For security data engineering teams
who own the contract between the operational workspace and the warehouse

A typed source record, a cadenced export contract, and an activity grain the warehouse loader can rely on

Security data engineering teams own the contract between the operational security workspace and the enterprise data warehouse, data lake, and BI environment. The leadership dashboard, the board cyber risk briefing, the multi-cycle SLA attainment chart, the framework coverage attestation, the ownership rework analytic, the lifecycle latency decomposition, and the cyber risk quantification loss curve all read against the same underlying record but at different cadences and different join shapes. Most security programmes solve this by pulling a CSV once a quarter, emailing it to an analyst, and rebuilding the dashboard from scratch every cycle. The chart drifts from the operational view, the analyst rebuilds the calculation, and the leadership read disagrees with the working dashboard.

SecPortal gives security data engineering teams a typed finding record with CVSS 3.1 vector and severity band and status state, an append-only activity log with actor and timestamp on every workspace event, structured exception records with the eight-field decision chain, retest records paired to the original finding, scan execution records with a structured diff endpoint, AI report tables that download as CSV and Excel from the report view, bulk finding import for reverse-ingest of Nessus and Burp Suite and generic CSV, plan-driven CSV export of findings and activity and exception register, role-based access control with named service accounts, multi-factor authentication, and a verified domain registry the warehouse asset dimension reads against. The export pipeline becomes a documented data product the security data engineer can ship, version, classify, and operate rather than a quarterly CSV pull the analyst rebuilds by hand.

Pipeline capabilities security data engineering teams use day to day

Engineering disciplines that keep the warehouse pipeline maintainable

A warehouse pipeline that survives the next surveillance cycle operates on a small set of engineering disciplines. SecPortal makes each one a record-level practice rather than a tribal-knowledge convention the analyst rebuilds each quarter.

From export class to warehouse fact table, on one engagement record

The security data engineering loop runs as charter, build, contract, model, deliver, operate, classify, and hand off. SecPortal runs that loop against the typed record so the export job specification, the schema contract test, and the post-incident note all share the same workspace the live operations runs on.

1. 1Open an engagement record for each warehouse export workstream (the weekly open finding snapshot, the daily activity log slice, the weekly exception register export, the monthly dimension refresh, the per-cycle AI report table pull, the warehouse-pipeline incident workstream). Attach the schema contracts, the cadence specifications, the data-classification rules, the on-call rotation, the warehouse loader specification, and the post-incident notes as documents on the engagement record. The pipeline programme reads from one workspace rather than from a Confluence space that ages out before the next surveillance cycle.
2. 2Stand up the export jobs against the existing SecPortal surfaces. The findings view, the activity log feed, the AI report tables, the engagement and client list views, the verified-domain registry, and the exception register read from the API and the in-app export controls under a named service account. The loader on the warehouse side ingests CSV and Excel files into the staging schema before promoting to the published fact and dimension layer.
3. 3Define the schema contract per export class. Document the column set, the data type per column, the redaction rule per column, the cadence, the named owner, and the warehouse loader compatibility check. The schema contract queue holds each export class awaiting a column-change review, the documented contract version, and the scheduled deployment window so column drift fails the contract test rather than silently corrupts the warehouse view.
4. 4Build the warehouse fact and dimension layer against the schema contract. The finding fact joins to the activity log event fact for lifecycle latency, joins to the engagement dimension for cohort definitions, joins to the asset dimension for blast-radius slices, joins to the client dimension for tenant analytics, and joins to the framework crosswalk for compliance attainment reads. The fact table reads against a typed schema rather than against a regex over free-text columns.
5. 5Stand up the BI layer for the audience reads. The CISO and security operations leadership read the warehouse-side leadership dashboard; vulnerability management leadership reads the throughput chart; GRC leadership reads the exception backlog and framework attainment tile; internal audit and external assurance read the multi-cycle assertion tables and pull scoped access on the operational workspace for any sampled finding. The dashboard queries reconcile with the operator queries because they share the same source.
6. 6Operate the pipeline incident queue. When an export run fails, the named on-call data engineer reads the failure (column drift, dimension key gap, service account failure, redaction rule miss), captures the diagnosis on the engagement record, ships the recovery, and updates the schema contract. The post-incident note rides on the activity log so the next reviewer can read the chain without an excavation through chat history.
7. 7Run the data-classification review on a recurring cadence. The classification of finding description text, asset hostname, activity log actor metadata, exception register rationale, and AI report narrative columns gets re-reviewed on the same cycle the security programme reviews access. The decision and the named approver land on the activity log so the next access review or audit can read the chain rather than rebuild it.
8. 8Hand the warehouse-side analytical surface to security analytics and detection engineering. The lifecycle latency, the override frequency, the severity recalibration drift, the SLA attainment, and the cyber risk quantification loss curve all compute from the same finding fact and activity log event fact the security data engineering function loads. The operational workspace remains the source of truth, the warehouse remains the analytical surface, and the security data engineering function owns the contract between them.

Where the security data engineering view connects to the rest of the workspace

Most security data engineering teams adopt SecPortal in three phases: bring the operational finding record, the activity log feed, and the AI report tables onto one documented export surface so the warehouse loader reads a stable schema rather than a rotating spreadsheet; layer in the exception register export, the scan diff feed, and the dimension refreshes so the warehouse fact and dimension layer holds up under the multi-cycle leadership read; then operationalise role-based access, named service accounts, multi-factor authentication, and the data classification cadence so the pipeline meets the access review and audit posture the rest of the organisation operates against. The relevant feature, workflow, and research pages explain each phase in detail.

