Workflows

Every security workflow in one platform

From a single penetration test to a continuous security testing programme, SecPortal adapts to how your team actually works.

No credit card required. Free plan available forever.

Penetration testing

From scoping through to client delivery, manage every penetration test in one place. Log findings with CVSS scores, generate AI reports, and deliver through your branded portal.

Cybersecurity risk assessment

Run cybersecurity risk assessments and vulnerability assessments end-to-end. Import scanner output, deduplicate and prioritise findings by CVSS severity, track remediation with your clients, and generate compliance-ready reports.

Red team reporting platform

The red team reporting platform built for narrative-style operations reporting. Document attack paths with tagging and timelines, coordinate multi-operator engagements, and generate AI-powered narrative reports that tell the full attack story.

Incident response

Track incidents from detection through containment, eradication, and recovery. AI-powered triaging categorises and prioritises automatically. Auto-assign to team members with in-app notifications.

Compliance audits

Run ISO 27001, SOC 2, and Cyber Essentials assessments with pre-built control templates. Track compliance status, generate AI summaries, and export audit evidence.

Social engineering assessments

Track phishing campaigns, physical access tests, vishing, and pretexting engagements. Document results, generate reports, and deliver findings through your branded portal.

Security code reviews

Log code-level vulnerabilities with file paths, line numbers, and remediation guidance. Track fixes with developers through the portal and generate technical reports.

Cyber security assessments

Run comprehensive cyber security assessments and security risk assessments with automated scanning across 16 modules, AI-powered reporting, and professional client delivery, all in one workflow.

Security testing for web applications

Web application security testing tools with 17 automated modules. Store credentials securely, run comprehensive security tests against authenticated pages, and deliver findings through professional reports.

DevSecOps scanning

Connect your Git provider, configure SAST and SCA scanning, and catch security issues before code reaches production.

Remediation tracking

Track every vulnerability through the full remediation cycle. Assign owners, set SLAs by severity, collaborate with clients in a branded portal, log retest evidence, and produce a closure record stakeholders can audit.

Pentest project management

Run penetration testing engagements as structured projects. Scope the work, assign your team, track findings live, deliver reports through a branded portal, and bill the engagement from one workspace.

Purple team operations

Run purple team engagements where the red and the blue side work the same record. Tag every action with MITRE ATT&CK, log detections and gaps in real time, and produce a report that drives detection engineering rather than ending in a PDF.

Vulnerability disclosure program management

Run a coordinated vulnerability disclosure program (VDP) as an operational workflow rather than an inbox. Capture researcher reports, triage with CVSS, communicate inside a branded portal, track remediation against agreed timelines, and produce a defensible disclosure history aligned to ISO/IEC 29147 and 30111.

Continuous penetration testing

Run penetration testing as an always-on programme rather than an annual project. Schedule recurring scans, deliver findings live in a branded client portal, pair retests to original findings, and keep the engagement record open between assessment windows so coverage is continuous and the audit trail is complete.

Pentest retesting

Run retests as a structured part of the engagement. Pair every retest to the original finding, capture fix evidence inside the same record, log regressions when fixes drift, and produce a retest report stakeholders can audit. Stop retesting from spreadsheets.

Cloud security assessments

Assess cloud security posture with automated scanning for exposed storage buckets, misconfigured services, cloud-hosted web application vulnerabilities, and infrastructure weaknesses. Deliver cloud security services with professional reporting and client portals.

Pentest report delivery

Move pentest report delivery off email attachments and onto a structured workflow. Generate the executive summary, technical report, and remediation roadmap from live findings, deliver through a branded client portal, run a documented debrief, and roll the engagement into retests and remediation tracking on the same record.

API security testing

Run REST, GraphQL, and OAuth API security testing as a tracked engagement. Store API credentials encrypted, scan authenticated endpoints, log findings against the OWASP API Security Top 10, and deliver retest-ready reports through a branded client portal.

