Frequently Asked Questions
Account and Authentication
How do I log in without a password?
BreachSpider uses magic link authentication. Enter your email on the login page, click "Send Login Link", and check your inbox for a one-time link. Click the link to log in. No password is needed. See Magic Link Authentication.
My magic link expired. What do I do?
Links expire after 15 minutes. Return to the login page and request a new one. There is no penalty for expired links and no lockout.
I am not receiving magic link emails. How do I fix this?
Check your spam or junk folder first. If emails are not there, ask your IT team to allowlist [email protected]. Some corporate email gateways delay or block transactional emails from new senders. Wait 2 minutes before requesting another link.
Can I use a password instead of magic links?
No. BreachSpider is magic-link only. This design eliminates password-based attacks, credential reuse, and shared password risks -- all of which are common in OT environments.
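The login flow described above (one-time link, 15-minute expiry, no lockout, wait before requesting another), as an added illustration in Python. This is not BreachSpider's code; the in-memory store, the placeholder host, and the 2-minute resend cooldown are assumptions, and sending the email itself is left out.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

LINK_TTL_SECONDS = 15 * 60        # links expire after 15 minutes, as the FAQ states
RESEND_COOLDOWN_SECONDS = 120     # assumed server-side cooldown matching the "wait 2 minutes" advice

# Hypothetical in-memory store. Only the SHA-256 of each token is kept, so a copy of
# the store cannot be turned into working links.
_pending: Dict[str, Tuple[str, float]] = {}   # token hash -> (email, issued_at)
_last_issued: Dict[str, float] = {}            # email -> time the last link was issued


class TooSoon(Exception):
    """Raised when a new link is requested inside the cooldown window."""


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_link(email: str, now: Optional[float] = None) -> str:
    """Create a single-use login token and return the link to mail out (placeholder host)."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    last = _last_issued.get(email)
    if last is not None and now - last < RESEND_COOLDOWN_SECONDS:
        raise TooSoon(f"link already sent to {email}; try again later")
    token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
    _pending[_hash_token(token)] = (email, now)
    _last_issued[email] = now
    return f"https://app.example.invalid/login?token={token}"


def redeem_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email for a valid, unexpired, unused token; None otherwise.

    The entry is removed on every attempt, so a link works exactly once: a second
    click, or a click after the 15-minute window, sends the user back to request
    a new link. There is no failed-attempt counter and therefore no lockout.
    """
    now = time.time() if now is None else now
    entry = _pending.pop(_hash_token(token), None)
    if entry is None:
        return None                               # unknown or already used
    email, issued_at = entry
    if now - issued_at > LINK_TTL_SECONDS:
        return None                               # expired: request a new one
    return email
```

Storing only a hash of the token is what keeps a leaked database from being usable as a set of ready-made logins; the token itself exists only in the email and in the URL the user clicks.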
How do I invite team members?
Navigate to Account > Team > Invite Member. Enter their email and select a role (Admin or Member). They receive a magic link to join. Available on Standard tier and above.
What is the difference between Admin and Member roles?
Admins have full access: environments, settings, integrations, billing, and team management. Members can access environments, findings, tickets, and reports but cannot modify billing, integrations, or team membership.
Environments and Assets
What is an environment?
An environment represents one physical or logical site: a water treatment plant, a substation, a manufacturing floor. It is the primary organizational unit in BreachSpider. All assets, findings, tickets, and reports belong to an environment. See What is an Environment.
How many environments can I create?
Free tier: none. Standard: 5. Professional, API, and Enterprise: unlimited.
Does BreachSpider scan my network?
No. BreachSpider does not scan, probe, or generate traffic on your network. You tell the platform what devices you operate (vendor, product, version), and the matching engine finds CVEs that affect those devices. This is an intelligence-based model, not a scanning model.
What information do I need to add an asset?
At minimum: a name, vendor, and product. Version is strongly recommended because it enables precise version-range matching. Without a version, matching is vendor-and-product-wide, which produces more findings but with lower precision. See Adding Assets Manually.
My vendor name is not matching. What should I use?
Use the canonical vendor name from the BreachSpider catalog. Common issues: "Rockwell" should be "Rockwell Automation". "Schneider" should be "Schneider Electric". "Allen-Bradley" should be "Rockwell Automation". Query the catalog at /api/v1/catalog/vendors for the correct names.
How long does it take for findings to appear after adding assets?
Findings begin appearing within a few minutes of asset creation. Large CSV imports with 50+ assets may take several minutes to fully process.
Can I delete an environment?
Yes, but deletion is permanent. All assets, findings, tickets, and sites within the environment are permanently removed. Export your audit log and reports before deleting. The deletion is logged in the audit trail.
CVE Intelligence
What is BCS and how is it different from CVSS?
CVSS measures severity -- how bad a vulnerability is. BCS (BreachSpider Confidence Score) measures urgency -- how soon you should act. BCS combines CVSS with EPSS (exploitation probability), KEV status (confirmed exploitation), exploit availability, and ICS relevance. A CVSS 7.5 with a confirmed exploit may have a higher BCS than a CVSS 9.8 with no known exploitation. See Understanding BCS.
What is EPSS?
EPSS (Exploit Prediction Scoring System) is a daily probability score from FIRST.org predicting the likelihood a CVE will be exploited in the next 30 days. It ranges from 0.0 (unlikely) to 1.0 (highly likely). BreachSpider updates EPSS data within 24 hours of publication. See Understanding EPSS.
What does the KEV badge mean?
KEV (Known Exploited Vulnerabilities) is a catalog of CVEs confirmed to be actively exploited in the wild. A KEV badge means this vulnerability is not theoretical -- attackers are using it right now. BreachSpider ingests KEV updates every 15 minutes. See The KEV Catalog.
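The BCS, EPSS and KEV answers above describe urgency as severity combined with exploitation evidence. The following added Python example shows that idea with an illustrative weighting of my own; it is not BreachSpider's BCS formula, and the point values, the 0-100 scale and the sample CVE records (placeholder IDs) are all assumptions. It reproduces the FAQ's case where a CVSS 7.5 with a confirmed exploit outranks a CVSS 9.8 with no known exploitation.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class CveIntel:
    cve_id: str
    cvss: float           # base severity, 0.0-10.0
    epss: float           # 30-day exploitation probability, 0.0-1.0
    kev: bool             # listed in the Known Exploited Vulnerabilities catalog
    exploit_public: bool  # working exploit code is publicly available
    ics_relevant: bool    # affects industrial control system products


def urgency_score(c: CveIntel) -> float:
    """Illustrative urgency on a 0-100 scale (assumed weights, not BreachSpider's BCS).

    Severity carries only half the weight; the rest comes from evidence that the
    vulnerability is actually being, or is likely to be, exploited.
    """
    score = c.cvss * 5.0             # severity: up to 50 points
    score += c.epss * 25.0           # predicted exploitation: up to 25 points
    if c.kev:
        score += 15.0                # confirmed in-the-wild exploitation
    if c.exploit_public:
        score += 5.0                 # exploit availability
    if c.ics_relevant:
        score += 5.0                 # ICS relevance
    return round(min(score, 100.0), 1)


def prioritise(cves: List[CveIntel]) -> List[str]:
    """CVE IDs ordered most urgent first, the way a BCS-sorted view is ordered."""
    return [c.cve_id for c in sorted(cves, key=urgency_score, reverse=True)]


# Constructed sample: the FAQ's CVSS 7.5-with-exploit versus CVSS 9.8-without case.
SAMPLE = [
    CveIntel("CVE-0000-0101", cvss=9.8, epss=0.02, kev=False, exploit_public=False, ics_relevant=True),
    CveIntel("CVE-0000-0102", cvss=7.5, epss=0.60, kev=True, exploit_public=True, ics_relevant=True),
    CveIntel("CVE-0000-0103", cvss=5.3, epss=0.04, kev=False, exploit_public=False, ics_relevant=False),
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(c.cve_id, urgency_score(c))
    print(prioritise(SAMPLE))
```

With these weights the KEV-listed CVSS 7.5 scores 77.5 while the unexploited CVSS 9.8 scores 54.5, which is the ordering the FAQ describes: a severity-only sort would have put them the other way round.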
How many CVEs does BreachSpider track?
354,000+ enriched CVEs as of June 2026, with 1,613+ KEV entries. New CVEs are ingested within 24 hours of NVD publication. KEV updates are ingested within 15 minutes.
What is SAGE?
SAGE (Sovereign AI Governance Engine) is BreachSpider's ICS/OT-specific AI reasoning engine. It provides vulnerability analysis tailored to control system operators -- not generic IT advice. SAGE understands PLC patching constraints, NERC CIP requirements, industrial protocols, and OT-specific compensating controls. See SAGE Analysis.
Findings and Triage
What does "match confidence HIGH" mean?
HIGH confidence means your asset's version falls within the confirmed affected version range for the CVE. The match is precise and reliable. MEDIUM means the product matches but the version is unspecified or broad. LOW means only the vendor matched. See Working Through Findings.
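The three answers on asset data, canonical vendor names and match confidence describe one matching pipeline: normalize the vendor, compare the product, then check the version against the affected range. The added Python example below puts those rules together; it is my illustration, not BreachSpider's matching engine. The alias table is built only from the names the FAQ gives (a real deployment would load it from /api/v1/catalog/vendors), the CVE records and product names are constructed with placeholder IDs, and the version-range semantics (inclusive start, exclusive end) are an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Alias table from the canonical names given in the FAQ (hypothetical; in practice it
# would be populated from the /api/v1/catalog/vendors endpoint).
VENDOR_ALIASES = {
    "rockwell": "Rockwell Automation",
    "rockwell automation": "Rockwell Automation",
    "allen-bradley": "Rockwell Automation",
    "schneider": "Schneider Electric",
    "schneider electric": "Schneider Electric",
}


def canonical_vendor(name: str) -> Optional[str]:
    """Map a user-entered vendor string to its catalog name, or None if unknown."""
    return VENDOR_ALIASES.get(name.strip().lower())


def _version_tuple(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> fixed-width tuple so "20.11" and "20.11.0" compare equal."""
    parts = [int("".join(ch for ch in p if ch.isdigit()) or 0) for p in v.split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


@dataclass
class Asset:
    name: str
    vendor: str
    product: str
    version: Optional[str] = None


@dataclass
class CveRecord:
    cve_id: str
    vendor: str                          # canonical catalog name
    product: str
    version_start: Optional[str] = None  # inclusive lower bound, None = unbounded
    version_end: Optional[str] = None    # exclusive upper bound, None = unbounded


def match_confidence(asset: Asset, cve: CveRecord) -> Optional[str]:
    """Return HIGH, MEDIUM or LOW, or None when the record does not apply at all."""
    if canonical_vendor(asset.vendor) != cve.vendor:
        return None                                   # vendor did not match
    if asset.product.strip().lower() != cve.product.lower():
        return "LOW"                                  # only the vendor matched
    if asset.version is None or (cve.version_start is None and cve.version_end is None):
        return "MEDIUM"                               # product-wide: version unspecified or broad
    v = _version_tuple(asset.version)
    if cve.version_start is not None and v < _version_tuple(cve.version_start):
        return None                                   # below the affected range
    if cve.version_end is not None and v >= _version_tuple(cve.version_end):
        return None                                   # at or above the fixed version
    return "HIGH"                                     # inside the confirmed affected range


def match_asset(asset: Asset, catalog: List[CveRecord]) -> Dict[str, str]:
    """Findings for one asset as {cve_id: confidence}, HIGH first."""
    hits: Dict[str, str] = {}
    for cve in catalog:
        conf = match_confidence(asset, cve)
        if conf is not None:
            hits[cve.cve_id] = conf
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return dict(sorted(hits.items(), key=lambda kv: order[kv[1]]))


# Constructed sample catalog with placeholder CVE IDs and product names.
SAMPLE_CVES = [
    CveRecord("CVE-0000-0001", "Rockwell Automation", "ExamplePLC", "20.0", "21.0"),
    CveRecord("CVE-0000-0002", "Rockwell Automation", "ExamplePLC"),
    CveRecord("CVE-0000-0003", "Rockwell Automation", "ExampleHMI", "1.0", "2.0"),
    CveRecord("CVE-0000-0004", "Schneider Electric", "ExamplePLC"),
]
```

Note what happens when the version is left off: the record with a precise affected range drops from HIGH to MEDIUM, which is the "more findings, lower precision" trade-off the FAQ describes, and a version just past the fixed release produces no finding at all.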
What is the difference between Acknowledge and Dismiss?
Acknowledge creates a full audit trail with a reason and notes. Use it for almost everything. Dismiss removes a finding from your view without the detailed documentation. Use dismiss only for confirmed false matches you want removed. For compliance, acknowledge is always preferred. See Acknowledging a Finding.
What acknowledgment reasons are available?
Five reasons: not_applicable (CVE does not affect your configuration), compensating_control (you mitigated without patching), accepted_risk (you accept the risk), false_match (the match is incorrect), and escalated (referred to a vendor or team).
Does acknowledging a finding fix the vulnerability?
No. Acknowledging documents your evaluated position on the finding. It means you reviewed it and made a decision. To fix the vulnerability, apply the vendor patch and close the associated ticket. Acknowledgment and remediation are separate actions in the audit trail.
What is the Strike List?
The Strike List is a prioritized view of your top findings, sorted by BCS. It shows you what to fix first across all environments. The top items are your highest-urgency vulnerabilities. Check it daily. See The Strike List.
Tickets and Integrations
Does BreachSpider replace Jira or ServiceNow?
No. BreachSpider creates tickets in Jira or ServiceNow. It is a bridge between vulnerability intelligence and your existing remediation workflow. BreachSpider tracks the vulnerability side; your ticketing system tracks the work side.
How do auto-ticket rules work?
You define conditions (e.g., "when a KEV entry matches my assets") and a destination (e.g., Jira project OT-SEC). When the condition is met, a ticket is created automatically. See Auto-Ticket Rules.
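The rule model above (a condition plus a destination, evaluated as findings arrive) is shown in the added Python example below. It is not BreachSpider's rule engine: the rule and finding shapes, the duplicate-suppression key, the BCS threshold rule and the email destination are assumptions, and the sample findings are constructed with placeholder IDs. The one behaviour worth copying is idempotence: re-running the rules over the same findings must not open a second ticket for the same finding in the same destination.

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass
class Finding:
    finding_id: str
    environment: str
    asset: str
    cve_id: str
    kev: bool
    bcs: float


@dataclass
class Rule:
    name: str
    condition: Callable[[Finding], bool]
    destination: str          # e.g. "jira:OT-SEC" or "email:<address>"


@dataclass
class Ticket:
    destination: str
    finding_id: str
    summary: str


def apply_rules(findings: List[Finding], rules: List[Rule],
                already_open: Set[Tuple[str, str]]) -> List[Ticket]:
    """Evaluate every rule against every finding and return the tickets to create.

    `already_open` holds (destination, finding_id) pairs for tickets that already
    exist, so the same finding never opens a second ticket in the same destination
    when the rules run again.
    """
    created: List[Ticket] = []
    for f in findings:
        for r in rules:
            if not r.condition(f):
                continue
            key = (r.destination, f.finding_id)
            if key in already_open:
                continue
            already_open.add(key)
            created.append(Ticket(r.destination, f.finding_id,
                                  f"[{r.name}] {f.cve_id} on {f.asset} in {f.environment}"))
    return created


# Rules modelled on the FAQ's example; the BCS threshold and email destination are assumed.
RULES = [
    Rule("KEV match", lambda f: f.kev, "jira:OT-SEC"),
    Rule("Critical urgency", lambda f: f.bcs >= 80.0, "email:oncall@example.invalid"),
]

# Constructed sample findings.
SAMPLE_FINDINGS = [
    Finding("f-1", "Plant A", "PLC-01", "CVE-0000-0001", kev=True, bcs=92.0),
    Finding("f-2", "Plant A", "HMI-01", "CVE-0000-0002", kev=False, bcs=55.0),
    Finding("f-3", "Substation B", "RTU-07", "CVE-0000-0003", kev=False, bcs=84.0),
]

if __name__ == "__main__":
    opened: Set[Tuple[str, str]] = set()
    for t in apply_rules(SAMPLE_FINDINGS, RULES, opened):
        print(t.destination, t.summary)
```

A finding that satisfies two rules (here the KEV-listed, high-BCS f-1) gets one ticket per destination, which is usually what you want: the Jira ticket tracks the remediation work while the email goes to whoever is on call.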
Can I send alerts to PagerDuty?
Yes, via email integration. PagerDuty supports email-based incident creation. Configure a BreachSpider email alert rule with your PagerDuty email address as the destination.
Which integrations are available?
Email (all tiers), Microsoft Teams (Standard+), Slack (Standard+), custom webhooks (Standard+), Jira (Professional+), and ServiceNow (Professional+).
Reports and Compliance
What report types are available?
Executive Summary (for management), Environment Risk Report (for technical teams), NERC CIP Evidence Package (for CIP audits), IEC 62443 Report (for IEC compliance), and Compliance Audit Export (audit log export).
Is BreachSpider NERC CIP compliant?
BreachSpider generates evidence that supports your NERC CIP compliance program. It documents patch identification (CIP-007 R2.1), patch assessment (R2.2), and remediation tracking (R2.3). It does not replace a qualified compliance officer or a registered entity compliance program. See NERC CIP Control Mapping.
How long are reports retained?
Professional and API tiers: 90 days. Enterprise: 1 year. Download and archive important reports before they expire.
How long is the audit log retained?
Standard: 30 days (in-app only). Professional: 90 days (with CSV export). Enterprise: 1 year (with CSV, PDF, and API access).
Billing and Plans
Is there a free trial?
The free tier is available permanently with no credit card required. It includes 50 CVE searches/day and 5 SAGE queries/month. Upgrade when you need environments, assets, and findings.
Can I downgrade my plan?
Yes. Downgrades take effect at the end of your current billing period. If you downgrade from Professional to Standard, environments beyond the 5-environment Standard limit become read-only.
How do I cancel?
Navigate to Account > Plan and Billing > Cancel Subscription. Cancellation takes effect at the end of the current billing period. No cancellation fees.
Security and Privacy
What data does BreachSpider collect?
Email address, organization name, your name, role, and timezone. Asset data you add (vendor, product, version -- no network traffic or device telemetry). Payment information is collected by Stripe when you upgrade. See the Privacy Policy.
Are my assets and findings visible to other organizations?
No. Each organization's data is isolated. Your assets, findings, environments, and audit log are visible only to your organization's members. MSSP client data is isolated per client.
Where is BreachSpider hosted?
The platform runs on a VPS at 15.204.242.67 with a PostgreSQL database. Traffic is served through Cloudflare.
Is the audit log tamper-proof?
The audit log is read-only. No user, including administrators, can edit or delete log entries. This immutability ensures the log is a reliable evidence record.