Core Concepts

This page covers the key entities in Vulnsy and how they relate to each other. Understanding this data model will help you navigate the platform efficiently.

Organizations

Every Vulnsy account belongs to an organization. Organizations are multi-tenant workspaces — each one has its own clients, projects, findings, templates, and team members. Data is fully isolated between organizations.

If you work with multiple companies or teams, you can be a member of more than one organization and switch between them.

Clients

A client represents a company or entity you are performing security testing for. Clients sit at the top of your engagement hierarchy. Each client can have multiple projects under it, giving you a historical record of all testing performed for that organization.

Projects

A project is an individual pentest engagement. Projects belong to a client and define the scope and timeline of the work.

Each project includes:

• Start and end dates — the engagement window.
• Project type — categorizes the engagement. Supported types:

Findings

A finding is a single vulnerability or observation discovered during testing. Findings are the core unit of work in Vulnsy.

Each finding includes:

Findings can be created from scratch within a project, or pulled from your finding library — a reusable collection of common vulnerabilities that you maintain across engagements.

Reports

A report is the deliverable you send to the client. In Vulnsy, reports are composed of one or more tabs.

Report Tabs

Each tab represents a distinct section of the report — for example, "Web Application" and "Infrastructure" in a combined engagement. Each tab has:

• Its own set of assigned findings.
• Narrative sections — executive summary, scope, methodology, and other written content specific to that test area.

This structure lets you build a single report that covers multiple testing areas while keeping the content organized.

Export Tag Prefix

Each report tab has an export tag prefix (e.g., web, infra). This prefix scopes the template tags during export so that data from different tabs maps to the correct placeholders in your Word template.

For example, a tab with prefix web would populate tags like {{web.findings_table}}, while a tab with prefix infra populates {{infra.findings_table}}. This is what makes multi-tab exports work — each tab's data stays in its own lane.

Templates

Templates are Word documents (.docx) that define the layout and formatting of your exported reports. They contain placeholder tags that Vulnsy replaces with actual report data during export.

You can:

• Use Vulnsy's default templates to get started immediately.
• Upload custom templates with your own branding, formatting, and tag placement.
• Maintain multiple templates for different report types or client requirements.

For full details on building templates and the available tag syntax, see the Template Tag Reference.

How It All Fits Together

Organization
  └── Client
        └── Project (type, dates)
              ├── Findings (severity, description, impact, remediation, evidence)
              └── Report
                    ├── Tab 1 (prefix: "web")
                    │     ├── Assigned Findings
                    │     └── Narrative Sections
                    ├── Tab 2 (prefix: "infra")
                    │     ├── Assigned Findings
                    │     └── Narrative Sections
                    └── Export → Template (.docx) → Final Report

This hierarchy is the backbone of Vulnsy. Once you understand how these pieces connect, the rest of the platform is straightforward.