Understand roles

Members on the Fluid Attacks platform have distinct roles with associated permissions. You can view your role within the organization or group you are navigating in the user menu, which is in the upper-right corner of your screen.

This page explains the different roles that are available on the platform, along with the permissions they grant.

Client roles

Organization Manager role

Tip

Members assigned the Organization Manager role are automatically granted the Group Manager role within all groups belonging to the organization.

Designed for technical leaders within their organization, this role provides access to basic privileges on the platform and enables them to handle credentials, billing, members, mailmaps, and policy settings.

Group Manager role

Designed for technical leaders within their group, this role allows them to perform all actions available in the group on the platform. It is designed for product leaders, granting relevant capabilities like generating reports, defining treatments for vulnerabilities (e.g., accepting vulnerabilities permanently, approving vulnerability deletion requests by their company), and managing group members.

User role

This is the role most members are given. It is typically assigned to the developers responsible for remediating vulnerabilities. Members with this role can access vulnerability information required for remediation and request reattacks when they believe they have successfully fixed the code.

Vulnerability Manager role

Intended for technical leaders, this role provides access to features like generating reports, viewing group members, and assigning fix work.

Client roles permissions

Below are the descriptions of the permissions available to clients on Fluid Attacks’ platform. These permissions are categorized into two levels: the group and organization levels.

Group-level permissions

Agent

  • Generate/update agent token: Generate and update the token to use for the DevSecOps agent, an application that inspects builds for noncompliance with organization policies and prevents deployment if it finds any. Available at Scope > DevSecOps agent > Manage token > Generate/Reset.
  • View agent token and its expiration date: View the current DevSecOps agent token and when it expires. Available at Scope > DevSecOps agent > Manage token > Reveal token.
  • View agent executions: Access reports of executions of the DevSecOps agent in your CI/CD. Available at DevSecOps.

Design Map

  • Add/remove threat model files: Upload or delete threat model files that are correlated with the vulnerabilities reported by Fluid Attacks. Available at Design Map > Files.

Events

  • Request verification on events: Request verification that events have been resolved. Available at Events > Request verification.
  • Export file in Events: Download event data as a CSV file. Available at Events > Export.

Files

  • Add/download file: Upload or download any files you find helpful or necessary for performing security tests on the group. Available at Scope > Files > Add.
  • Delete file: Eliminate files that are considered unnecessary in the analysis of the group. Available at Scope > Files.

Group

  • Delete group: Delete an unnecessary group. Available at Scope > Delete this group.
  • Update group information: Update group information. Available at Scope > Information.
  • Unsubscribe from group: Leave group. Available at Scope > Unsubscribe.
  • Use Help options: Access help options. Available at Help.

Members

  • Add member: Invite members to access the group and have some or all vulnerability management functions. Available at Members > Invite a member.
  • Delete member: Remove members from the group. Available at Members > Remove.
  • Update member: Update member permissions and information (role or responsibility). Available at Members > Edit.
  • View members: View the table of members in the group. Available at Members.
  • Invite contributor: Send invitations to contributor developers to register on the platform. Available at Authors.

Notifications

  • Receive notifications: Get notifications related to your group.
  • Add/edit/remove hook: Add, edit, and remove webhooks, which notify of events happening in groups. Available at Integrations > Webhooks > Edit/Connect.

Portfolio

  • Create portfolio: Add tags by which to sort groups within an organization. This is useful to get analytics involving specific groups. Available at Scope > Portfolio > Add.
  • Remove portfolio: Delete a group from a specific portfolio. Available at Scope > Portfolio > Remove.

Reports

  • Generate certificate: Generate a certificate of security testing with Fluid Attacks. Available at Vulnerabilities > Generate report > Certificate.
  • Generate report: Generate vulnerability reports varying in detail for a specific group.

Repositories or roots

  • Activate/deactivate repository: Deactivate and activate assets to test. Available at Scope > Git Repositories/IP Roots/URL Roots.
  • Move repository: Move an asset with all its associated data to another group. Available at Scope > Git Repositories.
  • Sync to Git repository: Clone the Git repository again after changes have been made; this way, Fluid Attacks can test the up-to-date version. Available at Scope.
  • Add Git repository/IP root: Add Git repositories and IP addresses to the scope of security testing. Available at Scope > Git Repositories/IP Roots > Add new root.
  • Edit Git/IP/URL root: Modify URLs and branches. Available at Scope.
  • Add URL root/environment: Add URLs or environments to the scope of security testing. Available at Scope.
  • Edit IP/URL root: Update root details. Available at Scope.
  • Add exclusions: Exclude files or folders from security assessments. Available at Scope.
  • Add secrets: Add secrets (usernames, passwords, email addresses, tokens, etc.) that give Fluid Attacks access to repositories to test. Available at Scope.
  • View secrets: View secrets associated with a specific root. Available at Scope.
  • Delete secrets: Remove unnecessary secrets. Available at Scope.
  • Manage environment secrets: Add environment secrets and view, edit or remove environment secrets added by oneself. Available at Scope.
  • Edit Git environment: Edit environments associated with source code repositories. Available at Scope.
  • Delete Git environment: Delete environments associated with source code repositories. Available at Scope.
  • Move Git environment: Move environments associated with source code repositories. Available at Scope.

Vulnerabilities

  • Vulnerability assignment: Assign vulnerability remediation responsibilities to team members. Available at Vulnerabilities > [Type] > Locations > Edit.
  • Request Zero risk: Request deletion of a vulnerability, as it poses no threat according to the organization. Available at Vulnerabilities > [Type] > Locations > Edit.
  • Request reattacks: Request retests by Fluid Attacks’ tool to verify the effectiveness of remediation efforts. In the Advanced plan, reattacks may involve both Fluid Attacks’ tool and pentesters.
  • Approve treatment: Accept and reject requests to change the treatments of vulnerabilities. Available at Vulnerabilities > [Type] > Locations > Treatment acceptance.
  • Update treatment: Change the treatments of vulnerabilities. Available at Vulnerabilities > [Type] > Locations > Edit.
  • Add/remove tag: Add and remove tags for vulnerabilities. Available at Vulnerabilities > [Type] > Locations > Edit.
  • Comments: In the Advanced plan, communicate questions, requests, and suggestions regarding a specific vulnerability or event. In the Essential plan, view comments about reattack outcomes. Available at Vulnerabilities/Events > Comments.

Organization-level permissions

Analytics

  • Download org analytics: Download the charts and figures of the Analytics sections. Available at Analytics > Download Analytics and Portfolios > Analytics > Download Analytics.
  • Vulnerability report in Analytics: Download a CSV file of details of all the vulnerabilities reported to the organization. Available at Analytics > Vulnerabilities.

Compliance

  • Compliance report: Download a report of compliance with several international standards. Available at Compliance > Standards > Generate report.

Credentials

  • Add credentials: Add credentials so Fluid Attacks has access to assets for testing. Available at Credentials > Add credential.
  • Delete credentials: Remove credentials, resulting in Fluid Attacks losing access to them. Available at Credentials > Remove.
  • Update credentials: Update credentials to maintain Fluid Attacks’ access to assets. Available at Credentials > Edit.
  • OAuth connection: Authorize Fluid Attacks to import source code repositories from GitLab, GitHub, Bitbucket, and Azure accounts via Open Authorization, which eliminates the need to provide the credentials for these accounts. Available at Credentials > Add credential.

Members

  • Add members: Add members with access to the organization’s Analytics and Policies sections. Available at Members > Invite a member.
  • View member: View members in the organization. Available at Members.
  • Update member: Update roles of members. Available at Members > Edit.
  • Delete member: Delete members at the organization level. Available at Members > Remove.

Policies

  • Update organization/group policies: Manage policies at the organization and group levels. Available at Policies.
  • Submit vulnerability for temporary acceptance in Policies: Submit requests to accept vulnerabilities temporarily. Available at Policies > Acceptance > Temporary acceptance.
  • Submit vulnerability for permanent acceptance in Policies: Submit requests to accept vulnerabilities permanently. Available at Policies > Acceptance > Permanent acceptance.
  • Approve and reject vulnerability for temporary acceptance in Policies: Approve and reject requests to accept vulnerabilities temporarily. Available at Policies > Acceptance > Temporary acceptance.
  • Approve and reject vulnerability for permanent acceptance in Policies: Approve and reject requests to accept vulnerabilities permanently. Available at Policies > Acceptance > Permanent acceptance.

Project

  • Add repositories in Outside: Add repositories identified through OAuth access that are not yet part of any group. Available at Outside > Add new roots.
  • Add group: Create groups dedicated to managing the vulnerabilities of systems separately. Available at Groups > New group.
  • Add organization: Create another organization on the platform. Available in the organization menu.

Roles permissions summary table

The following tables specify the permissions that apply to each role on the platform.

Within groups

| Feature group | Feature | User | Vulnerability Manager | Group Manager |
|---|---|---|---|---|
| Agent | Generate/update agent token | ✔ | ✔ | ✔ |
| Agent | View agent token | ✔ | ✔ | ✔ |
| Agent | View agent token expiration date | ✔ | ✔ | ✔ |
| Agent | View agent executions | ✔ | ✔ | ✔ |
| Design Map | Add/remove threat model files | ✔ | ✔ | ✔ |
| Events | Request verification on events | ✔ | ✔ | ✔ |
| Events | Export file in Events | ✔ | ✔ | ✔ |
| Files | Add file | ✔ | ✔ | ✔ |
| Files | Download file | ✔ | ✔ | ✔ |
| Files | Delete file | ✔ | ✔ | ✔ |
| Group | Delete group | ⛔ | ⛔ | ✔ |
| Group | Update group information | ⛔ | ⛔ | ✔ |
| Group | Unsubscribe from the group | ✔ | ✔ | ✔ |
| Group | Use Help options (Talk to a Pentester, chat, email) | ✔ | ✔ | ✔ |
| Members | Add/update/delete members | ⛔ | ⛔ | ✔ |
| Members | View members | ⛔ | ✔ | ✔ |
| Members | Invite contributors | ⛔ | ⛔ | ✔ |
| Notifications | Receive notifications | ✔ | ✔ | ✔ |
| Notifications | Add/edit/remove hook | ⛔ | ⛔ | ✔ |
| Portfolio | Create portfolio | ✔ | ✔ | ✔ |
| Portfolio | Remove portfolio | ✔ | ✔ | ✔ |
| Reports | Generate certificate | ⛔ | ⛔ | ✔ |
| Reports | Generate report | ⛔ | ✔ | ✔ |
| Repositories or roots | Activate/deactivate repository/root | ⛔ | ⛔ | ✔ |
| Repositories or roots | Move repository/root | ⛔ | ⛔ | ✔ |
| Repositories or roots | Sync to Git repository | ✔ | ✔ | ✔ |
| Repositories or roots | Add Git repository | ✔ | ✔ | ✔ |
| Repositories or roots | Edit Git repository | ⛔ | ⛔ | ✔ |
| Repositories or roots | Add/edit IP root | ✔ | ✔ | ✔ |
| Repositories or roots | Add/edit URL root | ✔ | ✔ | ✔ |
| Repositories or roots | Add exclusions | ⛔ | ⛔ | ✔ |
| Repositories or roots | Add/view/delete root secrets | ✔ | ✔ | ✔ |
| Repositories or roots | Add/view Git environment | ✔ | ✔ | ✔ |
| Repositories or roots | Edit Git environment | ✔ | ✔ | ✔ |
| Repositories or roots | Delete Git environment | ⛔ | ⛔ | ✔ |
| Repositories or roots | Move Git environment | ⛔ | ⛔ | ✔ |
| Repositories or roots | Manage environment secrets | ✔ | ✔ | ✔ |
| Vulnerabilities | Vulnerability assignment | ⛔ | ✔ | ✔ |
| Vulnerabilities | Request Zero risk | ✔ | ✔ | ✔ |
| Vulnerabilities | Request reattack | ✔ | ✔ | ✔ |
| Vulnerabilities | Approve treatment | ⛔ | ✔ | ✔ |
| Vulnerabilities | Update treatment | ✔ | ✔ | ✔ |
| Vulnerabilities | Add/remove tag | ✔ | ✔ | ✔ |
| Vulnerabilities | Comments section | ✔ | ✔ | ✔ |

At the organization level

| Feature group | Feature | User | Organization Manager |
|---|---|---|---|
| Analytics | Download org analytics | ✔ | ✔ |
| Analytics | Vulnerability report in Analytics | ⛔ | ✔ |
| Compliance | Compliance report | ✔ | ✔ |
| Credentials | View credentials | ✔ | ✔ |
| Credentials | Add/update/delete credentials | ⛔ | ✔ |
| Credentials | OAuth connection | ⛔ | ✔ |
| Members | Add/view/update/delete members | ⛔ | ✔ |
| Policies | Update org/group policies | ⛔ | ✔ |
| Policies | Submit vuln for temporary acceptance in Policies | ✔ | ✔ |
| Policies | Submit vuln for permanent acceptance in Policies | ✔ | ✔ |
| Policies | Approve and reject vuln for temporary acceptance in Policies | ⛔ | ✔ |
| Policies | Approve and reject vuln for permanent acceptance in Policies | ⛔ | ✔ |
| Project | Add repositories in Outside | ⛔ | ✔ |
| Project | Add group | ⛔ | ✔ |
| Project | Add organization | ✔ | ✔ |

Fluid Attacks staff roles

There are roles on the platform available only for Fluid Attacks staff to ensure they access only the information and functions pertinent to their assignments.

Hacker

Hackers are the security analysts who identify, exploit, and report vulnerabilities in organizations’ systems.

Reattacker

Reattackers are members who verify the effectiveness of fixes implemented by organizations.

Customer Manager

Customer Managers support organizations with tasks such as adding assets, deleting groups, requesting the deletion of vulnerabilities, and managing members.

Resourcer

Resourcers help keep the assets provided by organizations, such as environment credentials and mailmap authors, up to date.

Reviewer

Reviewers mainly evaluate drafts for approval or disapproval and analyze vulnerability deletion requests.

Architect

Architects ensure that the deliverables of secure code review and penetration testing as a service are of high quality. Their functions include deleting false positives or errors, adding or deleting evidence, and helping organizations over the help channels.

Closer

Closers are responsible for verifying whether a reattack of a vulnerability has been requested and setting the vulnerability status to Safe after a positive reattack outcome.

Admin

The Admin is the member who has the most privileges, lacking only the permission to change treatments.

Fluid Attacks staff roles summary table

The following table specifies the permissions that apply to each Fluid Attacks staff role on the platform.

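| Feature | Hacker | Reattacker | Resourcer | Reviewer | Architect | Customer Manager | Admin |
|---|---|---|---|---|---|---|---|
| Add draft | ✔ | ✔ | ⛔ | ⛔ | ✔ | ⛔ | ✔ |
| Add event | ✔ | ✔ | ✔ | ⛔ | ✔ | ✔ | ✔ |
| Add root | ⛔ | ⛔ | ⛔ | ⛔ | ⛔ | ✔ | ✔ |
| Approve draft | ⛔ | ⛔ | ⛔ | ✔ | ⛔ | ⛔ | ✔ |
| Change treatment | ✔ | ⛔ | ⛔ | ⛔ | ✔ | ⛔ | ⛔ |
| Confirm/reject Zero risk | ⛔ | ⛔ | ⛔ | ✔ | ✔ | ⛔ | ✔ |
| Deactivate/activate root | ⛔ | ⛔ | ⛔ | ⛔ | ⛔ | ⛔ | ✔ |
| Delete group | ⛔ | ⛔ | ⛔ | ⛔ | ⛔ | ✔ | ✔ |
| Edit root | ⛔ | ⛔ | ⛔ | ⛔ | ✔ | ⛔ | ✔ |
| Edit environment | ⛔ | ⛔ | ✔ | ⛔ | ⛔ | ✔ | ✔ |
| Generate a report | ✔ | ⛔ | ⛔ | ⛔ | ✔ | ✔ | ✔ |
| Manage evidence | ✔ | ⛔ | ⛔ | ⛔ | ✔ | ⛔ | ✔ |
| Remove vulnerability | ✔ | ⛔ | ⛔ | ⛔ | ✔ | ⛔ | ✔ |
| Request reattack | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Request Zero risk | ⛔ | ⛔ | ⛔ | ⛔ | ⛔ | ✔ | ✔ |
| Solve event | ✔ | ✔ | ✔ | ⛔ | ✔ | ✔ | ✔ |
| Verify reattack | ✔ | ✔ | ⛔ | ⛔ | ✔ | ⛔ | ✔ |
| Manage mailmap | ⛔ | ⛔ | ✔ | ⛔ | ⛔ | ✔ | ✔ |
| Upgrade/Downgrade group services | ⛔ | ⛔ | ⛔ | ⛔ | ⛔ | ✔ | ✔ |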

Last updated on February 13, 2026