For identity security teams
who run the identity surface as a structured record

An identity security workspace built around the identity workstream record

Identity security teams own the workflow that sits between the identity policy, the conditional access policy, the privileged access matrix, the non-human identity inventory, the federation trust register, the OAuth grant register, the MFA rollout cycle, the dormant account remediation queue, the joiner-mover-leaver cycle, the identity tabletop record, and the audit evidence pack into ISO 27001, NIST SP 800-53, NIST CSF 2.0, PCI DSS, SOC 2, HIPAA, and GDPR. The work usually carries across an identity provider console, a privileged access platform dashboard, an identity governance tool, a federation trust spreadsheet, a service-account inventory tab on the IAM team wiki, a credential vault audit log, a Confluence page of MFA exceptions, and a steering committee deck that gets rebuilt from scratch every cycle. The cost is not the licensing. It is the reconciliation hours each cycle and the residual identity drift between cycles.

SecPortal gives identity security teams one workspace for engagement records per identity workstream, findings management with CVSS 3.1 scoring and owner-of-record across every source, code scanning via Semgrep against connected GitHub, GitLab, and Bitbucket repositories under OAuth for hard-coded credential, OAuth misconfiguration, JWT validation, and insecure session handling findings, authenticated DAST with AES-256-GCM encrypted credential storage against identity-aware applications, external scanning across the verified perimeter that surfaces leaked credentials and forgotten sign-in endpoints, compliance tracking that covers ISO 27001 Annex A, NIST SP 800-53 IA and AC, NIST CSF 2.0 PR.AA, PCI DSS Requirements 7 and 8, SOC 2 CC6, HIPAA, GDPR, and the other 21 supported frameworks in parallel, AI-assisted programme reporting, role-based access control with enforced multi-factor authentication, document management for identity policies and privileged access matrices, and an append-only activity log that ties the trail together.

SecPortal is not a dedicated Identity Threat Detection and Response platform. It does not connect to identity providers (Microsoft Entra ID, Okta, Ping, JumpCloud, Auth0, on-prem Active Directory), it does not ingest directory service or identity provider telemetry, it does not ship with identity detection content (kerberoasting, golden ticket, OAuth token theft, MFA bombing, federation trust abuse), it does not vault privileged credentials, it does not enforce conditional access, and it does not federate session revocation. Teams running a dedicated ITDR, identity governance and administration, privileged access management, or cloud infrastructure entitlement platform import the resulting findings into the engagement record for the identity workstream so the identity-side findings live alongside the wider security backlog and read against the same compliance evidence pack. Teams that operate without a dedicated ITDR still benefit from the consolidated record for identity-adjacent findings that surface from authenticated DAST, external scanning, code scanning, manual review, and pentest reports.

Capabilities identity security teams use cycle to cycle

How identity security teams run the discipline inside SecPortal

An identity security programme that holds up under audit fieldwork, board questioning, cyber insurance underwriting, customer security questionnaires, and incident post-mortem operates on a small set of disciplines. The identity policy, the conditional access policy, the privileged access matrix, the non-human identity inventory, the federation trust register, the OAuth grant register, the dormant account queue, and the audit-evidence trail inherit each one rather than carving out a parallel operating model per artefact.

From identity policy to audit committee readout, on one engagement record

The identity security programme loop is open the identity workstream engagement, run the identity-adjacent scanner coverage, land the findings, map the controls, record the exceptions, route the cross-team work, regenerate the leadership view, and read the recurring cadence. SecPortal runs a single workflow that the identity engineering team, the identity governance lead, the privileged access administrator, the SOC, the audit committee, and the steering committee can all work against without re-keying state into another tool.

