Deployment: Invicti Platform on-premises
Installation
This document explains how to deploy Invicti Platform on-premises using Helm.
Before starting the installation, review the following documents to ensure your environment meets all requirements and that you have access to your Invicti license credentials:
Step 1: Registry authentication
Authenticate to the registry with the following command:
helm registry login platform-registry.invicti.com --username <your email address>
- Replace <your email address> with your Invicti account email.
- When prompted for a password, enter your valid Invicti Platform license key.
Invicti Platform is deployed using Helm, with charts distributed through the private registry at platform-registry.invicti.com. Access to this registry requires authentication.
The platform-registry.invicti.com registry follows the OCI standard and does not include a traditional Helm chart index. Charts must be pulled directly using OCI URLs.
Step 2: Prepare your values.yaml configuration
Don't run any commands at this stage. This section focuses only on preparing your values.yaml file. Read through all configuration options in this section before creating your file.
After reviewing all sections, create your own values.yaml file and replace the placeholder values with your actual configuration. These configuration examples are provided at the end of this section:
The values.yaml file contains all the settings needed to deploy Invicti Platform. You'll create this file from scratch using the guidance in this section.
Mandatory settings
Every deployment requires these three settings:
- email_address - your Invicti Platform email.
- license_key - your valid Invicti Platform license key.
- web_application_host - domain name for the platform. For example invicti.example.com. Don't include the https:// protocol - use only the domain name.
global:
  email_address: your-email@example.com
  license_key: your-license-key-here
  app:
    web_application_host: invicti.example.com # Your platform domain (no https://)
Email notifications (SMTP) settings
Invicti Platform can send email notifications such as DAST scan updates, user invitations, password resets, and other alerts. The platform functions without SMTP, but email-based features are unavailable. Configuring SMTP is strongly recommended in production environments.
Without SMTP configuration, features that rely on email, such as scan alerts, user invitations, and password resets, won't function. For example, you won't be able to use the "Forgot password" feature upon logging in.
To configure SMTP, include these settings under global in your values.yaml:
  smtp:
    engine: "smtp"
    host: "smtp.example.com" # SMTP server hostname
    port: 25 # SMTP server port
    mail: "noreply@example.com" # Sender email address
    displayname: "Invicti Security" # Display name for outgoing email
    username: "smtp-username" # SMTP authentication username
    password: "smtp-password" # SMTP authentication password
    security: "ssl" # Use "ssl" or "non-ssl"
Field descriptions:
- global.smtp.engine - email engine: smtp or aws_ses
- global.smtp.host and global.smtp.port - SMTP server hostname and port
- global.smtp.mail - Sender email address used in the "From" field
- global.smtp.displayname - Display name for outgoing email
- global.smtp.username and global.smtp.password - SMTP authentication credentials
- global.smtp.security - Connection type (ssl or non-ssl)
For AWS SES: set engine: aws_ses. You can omit host and port, but the cluster must include IAM roles that allow email sending.
To skip email notifications: simply omit the entire smtp section from your values.yaml.
TLS connection settings
The platform is served over HTTPS and TLS is enabled by default with NGINX. You have three options for TLS certificates:
Option 1: Using command-line flags
Recommended for sensitive data.
Provide your certificate files using Helm's --set-file flags when running the install or upgrade command:
--set-file global.app.ssl.fullchain=/path/to/cert.pem \
--set-file global.app.ssl.privkey=/path/to/key.pem
You can update the certificate later via a Helm upgrade using the same flags.
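Before passing the files to --set-file, you can confirm that the private key belongs to the certificate, that the certificate has not expired, and that it is valid for your web_application_host. This is an added example, not part of the Invicti documentation; the function names check_tls_pair and demo are assumptions, and it requires the openssl command-line tool.

```sh
#!/bin/sh
# Added example: verify the files given to --set-file before install or upgrade.
# Usage: check_tls_pair <fullchain.pem> <privkey.pem> <web_application_host>
check_tls_pair() {
  chain=$1 key=$2 host=$3
  # The leaf certificate (first block in fullchain) must carry the key's public half.
  cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null) ||
    { echo "cannot read certificate: $chain"; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "cannot read private key: $key"; return 1; }
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "certificate and private key do not match"; return 1; }
  # The certificate must not be expired.
  openssl x509 -in "$chain" -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "certificate has expired"; return 1; }
  # The certificate must be valid for the name set in web_application_host.
  openssl x509 -in "$chain" -noout -checkhost "$host" 2>/dev/null |
    grep -q 'does match' ||
    { echo "certificate is not valid for $host"; return 1; }
  echo "ok"
}

# Demo on a throwaway self-signed pair generated locally (constructed sample).
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=invicti.example.com" \
    -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
  check_tls_pair "$d/cert.pem" "$d/key.pem" invicti.example.com
  check_tls_pair "$d/cert.pem" "$d/key.pem" other.example.com
  rm -rf "$d"
}

if [ "$#" -eq 3 ]; then check_tls_pair "$@"; else demo; fi
```

Run it with the same paths you intend to pass to --set-file global.app.ssl.fullchain and --set-file global.app.ssl.privkey.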
Option 2: Embedding in values.yaml
Alternatively, you can embed the certificate and private key directly in your values.yaml file by adding this SSL block under global.app:
    ssl:
      fullchain: |
        -----BEGIN CERTIFICATE-----
        <YOUR-CERTIFICATE-CONTENT>
        -----END CERTIFICATE-----
      privkey: |
        -----BEGIN PRIVATE KEY-----
        <YOUR-PRIVATE-KEY-CONTENT>
        -----END PRIVATE KEY-----
- Use | to create a literal block so the certificates are preserved exactly.
- Indentation matters: the certificate lines must be indented 8 spaces (aligned under fullchain:).
- Include the full PEM blocks with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers, and the same for the private key.
Option 3: Use auto-generated self-signed certificate
Not recommended for production.
If you don't provide a certificate using Option 1 or Option 2, the platform automatically generates a self-signed certificate.
Self-signed certificates cause browser security warnings. This option is suitable for testing but should be replaced with a valid certificate for production use. You can replace it later using Option 1 or Option 2. If you choose not to use HTTPS, some features in the platform may not function correctly. HTTPS is required for complete platform capability.
If you use both Option 1 and Option 2, the --set-file flags (Option 1) take precedence and override any certificate specified in values.yaml.
Create your values.yaml file and examples
Now that you understand all the configuration options, create your values.yaml file with your actual settings.
If you want to review the technical details of the chart, you can extract and inspect it locally before installation.
Minimal configuration
This is an example of the minimal configuration with the mandatory settings only.
global:
  email_address: your-email@example.com
  license_key: your-license-key-here
  app:
    web_application_host: invicti.example.com # Your platform domain (no https://)
Minimal and SMTP configuration
This example includes the SMTP configuration.
global:
  email_address: your-email@example.com
  license_key: your-license-key-here
  app:
    web_application_host: invicti.example.com # Your platform domain (no https://)
  smtp:
    engine: "smtp"
    host: "smtp.example.com"
    port: 25
    mail: "noreply@example.com"
    displayname: "Invicti Security"
    username: "smtp-username"
    password: "smtp-password"
    security: "ssl"
Full configuration
This example includes SMTP and embedded TLS certificate.
global:
  email_address: your-email@example.com
  license_key: your-license-key-here
  app:
    web_application_host: invicti.example.com # Your platform domain (no https://)
    ssl:
      fullchain: |
        -----BEGIN CERTIFICATE-----
        <YOUR-CERTIFICATE-CONTENT>
        -----END CERTIFICATE-----
      privkey: |
        -----BEGIN PRIVATE KEY-----
        <YOUR-PRIVATE-KEY-CONTENT>
        -----END PRIVATE KEY-----
  smtp:
    engine: "smtp"
    host: "smtp.example.com"
    port: 25
    mail: "noreply@example.com"
    displayname: "Invicti Security"
    username: "smtp-username"
    password: "smtp-password"
    security: "ssl"
Inspect Invicti Helm chart (optional)
If you want to review the technical details of the chart, you can extract and inspect an Invicti prepared chart locally.
First, download the chart using this command:
helm pull oci://platform-registry.invicti.com/invicti-platform-helm-charts/onpremises
Once an archive file like onpremises-NN.NNN.NNNNNNNNNN.tgz is downloaded, extract it using this command:
tar xf onpremises-*.tgz
Keep your values.yaml file in a secure location as it contains sensitive credentials including your license key and potentially SMTP passwords.
After making any changes to your values.yaml file, you must apply them by running the helm upgrade command. This applies to all configuration updates, including changes to web_application_host, SMTP settings, or TLS certificates.
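A pre-flight review of values.yaml before running the install, as an added example (not Invicti tooling). It matches text against the layout shown in this section rather than parsing YAML; the function names check_values and demo and the finding labels are assumptions.

```sh
#!/bin/sh
# Added example: text-based pre-flight review of values.yaml (not a YAML parser).
# Prints one finding per line for file $1 and nothing when the file looks clean.
check_values() {
  f=$1
  # The file holds the license key and SMTP password: no group/other access.
  [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
    echo "PERMS: group/other can access $f; run chmod 600"
  # The three mandatory settings must be present with a value.
  for key in email_address license_key web_application_host; do
    grep -Eq "^[[:space:]]*$key:[[:space:]]*[^[:space:]#]" "$f" ||
      echo "MISSING: $key"
  done
  # web_application_host is a bare domain name: no scheme, path or port.
  host=$(sed -n 's/^[[:space:]]*web_application_host:[[:space:]]*//p' "$f" |
    sed 's/[[:space:]]*#.*$//; s/^["'\'']//; s/["'\'']$//')
  case $host in
    */*|*:*) echo "HOST: '$host' must be a domain name only" ;;
  esac
  # Placeholder values copied from the documentation examples.
  if grep -Eq 'your-license-key-here|smtp-password|<YOUR-' "$f"; then
    echo "PLACEHOLDER: example values are still present"
  fi
  # Embedded private key: Option 1 (--set-file) keeps it out of this file.
  if grep -q -e '-----BEGIN PRIVATE KEY-----' "$f"; then
    echo "PRIVKEY: key is embedded; prefer --set-file global.app.ssl.privkey"
  fi
  # SMTP password present while the connection type is non-ssl.
  if grep -Eq '^[[:space:]]*password:' "$f" &&
     grep -Eq '^[[:space:]]*security:[[:space:]]*"?non-ssl' "$f"; then
    echo "SMTP: password configured with security: non-ssl"
  fi
}

# Constructed sample (not a real deployment) that triggers three findings.
demo() {
  tmp=$(mktemp) && chmod 644 "$tmp"
  cat > "$tmp" <<'EOF'
global:
  email_address: your-email@example.com
  license_key: your-license-key-here
  app:
    web_application_host: https://invicti.example.com
EOF
  check_values "$tmp"
  rm -f "$tmp"
}

if [ "$#" -gt 0 ]; then check_values "$1"; else demo; fi
```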
Step 3: Install the Helm chart
Now it's time to install the Helm chart you customized in the previous section.
When you don't specify a version, Helm installs the latest available chart. To install a specific version, add --version 25.xxx.xxxxxxxxxxxx to the command.
To install the chart, run:
helm install invicti-platform oci://platform-registry.invicti.com/invicti-platform-helm-charts/onpremises \
--namespace invicti \
--create-namespace \
--values ./values.yaml \
--wait \
--timeout 30m
- Release name: invicti-platform
- Namespace: invicti (created automatically if missing)
- Configuration: values.yaml provides the deployment settings
Add --debug for more detailed output. This can help troubleshoot installation issues.
After the installation completes, continue with the post-installation steps to finalize your setup.