Platform sections and header items

Here is an overview of all the sections of the Fluid Attacks platform. For ease of presentation, they are divided into two main groups: organization-level sections and group-level sections.

Organization-level sections

Once you log in to the platform, you are at this level, which collects and presents information related to all the groups or projects your company has with Fluid Attacks.

You can switch between the sections at this level from anywhere in the platform by using the collapsible menu. Here is what the menu looks like to Organization Managers (access to sections and functions in the platform is managed through roles):

Use the collapsible menu on the Fluid Attacks platform

Groups

Your company may have several applications or software products and want to keep track of their security assessments and risk exposure separately. This is why you can create a group in the platform for each of them. In the Groups section, you find the list of your groups and several pieces of information about each of them, as well as the total numbers of covered and missed contributing authors and repositories across the organization’s groups.

Analytics

In the Analytics section at the organization level, you can view various charts, tables and figures with valuable information on security testing results, vulnerability management strategies, and progress in reducing risk exposure in your organization (i.e., including data from all its groups), among other things. Here are some examples of the information available:

  • Exposure management over time 
  • Exposure benchmark 
  • Remediation rate benchmark 
  • Accepted vulnerabilities by CVSS severity 
  • Vulnerabilities treatment 
  • Reporting technique 

Portfolios

Portfolios are sets of groups that you can create to establish and observe comparisons of some of the data displayed in their respective Analytics sections. In the Portfolios section, you will find the list of portfolios created by your organization.

Members

Note

Role required: Vulnerability Manager or Organization Manager.

The Members section at the organization level is where you can view or manage the members of the organization. These are platform users who, according to their role, may have permission to view organization-level sections or access the organization’s groups and perform more management functions.

Policies

Fluid Attacks allows you to view or establish policies around accepting security vulnerabilities, preventing deployment into production when vulnerabilities are present, and prioritizing vulnerabilities for remediation. Those defined in the Policies section are inherited by all the groups in your organization, although group-specific policies may be established in the Scope section.

Authors

Note

Role required: Organization Manager

Since contributing developers may create commits using different email addresses, it is useful to consolidate contributor information. The Authors section allows you to view single contributors and all their associated user names and email addresses.

Billing

Note

Role required: Organization Manager

In the Billing section, you find the number of monthly active authors in each group (which helps calculate the cost of Continuous Hacking) and the saved payment methods.

Out of Scope

Fluid Attacks recommends you use Open Authorization (OAuth) to import the repositories to be tested. This entails connecting Fluid Attacks’ platform to your account on a code repository hosting provider (such as GitLab) to retrieve the repositories there without sharing credentials with Fluid Attacks. The Out of Scope section shows the repositories that were not selected for import during that process and so were not included in any of the groups. Therefore, those repositories are not yet within the scope of Fluid Attacks’ security testing. In this section, you may add them to groups.

Credentials

In the Credentials section, if you have an Organization Manager role, you can authorize Fluid Attacks to retrieve your repositories on Azure, Bitbucket, GitHub or GitLab through OAuth. Such authorization is saved in the platform as credentials that can later be associated with more of the assets they give access to, so that those assets can be tested. However, actual credentials, such as username and password pairs, can also be added in this section. Fluid Attacks uses OAuth and credentials safely to access the target of evaluation (ToE).

Compliance

The Compliance section shows details of your organization’s compliance with several international standards, which are the basis for the security requirements that Fluid Attacks tests in your systems. Among the useful information provided here are how well your organization is doing with particular standards in comparison to other organizations and how many days it will take your organization to achieve compliance with all standards.

Logs

Note

Role required: User

The Logs section shows the HTTP, network, and session logs related to access to your organization’s assets when it has enabled zero trust network access (ZTNA).

Integrations

Fluid Attacks’ platform can connect with IDE plugins and bug-tracking systems used by your team. In the Integrations section, you can find links to Fluid Attacks’ documentation about the possible integrations (e.g., IntelliJ IDEA and VS Code plugins) and manage some of them (i.e., Azure DevOps, GitLab, and Jira Cloud). Moreover, this section also has links to documentation on using the API and creating webhooks.

Help

Fluid Attacks has options that you can use when you need help regarding its AppSec solution, Continuous Hacking, or guidance in understanding vulnerabilities or using our platform. To access these options on the platform, click on Help, located at the bottom of the collapsible menu. This makes a bar appear on the right side of the screen.

Use help options on the Fluid Attacks platform

These are the help options offered by Fluid Attacks within the menu:

  1. Talk to a Pentester: Use this Advanced-plan-exclusive feature to have a videoconference with one of Fluid Attacks’ pentesters about complex reported vulnerabilities. (You can view and use this option only while you are inside a group that is subscribed to the Advanced plan.)
  2. Live chat: Use this option to send Fluid Attacks questions about any feature of the platform and its use that you have not found the answer to in the Help Center.
  3. Learn how to use: Click on this option to find a link to the Fluid Attacks certification tailored to your role, which you can achieve in about one hour (see topics in Tutorial videos), or to schedule a live demo.
  4. Help Center: This should be your go-to option for any doubt you have. If Fluid Attacks’ documentation does not help you, you can consider the other help options.
  5. Contact support: You can click on this option to send an email to Fluid Attacks.

