Intro
Core concepts
The platform is multi-tenant by design. Every read and write path is scoped, authorized, and auditable. Understanding a handful of core concepts makes everything else — scoring, reporting, lifecycle management, integrations — click into place.
How the platform works — in brief
- Findings come in. Vulnerability data arrives via scanner ingestion, manual assessment uploads, or connected integrations. Each finding is linked to an asset, classified by severity, and placed into your tenant workspace.
- The platform scores and surfaces risk. The scoring engine calculates a posture score from the open finding population. The dashboard surfaces this as a band (Severe through Strong), a risk heat indicator, and trend history so you can see whether posture is improving or degrading.
- Your team works the lifecycle. Findings move through a defined lifecycle: Open → Client Fixed → CyberSec Verified → Risk Accepted or False Positive. Each transition is recorded with who acted and when.
- Governance is captured automatically. Every significant action — status changes, report generation, API key operations, integration events — is written to an append-only audit trail. When you generate a report or board pack, it is frozen as an immutable snapshot.
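The lifecycle in the third bullet is easiest to reason about as an explicit state machine: a fixed table of permitted transitions, a role gate on the ones that need it, and a record of who moved the finding and when. The block below is an added illustration in Python, not the platform's own code. The transition table, the `verifier` role gate and the sample finding id are assumptions made for the example; the page names the states but not which transitions it allows.

```python
"""Finding lifecycle as an explicit state machine with recorded transitions.

Added example, not the platform's own code. The transition table is an
assumption built from the states named in the text (Open -> Client Fixed ->
CyberSec Verified -> Risk Accepted or False Positive); the role gate on
verification and the role names are also assumed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

OPEN = "Open"
CLIENT_FIXED = "Client Fixed"
VERIFIED = "CyberSec Verified"
RISK_ACCEPTED = "Risk Accepted"
FALSE_POSITIVE = "False Positive"

# Assumed transition table: the target states each state may move to.
TRANSITIONS = {
    OPEN: {CLIENT_FIXED, RISK_ACCEPTED, FALSE_POSITIVE},
    CLIENT_FIXED: {VERIFIED},
    VERIFIED: set(),          # terminal
    RISK_ACCEPTED: set(),     # terminal
    FALSE_POSITIVE: set(),    # terminal
}

# Assumed role gate: only a verifier may mark a finding CyberSec Verified.
ROLE_REQUIRED = {VERIFIED: "verifier"}


class TransitionError(ValueError):
    """Raised when a transition is not in the table or the actor lacks the role."""


@dataclass
class Finding:
    finding_id: str
    status: str = OPEN
    history: list = field(default_factory=list)  # recorded transitions, oldest first


def transition(finding: Finding, new_status: str, actor: str, role: str,
               when: Optional[datetime] = None) -> dict:
    """Apply one lifecycle transition, or refuse it, and record who acted and when."""
    if new_status not in TRANSITIONS:
        raise TransitionError(f"unknown status {new_status!r}")
    if new_status not in TRANSITIONS[finding.status]:
        raise TransitionError(f"{finding.status!r} -> {new_status!r} is not allowed")
    needed = ROLE_REQUIRED.get(new_status)
    if needed and role != needed:
        raise TransitionError(f"{new_status!r} requires role {needed!r}, got {role!r}")
    event = {
        "finding_id": finding.finding_id,
        "from": finding.status,
        "to": new_status,
        "actor": actor,
        "at": (when or datetime.now(timezone.utc)).isoformat(),
    }
    finding.status = new_status       # state changes only after every check passed
    finding.history.append(event)
    return event


def demo() -> Finding:
    """Walk one constructed finding through fix and verification."""
    f = Finding("FND-0001")  # constructed sample id
    transition(f, CLIENT_FIXED, actor="alice@client.example", role="client")
    transition(f, VERIFIED, actor="bob@cybersec.example", role="verifier")
    return f


if __name__ == "__main__":
    for e in demo().history:
        print(e)
```

Refused transitions raise before any state is touched, so a finding's `history` only ever contains transitions that actually happened; that is the property an audit consumer relies on.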
Tenant isolation
Your workspace data is isolated from all other tenants. API and server logic enforce tenant authorization on every request — data cannot accidentally cross workspace boundaries. This is not a policy layer applied on top of a shared database: it is enforced at the query level. No configuration is required to benefit from it.
Zero-trust access
Every request is evaluated against authenticated identity context, tenant membership, and operation-level authorization. There is no concept of an implicitly trusted network or session — privilege is checked, not assumed. Privileged actions are explicitly gated and recorded in the audit trail. API keys carry scoped permissions and cannot exceed the rights of the user they are tied to.
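The two sections above make related claims: isolation is enforced in the query itself rather than as a policy over a shared table, and an API key can only narrow, never widen, the rights of its owning user. The following Python block is an added example that models both, not the platform's own code. The table layout, the role and scope names, the membership structure and the sample rows are all constructed for illustration.

```python
"""Tenant-scoped queries plus per-request authorization (added example).

Not the platform's own code. Table layout, role names, scope names and the
sample rows are constructed. Two points from the text are modelled: every
query carries the tenant id, so a foreign id returns nothing rather than
relying on a check elsewhere; and an API key's effective rights are the
intersection of its scopes with the rights of the user it is tied to.
"""
import sqlite3
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Assumed role -> rights mapping.
ROLE_RIGHTS = {
    "viewer": frozenset({"findings:read"}),
    "analyst": frozenset({"findings:read", "findings:write"}),
}


@dataclass
class Principal:
    user: str
    memberships: dict                                # tenant_id -> role (assumed shape)
    api_key_scopes: Optional[FrozenSet[str]] = None  # None = direct user session


class Forbidden(PermissionError):
    pass


def effective_rights(p: Principal, tenant_id: str) -> FrozenSet[str]:
    """Rights for this tenant; an API key can only narrow the user's rights."""
    role = p.memberships.get(tenant_id)
    if role is None:
        return frozenset()                  # not a member: no rights at all
    rights = ROLE_RIGHTS.get(role, frozenset())
    if p.api_key_scopes is not None:
        rights = rights & p.api_key_scopes  # intersection, never a superset
    return rights


def authorize(p: Principal, tenant_id: str, operation: str) -> None:
    """Operation-level check on every request: nothing is assumed from context."""
    if operation not in effective_rights(p, tenant_id):
        raise Forbidden(f"{p.user} may not {operation} in {tenant_id}")


def build_db() -> sqlite3.Connection:
    """In-memory table with constructed rows for two tenants."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE findings (id TEXT, tenant_id TEXT, title TEXT, severity TEXT)")
    db.executemany("INSERT INTO findings VALUES (?, ?, ?, ?)", [
        ("f-1", "tenant-a", "Outdated TLS configuration", "High"),
        ("f-2", "tenant-a", "Missing security headers", "Medium"),
        ("f-3", "tenant-b", "Default credentials", "Critical"),
    ])
    return db


def list_findings(db, p: Principal, tenant_id: str) -> list:
    """Authorize, then run a query that is scoped to the tenant by construction."""
    authorize(p, tenant_id, "findings:read")
    return db.execute(
        "SELECT id, title, severity FROM findings WHERE tenant_id = ? ORDER BY id",
        (tenant_id,),
    ).fetchall()


def get_finding(db, p: Principal, tenant_id: str, finding_id: str):
    """Lookup by id still carries the tenant predicate: another tenant's id yields None."""
    authorize(p, tenant_id, "findings:read")
    return db.execute(
        "SELECT id, title FROM findings WHERE tenant_id = ? AND id = ?",
        (tenant_id, finding_id),
    ).fetchone()
```

Note that `get_finding` never issues a bare `WHERE id = ?`; the tenant predicate is part of every statement, which is what "enforced at the query level" means in practice.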
Snapshot integrity
Reports and board packs are immutable snapshots once generated. The record shared with your board reflects exactly what the platform assessed at that moment — it cannot be changed retroactively as underlying data evolves. This is not a convenience feature: it is the foundation of reliable governance evidence and regulatory defensibility.
Auditability
Sensitive actions and workflow transitions are recorded as append-only audit events. The audit trail cannot be edited, deleted, or reordered. This gives you a verifiable, chronological record of who did what across your workspace — useful for internal governance reviews, compliance audits, and incident investigations alike.
Think of it less like a log file and more like a ledger: a permanent, ordered record of consequential events in your cyber risk programme.
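The ledger analogy, and the snapshot integrity section before it, both come down to one mechanism: content is digested when it is written, and each audit event carries the digest of the event before it, so an edit, deletion or reorder anywhere in the past is detectable from the records alone. The Python block below is an added example of that mechanism, not the platform's implementation. The event fields, the `report.generated` action name and the sample report are constructed.

```python
"""Append-only audit ledger with a hash chain, plus a frozen report snapshot.

Added example, not the platform's own implementation. It models two claims
from the text: a snapshot is canonicalised and digested when generated, so a
later change to its content is detectable; and audit events are chained, so
editing, deleting or reordering any past event breaks verification at that
point. Event shapes, action names and the sample data are constructed.
"""
import copy
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64   # "previous hash" of the very first event


def canonical(obj) -> bytes:
    """Stable serialisation: sorted keys, no whitespace variance."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest(obj) -> str:
    return hashlib.sha256(canonical(obj)).hexdigest()


class Ledger:
    """Events are only ever appended; each carries the digest of its predecessor."""

    def __init__(self):
        self._events: List[dict] = []

    def append(self, actor: str, action: str, detail: dict, at: str) -> dict:
        prev = self._events[-1]["hash"] if self._events else GENESIS
        body = {"seq": len(self._events), "actor": actor, "action": action,
                "detail": detail, "at": at, "prev": prev}
        event = dict(body, hash=digest(body))
        self._events.append(event)
        return event

    def events(self) -> List[dict]:
        """Deep copies: a reader can inspect the chain but cannot mutate it."""
        return copy.deepcopy(self._events)


def verify(events: List[dict]) -> Optional[int]:
    """Return the index of the first inconsistent event, or None if the chain is intact."""
    prev = GENESIS
    for i, e in enumerate(events):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["seq"] != i or body["prev"] != prev or digest(body) != e["hash"]:
            return i
        prev = e["hash"]
    return None


def freeze_snapshot(ledger: Ledger, report: dict, actor: str, at: str) -> dict:
    """Generate a report snapshot: digest the content and record the event."""
    snap = {"content": copy.deepcopy(report), "digest": digest(report)}
    ledger.append(actor, "report.generated", {"digest": snap["digest"]}, at)
    return snap


def snapshot_matches(snap: dict) -> bool:
    """True only if the content still digests to the value recorded at generation."""
    return digest(snap["content"]) == snap["digest"]
```

A `verify` result of `None` is the check a reviewer or auditor runs before trusting the trail; any integer identifies the first event that no longer agrees with what was recorded after it.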