Pentest evidence management

Capture, structure, and retain pentest evidence on the same record the finding lives on. Requests, responses, screenshots, payloads, and proof-of-concept notes stay attached to one engagement timeline. Retest evidence pairs to the original finding so closure is defensible, and the full record exports cleanly when an auditor or client asks for it.

Pentest client onboarding

Stand up a new pentest client without losing a week to email threads, separate intake forms, and credential rummaging. Capture intake, scope, rules of engagement, contacts, credentials, and portal access on the same record the engagement runs on. The client is operational before the test starts, not the day after it ends.

Threat-led penetration testing

Run TLPT engagements under TIBER-EU, DORA, CBEST, and iCAST without three separate tools and an inbox of attestation drafts. Manage scoping, threat intelligence input, red team execution, blue team observation, replay, and the joint attestation pack on the same engagement record auditors and competent authorities will eventually read.

Scanner result triage

Turn raw Nessus, Burp Suite, and SAST output into a clean, deduplicated, severity-calibrated finding list without rebuilding the work each engagement. Triage on the engagement record, validate before the report writes itself, and keep the audit trail intact from import through closure.

Bulk finding import

Import a backlog of vulnerability findings from Nessus, Burp Suite, prior pentest PDFs, or any CSV onto a single engagement record. Map columns once, deduplicate against the existing catalogue, calibrate severity for the environment, and start working from a clean baseline rather than a spreadsheet stitched together by hand.

Security testing program management

Run a security testing programme as one record rather than a folder of disconnected reports. Track every engagement across the portfolio, every vendor delivering work, and every asset under coverage; surface findings, retests, SLA performance, and aging risk on one dashboard so the next board update writes itself from delivery rather than from a memory of last quarter.

Pentest retainer management

Run pentest retainer agreements as structured records rather than calendar reminders and a separate spreadsheet of hours. Track the contracted block of hours or test count, draw down each engagement against the master agreement, invoice on the agreed cadence, and keep findings, reports, and the remediation history visible across the full retainer term.

Pentest finding handover to SOC and SIEM

Pentest delivery rarely ends at the report. Validated findings need to land in the client's security operations stack with traceability: SIEM detections, SOAR runbooks, ticketing systems, and the asset and risk register. Run the handover from the same engagement record that produced the findings, with severity, evidence, and remediation status preserved end-to-end.

Pentest quality assurance

Run pentest QA on the live engagement record rather than on a Word draft passed around in chat. Reviewers comment against findings, severity calls are challenged with the evidence visible, remediation guidance is verified for developer-readiness, and engagement lead sign-off is captured with a timestamp on the engagement before anything reaches the client portal.

Security advisory request workflow

Security advisory work sits between the formal pentests. A client asks for a threat model review, a vendor questionnaire response, a pre-launch architecture pass, or an opinion on a control gap. Today that work runs through email, a Slack DM, and an hours spreadsheet that nobody reconciles. Run security advisory requests as structured engagements instead: capture the request through a defined intake, scope the hours, link the work to the parent retainer, deliver the writeup through the branded client portal, and invoice against the agreed cadence. The advisory hours stop leaking.

Pentest vendor panel management

Run a panel of approved penetration testing vendors as a structured record rather than a folder of master service agreements and a memory of who did the last test. Capture each vendor with their capability matrix, status, and performance history; match every new engagement to the right vendor by capability and rotation rule; score delivery against the same criteria across the panel; and walk into the next renewal with the panel evidence the buyer board expects.

Pentest status reporting

The space between kickoff and final report is where most pentest engagements lose client trust. Status reporting fills that gap. Capture coverage progress, in-flight findings, blockers, and the remaining test plan on the engagement record, then publish a structured weekly update through the branded client portal so the client never has to ask where the test stands.