Group-level sections

Click on the name of a group in the Groups section to enter its dedicated space. You can switch between sections using the tabs under the group’s name. Here is what the group-level sections menu looks like to Group Managers (access to group sections and functions in the platform is managed through roles).

Navigate the sections of a group on the Fluid Attacks platform

Vulnerabilities (by weakness)

The Vulnerabilities section on the platform is where you can access detailed information on all the confirmed security vulnerabilities found in your own code, including the recommendations for remediating them. They are conveniently categorized by weakness, according to Fluid Attacks’ conceptualization.

When you click on the weakness name, you are presented with sections dedicated to vulnerabilities under it. The main features of these sections are summarized below on this page.

Navigate the sections of a type of vulnerability on the Fluid Attacks platform

Vulnerabilities

In the Vulnerabilities section, you see the list of the vulnerabilities named after file paths and specific inputs/lines of code/ports where Fluid Attacks found them. Useful functions in this section include the options to define the treatment for vulnerabilities (e.g., assign fix work to yourself or someone in your team) and request a reattack (i.e., a retest to verify whether the vulnerability was successfully remediated).

To learn more about a vulnerability or use generative artificial intelligence (gen AI) to get a custom guide to remediate the vulnerability (when applicable), click on its entry in the Vulnerability column. This causes a pop-up window to appear. The following screenshot is of this window for an instance of a reported remote code execution vulnerability.

Learn details of a vulnerability on the Fluid Attacks platform

Each tab in the pop-up window provides you with useful information:

  1. Details: Description and current treatment, among other information
  2. Severity: Breakdown of the assigned severity score using the Common Vulnerability Scoring System (CVSS) v4.0
  3. Code: The actual line(s) of code presenting the vulnerability and lines that surround it/them
  4. Treatments: The current treatment and assigned tags with the option to change them
  5. How to fix: The AI-generated custom guide to remediate the vulnerability
  6. Tracking: The treatment and reattack history

Description

In the Description section  you can learn the definition of the type of vulnerability along with the security requirements that may have been violated, the impacts expected of vulnerability exploitation, the characteristics of the threat actor that may exploit it, and recommended actions to fix the code.

Evidence

The Evidence section  provides supporting evidence of the existence and exploitability of the specific type of vulnerability reported. The evidence can come in the form of images or videos.

Tracking

The detailed treatment history of the type of vulnerability is provided in the Tracking section, along with information on the number of vulnerabilities reported and remediated.

Records

In the Records section  you find a table with sensitive information obtained by Fluid Attacks’ team of pentesters after exploiting the vulnerability in your system. The data may be financial information (e.g., account numbers), personal information (e.g., phone numbers), and technical information (e.g., access tokens).

Comments

Comments  is a forum-like section to communicate with Fluid Attacks about the reported vulnerabilities or to find out the outcome of reattacks.

Tip

Note: Comments for vulnerabilities is available for users with the Essential  plan in view mode.

Analytics (group-level)

Within the group-level Analytics section, you discover graphs and figures on the status and characteristics of reported vulnerabilities and your remediation practices related to that specific group. Among the group-specific analytics are those related to the status and executions of Fluid Attacks’ CI agent.

DevSecOps

Fluid Attacks offers its CI Gate  that you can install in your CI pipelines to break the build  when attempting to deploy software versions with vulnerabilities into production. Breaking the build, when enabled, follows the policies set by your organization. The DevSecOps section  shows the details and results of recent CI Gate executions.

You can select an execution to see the vulnerabilities detected in it or see the agent log. This is shown in a pop-up window with tabs corresponding to the two mentioned options.

View details of agent executions on the Fluid Attacks platform

Design Map

The Design Map  section shows the correlations between your threat model and vulnerabilities Fluid Attacks has detected in your system. After uploading your threat model files, you can see your detailed threat descriptions matched with Fluid Attacks’ vulnerability categories and their details, such as severity. This enables strategic prioritization of remediation efforts based on your specific security concerns.

Events

Fluid Attacks calls an “event” a situation that prevents testing of a part of the target of evaluation (ToE) or its entirety. Further, Fluid Attacks categorizes events into several types, for example, “credentials issues,” when the information given for authentication is invalid. In the Events section, you can view the events that Fluid Attacks reports to you for your prompt action. Each reported event has sections dedicated to it, as shown in the following screenshot. The main features of these sections are summarized below on this page.

View details of events on the Fluid Attacks platform

  1. Description: What the situation is, what part of the ToE it refers to, and whether it prevents reattacks
  2. Evidence: Images or videos that provide proof of the event
  3. Comments: Forum-like space to discuss the event

Members (group-level)

Note

Role  required: Vulnerability Manager or Group Manager

In the Members section at the group level, according to your role on the platform, you can either only view or fully manage who has access to the group and what permissions they have to use platform functions.

