For security data analysts
who own the dataset behind the metric, the dashboard, and the audit answer

A typed dataset, a structured diff, and an activity trail an analyst can actually query

Security data analysts inside vulnerability management, AppSec, SecOps, and GRC functions own the dataset, the schema, the cohort logic, the longitudinal read, and the export discipline that produce the metrics the CISO reports, the dashboards the steering committee reads, the audit-evidence packs the surveillance auditor pulls, and the trend lines the operating committee debates. The work runs against findings consolidation, CVSS distribution, SLA aging cohorts, scan-over-scan deltas, exception register cohorts, and per-source archetype slices, and the analyst typically reconstructs each cohort from a scanner CSV, a ticketing export, a spreadsheet, a shared drive, and a meeting minute. Every cycle the same reconciliation happens, the same data-quality gap persists, and the same leadership number disagrees with the same operator number.

SecPortal gives security data analysts one workspace for a typed findings record with CVSS 3.1 vector and severity band and status state, an append-only activity log with actor and timestamp on every state change, a structured scan diff endpoint that returns new, fixed, and unchanged findings between any two executions, structured exception records with linked finding and expiry, retest records paired to the original finding, cross-source consolidation with merge identity, cross-framework compliance mapping, AI assisted reporting against the live dataset, role-based access control, and plan-driven CSV export of findings, activity, and exception records. The analyst queries one record per question rather than reconciling five exports per metric, the leadership number reconciles with the operator number, and the longitudinal read survives staff rotation because the schema carries the discipline.

Dataset capabilities security data analysts use day to day

Analytical disciplines that hold up between cycles

A cohort definition that survives the next cycle operates on a small set of habits. SecPortal makes each one a record-level query rather than an analyst tribal-knowledge convention.

From cohort question to per-audience pack on one engagement record

The analyst loop runs as pull, calibrate, validate, deliver, and audit. SecPortal runs that loop against the typed record so the cohort answer, the deck the leadership reads, and the CSV pack the auditor pulls all share one source.

1. 1Open an engagement per analytical workstream (the cycle metric pack, the audit-committee longitudinal read, the steering committee cohort review, the insurance renewal data request, the parent-company GRC roll-up, the regulator data response, the data-quality completeness sweep). Attach the cohort definitions, the query templates, the metric calibration notes, the per-audience export specification, and the analytical glossary as documents on the engagement record. The analytical programme reads from one workspace rather than from a folder of personal notebooks.
2. 2Pull the cohort from the typed findings record. Severity band, status state, owner-of-record, engagement type, source archetype, asset reference, CVSS vector, framework mapping, and override link are all structured fields on the record. The cohort query returns the row count, the per-band counts, the per-source counts, the per-engagement counts, and the per-framework counts in one shape rather than five reconciled exports.
3. 3Read the scan-over-scan delta from the diff endpoint rather than from a hand-built export. The diff returns new findings, fixed findings, unchanged findings, the module coverage delta, and the override-annotated change set between any two scan executions on the same target. The week-over-week new finding count, the fixed finding count, and the module coverage drift all read from one query.
4. 4Read the longitudinal cycle-over-cycle shape from the activity log. Every state change, every retest run, every exception decision, every evidence upload, and every override change carries the actor, the entity, the timestamp, and the action. The audit-committee timeline, the SLA aging cohort, the exception expiry queue, and the data-quality completeness sweep read from the same timestamped record.
5. 5Run the data-quality completeness pass as part of the cohort query. Findings missing the CVSS vector, findings missing the CWE, findings missing the named owner, findings missing the asset reference, findings missing the framework mapping, findings stuck in in_progress without an evidence attachment, and findings without a retest after the engineering claim of fix all surface as structured queries with explicit completeness flags rather than as silent exclusions.
6. 6Generate the per-audience CSV pack from the stable record schema. The auditor pack, the cyber insurance carrier pack, the parent-company GRC pack, the sector regulator pack, the steering committee data pack, and the operating committee data pack all derive from the findings table, the activity table, the exception register, and the engagement record. The per-audience pack is a column projection rather than a fresh transformation pipeline.
7. 7Hand the analytical narrative to AI-assisted reporting on the same engagement record the cohort query reads from. Executive summaries, programme-status writeups, remediation roadmaps, and compliance summaries draft from the live data, so the leadership deck and the operator queue read the same numbers and the analyst spends the cycle on calibration rather than copy-paste.
8. 8Route analytical access through role-based access control and multi-factor authentication. Security data analysts can be scoped to the engagements they need, the audit observers read the leadership view without seeing the full operational backlog, and the steering committee participants read the regenerated deck rather than the raw record. The access model is enforced on the workspace rather than asserted in a kickoff slide.

