Package: Invicti AppSec Core (on-demand)
Organizational hierarchy
Invicti AppSec Core organizes your security work in a four-level hierarchy: collections contain products, and each product contains targets, projects, and APIs. This document explains what each level represents and how they relate to each other.
Why this matters
When your hierarchy reflects how your organization is built - by business unit, team, or application portfolio - scan results, vulnerabilities, and risk scores flow to the right level and the right people. Getting this structure right early saves reorganization later.
Hierarchy overview
- Collection - top-level grouping, found under Inventory in the left-side menu
- Product - groups all assets belonging to a single application
- Target - a live web application or API endpoint for DAST scanning
- Project - a source code repository for SAST, SCA, IaC, and secrets scanning
- APIs - endpoints tracked in your API catalog
- Product - groups all assets belonging to a single application
Collections
A collection is the top-level grouping in Invicti AppSec Core. Use collections to group products that belong together - for example, by business unit, team, or product line. To view your collections, select Inventory from the left-side menu.
Products
A product groups all the assets - targets, projects, and APIs - that make up a single application. Scan results, vulnerabilities, and risk data for those assets roll up to the product level, giving you a single view of the application's security posture.
If you're coming from Invicti Platform, a product in Invicti AppSec Core is the equivalent of an application in Invicti Platform.
For more information, refer to the Products overview document.
Targets, projects, and APIs
These are the three asset types that live inside a product. Each type supports different scanner types and represents a different part of your application.
Targets
A target represents a live web application or API endpoint registered for DAST (Dynamic Application Security Testing) scanning. Each target maps to a URL. For more information, refer to the Targets overview document.
Projects
A project represents a source code repository. Projects support SAST, SCA, IaC, and secrets scanning, as well as DAST.
APIs
APIs are the endpoints tracked in your API catalog. They're discovered through API sources such as API gateways, the Network Traffic Analyzer, or source code analysis. For more information, refer to the Configure a new API source document.
Troubleshooting
I can't find Collections in the left-side menu
Collections are listed under Inventory in the left-side menu. If you don't see Inventory, your account may not have the permissions required to view it. Contact your Invicti AppSec administrator to verify your role and access level.
My product isn't grouped under a collection
A product can exist without being assigned to a collection. To assign it, open the product and edit its settings to select a collection. If no collections exist yet, you need to create one first under Inventory.
Targets, projects, or APIs aren't showing under a product
Asset types only appear under a product once they've been created and linked to it. If a product shows no targets, projects, or APIs, add the relevant assets and associate them with the product. For targets, refer to the Targets overview document. For APIs, refer to the Configure a new API source document.
Need help?
Invicti Support team is ready to provide you with technical help. Go to Help Center