For network security teams
who run the network surface as a structured record

A network security workspace built around the network workstream record

Network security teams own the operational layer that sits between the network architecture diagram, the firewall ruleset, the segmentation matrix, the network access control (NAC) enforcement domain, the ZTNA broker policy set, the VPN tenant, the Network Detection and Response (NDR) sensor coverage, the IDS/IPS signature set, the east-west traffic baseline, the third-party connectivity register, the perimeter exposure record, the network device firmware lifecycle, and the audit evidence pack into ISO 27001 Annex A network security controls, NIST SP 800-53 SC and AC families, NIST CSF 2.0 PR.IR boundary protection, PCI DSS Requirements 1 and 2, SOC 2 CC6, NIS2 Article 21 cyber risk-management measures, CIS Controls v8.1 Controls 12 and 13, HIPAA Security Rule transmission security safeguards, and GDPR Article 32. The work usually carries across a firewall console, a NAC dashboard, a ZTNA broker tenant, an NDR alert queue, an IDS signature management tool, a configuration-management spreadsheet, a ticketing queue, a vendor SOC handoff record, and a steering committee deck that gets rebuilt from scratch every cycle. The cost is not the licensing. It is the reconciliation hours each cycle and the residual network drift between cycles.

SecPortal gives network security teams one workspace for engagement records per network workstream, findings management with CVSS 3.1 scoring and owner-of-record across every source, external scanning across 16 modules that surfaces exposed ports, weak TLS configuration, missing security headers on perimeter applications, DNS misconfiguration, certificate transparency mining for shadow gateways, subdomain enumeration for forgotten management interfaces, and tech-stack fingerprinting of network appliances, authenticated DAST with AES-256-GCM encrypted credential storage against management consoles, VPN portals, ZTNA broker tenants, NDR/IDS dashboards, and NAC controllers, bulk finding import for NDR triage outcomes, IDS results, firewall audit findings, network configuration review results, NAC enforcement gap reports, and third-party connectivity review outcomes, compliance tracking that covers ISO 27001 Annex A network security, NIST SP 800-53 SC and AC, NIST CSF 2.0 PR.IR, PCI DSS 1 and 2, SOC 2 CC6, NIS2 Article 21, CIS Controls 12 and 13, HIPAA, and GDPR in parallel, AI-assisted programme reporting, role-based access control with enforced multi-factor authentication, document management for the network architecture diagram, the firewall change register, the segmentation matrix, and the connectivity register, and an append-only activity log that ties the trail together.

SecPortal is not a firewall management platform, not a NAC controller, not a ZTNA broker, not an NDR sensor, not an IDS/IPS engine, not a SASE or SSE bundle, and not a network configuration management database. It does not push policy to firewalls, does not orchestrate ZTNA broker policy, does not ingest NDR or IDS telemetry in real time, does not deploy network sensors, does not federate VPN configuration, does not run active network scanning that requires inline placement, and does not connect natively to Jira, ServiceNow, Slack, SIEM, or SOAR. Teams running a firewall management platform, a NAC controller, a ZTNA broker, an NDR sensor estate, an IDS engine, or a SASE bundle import the resulting findings into the engagement record for the network workstream so the network-side findings live alongside the wider security backlog and read against the same compliance evidence pack. Teams that operate without one of those tools still benefit from the consolidated record for network-adjacent findings that surface from external scanning, authenticated DAST, NDR triage outcomes, firewall rule audit results, and pentest reports.

Capabilities network security teams use cycle to cycle

How network security teams run the discipline inside SecPortal

A network security programme that holds up under audit fieldwork, NIS2 supervisor review, PCI DSS assessment, cyber insurance underwriting, customer security questionnaires, and incident post-mortem operates on a small set of disciplines. The firewall ruleset, the segmentation matrix, the connectivity register, the ZTNA broker policy snapshot, the NAC enforcement record, the NDR detection content register, and the audit-evidence trail inherit each one rather than carving out a parallel operating model per artefact.

