Frequently asked questions about the platform | Fluid Attacks Help

Platform FAQ

This section answers frequently asked questions about Fluid Attacks' platform.


What is a group?

Each group corresponds to individual projects our clients create to manage their vulnerabilities separately. Inside a group on the platform, there are several sections that can be accessed according to the role and plan you are subscribed to. For more information on groups and sections, please see our Documentation.

Why do we advise you to create several groups?

It is recommended to create several separate groups, each dedicated to one project; you can have better visibility of vulnerabilities for their management, generate focused reports and certificates independently, have an organized view of the analytics, and have a better track of the details of each project you work on.


What are vulnerabilities?

Vulnerabilities are the noncompliance with cybersecurity requirements, which are rules based on the several international standards we check in our comprehensive tests.

What is the difference between Age and Last report in the Vulnerabilities table?

Age refers to how many days the vulnerability has been open, whereas last report is the total number of days passed since the vulnerability was last reported.

How do I suggest that a vulnerability is a false positive?

Choose Request zero risk as its treatment.

How can I see only the findings of the dynamic application security testing (DAST)?

Find the search bar in the Vulnerabilities table. By entering "HTTP" as a keyword, you will see the great majority of vulnerabilities as “dynamic” (found through DAST)

How can I see vulnerabilities specific to a particular Git root?

In the search bar that you can find in the Vulnerabilities table, enter the nickname of the repository you are interested in, and the table will show you only the vulnerabilities reported in that repository.


How many pieces of evidence (images and videos) do I have access to?

There is a limit of six files (images or videos). However, these are constantly updated according to the reattacks or new vulnerabilities that may be reported.


What is a nickname?

A nickname is how the team can identify a root or set of credentials, making it easier to search for or identify them.

Where can I find my repository's nickname?

In the Git root table in the Scope section.


How many hours do I have to wait for a response to a reattack request?

Up to 16 hours, according to our service-level agreement.

How to request a reattack?

reattack can be requested from the Locations and To-do list section. You must select the vulnerability to attack followed by clicking the Reattack button. Then, the selected vulnerability will show the status Requested in the Reattack column for up to 16 hours. Remember to check the Consulting section for any new comments regarding the reattack.

How do I know that a requested reattack is in progress?

You can check the reattack status in the column called Reattack in the Locations section. You can also check in the Consulting whether there are comments on the request.

I am unable to request a re-attack, why?

The most common reason for this is that your repository is out of sync. Please check the Scope section to verify that there are no errors cloning the related roots' repositories.

If there are no cloning errors and you are trying to request a reattack for reports from our AppSec tool, it could be that you have not added any new changes, and the last commit analyzed by the tool is the latest commit from your root.

That means, if the reattack were to be executed, the results would be exactly the same, so you need to add new changes to your repository or again, make sure there are no cloning issues.

If these errors do not apply to your case, and you are still not able to request the reattack, please contact us at

Security testing certificates

How do I generate a service certificate?

In the Vulnerabilities section, click on the Generate report button and select the Certificate option. However, this option will not be available if you have not filled out the Business Registration Number and Business Name fields in the Information section. Remember that the roles that can download certifications are User Manager and Vulnerability Manager.


How do I generate the vulnerability report?

In the Vulnerability section, click the Generate report button and select which type of report you want to download, either technical or executive. Remember that you must register your mobile number beforehand to enable two-factor authentication to download the report. Remember that the roles that can download reports are User Manager and Vulnerability Manager.

What is the difference between executive and technical reports?

The executive report is a summary report in PDF format, generally intended for personnel in management roles. This report contains concise and clear information on the vulnerabilities reported in the group. On the other hand, the technical report is an XLSX file where you have all the vulnerabilities reported in the group with their technical details.


What is the difference between members and authors?

Members refer to all users who can access your group to visualize information or manage vulnerabilities, scope and tags, among other things. Authors are all the developers or professionals who contribute to the repositories under evaluation.


What is the difference between our three consulting alternatives?

Consulting is one of the communication channels with users. You can find it in Locations, Groups and Events. Use the one in Locations when you have questions regarding a specific vulnerability. Use the one in Events to ask about the status or details of situations that are preventing security testing from resuming. And use the one in the main screen of a group to ask general questions about that group.


Why is a vulnerability still Vulnerable when it has been accepted permanently?

When a vulnerability is permanently accepted, the organization assumes the risk, not remediating it, so it will continue to be regarded as vulnerable.

What happens when a temporary acceptance treatment expires?

The treatment for that specific security issue reverts to Untreated, and the remediation of such issue is assigned to the user who had requested the temporary acceptance.


If I apply policies to a group, will these apply to all roots of this?

Yes, it will apply to all repositories added in that group.

What is the difference between policy at the ORG and the group level?

Organization policies are those that you set globally and that will be inherited by all groups pertaining to that organization. For your management purposes, you may prefer to set specific group policies.


Must I only install Docker to run the DevSecOps agent from my local machine?

Yes, it is only necessary to use Docker if you manage the DevSecOps agent from your local machine. To see the Docker and agent installation steps visit our Documentation.

Does Fluid Attacks’ DevSecOps agent run locally or on the development infrastructure?

You can run it both ways.

How many arguments can I pass to run Fluid Attacks’ DevSecOps agent?

You can pass multiple arguments. To see the different options, check out our Documentation.

How often is it advisable to do docker pull to update the image?

It is up to the user to do it weekly or monthly.

In what mode can Fluid Attacks’ agent be run so it doesn't break the build?

In lax mode, opposite to strict mode.

Must all team members use the same token to run the DevSecOps agent in a group?

Yes, all team members who want to run the agent in the same group require the same token. To acquire the token, you must go to the DevSecOps Agent section in Scope.

Platform problems

If you have any problems logging in to the platform, we recommend the following:

  • Log out of the platform, delete browser cache and cookies, log back in, and enter the group(s) with the inconvenience.

  • Try to access the platform from incognito mode or another browser and check if the problem also occurs.

  • Once the screenshot is displayed, you can also run one of the following JS commands from the browser's development console (usually accessed by pressing F12 in Windows and Linux environments): sessionStorage.clear() or localStorage.clear() and then refresh the web page.