Where the analyst view connects to the rest of the workspace

Most security data analyst teams adopt SecPortal in three phases: bring scanner output, pentest findings, and manual entries onto one typed record so the cohort query is a record query rather than a regex pass over filenames; layer in the activity-log and the scan diff endpoint so the longitudinal read survives staff rotation and tool migration; then operationalise the exception register and the data-quality completeness sweep so the audit-committee timeline reads from the same record the live operations runs on. The relevant feature, workflow, and research pages explain each phase in detail.

• The typed findings record, the CVSS 3.1 vector, and the open or in_progress or resolved or verified or reopened state workflow live on the findings management feature page, the append-only audit record on the activity log feature page, and the structured override register on the finding overrides feature page.
• The scan execution record and the structured new, fixed, and unchanged delta between any two executions on the same target live on the scan-to-scan diff feature page, the recurring scan cadence on the continuous monitoring feature page, and the workspace search across findings, engagements, clients, and scans on the global search feature page.
• The cross-framework compliance mapping that turns one record into multiple audit packs lives on the compliance tracking feature page, the structured intake mechanics for Nessus, Burp Suite, and custom CSV on the bulk finding import feature page, and the AI-assisted drafting that regenerates leadership reports from the live dataset on the AI reports feature page.
• The cohort-level workflow patterns the analyst leans on sit on the cross-engagement finding search use case, the data-quality completeness discipline on the security finding data quality and completeness workflow, and the merge-and-supersede shape behind the deduplicated count on the vulnerability finding merge and supersede workflow.
• The throughput, ingest-versus-capacity, and lifecycle reads that anchor the analyst longitudinal cohorts sit on the vulnerability remediation throughput research, the vulnerability ingest versus remediation capacity research, the mean time to detect versus remediate research, and the per-cycle severity-mix shape on the severity mix shift economics research.
• The scanner-side data discipline the cohort query depends on sits on the scanner finding cross-engagement search and recall guide, the structured per-target collapse on the scanner output deduplication guide, and the change-event source-data on the scanner output diff and change-event generation guide.

Where the analyst function hands off to the rest of the security team

The security data analyst sits inside a wider SecOps shape. The per-finding triage queue sits with the analyst tier, the rule-and-content lifecycle sits with the detection engineering tier, the programme plan sits with the security program manager, the vulnerability backlog sits with the vulnerability management programme, and the leadership readout sits with the CISO. SecPortal lets all five roles read from the same engagement record while running the cohort query, the rule replay, the programme milestone, the SLA enforcement, and the leadership deck against their own surface.

• The per-finding triage queue that consumes the analyst cohort decisions sits on the SecPortal for SOC analysts page. The analyst signs off on the close decision and the data analyst reads the closed cohort against the SLA aging surface.
• The detection-engineering tier that writes the rule against the technique the analyst cohort surfaces as a missed-coverage gap sits on the SecPortal for detection engineering teams page. The rule, the replay, and the post-deployment outcome all land on the same engagement record the data analyst queries the coverage cohort from.
• The programme plan, the RAID log, and the cross-team RACI live with the SecPortal for security program managers page. The analyst cohort feeds the programme metric, and the programme metric feeds the steering committee narrative.
• The vulnerability backlog, the SLA enforcement, and the prioritisation function live with the SecPortal for vulnerability management teams page. The analyst SLA aging cohort and the deduplicated count read from the same record the vuln-mgmt programme operates on.
• The CISO and security leadership view that consumes the analyst metric pack sits on the SecPortal for CISOs and security leaders page. The board cohort, the audit committee timeline, and the operating committee trend line all read from the same record the analyst pulls the cohort query against.
• The GRC and audit-evidence side that consumes the per-framework slice sits on the SecPortal for GRC and compliance teams page. The per-framework cohort, the exception register, and the activity-log timeline all satisfy multiple audit packs from one record.

SecPortal is built for security data analysts who want one platform for the full pull-calibrate-validate-deliver-audit loop: a typed finding record with CVSS 3.1 vector and severity band and status state, an append-only activity log with actor and timestamp, a structured scan diff endpoint returning new and fixed and unchanged findings between any two executions, structured exception records with linked finding and expiry, retest records paired to the original finding, cross-source consolidation with merge identity, cross-framework compliance mapping, AI-assisted reporting against the live dataset, role-based access control, multi-factor authentication, and plan-driven CSV export of findings, activity, and exception records. The leadership number reconciles with the operator number, the cohort definition survives staff rotation, and the analyst spends the cycle on calibration rather than copy-paste.

If your function sits closer to the export pipeline that ships the typed record into the enterprise data warehouse and the BI layer than to the cohort query inside the workspace, the sister page SecPortal for security data engineering teams covers the documented export contract, the schema contract per export class, the warehouse asset dimension source, the named-service-account discipline, and the data classification cadence the warehouse loader runs against on the same operational record the analyst queries cohorts from.