From firewall change to audit committee readout, on one engagement record

The network security programme loop is open the network workstream engagement, run the network-side scanner coverage, land the findings, map the controls, record the exceptions, route the cross-team work, regenerate the leadership view, and read the recurring cadence. SecPortal runs a single workflow that the network engineering team, the network operations lead, the firewall administrator, the NDR/IDS analyst, the audit committee, and the steering committee can all work against without re-keying state into another tool.

1. 1Open an engagement per network workstream. Capture the workstream owner, the scope (firewall ruleset, segmentation zone, NAC enforcement domain, ZTNA application set, VPN tenant, NDR sensor coverage area, IDS signature set, east-west traffic boundary, perimeter domain, third-party connection, device firmware cohort), the applicable framework set (ISO 27001 A.8.20-A.8.23, NIST SP 800-53 SC and AC, NIST CSF 2.0 PR.IR, PCI DSS 1 and 2, SOC 2 CC6, NIS2 Article 21, CIS Controls 12 and 13), the in-scope verified domains, the in-scope authenticated DAST targets, and the named audit observers on the engagement record. Attach the network architecture diagram, the firewall change register, the segmentation matrix, the connectivity register, and the device inventory snapshot as documents.
2. 2Run network-side scanner coverage off the engagement record. External scanning runs across the verified perimeter for the network workstream, covering exposed ports against a defensible baseline, TLS configuration on every reachable endpoint, security headers on perimeter applications, DNS misconfiguration, certificate transparency mining for shadow gateways, subdomain enumeration that surfaces forgotten management interfaces, and tech-stack fingerprinting of network appliances. Authenticated DAST runs against management consoles, VPN portals, ZTNA broker tenants, NDR/IDS dashboards, and NAC controllers with credentials encrypted at rest with AES-256-GCM. Continuous monitoring runs daily, weekly, biweekly, or monthly so the perimeter view stays current between formal cycles.
3. 3Land every network-side finding on the engagement record for the network workstream with auto-calculated CVSS 3.1 vector, severity, evidence, named owner, and remediation status. NDR alerts the team triaged into actionable findings, IDS triage outcomes, firewall rule audit results, network configuration review results from CIS benchmark tooling, NAC enforcement gap reports, third-party connectivity review outcomes, and external pentest report findings import in bulk through CSV with custom column mapping. Findings deduplication, prioritisation, and owner-of-record routing read from one record.
4. 4Map findings, scanner output, and engagement records against ISO 27001 Annex A network security families, NIST SP 800-53 SC and AC control families, NIST CSF 2.0 PR.IR boundary protection and PR.AA access control, PCI DSS Requirements 1 and 2, SOC 2 CC6 Trust Services Criteria, NIS2 Article 21 cyber risk-management measures, CIS Controls v8.1 Controls 12 and 13, HIPAA Security Rule transmission security safeguards, GDPR Article 32, and the other supported frameworks through compliance tracking. The audit-time evidence packs read from the same engagement records the network team operates on rather than from a parallel control matrix maintained by hand.
5. 5Capture risk acceptances, exceptions, and compensating control decisions on residual network-side exposures on the same record as the findings they cover. Legacy firewall rule exceptions, third-party connectivity exceptions, VPN exceptions waiting on ZTNA absorption, network device firmware exceptions, and legacy partner TLS exceptions read as a queue of dated decisions with named approvers and explicit expiry, so the network steering committee reads exceptions that are actually due rather than re-debating the same items.
6. 6Route the work through role-based access control and multi-factor authentication. Network engineering sees the engagements for the workstreams they operate, the network operations lead reads the segmentation matrix and the connectivity register, the firewall administrator reads the firewall ruleset and the change register, the NDR/IDS analyst reads the detection content rollout and the signature review, audit observers read the programme posture across the network estate without seeing the full operational backlog, and the steering committee reads the leadership view that regenerates on demand.
7. 7Regenerate the network leadership view through AI-assisted reporting. Executive summaries, per-workstream status writeups, firewall rule audit narratives, segmentation refresh readouts, ZTNA rollout narratives, NDR detection content rollout summaries, perimeter exposure summaries, and network compliance summaries draft from the live engagement data on demand. The network team edits drafts rather than writes the deck from a blank page each cycle.
8. 8Read the recurring programme cadence from the append-only activity log. Every finding update, scan run, document upload, retest run, exception decision, comment, credential rotation, and team change is recorded with the actor, the timestamp, and the action. CSV export keeps the programme trail reproducible at audit fieldwork, regulator submission, or cyber insurance underwriting time.

