programme data model research.
For the cross-engagement cohort discipline that runs on the workspace findings dashboard (status group plus severity plus category plus title and engagement-title multi-filter on every finding in the workspace, fifty-row pagination, CSV and PDF export up to two thousand rows per request, joined client and engagement metadata on every row), see cross-engagement finding search and cohort assembly. The cohort discipline is how the workspace answers cross-cutting questions (open-critical across every active client, this control-family cohort for the upcoming audit, this release footprint across pre-release pentests and code scans) on the same live record per-finding work runs against.
Stop losing findings in spreadsheets
Centralise every vulnerability in one searchable, trackable database.