Package: Invicti AppSec Core (on-demand)
Invicti AppSec Core pre-configuration
Invicti AppSec Core comes with a set of pre-configured features so you can start scanning and managing vulnerabilities right away. This page describes what's set up out of the box and what you can customize.
Built-in scanners
Six security scanners are automatically activated with your Core account. You don't need to install, configure, or enable them manually:
| Scanner | What it does |
|---|---|
| Invicti SAST | Analyzes source code to find vulnerabilities. Supports 27+ programming languages. |
| Invicti DAST/API | Tests running applications for runtime vulnerabilities. Covers REST, GraphQL, and SOAP APIs. |
| Invicti SCA | Identifies vulnerabilities and license risks in open-source dependencies. |
| Invicti Container Security | Scans container images for vulnerable packages, exposed secrets, and misconfigurations. |
| Invicti IaC | Checks Infrastructure as Code files (Terraform, CloudFormation, Kubernetes, and more) against security benchmarks. |
| Secrets Detection | Finds hardcoded credentials, API keys, tokens, and private keys in your codebase and Git history. |
When you add a scanner to a project, Invicti AppSec automatically creates a daily scan schedule. You can customize this schedule in your project settings.
Built-in roles
Six user roles are pre-configured with fixed permission structures:
| Role | Access level |
|---|---|
| Admin | Full system access with all permissions. |
| Manager | Manages business units and products. View-only access to projects. |
| Product Owner | Read-only access to dashboards, vulnerabilities, and SBOM. |
| Team Lead | Oversees projects assigned to their team. Product access if the team manages projects under that product. |
| Developer | View-only project access. Can submit but not approve suppression requests (false positive, risk accepted). |
| Pentester | Limited access for importing vulnerabilities. |
These roles have fixed permissions that can't be modified, deleted, or customized in the Core package. To manage roles and permissions, upgrade to Invicti AppSec Enterprise.
Default severity scoring
Invicti AppSec uses the following default severity scores for risk calculations:
| Severity | Default score |
|---|---|
| Critical | 10 |
| High | 9 |
| Medium | 4 |
| Low | 2 |
You can customize these values in your organization settings and reset them to defaults at any time.
Built-in labels
Eight labels are pre-configured to help you categorize your projects:
- Severity plus - Projects requiring enhanced severity handling
- Severity minus - Projects with reduced severity requirements
- Payment - Projects handling payment processing
- Secrets - Projects managing sensitive credentials
- Sensitive data - Projects handling confidential information
- GDPR - Projects subject to GDPR compliance
- Internal - Internal-facing projects
- DB access - Projects with database access
You can create additional custom labels with custom color codes.
Auto-labeling
Invicti AppSec also includes an auto-labeling system that automatically assigns labels to projects based on SBOM analysis. For example, projects using AWS dependencies get an Auto_AWS label, projects using database libraries get an Auto_Database label, and so on. This helps you automatically categorize projects based on their technology stack.
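To show what SBOM-driven auto-labeling means in practice, here is an added example (not Invicti's code and not its actual matching logic). It parses a constructed CycloneDX-style SBOM and assigns the `Auto_AWS` and `Auto_Database` labels named above; the rule table, the ecosystem/name keying, and the sample components are assumptions made for the example.

```python
import json
import re

# Constructed CycloneDX-style SBOM fragment (sample input, not a real project's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "boto3", "version": "1.34.0", "purl": "pkg:pypi/boto3@1.34.0"},
    {"type": "library", "name": "psycopg2-binary", "version": "2.9.9", "purl": "pkg:pypi/psycopg2-binary@2.9.9"},
    {"type": "library", "name": "requests", "version": "2.32.0", "purl": "pkg:pypi/requests@2.32.0"},
    {"type": "library", "name": "@aws-sdk/client-s3", "version": "3.500.0", "purl": "pkg:npm/%40aws-sdk/client-s3@3.500.0"}
  ]
}"""

# Hypothetical rule table: label -> regexes matched against "<ecosystem>/<name>".
# The label names follow the page's examples; the patterns themselves are assumptions.
AUTO_LABEL_RULES = {
    "Auto_AWS": [r"^pypi/boto3$", r"^pypi/botocore$", r"^npm/@aws-sdk/"],
    "Auto_Database": [r"^pypi/psycopg2", r"^pypi/pymysql$", r"^pypi/sqlalchemy$",
                      r"^npm/pg$", r"^npm/mongoose$"],
}


def component_keys(sbom: dict):
    """Yield 'ecosystem/name' keys for every component.

    The purl type supplies the ecosystem so that same-named packages in
    different ecosystems (pypi vs. npm) cannot trigger the wrong rule.
    """
    for comp in sbom.get("components", []):
        name = comp.get("name")
        purl = comp.get("purl", "")
        if not name:
            continue
        m = re.match(r"^pkg:([^/]+)/", purl)
        ecosystem = m.group(1) if m else "unknown"
        yield f"{ecosystem}/{name}".lower()


def auto_labels(sbom_text: str) -> dict:
    """Return {label: [matching component keys]} for every rule that fires."""
    sbom = json.loads(sbom_text)
    keys = list(component_keys(sbom))
    labels = {}
    for label, patterns in AUTO_LABEL_RULES.items():
        matched = sorted(k for k in keys if any(re.search(p, k) for p in patterns))
        if matched:
            labels[label] = matched
    return labels


if __name__ == "__main__":
    for label, comps in auto_labels(SBOM_JSON).items():
        print(f"{label}: {', '.join(comps)}")
```

Keying on `purl` type plus name rather than on the bare name is the detail worth copying: a dependency list contains many short, reused names, and an ecosystem-blind match is how a label like `Auto_Database` ends up on a project that never touches a database.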
Default dashboard and metrics
Your global dashboard is ready to use and displays key metrics including:
- Total projects and their security posture
- Open vulnerabilities with known exploits highlighted
- Overdue vulnerabilities exceeding SLA
- Average risk score calculated from all findings
- WOE (Window of exposure) - average days since vulnerability discovery
- MTTR (Mean Time to Resolution) - average days to fix vulnerabilities
- CI/CD security criteria compliance status
- Issues created in your issue manager
Each project also has its own dashboard with branch comparisons, scanner comparisons, and per-scanner metrics.
Automation and policy framework
The following automation frameworks are ready to use, though you'll need to configure rules specific to your organization:
- Automation rules: Define global default rules that apply to all projects, or create project-level rules. Template rules are available for quick setup.
- SLA rules: Set remediation timeframes per severity level and associate them with labels for different risk profiles. A default SLA rule serves as a fallback for projects with conflicting labels.
- Security criteria: Define pass/fail criteria for CI/CD pipelines at the global or project level. Link criteria to labels for automatic project assignment.
- Alerts: Global default alert rules apply to all projects automatically. Invicti AppSec sends alerts for completed and failed scans by default. You can add project-level rules and configure recipients (team leads, all team members, or custom).
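The dashboard metrics listed earlier (overdue vulnerabilities exceeding SLA, WOE, MTTR) and the SLA rule behaviour described here (per-severity timeframes tied to labels, with a default rule as the fallback for conflicting labels) can be made concrete with one worked example. The code below is an added illustration, not Invicti's implementation: the rule shapes, the specific day counts, the label-to-rule mapping, the decision that WOE is averaged over open findings only, and the two sample projects are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from statistics import mean
from typing import Optional


@dataclass
class SlaRule:
    name: str
    days_by_severity: dict            # remediation window per severity, in days
    labels: frozenset = frozenset()   # labels that select this rule; empty = default rule


@dataclass
class Finding:
    severity: str
    discovered: date
    resolved: Optional[date] = None   # None = still open


@dataclass
class Project:
    name: str
    labels: frozenset
    findings: list = field(default_factory=list)


# Assumed rule set: a default rule plus two label-bound rules with tighter/looser windows.
DEFAULT_SLA = SlaRule("default", {"Critical": 7, "High": 30, "Medium": 90, "Low": 180})
SLA_RULES = [
    SlaRule("payment", {"Critical": 2, "High": 7, "Medium": 30, "Low": 90}, frozenset({"Payment"})),
    SlaRule("internal", {"Critical": 14, "High": 60, "Medium": 180, "Low": 365}, frozenset({"Internal"})),
]


def resolve_sla(project: Project, rules=SLA_RULES, default=DEFAULT_SLA) -> SlaRule:
    """Select the single label-bound rule that matches; if none or more than one
    matches (conflicting labels), fall back to the default rule."""
    matches = [r for r in rules if r.labels & project.labels]
    return matches[0] if len(matches) == 1 else default


def overdue_findings(project: Project, today: date, rule: Optional[SlaRule] = None) -> list:
    """Open findings whose age exceeds the SLA window for their severity."""
    rule = rule or resolve_sla(project)
    return [f for f in project.findings
            if f.resolved is None
            and (today - f.discovered).days > rule.days_by_severity[f.severity]]


def window_of_exposure(project: Project, today: date) -> float:
    """WOE: average days since discovery, taken over open findings (assumption)."""
    ages = [(today - f.discovered).days for f in project.findings if f.resolved is None]
    return float(mean(ages)) if ages else 0.0


def mttr(project: Project) -> float:
    """MTTR: average days from discovery to resolution over resolved findings."""
    durations = [(f.resolved - f.discovered).days for f in project.findings if f.resolved]
    return float(mean(durations)) if durations else 0.0


def dashboard(project: Project, today: date) -> dict:
    rule = resolve_sla(project)
    return {
        "sla_rule": rule.name,
        "overdue": len(overdue_findings(project, today, rule)),
        "woe_days": window_of_exposure(project, today),
        "mttr_days": mttr(project),
    }


# Constructed sample data.
TODAY = date(2024, 6, 30)
CHECKOUT = Project("checkout-service", frozenset({"Payment"}), [
    Finding("Critical", date(2024, 6, 25)),                          # 5 days open, payment SLA is 2 -> overdue
    Finding("High", date(2024, 6, 27)),                              # 3 days open, within the 7-day window
    Finding("Medium", date(2024, 5, 1), resolved=date(2024, 5, 21)),  # fixed in 20 days
])
WIKI = Project("internal-wiki", frozenset({"Payment", "Internal"}), [
    Finding("Critical", date(2024, 6, 25)),  # conflicting labels -> default rule (7 days) -> not overdue
])

if __name__ == "__main__":
    for project in (CHECKOUT, WIKI):
        print(project.name, dashboard(project, TODAY))
```

The `internal-wiki` project is the case to watch when you bind SLA rules to labels: carrying both `Payment` and `Internal` makes two rules match, so the fallback decides and the same five-day-old Critical that is overdue on `checkout-service` is not overdue here. Whether that is the intended outcome is a policy question; the fallback exists so the answer is at least deterministic.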
Organization structure
Your account includes a default organizational structure:
- Business units: Organize products into a custom hierarchy.
- Products: Group related projects together. A project can belong to multiple products.
- Teams: A default team is provided and can't be deleted. You can create additional teams.
- Business criticality: Assign criticality levels (Critical, High, Medium, Low, None) to projects. Invicti AppSec can automatically calculate this based on label risk values, or you can set it manually.
What you'll need to configure
While Invicti AppSec Core comes ready to scan, you'll want to set up the following for your organization:
- Source control integration to connect your repositories. See the integration guides for GitHub, GitLab, Azure DevOps Services, or Bitbucket.
- Projects for each application you want to scan. See Add a new project.
- Issue manager integration if you want to track vulnerabilities in your existing workflow. See Configure issue managers.
- SSO if you want single sign-on for your team. See the integration guides for Azure AD, Okta, or Google SSO.
- Automation rules tailored to your organization's security policies. See Automation rules overview.
- SLA rules to enforce your remediation timelines. See SLA rules.
Need help?
The Invicti Support team is ready to provide you with technical help. Go to the Help Center.