• The full outbound export and warehouse ingest workflow including six export classes, eight failure modes, eight pipeline queues, and the per-audience read pattern lives on the vulnerability finding data export and warehouse ingest workflow. The inbound reverse-ingest path for Nessus, Burp Suite, and generic CSV rides the bulk finding import workflow.
• The typed finding record with CVSS 3.1 vector and the open or in_progress or resolved or verified or reopened state lives on the findings management feature page, the append-only event grain on the activity log feature page, and the structured override register on the finding overrides feature page.
• The structured CSV and Excel export from the AI report tables lives on the AI reports feature page, the structured intake for Nessus and Burp Suite and CSV on the bulk finding import feature page, and the scan execution diff endpoint on the scan comparison and diff feature page.
• The named service account and the role-bound permission model live on the role-based access control feature page, the session AAL promotion on the multi-factor authentication feature page, and the verified-asset registry the warehouse asset dimension reads against on the domain verification feature page.
• The cross-engagement cohort patterns the warehouse query pairs against the live record for spot-checks live on the cross-engagement finding search use case, the data quality and completeness sweep that surfaces missing CVSS vectors and missing owners and missing framework mappings on the security finding data quality and completeness workflow, and the leadership cadence the warehouse pack reads against on the security leadership reporting use case.
• The deeper analytical reads the warehouse fact tables ground out against sit on the finding record completeness economics research, the vulnerability remediation throughput research, and the vulnerability ingest versus remediation capacity research.
• The scanner-side data discipline behind the per-finding fields the warehouse fact table joins against lives on the scanner finding cross-engagement search and recall guide, the per-target collapse on the scanner output deduplication guide, and the change-event source-data on the scanner output diff and change-event generation guide.

Where the security data engineering function hands off to the rest of the security team

The security data engineering function sits at the contract between the operational workspace and the analytical surface. The cohort query against the warehouse sits with the security analyst, the detection content lifecycle sits with detection engineering, the vulnerability backlog sits with vulnerability management, the leadership readout sits with the CISO, the audit-evidence pack sits with GRC and compliance, and the developer platform side of the pipeline sits with platform engineering. SecPortal lets every role read from the same record while running their own workflow against their own surface.

• The analyst-side cohort query that the security data engineer ships the dataset to sits on the SecPortal for security data analysts page. The analyst reads the typed schema, the dedup identity, the SLA aging cohort, and the longitudinal queue shape; the engineer ships the contract that makes the read repeatable.
• The detection-engineering side that joins the technique-finding cohort to the rule lifecycle and the false-positive register sits on the SecPortal for detection engineering teams page. The rule, the replay, and the post-deployment outcome land on the same engagement record the warehouse loader reads against for the coverage-and-tuning analytics.
• The vulnerability backlog, the SLA enforcement, and the prioritisation function the warehouse throughput dashboard reads against live with the SecPortal for vulnerability management teams page. The backlog moves on the operational workspace and the warehouse fact table follows.
• The CISO and security operations leadership view that consumes the warehouse-side board briefing and the cyber risk quantification loss curve sits on the SecPortal for CISOs and security leaders page and the operating-cadence companion on the SecPortal for security operations leaders page.
• The GRC and audit-evidence side that consumes the per-framework slice and the exception backlog tile off the warehouse sits on the SecPortal for GRC and compliance teams page. The per-framework cohort, the exception register, and the activity log timeline all satisfy multiple audit packs from one record and one warehouse fact join.
• The platform-engineering side of the security toolchain (the Git-provider OAuth flow, the credential vault rotation, the scheduled scan cadence, the verified-domain registry the warehouse asset dimension reads against) sits on the SecPortal for platform engineering teams page. The platform team operates the source surfaces; the data engineering team operates the export contract.

Honest scope on what SecPortal does not ship for the warehouse pipeline

Security data engineering teams evaluating SecPortal need an explicit read of what the platform ships and what the platform leaves to the customer-side warehouse stack. SecPortal is the operational record for findings, engagements, scans, exceptions, retests, reports, and the activity log. The warehouse is the analytical surface. The export contract between them runs on documented CSV and Excel pulls the security data engineering function loads on its own pipeline.

SecPortal is built for security data engineering teams that want a documented export contract against a typed operational record rather than a quarterly CSV pull the analyst rebuilds by hand: a typed finding record with CVSS 3.1 vector and severity band and status state, an append-only activity log with actor and entity grain, structured exception records with the eight-field decision chain, a scan diff endpoint that streams new and fixed and unchanged findings between executions, AI report tables that download as CSV and Excel, bulk finding import for reverse-ingest of Nessus and Burp Suite and CSV, plan-bound retention of 30, 90, or 365 days on the activity log, role-based access control with named service accounts, multi-factor authentication, and a verified domain registry the warehouse asset dimension reads against. The warehouse fact table reconciles with the operational workspace because they share one schema, the boardroom dashboard reads off the same record the operators run on, and the security data engineer ships, versions, classifies, and operates a pipeline that holds up under the next surveillance cycle.