Credential handover for pentests

Authenticated pentests live or die on the credentials. Today they arrive on the morning of kickoff in a chat message that nobody can find a week later, get pasted into a tester's password manager that the next person on the project cannot read, and survive long after the engagement closes because nobody owned the rotation. Run credential handover as a workflow on the engagement record instead: a defined intake, scoped test accounts, encryption at rest with AES-256-GCM, role-based access, and a documented rotation at close. The authenticated scan stops being blocked by a missing password, and the audit trail captures who held what access and when.

Pentest finding dispute resolution

Most penetration test reports get at least one finding contested. The client says it is a false positive, the severity is too high, the asset is out of scope, the risk is already accepted, or the remediation requirement is unrealistic. Handled badly, the dispute lands in email, drags for weeks, and ends with the firm quietly rewriting a finding nobody can later defend. Handled well, dispute resolution is a structured workflow on the engagement record: triage, evidence review, adjudication against documented criteria, and a captured outcome that holds up six months later when an auditor reads the file.

Pentest tester rotation and handover

Mid-engagement handovers happen for predictable reasons: a tester rotates off a long retainer, takes leave, swaps to a higher-priority engagement, or steps off the project entirely. Handled badly, the new tester inherits a pile of half-documented findings, gaps in the evidence trail, and a client wondering why the cadence has changed. Handled well, tester rotation is a workflow on the engagement record: structured findings carry their own context, evidence sits next to the finding, role-based access transfers cleanly, and the audit trail shows who did what without anyone reconstructing the engagement from memory.

Pentest report version control

Every pentest report has versions: the internal draft, the reviewed draft, the client-issued report, the retest delta, the attestation companion, and any reissue triggered by scope expansion or a contested finding. Run version control on the engagement record so the right version reaches the right reader, the change history survives the engagement, and audit, retest, and attestation reads of the report all line up against the same source of truth.

Resume a paused pentest

Pause is one half of a two-part workflow. The stop-test letter halts active testing; the resume notice reopens it on conditions both sides have agreed. Run resume on the engagement record so the resume conditions, the partial-scope inventory, the schedule recovery, and the audit trail all sit alongside the original authorisation rather than as a parallel email thread that nobody can reconstruct three months later.

Vulnerability SLA management

Findings without deadlines are findings nobody finishes. Run vulnerability SLA management on the engagement record so every finding carries a target close date by severity, every breach triggers a defined escalation, and every quarter produces audit-ready evidence of remediation performance. The SLA stops being a slide in a policy document and starts being a column on the queue.

Vulnerability acceptance and exception management

Some findings will not be remediated on the standard SLA. The risk is accepted with a compensating control, the fix is deferred to a planned release, or the remediation cost exceeds the residual exposure. Run the acceptance workflow on the engagement record so every accepted exception carries a named owner, a documented rationale, an expiry date, and a review cadence. Accepted risk that drifts into permanent exposure is the failure mode this workflow exists to prevent.

Vulnerability prioritisation

A backlog longer than the team can address inside the standard remediation window forces prioritisation. The question is how to prioritise defensibly. Run vulnerability prioritisation on the engagement record so every finding carries CVSS, EPSS, CISA KEV exploitation status, asset criticality, exposure, and compensating controls, and the queue orders itself by real residual risk rather than by creation date or by a single severity number.

Security leadership reporting

Most leadership decks drift from the operational queue between cycles, and the audit committee ends up reading a different record from the operators. Run security leadership reporting on the same engagement record the team works on so the weekly view, the quarterly leadership pack, and the board briefing all regenerate from one source rather than being reauthored by hand.

Security tool consolidation

Most security programmes accumulate a stack of overlapping tools: a vulnerability scanner, a ticket queue, a shared drive of reports, a compliance spreadsheet, a credential vault, and a chat channel where decisions actually get made. Consolidate that stack onto one engagement record so findings, scans, evidence, decisions, owners, and audit trail live in the same place rather than scattered across systems that never reconcile.