Where the network security view connects to the rest of the workspace

Most network security functions adopt SecPortal in three phases: bring every network workstream onto an engagement record so the firewall ruleset, the segmentation matrix, the connectivity register, the ZTNA policy snapshot, and the live findings live on one record; layer in external scanning, authenticated DAST against management surfaces, and bulk finding import for NDR/IDS/firewall-audit outputs so network coverage runs off the live record rather than from a quarterly perimeter review; and route the audit, steering committee, regulator, and underwriter cadence through compliance tracking, role-based access control, multi-factor authentication, and AI-assisted reporting so the operations lead, the firewall administrator, the NDR analyst, and the audit committee all read from the same source the network team runs on. The relevant capability, workflow, framework, and blog pages explain each phase in detail.

• The engagement record model that anchors every network workstream is covered on the engagement management feature page, the per-workstream findings repository on the findings management feature page, and the network architecture diagram, firewall change register, segmentation matrix, and connectivity register attachment surface on the document management feature page.
• The external scanning layer that surfaces exposed ports, weak TLS, DNS misconfiguration, security header gaps, certificate transparency findings, subdomain enumeration, and tech-stack fingerprinting on the external scanning feature page, the authenticated DAST layer against management consoles, VPN portals, and ZTNA broker tenants on the authenticated scanning feature page, and the AES-256-GCM encrypted credential vault that authenticated DAST reads from on the encrypted credential storage feature page.
• The bulk finding import layer that consolidates NDR triage outcomes, IDS results, firewall audit findings, network configuration review results, NAC enforcement gap reports, and third-party pentest findings on the bulk finding import feature page, the eight-field exception decision chain for residual network exposure decisions on the finding overrides feature page, and the multi-framework control mapping a single engagement record rides on the compliance tracking feature page.
• The Zero Trust Network Access category explainer on the ZTNA explainer, the Network Detection and Response explainer on the NDR explainer, and the Zero Trust Architecture implementation guide on the Zero Trust architecture implementation guide.
• The network penetration testing checklist on the network penetration testing checklist, the External Attack Surface Management explainer on the EASM explainer, and the Cyber Asset Attack Surface Management explainer on the CAASM explainer.
• The ISO 27001 framework anchor with Annex A network security coverage on the ISO 27001 framework page, the NIST SP 800-53 framework anchor with SC and AC control family coverage on the NIST 800-53 framework page, and the NIST CSF 2.0 framework anchor with PR.IR and PR.AA function coverage on the NIST CSF 2.0 framework page.
• The PCI DSS framework anchor for Requirements 1 and 2 on the PCI DSS framework page, the SOC 2 framework anchor for CC6 Trust Services Criteria on the SOC 2 framework page, and the NIS2 framework anchor for Article 21 cyber risk-management measures on the NIS2 framework page.
• The CIS Controls v8.1 framework anchor for Controls 12 and 13 on network infrastructure and monitoring on the CIS Controls framework page, the CISA Zero Trust Maturity Model framework anchor on the CISA Zero Trust Maturity Model framework page, and the NIST SP 800-207 Zero Trust Architecture standard on the NIST SP 800-207 framework page.
• The exposed ports and weak TLS surface that external scanning reports against on the TLS and SSL misconfiguration vulnerability page, the DNS misconfiguration surface on the DNS misconfiguration vulnerability page, and the subdomain takeover risk surface on the subdomain takeover vulnerability page.
• The exposed RDP boundary surface on the exposed RDP vulnerability page, the exposed SMB boundary surface on the exposed SMB vulnerability page, and the SSH configuration baseline surface on the SSH misconfiguration vulnerability page.
• The external security assessment workflow that the network perimeter review reads off on the external security assessment use case, the scanner result triage discipline that network-side scanner output flows through on the scanner result triage use case, and the vulnerability prioritisation discipline that ranks the consolidated network backlog on the vulnerability prioritisation use case.
• The vulnerability acceptance and exception management workflow for residual network exposure on the vulnerability acceptance and exception management use case, the TLS certificate expiry and lifecycle tracking workflow on the TLS certificate lifecycle tracking use case, and the continuous threat exposure management cycle workflow on the CTEM cycle use case.

