Platform sections and header items | Fluid Attacks Help

Platform sections and header items

Here is an overview of all the sections of the Fluid Attacks platform. For ease of exposition, they are divided into two main groups: organization-level sections and group-level sections.

Organization-level sections

Once you log in to the platform, you are at this level, which collects and presents information related to all the groups or projects your company has with Fluid Attacks.

You can switch between the sections at this level from anywhere in the platform by using the collapsible menu. Here is what the menu looks like to User Managers (access to sections and functions in the platform is managed through roles):

Use the collapsible menu on the Fluid Attacks platform

Groups

Your company may have several applications or software products and want to track their security assessments and risk exposure separately. This is why you can create a group in the platform for each of them. In the Groups section, you find the list of your groups and several pieces of information about each of them, as well as the total numbers of covered and uncovered contributing authors and repositories across the organization's groups.

Analytics

In the Analytics section at the organization level, you can view various charts, tables and figures with valuable information on security testing results, vulnerability management strategies, and progress in reducing risk exposure in your organization (i.e., including data from all its groups), among other things. Here are some examples of the information available:

Portfolios

Portfolios are sets of groups that you can create to establish and observe comparisons of some of the data displayed in their respective Analytics sections. In the Portfolios section, you will find the list of portfolios created by your organization.

Members

Role required: Vulnerability Manager or User Manager.

The Members section at the organization level is where you can view or manage the members of the organization. These are platform users who, according to their role, may have permission to visualize organization-level sections or access the organization's groups and perform more management functions.

Policies

Fluid Attacks allows you to view or establish policies around accepting security vulnerabilities, preventing deployment into production when vulnerabilities are present, and prioritizing vulnerabilities for remediation. Those defined in the Policies section are inherited by all the groups in your organization, although group-specific policies may be established in the Scope section.

Mailmap

Role required: User Manager

Since contributing developers may create commits using different email addresses, it is useful to consolidate contributor information. The Mailmap section allows you to view single contributors and all their associated user names and email addresses.

Billing

Role required: User Manager
In the Billing section, you find the number of monthly active authors in each group (which is used to calculate the cost of Continuous Hacking) and the saved payment methods.
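
The Mailmap and Billing sections above rest on one idea: a single contributor may commit under several names and e-mail addresses, and only after those identities are consolidated can "monthly active authors" be counted correctly. The following is an added example, not Fluid Attacks' own code; it borrows git's .mailmap syntax for the identity mapping (the platform's Mailmap section is a UI over the same notion) and uses constructed people, addresses and commit lines. It counts distinct authors per repository and month both before and after consolidation, so the effect on the billed number is visible.

```python
"""Consolidate commit identities with a git-style .mailmap and count monthly
active authors per repository.

Added example (not Fluid Attacks' code). It assumes that an "author" is a
distinct contributor after identity consolidation and borrows git's .mailmap
syntax for that mapping. All identities, e-mails and commit lines are constructed.
"""
import re
from collections import defaultdict

# Constructed .mailmap (hypothetical people). Each line maps the commit identity
# on the right to the canonical identity on the left.
MAILMAP = """
# Proper Name <proper@email> <commit@email>             -> replace name and e-mail
Ana Ruiz <ana.ruiz@example.com> <aruiz@old-mail.example>
# Proper Name <proper@email> Commit Name <commit@email> -> match name AND e-mail
Ana Ruiz <ana.ruiz@example.com> ana-laptop <ana@localhost>
# <proper@email> <commit@email>                         -> replace e-mail only
<ben.kim@example.com> <bkim@contractor.example>
"""

# Constructed commit log: repo|author name|author e-mail|author date.
COMMIT_LOG = """
api|Ana Ruiz|ana.ruiz@example.com|2024-03-04
api|ana-laptop|ana@localhost|2024-03-05
api|Carla Diaz|carla@example.com|2024-03-09
api|Ana R.|aruiz@old-mail.example|2024-03-20
web|Ben Kim|bkim@contractor.example|2024-03-11
web|Ben Kim|ben.kim@example.com|2024-04-02
api|Ana Ruiz|ana.ruiz@example.com|2024-04-15
"""

_ENTRY = re.compile(
    r"^(?P<n1>[^<]*?)\s*<(?P<e1>[^>]+)>"              # canonical name (optional) and e-mail
    r"(?:\s*(?P<n2>[^<]*?)\s*<(?P<e2>[^>]+)>)?\s*$"  # optional commit name and e-mail
)


def parse_mailmap(text):
    """Return (by_name_email, by_email) lookup tables; e-mails are lower-cased as git does."""
    by_name_email, by_email = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"unparseable mailmap line: {raw!r}")
        name1 = m.group("n1").strip() or None
        email1 = m.group("e1").strip().lower()
        if m.group("e2") is None:  # "Name <email>": fix the name only
            by_email[email1] = (name1, email1)
            continue
        email2 = m.group("e2").strip().lower()
        name2 = (m.group("n2") or "").strip() or None
        if name2:
            by_name_email[(name2, email2)] = (name1, email1)
        else:
            by_email[email2] = (name1, email1)
    return by_name_email, by_email


def canonical(name, email, mailmap):
    """Resolve one commit identity; exact (name, e-mail) entries win over e-mail-only ones."""
    by_name_email, by_email = mailmap
    email = email.lower()
    hit = by_name_email.get((name, email)) or by_email.get(email)
    if hit is None:
        return name, email
    new_name, new_email = hit
    return (new_name or name), new_email


def monthly_active_authors(log_text, mailmap=None):
    """Distinct authors per (repo, YYYY-MM); mailmap=None gives the unconsolidated count."""
    seen = defaultdict(set)
    for line in log_text.strip().splitlines():
        repo, name, email, day = line.split("|")
        if mailmap is not None:
            name, email = canonical(name, email, mailmap)
        seen[(repo, day[:7])].add(email.lower())
    return {key: len(authors) for key, authors in seen.items()}


if __name__ == "__main__":
    mm = parse_mailmap(MAILMAP)
    print("raw:         ", monthly_active_authors(COMMIT_LOG))
    print("consolidated:", monthly_active_authors(COMMIT_LOG, mm))
```

In the constructed log, the api repository shows four distinct e-mail addresses in March 2024 but only two people once the mapping is applied; the three Ana Ruiz identities collapse into one. The same consolidation is why a contractor address and a corporate address for the same person should be mapped before the monthly figure is taken at face value.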

Outside

Fluid Attacks recommends that you use Open Authorization (OAuth) to import the repositories to be tested. This means connecting the Fluid Attacks platform to your account on a code repository hosting provider (such as GitLab) so that the repositories there can be retrieved without sharing credentials with Fluid Attacks. The Outside section lists the repositories that you did not select for import during that process and that are therefore not included in any group, which means they are not yet within the scope of Fluid Attacks' security testing. In this section, you can add them to groups.

Credentials

In the Credentials section, if you have the User Manager role, you can authorize Fluid Attacks to retrieve your repositories from Azure, Bitbucket, GitHub or GitLab through OAuth. The authorization is saved in the platform as a credential that can later be associated with other assets it grants access to, so that they can be tested as well. Conventional credentials, such as username and password pairs, can also be added in this section. Fluid Attacks uses these OAuth authorizations and stored credentials to access the target of evaluation (ToE); OAuth is the preferable option where the provider supports it, because no long-lived password is handed over.

Compliance

The Compliance section shows details of your organization's compliance with several international standards, which are the basis for the security requirements that Fluid Attacks tests in your systems. Among the information provided here are how well your organization is doing with particular standards compared with other organizations and an estimate of how many days it will take your organization to achieve compliance with all standards.

Logs

Role required: User
The Logs section shows the HTTP, network, and session logs related to access to your organization's assets when the organization has zero trust network access (ZTNA) enabled.

Integrations

Fluid Attacks' platform can connect with IDE plugins and bug-tracking systems used by your team. In the Integrations section, you can find links to Fluid Attacks' documentation about the possible integrations and manage some of them. Moreover, this section also has links to documentation on using the API and creating webhooks.

Group-level sections

Click on the name of a group in the Groups section to enter its dedicated space. You can change between sections using the tabs under the group's name. Here is what the group-level sections menu looks like to User Managers (access to group sections and functions in the platform is managed through roles).

Navigate the sections of a group on the Fluid Attacks platform

Vulnerabilities

The Vulnerabilities section on the platform is where you can access detailed information on all the confirmed security vulnerabilities found in your group, including the recommendations for remediating them.

When you click on a reported type of vulnerability, you are presented with sections dedicated to it. The main features of these sections are summarized below on this page.

Navigate the sections of a type of vulnerability on the Fluid Attacks platform

Locations

In the Locations section, you see the list of specific locations (i.e., file paths and specific inputs/lines of code/ports) where Fluid Attacks found the type of vulnerability you are exploring. Useful functions in this section include the options to define the treatment for the vulnerability (e.g., assign fix work to yourself or someone in your team) and request a reattack (i.e., a retest to verify whether the vulnerability was successfully remediated).

To learn more about a vulnerability or use generative artificial intelligence (gen AI) to get a custom guide to remediate the vulnerability (when applicable), click on its entry in the Location column. This causes a pop-up window to appear. The following screenshot is of this window for an instance of a reported remote code execution vulnerability.
Learn details of a vulnerability on the Fluid Attacks platform

Each tab in the pop-up window provides you with useful information:
  1. Details: Description and current treatment, among other information
  2. Severity: Breakdown of the assigned severity score using the Common Vulnerability Scoring System (CVSS) v3.1 and v4.0
  3. Code: The actual line(s) of code presenting the vulnerability and lines that surround it/them
  4. Treatments: The current treatment and assigned tags with the option to change them
  5. Tracking: The treatment and reattack history
  6. How to fix: The AI-generated custom guide to remediate the vulnerability

Description

In the Description section you can learn the definition of the type of vulnerability along with the security requirements that may have been violated, the impacts expected of vulnerability exploitation, the characteristics of the threat actor that may exploit it, and recommended actions to fix the code.

Severity

In the Severity section, you find the values in the CVSS Exploitability and Impact metrics calculated for the type of vulnerability.

Evidence

The Evidence section provides supporting evidence of the existence and exploitability of the specific type of vulnerability reported. The evidence can come in the form of images or videos.

Tracking

The detailed treatment history of the type of vulnerability is provided in the Tracking section, along with information on the number of vulnerabilities reported and remediated.

Records

In the Records section, you find a table with sensitive information obtained by Fluid Attacks' hacking team after exploiting the vulnerability in your system. The data may be financial information (e.g., account numbers), personal information (e.g., phone numbers), and technical information (e.g., access tokens).

Consulting

The Consulting section is a forum-like section to communicate with Fluid Attacks about the reported vulnerabilities or to find out the outcome of reattacks.

Note: Users on the Essential plan have Consulting for vulnerabilities in view mode only.

Supply chain

The Supply chain section helps you keep track of the third-party dependencies in your software. In this section, you can find out which dependencies might mean trouble and where you are using them, enabling you to analyze and make informed decisions about their use.

Analytics (group-level)

Within the group-level Analytics section, you discover graphs and figures on the status and characteristics of reported vulnerabilities and your remediation practices related to that specific group. Among the group-specific analytics are those related to the status and executions of Fluid Attacks' CI agent.

DevSecOps

Fluid Attacks offers a CI agent that you can install in your CI pipelines to break the build when a pipeline attempts to deploy a software version with vulnerabilities into production. Breaking the build, when enabled, follows the policies set by your organization. The DevSecOps section shows the details and results of recent CI agent executions.

You can select an execution to see the vulnerabilities detected in it or to see the agent log; both are shown in a pop-up window with a tab for each.

View details of agent executions on the Fluid Attacks platform
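
To make concrete how the organization's policies (accepting vulnerabilities, preventing deployment, prioritizing) translate into a break-the-build decision, here is an added example. It is not Fluid Attacks' CI agent: the policy fields (severity threshold, grace period, which treatments are honoured), the treatment names and the findings are assumptions made for illustration, and the real policies are configured in the Policies and Scope sections of the platform. The gate returns the blocking findings in priority order so a failed pipeline can report what to fix first.

```python
"""Policy-driven build gate: which open findings should fail a CI run.

Added example, not Fluid Attacks' CI agent. Policy fields, treatment names
and the findings below are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Policy:
    break_build: bool = True                # the "prevent deployment" switch
    min_severity: float = 7.0               # break only at or above this base score
    grace_days: int = 7                     # days after report before a finding can break the build
    honoured_treatments: FrozenSet[str] = frozenset(
        {"TEMPORARILY_ACCEPTED", "PERMANENTLY_ACCEPTED"}
    )


@dataclass(frozen=True)
class Finding:
    id: str
    severity: float                         # CVSS base score, as shown in Severity
    reported: date
    treatment: str = "NEW"                  # NEW, IN_PROGRESS, TEMPORARILY_ACCEPTED, PERMANENTLY_ACCEPTED
    accepted_until: Optional[date] = None   # only meaningful for TEMPORARILY_ACCEPTED
    closed: bool = False                    # remediation verified by a reattack


# Constructed findings (not real report data).
SAMPLE_FINDINGS = [
    Finding("F1", 9.8, date(2024, 5, 1)),
    Finding("F2", 8.1, date(2024, 5, 30)),                                            # inside grace period
    Finding("F3", 7.5, date(2024, 4, 2), "TEMPORARILY_ACCEPTED", date(2024, 12, 31)),  # acceptance current
    Finding("F4", 7.2, date(2024, 4, 2), "TEMPORARILY_ACCEPTED", date(2024, 5, 15)),   # acceptance expired
    Finding("F5", 5.3, date(2024, 3, 1)),                                             # below threshold
    Finding("F6", 9.1, date(2024, 3, 1), closed=True),                                # already fixed
]
TODAY = date(2024, 6, 1)


def blocking_findings(findings: List[Finding], policy: Policy, today: date) -> List[Finding]:
    """Findings that should break the build, highest severity first, then oldest first."""
    blocking = []
    for f in findings:
        if f.closed or f.severity < policy.min_severity:
            continue
        if (today - f.reported).days < policy.grace_days:
            continue
        if f.treatment in policy.honoured_treatments:
            # A temporary acceptance shields the finding only until it expires;
            # a permanent one has no expiry date and always shields it.
            if f.accepted_until is None or today <= f.accepted_until:
                continue
        blocking.append(f)
    return sorted(blocking, key=lambda f: (-f.severity, f.reported))


def should_break_build(findings: List[Finding], policy: Policy, today: date) -> bool:
    """True when the policy enables breaking and at least one finding blocks."""
    return policy.break_build and bool(blocking_findings(findings, policy, today))


if __name__ == "__main__":
    for f in blocking_findings(SAMPLE_FINDINGS, Policy(), TODAY):
        print(f"{f.id}: severity {f.severity}, reported {f.reported}, treatment {f.treatment}")
    print("break build:", should_break_build(SAMPLE_FINDINGS, Policy(), TODAY))
```

With the sample data and the default policy, F1 and F4 block the build: F2 is still inside its grace period, F3 is under a current acceptance, F5 is below the severity threshold and F6 is closed. An expired temporary acceptance (F4) is the case most often missed by hand-written gates.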

Events

Fluid Attacks calls an "event" a situation that prevents testing of part or all of the target of evaluation (ToE). Fluid Attacks categorizes events into several types, for example, "credentials issues," when the information given for authentication is invalid. In the Events section, you can view the events that Fluid Attacks reports to you for your prompt action. Each reported event has sections dedicated to it, as shown in the following screenshot. The main features of these sections are summarized below.

View details of events on the Fluid Attacks platform
  1. Description: What the situation is, what part of the ToE it refers to, and whether it prevents reattacks
  2. Evidence: Images or videos that provide proof of the event
  3. Consulting: Forum-like space to discuss the event

Members (group-level)

Role required: Vulnerability Manager or User Manager
In the Members section at the group level, depending on your role on the platform, you can either only view or fully manage who has access to the group and what permissions they have to use platform functions.

Authors

By "authors" Fluid Attacks refers to the developers contributing to the code repository each month. The Authors section gives you a list of such users and tells you whether they have registered on the Fluid Attacks platform. If you have the User Manager role, you can invite authors not yet on the platform to register.

Surface

The Surface section gives information about the Target of Evaluation (ToE) specified in the Scope section, namely the existing lines of code, inputs, ports, and languages used, each category having its own subsection.

Scope

In the Scope section, you mainly define Fluid Attacks' Target of Evaluation (ToE). The following information is entered in this section to facilitate, or in some cases enable, security testing with Fluid Attacks' Continuous Hacking:

Platform header items

The top part of the Fluid Attacks platform, like the collapsible menu, is always visible as you navigate the application. Its functions include giving you access to your tasks and to your user information and settings.

Organization menu

This drop-down menu lets you switch between your organizations on the Fluid Attacks platform, if you have more than one.
You can also use the search box in the platform's header to type the name of a group within the organization and go to it by pressing Enter.

To do

Clicking this item in the platform header takes you to the To do section, which has a table showing general information about the vulnerabilities that you are responsible for remediating.

News

Clicking on this item opens a pop-up window that shows the headlines of Fluid Attacks' posts on new functions of the platform, enhancements to Fluid Attacks' scanners, and more. These preview texts link to the corresponding complete posts on Fluid Attacks' News page. The pop-up window also presents you with the options to subscribe to Fluid Attacks' News and to request a new feature.

User menu

The option furthest to the right on the platform header is your user menu, which you can open by clicking on your name. Apart from your role, email, and phone number, the menu shows your individual user options.
Use user menu on the Fluid Attacks platform

API token

This option allows you to manage the API token used to retrieve or modify data and trigger actions when building custom integrations. Treat the token like a password: keep it in a secrets manager or a protected CI variable, never in source control.

Notifications

Clicking on this option takes you to the Notifications section, which displays and allows you to manage your preferences on the emails you receive from Fluid Attacks informing you of activity such as newly reported vulnerabilities, reported events that impede testing, and more.
View notifications configuration on the Fluid Attacks platform

Trusted devices

The platform login process allows you to opt to trust the device you are using, so that you are not asked for a one-time password on that device for the following 180 days. Clicking on the Trusted devices option in your user menu takes you to the section where you can see the list of trusted devices and information such as the date of the most recent login from each.
Manage trusted devices on the Fluid Attacks platform

Mobile

Registering your phone on the platform is very useful, as it enables the delivery of verification codes to your phone, which gives you a two-factor authentication option, allows the generation of reports, and more.

Ethics Hotline

It is important for Fluid Attacks to allow reporting (anonymous or otherwise) of matters that concern ethics. Clicking on the Ethics Hotline option of the user menu takes you to a secure web application where you can report complaints on your own behalf or someone else's. You can also use this option to send suggestions, questions or even thank-you messages.

Delete account

This option within the user menu allows you to delete your account, meaning that your information is completely erased with no option of anyone retrieving it.

Log out

This option within the user menu is self-explanatory. Click it and, after confirmation, you are logged out of the platform.

Platform version

At the bottom of the user menu, you can see the commit hash (a commit's unique identifier) corresponding to the Fluid Attacks platform's latest update, along with the deployment date and time. Click the commit hash to open it on GitLab, where you can see which lines of code were changed, who made the change, what was removed and added, and in which file.

Help options

Fluid Attacks has options that you can use when you need help regarding its AppSec solution, Continuous Hacking, or guidance in remediating vulnerabilities or using the platform. To access these options on the platform, click on Help, located at the bottom of the collapsible menu. This makes a bar appear on the right side of the screen.
Use help options on the Fluid Attacks platform

These are the help options offered by Fluid Attacks within the menu:
  1. Talk to a hacker: Use this Advanced-plan-exclusive feature to have a videoconference with a member of Fluid Attacks' hacking team about complex reported vulnerabilities. (You can view and use this option only while you are inside a group that is subscribed to the Advanced plan.)
  2. Live chat: Use this option to send Fluid Attacks questions about any feature of the platform and its use that you have not found the answer to in the Help Center.
  3. Learn how to use: Click on this option to find a link to the Fluid Attacks certification tailored to your role, which you can complete in about one hour, or to schedule a live demo.
  4. Help Center: This should be your go-to option for any doubt you have. If Fluid Attacks' documentation does not help you, you can consider the other help options.
  5. Contact support: You can click on this option to send an email to Fluid Attacks.