1. 1Open an engagement per identity security workstream. Capture the workstream owner, the scope (identity provider, directory service, privileged access platform, federation trust, non-human identity domain, OAuth grant set), the applicable framework set (ISO 27001 A.5.15-A.5.18 and A.8.5, NIST SP 800-53 IA, NIST CSF 2.0 PR.AA, PCI DSS 7 and 8, SOC 2 CC6, HIPAA, GDPR), the in-scope repositories, the in-scope authenticated DAST targets, and the named audit observers on the engagement record. Attach the identity policy, the conditional access policy, the privileged access matrix, the non-human identity inventory, and the federation trust register as documents.
2. 2Run identity-adjacent scanner coverage off the engagement record. Authenticated DAST runs against pages behind the login screen with encrypted credentials, surfacing broken authentication, broken access control, weak session handling, OAuth misconfiguration, and JWT validation issues. External scanning runs across the verified perimeter for the application, covering leaked credentials, subdomain enumeration, certificate transparency, TLS configuration on sign-in endpoints, and security headers on login pages. Code scanning runs Semgrep-based SAST and dependency analysis against connected GitHub, GitLab, or Bitbucket repositories, with hard-coded credential, OAuth misconfiguration, JWT validation, and insecure session handling rule findings landing on the engagement record.
3. 3Land every identity-side finding on the engagement record for the identity workstream with auto-calculated CVSS 3.1 vector, severity, evidence, named owner, and remediation status. Dedicated ITDR, identity governance, and PAM platform exports import in bulk through CSV with custom column mapping. DLP and identity-side detection alert escalations log manually. Identity tabletop outcomes, privileged access review outcomes, and third-party pentest findings consolidate on the same queue. Findings deduplication, prioritisation, and the owner-of-record routing read from one record.
4. 4Map findings, scanner output, and engagement records against ISO 27001 Annex A access control families, NIST SP 800-53 IA and AC control families, NIST CSF 2.0 PR.AA, PCI DSS Requirements 7 and 8, SOC 2 CC6 Trust Services Criteria, HIPAA Security Rule access management safeguards, GDPR Article 32, and the other supported frameworks through compliance tracking. The audit-time evidence packs read from the same engagement records the identity team operates on rather than from a parallel control matrix maintained by hand.
5. 5Capture risk acceptances, exceptions, and compensating control decisions on long-lived service accounts, federation trust exceptions, OAuth grant exceptions, dormant account exceptions, and conditional access exemption decisions on the same record as the findings they cover. The exception register reads as a queue of dated decisions with named owners and explicit expiry, so the identity steering committee reads exceptions that are actually due rather than re-debating the same items.
6. 6Route the work through role-based access control and multi-factor authentication. Identity engineering sees the engagements for the workstreams they operate, the identity governance lead reads the policy-relevant engagements, the privileged access administrator reads the privileged access matrix and the service-account rotation cadence, the SOC observer reads the identity tabletop and ITDR rollout cycle, audit observers read the programme posture across the identity estate without seeing the full operational backlog, and the steering committee reads the leadership view that regenerates on demand.
7. 7Regenerate the identity leadership view through AI-assisted reporting. Executive summaries, per-workstream status writeups, MFA rollout narratives, conditional access tightening readouts, privileged access review summaries, non-human identity inventory readouts, federation trust review summaries, ITDR detection content rollout summaries, and identity compliance summaries draft from the live engagement data on demand. The identity team edits drafts rather than writes the deck from a blank page each cycle.
8. 8Read the recurring programme cadence from the append-only activity log. Every finding update, scan run, document upload, retest run, exception decision, comment, credential rotation, and team change is recorded with the actor, the timestamp, and the action. CSV export keeps the programme trail reproducible at regulator review time.

Where the identity security view connects to the rest of the workspace

Most identity security functions adopt SecPortal in three phases: bring every identity workstream onto an engagement record so the identity policy, the privileged access matrix, the non-human identity inventory, and the findings live on one record; layer in code scanning, authenticated DAST, and external scanning so identity-adjacent coverage runs off the live record rather than a quarterly reconciliation spreadsheet; and route the audit, steering committee, and underwriter cadence through compliance tracking, role-based access control, multi-factor authentication, and AI-assisted reporting so the identity governance lead, the privileged access administrator, the SOC, and the audit committee all read from the same source the identity team runs on. The relevant capability, workflow, framework, and blog pages explain each phase in detail.