Patch management coordination

A vulnerability is found by the security team and fixed by the IT or infrastructure team, and the audit reads whichever side recorded it least clearly. Run patch management coordination on the engagement record so patch windows, validation, and post-patch evidence pair to the original finding rather than disappearing into a change ticket the security team cannot read. The patch becomes a closure event on the finding rather than a parallel workstream that has to be reconciled at the end of the quarter.

Asset decommissioning and finding retirement

Cloud accounts close, repos archive, domains expire, workloads migrate, services reach end-of-life, and acquisitions consolidate backlogs. Findings on retired assets either inflate critical counts forever or disappear without an audit trail. Run asset decommissioning and finding retirement on the engagement record so every retire event carries a cause, an approver, asset state evidence, and where applicable a successor reference.

Vulnerability backlog management

Every vulnerability programme accumulates a backlog. The question is whether the backlog is observable, bounded, and on a path to drain, or whether it quietly grows quarter on quarter until risk debt becomes the de facto operating posture. Run vulnerability backlog management on the engagement record so ingest, capacity, aging, and carry-over are visible on the live queue rather than reconstructed once a quarter when leadership asks why nothing is closing.

Scanner to ticket handoff governance

Most enterprise vulnerability programmes move findings out of the scanner and into a downstream engineering ticket. The handoff is where the audit trail, the severity decision, the evidence, and the closure record drift apart from the security record. Run scanner to ticket handoff governance on the engagement record so the security finding stays canonical, the ticket is a downstream view, and the closure event reconciles back to the original finding without anyone reconstructing it from email threads.

Control gap remediation

Most enterprise programmes carry a control gap register that lives in a spreadsheet, drifts between assessments, and only fully reconciles the week before audit. Run control gap remediation as a workflow on the engagement record so each gap has a named owner, a closure plan, evidence requirements, and an audit trail that reproduces from one record rather than from a multi-system reconciliation sprint.

SDLC vulnerability handoff

Most product security programmes lose vulnerabilities at the seams between SDLC phases. Threat-modelling notes do not reach the developer. SAST findings do not reach the AppSec triage queue. DAST findings do not reach the platform owner. Pre-production findings do not survive into the operational record. Run SDLC vulnerability handoff governance on the engagement record so each stage gate transfers a versioned set of findings with named owners, evidence, severity calibration, and a reconciliation event that proves the handoff happened rather than dissolving in a hallway conversation.

Cross-framework control mapping

Most enterprise programmes operate against more than one framework. Without a maintained crosswalk, the same operating control is documented separately for ISO 27001, SOC 2, PCI DSS, NIST, and every sector overlay, and the team's workload scales with the number of frameworks rather than with the underlying programme. Run cross-framework control mapping as a workflow on the engagement record so each internal control carries its citations to every framework it satisfies, every operating evidence artefact is cited from many framework views, version transitions are consumed as deltas, and sector overlays inherit the baseline.

Audit evidence retention and disposal

Evidence retention is the part of compliance operations that fails quietly. Artefacts pile up in a shared drive long past their retention floor, expired evidence is kept indefinitely and becomes legal exposure, fresh evidence is destroyed before its retention window closes, and legal holds either over-retain or get forgotten when the matter resolves. Run audit evidence retention and disposal as a lifecycle workflow on the engagement record so each artefact carries a retention class, a disposition date, a legal-hold flag, and a closure path that the activity log captures with timestamp and user attribution.

Asset ownership mapping for findings

Most enterprise vulnerability programmes route findings on the assumption that ownership is already resolved. In practice, asset ownership is the layer that quietly breaks first: a host moves between business units, a repository changes squads, a shared dependency triggers a finding that two teams each say the other owns. Run asset ownership mapping on the engagement record so the canonical asset identifier, the named owner, the backup, and the escalation chain are queryable from the same record the findings live on.

M&A security due diligence

Mergers and acquisitions security due diligence has three operating phases: pre-close target assessment, day-one risk containment, and post-close integration. Every phase has different stakeholders, different access constraints, different deliverables, and different audit expectations. Run all three on the same engagement record so the deal team, the acquirer security team, and the integration owners read from one source rather than three parallel reports that drift the moment the transaction closes.