Authors (group-level)

By “authors” Fluid Attacks refers to the developers contributing to the code repository each month. The Authors section  gives you a list of such users and informs you whether they have registered to Fluid Attacks’ platform. If you have the Group Manager  role, you can invite authors not yet on the platform to register.

Inventory

Inventory’s Packages section  helps you keep track of the third-party dependencies in your software. Thanks to it, you can find out which dependencies have reachable vulnerabilities  and where you are using them, enabling you to analyze your usage of them and make informed decisions.

Inventory also has a Surface section, which gives information about the Target of Evaluation (ToE) specified in the Scope section with regard to the present lines, inputs, packages and ports, and used languages, each category having its own section.

View details of the Target of Evaluation on the Fluid Attacks platform

Scope

In the Scope section you mainly define Fluid Attacks’ Target of Evaluation (ToE). The following information is entered in this section to facilitate, or in some cases enable, security testing with Fluid Attacks’ Continuous Hacking:

  • Git Repositories: Git repositories where you version the application’s source code
  • Environments: URLs where applications are deployed
  • IP Roots: Web applications reachable through specified IP addresses (only in groups subscribed to black-box testing)
  • URL Roots: Dynamic environments already deployed on a web server (provided only in groups subscribed to black-box testing)
  • Files: Mobile applications, or any documents (i.e., software documentation) that could help understand or use the system under evaluation
  • Portfolio Tags: Keywords to build portfolios, thus getting information and analytics for groups that share the tag
  • Information: General information about your company, useful, for example, for generating complete security testing certificates
  • Group Settings: Specific configuration options for the group, i.e., group context, group disambiguation, DevSecOps agent token management, function for the user to unsubscribe from the group, and function to delete the group

Platform header items

The top part of Fluid Attacks’ platform, like the collapsible menu, is always visible as you navigate the application. Its functions include providing you access to your tasks and user information and settings.

Use the Fluid Attacks platform top menu

Organization menu

This drop-down menu allows you to change between your organizations on Fluid Attacks’ platform, in case you have more than one.

Group search box

You can use the search box in the platform’s header to type a group name within the organization and be directed to it upon tapping the Enter / Return key.

AI Agent

Chat with the AI Agent  to get information quickly about your organization or group, or vulnerability management advice, leveraging Fluid Attacks’ generative AI.

To do

This item in the platform header takes you, upon click, to the To do section, which has a table showing general information about the vulnerabilities that you are responsible for remediating.

Downloads

Upon clicking this item, you can find recently requested reports ready for download. Each item is kept available in your download history for seven days.

News

Clicking on this item opens a pop-up window that shows the headlines of Fluid Attacks’ posts on new functions of the platform, enhancements to Fluid Attacks’ scanners, and more. These preview texts link to the corresponding complete posts at Fluid Attacks’ News page. The pop-up window also presents you with the options to subscribe to Fluid Attacks’ News and request a new feature.

User menu

The option furthest to the right on the platform header is your user menu, which you can open by clicking on your name. Apart from your role, email, and phone number, the menu shows your individual user options. Below is what it looks like to Group Managers.

Use user menu on the Fluid Attacks platform

View as client

Note

A Fluid Attacks staff role is required.

This option allows you to view the platform as a client would.

Feature preview

Note

A Fluid Attacks staff role is required.

This option allows you to use platform features that are not yet generally available.

API token

This option allows you to manage the API token used for retrieving or modifying data and triggering actions to build custom integrations.

Notifications

Clicking on this option directs you to the Notifications section, which displays and allows you to manage your preferences on the emails that you receive from Fluid Attacks informing you of activity such as newly reported vulnerabilities, reported events that impede testing, and more.

View notifications configuration on the Fluid Attacks platform

Trusted devices

The platform login  process allows you to opt for trusting the device you are using so that you are not asked for a one-time password while using that device in the following 180 days. By clicking on the Trusted devices  option in your user menu, you are directed to the section where you can see a list of the devices and information such as the date of the most recent login.

Manage trusted devices on the Fluid Attacks platform

Mobile

Having your phone registered to the platform is very useful, as it enables the delivery of verification codes to your phone, thus allowing an option of two-factor authentication, the generation of reports and more.

Ethics Hotline

It is important for Fluid Attacks to allow reporting (anonymous or otherwise) of matters that concern ethics. By clicking on the Ethics Hotline option of the user menu, you are directed to an equally safe web application where you can report complaints on your own behalf or on behalf of others. However, you can also use this option to send suggestions, questions or even thank-you messages.

Delete account

This option within the user menu allows you to safely delete your account, meaning that your information is completely erased with no option of anyone retrieving it.

Log out

This option within the user menu is pretty self-explanatory. Click it and, after confirmation, you are logged out of the platform.

Platform version

At the bottom of the user menu, you can see the commit hash ID (a commit’s unique identifier) that corresponds to the Fluid Attacks platform’s latest update. You can click on the commit hash to see it on GitLab, where you can learn the specific lines of code that were changed, the developer who made the change, what was removed and added, and in what file.


Last updated on February 13, 2026

Fluid Attacks 2026. All rights reserved.