• The engagement record model that anchors every identity workstream is covered on the engagement management feature page, the per-workstream findings repository on the findings management feature page, and the identity policy, privileged access matrix, and federation trust register attachment surface on the document management feature page.
• The Semgrep-based SAST and dependency analysis layer against connected repositories on the code scanning feature page, the authenticated DAST layer against pages behind the login screen on the authenticated scanning feature page, and the AES-256-GCM encrypted credential vault that authenticated DAST reads from on the encrypted credential storage feature page.
• The external attack surface scanning layer that surfaces leaked credentials, forgotten sign-in endpoints, and TLS configuration issues on the external scanning feature page, the multi-framework control mapping a single engagement record rides on the compliance tracking feature page, and the enforced multi-factor authentication on every workspace account on the multi-factor authentication feature page.
• The Identity Threat Detection and Response category explainer on the ITDR explainer, the non-human identity security guide on the non-human identity security guide, and the Zero Trust architecture implementation guide on the Zero Trust architecture implementation guide.
• The ISO 27001 framework anchor with Annex A access control coverage on the ISO 27001 framework page, the NIST SP 800-53 control families that cover the IA and AC families on the NIST 800-53 framework page, and the NIST CSF 2.0 functions that cover the PR.AA identity, authentication, and authorisation category on the NIST CSF 2.0 framework page.
• The PCI DSS framework anchor for Requirements 7 and 8 on the PCI DSS framework page, the SOC 2 framework anchor for CC6 Trust Services Criteria on the SOC 2 framework page, and the HIPAA Security Rule framework anchor for the access management safeguards on the HIPAA framework page.
• The broken authentication vulnerability explainer on the broken authentication vulnerability page, the authentication bypass vulnerability explainer on the authentication bypass vulnerability page, and the broken access control vulnerability explainer on the broken access control vulnerability page.
• The hard-coded secrets vulnerability explainer on the hard-coded secrets vulnerability page, the default credentials vulnerability explainer on the default credentials vulnerability page, and the JWT vulnerabilities explainer on the JWT vulnerabilities page.
• The OAuth misconfiguration vulnerability explainer on the OAuth misconfiguration vulnerability page, the session fixation vulnerability explainer on the session fixation vulnerability page, and the weak password policy vulnerability explainer on the weak password policy vulnerability page.
• The secret scanning remediation workflow on the secret scanning remediation workflow use case, the credential handover workflow for engagements on the credential handover workflow use case, and the vulnerability acceptance and exception management workflow for residual identity exposure on the vulnerability acceptance and exception management use case.

Where the identity security team role sits next to adjacent personas

Identity security teams run the identity-side discipline that sits between the executive sponsor (the CISO), the cross-team programme coordinator (the security program manager), the cloud-side operator function (the cloud security team), the data-side operator function (the data security team), the GRC and compliance evidence owner, the SOC that consumes identity detection content, the AppSec discipline that owns identity-aware application authentication, and the internal security function that runs the consolidated programme. The identity security team owns the identity operational layer rather than any one of those adjacent shapes.

If your function is the SOC analyst function that consumes identity detection content and operates the identity-side incident response, the SecPortal for SOC analysts page covers the detection-consumer side of the discipline that pairs to the identity engineering shape.

If your function is the AppSec discipline that owns identity-aware application authentication and authorisation testing, the SecPortal for AppSec teams page covers the application security shape that reads identity-aware findings off the same record the identity team operates on.

If your function is the GRC and compliance evidence owner that assembles audit packs from identity controls into ISO 27001 Annex A, NIST 800-53 IA, NIST CSF 2.0 PR.AA, PCI DSS 7 and 8, SOC 2 CC6, and HIPAA, the SecPortal for GRC and compliance teams page covers the evidence-side discipline that reads from the same record the identity team operates on.

If your function is the cross-source vulnerability management backlog owner that consolidates the identity-adjacent findings into the wider security backlog, the SecPortal for vulnerability management teams page covers the unified queue discipline that the identity-adjacent findings land on.

If your function is the data-side operator that runs the data-protection discipline across DSPM, CSPM, and DLP outputs adjacent to the identity surface, the SecPortal for data security teams page covers the data-side operating model that pairs to the identity discipline on sensitive-data access governance.

If your function is the internal security team that runs the consolidated security programme across identity, AppSec, vulnerability management, and incident response, the SecPortal for internal security teams page covers the consolidated workspace view the identity programme rolls into.

If your function is programme-level executive sponsorship and board-level reporting rather than the identity discipline specifically, the SecPortal for CISOs and security leaders page covers the leadership-tier reporting workflow the identity posture rolls up into.

SecPortal is built for identity security teams who want one workspace for the baseline-cover-track-map-evidence-report loop on the identity surface: engagement records per identity workstream, code scanning across connected repositories for hard-coded credentials and OAuth or JWT misconfiguration findings, authenticated DAST against identity-aware applications, external scanning that surfaces leaked credentials and forgotten sign-in endpoints, findings management with owner-of-record across every source, multi-framework compliance tracking that covers ISO 27001 Annex A access controls, NIST SP 800-53 IA and AC families, NIST CSF 2.0 PR.AA, PCI DSS 7 and 8, SOC 2 CC6, HIPAA Security Rule, and GDPR Article 32 in parallel, AI-assisted programme reporting, role-based access control with enforced multi-factor authentication, document management for identity policies and privileged access matrices, encrypted credential storage for the scanner-side credential lifecycle, and an append-only activity log on top. The identity governance lead reads the policy-relevant engagements, the privileged access administrator reads the privileged access matrix and rotation cadence, the SOC observer reads the identity tabletop and ITDR rollout, the audit committee reads the programme posture, and the identity team gets back the hours that used to disappear into reconciliation between privileged access dashboards, identity provider reports, federation trust spreadsheets, and steering committee decks.