Vendor security questionnaire response workflow

When a customer or prospect sends a security questionnaire (CAIQ, SIG Lite, SIG Core, ISO 27001 supplier review, SOC 2 review, NIST 800-171 supplier check, or a bespoke procurement form), the response is a deal blocker that lands on the security team. Run vendor questionnaire response as a structured campaign on the engagement record so the same evidence library, control mapping, finding history, and named-owner routing answer every questionnaire without rewriting the same answers from scratch.

Asset criticality scoring

Vulnerability prioritisation depends on a multiplier the queue cannot derive from scanner output alone: how important the underlying asset is to the business. Run asset criticality scoring on the engagement record so every asset carries a tier, a written rationale across data, impact, exposure, controls, recovery, and dependents, and a tier-to-SLA mapping that lets every finding inherit the right deadline at creation.

Secret scanning remediation workflow

A leaked secret is not a code-quality finding. It is a live credential an attacker can use until the rotation completes, the old value is revoked, and the verification proves the leak is closed. Run secret scanning remediation as a governed workflow on the engagement record so every detection routes to a named owner, the rotation and revocation are deliberate state events, and the audit trail proves which secrets were exposed, when, for how long, and how the closure was verified.

PSIRT product security incident response

A product security incident response team (PSIRT) handles every vulnerability that lands against the products the company ships. Reports arrive through the disclosure inbox, the bug bounty platform, the internal scanner queue, the customer escalation channel, the supplier security advisory feed, and the third-party pentest. The PSIRT triages each report, drives the fix, requests a CVE, drafts the security advisory, and notifies the downstream consumers through the agreed channel. Most teams run that lifecycle through email threads, a shared inbox, a Confluence page, and a release tracker. SecPortal models the PSIRT case as a structured engagement on the workspace so intake, triage, fix tracking, advisory drafting, audit trail, and downstream publication share one source of truth.

Dependency vulnerability triage

A new SCA scan can ship 40 critical CVEs in a single dependency tree. Most of them are not reachable from the application, several are already patched in a transitive update, a few are exploitable in the deployed environment, and one is the actual fire. Programmes that treat every dependency CVE as critical burn the engineering team and ignore the real risk. Run dependency vulnerability triage as a governed workflow on the engagement record so each finding is classified by reachability and exposure, the routing decision lands on a named owner, the closure is verified by a re-scan, and the audit trail proves which CVEs were prioritised, why, and how the closure happened.

Zero-day and emergency vulnerability response

A new critical CVE drops on a Friday afternoon. CISA adds a third-party library to the KEV catalog. A vendor publishes an emergency advisory with active exploitation in the wild. Internal security teams scramble to answer four questions in parallel: which assets are exposed, who owns the fix, what does proof of remediation look like, and how do we evidence the response to leadership and to the next audit. Most teams answer those questions through a hastily created Slack channel, a shared spreadsheet, an email thread to engineering, and a war-room meeting that nobody minutes. Run zero-day and emergency vulnerability response as a structured engagement on the workspace instead, so the exposure assessment, the prioritised remediation, the verification, and the audit evidence land on one record from CVE drop to verified closure.

Cyber insurance security evidence

Cyber insurance underwriters and brokers no longer treat the security questionnaire as a checkbox exercise. Application questionnaires, mid-term renewal questionnaires, and post-incident claim assessments all expect proof that the security programme operates the controls the policy is priced against. Most teams answer those questionnaires from memory, then assemble screenshots, scanner exports, and policy PDFs at renewal week. Run cyber insurance security evidence as a structured workflow on the live engagement record so underwriting evidence, renewal evidence, mid-term attestations, and claim evidence all derive from the same source the operators run on.