Where the network security team role sits next to adjacent personas

Network security teams run the network-side discipline that sits between the executive sponsor (the CISO), the architecture function (the security architect), the identity-side operator (the identity security team), the cloud-side operator (the cloud security team), the detection-side operator (the detection engineering team), the alert-triage operator (the SOC analyst), the GRC and compliance evidence owner, and the internal security function that runs the consolidated programme. The network security team owns the network operational layer rather than any one of those adjacent shapes.

If your function is the architecture review function that decides the network design pattern, the segmentation model, and the ZTNA target state before the network team operates the rollout, the SecPortal for security architects page covers the design-side discipline that pairs to the network operating shape.

If your function is the identity discipline that owns conditional access, federation trust, privileged access, and the identity-aware part of the ZTNA policy decision, the SecPortal for identity security teams page covers the identity-side discipline that pairs to the network access broker decision.

If your function is the cloud-side operator that runs cloud network configuration, VPC peering, security group baselines, and cloud-native firewall posture rather than the on-prem and hybrid network surface, the SecPortal for cloud security teams page covers the cloud-side network operating model that pairs to the on-prem and hybrid network operating model the network security team owns.

If your function is the detection-side operator that builds and tunes the NDR, IDS, and SIEM detection content the network team produces network-side telemetry into, the SecPortal for detection engineering teams page covers the detection content discipline that consumes network-side observability.

If your function is the alert-triage operator that handles network-side alerts off the NDR, IDS, and SIEM detection content, the SecPortal for SOC analysts page covers the triage-side discipline that consumes network alerts the network team produces.

If your function is the cross-source vulnerability management backlog owner that consolidates network-adjacent findings into the wider security backlog, the SecPortal for vulnerability management teams page covers the unified queue discipline the network-adjacent findings land on.

If your function is the GRC and compliance evidence owner that assembles audit packs from network controls into ISO 27001 Annex A, NIST 800-53 SC and AC, NIST CSF 2.0 PR.IR, PCI DSS 1 and 2, SOC 2 CC6, NIS2 Article 21, and CIS Controls 12 and 13, the SecPortal for GRC and compliance teams page covers the evidence-side discipline that reads from the same record the network team operates on.

If your function is programme-level executive sponsorship and board-level reporting rather than the network discipline specifically, the SecPortal for CISOs and security leaders page covers the leadership-tier reporting workflow the network posture rolls up into.

SecPortal is built for network security teams who want one workspace for the baseline-cover-track-map-evidence-report loop on the network surface: engagement records per network workstream, external scanning across 16 modules for perimeter exposure, authenticated DAST against management consoles and ZTNA broker tenants, bulk finding import for NDR, IDS, firewall audit, and pentest report exports, findings management with owner-of-record across every source, the eight-field exception decision chain for residual network exposure, multi-framework compliance tracking that covers ISO 27001 Annex A network security, NIST SP 800-53 SC and AC, NIST CSF 2.0 PR.IR, PCI DSS 1 and 2, SOC 2 CC6, NIS2 Article 21, CIS Controls 12 and 13, HIPAA, and GDPR in parallel, AI-assisted programme reporting, role-based access control with enforced multi-factor authentication, document management for the firewall change register, the segmentation matrix, and the connectivity register, encrypted credential storage for the scanner-side credential lifecycle, and an append-only activity log on top. The network operations lead reads the segmentation matrix and the connectivity register, the firewall administrator reads the firewall ruleset and the change register, the NDR/IDS analyst reads the detection content rollout, the audit committee reads the programme posture, and the network team gets back the hours that used to disappear into reconciliation between four consoles and a steering committee deck.