New application security onboarding

New applications enter the estate constantly: a new product line, a spin-out service, a new vendor-acquired component, a SaaS tenant launched off the platform, or a repo a team forked into a new service. Most security programmes meet these applications later than they should, after a scanner, an audit, or a customer questionnaire surfaces the gap. Run new application security onboarding as a structured workflow on the engagement record so every new service enters the programme with a documented baseline (threat model, code scan, baseline DAST, owner mapping, evidence trail) rather than appearing in the backlog months after launch with findings already aged.

Breach notification and regulator readiness

Most security organisations operate breach notification as a series of last-minute decisions across email, chat, and a legal-team Word document. The clocks (GDPR 72 hours, NIS2 24 and 72 hours, SEC four business days, HIPAA 60 days, DORA initial and intermediate windows, state law variations, PCI DSS account data compromise rules) keep running while the disclosure committee reconstructs what was known, when it was known, and who decided what. Run breach notification and regulator readiness as a structured workflow on one engagement record so every notification clock, materiality determination, evidence artefact, and disclosure decision lands on the same trail the regulator, the auditor, and the audit committee can read against later.

Threat intelligence driven vulnerability prioritisation

Most vulnerability programmes consume threat intelligence by reading the CISA KEV catalog every morning and forwarding interesting CERT advisories into Slack. The intel arrives, but the prioritisation queue does not change. Run threat intelligence driven vulnerability prioritisation as a structured workflow on the engagement record so every CTI signal (KEV listing, EPSS percentile shift, CERT or vendor advisory, ISAC bulletin, internal red team finding, sector-specific exploit chatter) is ingested as an explicit input, fitness-assessed against the in-scope estate, converted into a recorded prioritisation action with a named decider, routed to the named owner, and fed back into the next ingest cycle on the same trail the auditor and the audit committee read.

Customer security evidence room workflow

B2B SaaS security teams field a recurring exercise: a customer security reviewer asks for the SOC 2 report, a prospect runs a TPRM review, a renewal cycle reopens the questionnaire backlog, a regulator-driven assessment rides through a customer relationship, and the internal team rebuilds the same evidence packaging from scratch each time. Run the customer security evidence room as a structured workflow on a customer engagement record so every release is a recorded action, every artefact carries an effective date, every NDA gates the release rather than the conversation, and every access scope has a named revocation owner.

Internal developer platform security guardrails

Internal developer platforms succeed when the secure choice is the default and the insecure choice requires an explicit, audit-trailed override. Run paved-road security guardrails on a single engagement record so registration, scanner coverage, build provenance, deployment gates, severity recalibration, and exception expiry are queryable rather than scattered across pipelines, scanner tools, ticket systems, and chat threads.

Continuous Threat Exposure Management

A CTEM cycle is the programme layer that bounds continuous exposure work into a defined scope, deduplicated Discovery, defensible Prioritisation, first-class Validation, and Mobilisation closure that hands residual work into the next cycle. Run the cycle on the engagement record so scope, discovery coverage, prioritisation rationale, validation evidence, and closure summary derive from the same source the team operates against, rather than from a folder of attachments and three parallel scanner extracts.

Security finding evidence package

Most security findings reach developers as a one-line description, a CVSS number, and a screenshot. Developers spend the next two days reproducing the issue, asking the security team to clarify scope, and guessing what acceptable fix evidence looks like. Run security finding evidence packaging on the engagement record so each finding ships to engineering with the reproduction steps, the request and response, the affected asset and code path, the calibrated severity, the fix expectations, the retest criteria, and the audit trail attached as one structured record. The remediation conversation starts on the evidence rather than on the rediscovery.

Third-party penetration test report intake

Most internal security teams treat the third-party pentest report as a deliverable to file and a list of action items to forward. Run pentest report intake on the engagement record so each finding becomes a structured remediation work item with calibrated severity, deduplication against the existing scanner catalogue, a named owner from the asset ownership map, an SLA clock started on assignment, retest evidence bound to the original finding, and a one-record audit chain. The PDF survives as audit evidence; the queue runs against findings.

Ready to run your workflow on SecPortal?

Start free. Set up your workspace in under two minutes.