AppSec and SDLC, on the same continuous platform
AppSec Insights extends the continuous operating model from external attack surface to internal applications. It combines application inventory, owner-driven assessment campaigns, threat modelling using STRIDE, a unified risk register, and SDLC integration that connects security activity to delivery pipelines.
The module is currently in private beta. General availability is scheduled for the second half of 2026. Existing customers and security teams running AppSec programmes can request beta access below.
Six surfaces, one operating model
Each surface is a distinct screen and workflow in the platform. They share the application inventory as their common reference: assessments, threat models, and risks all attach back to the application they belong to.
Application Inventory
A catalogue of internal applications with owner, environment, criticality, score, findings, and assessment metadata. The foundation: once an application is onboarded, every other AppSec workflow attaches to it.
Assessment Campaigns
Campaign manager for application security questionnaires and owner-driven attestations. Counters track total, in progress, completed, overdue, and rejected. Bulk reminders and recurring campaigns are supported.
Questionnaire Library
Template library for AppSec questionnaires by standard and application type. Filters cover web, API, mobile, internal, desktop, and attestation use. Default templates cover the common standards out of the box.
Risk Register
Application risk register for findings sourced from questionnaires, pentest results, active vulnerability assessment, scanner output, manual review, and threat models. Severity counters split critical, high, medium, low, and pentest-originated findings. Push-to-Jira and CSV export are supported.
Threat Modelling
Threat modelling workbench using STRIDE-style categorisation: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. Identifies design threats before they become production findings.
SDLC Integration
Pipeline security integration matrix across plan, code, build, test, release, deploy, operate, and monitor. Gates can be automated, manual, or missing. Connects security activity to delivery stages your engineering team already uses.
The same continuous model, applied to internal applications
ScruteX exists because security teams should not run a separate tool for every category of risk. AppSec is the most obvious extension. The same data model that scores external attack surface posture, third-party vendors, and brand exposure also tracks the security state of internal applications. The same prioritisation engine that ranks CVEs by exploitability also ranks application findings.
For AppSec leads and DevSecOps engineers, the value is consolidation. You stop running an inventory tool, a questionnaire tool, a threat modelling tool, and a separate risk register that nobody trusts. The module connects to your existing CI/CD pipelines through the SDLC Integration matrix, so security gates are visible where the rest of the engineering team already works.
For CISOs, the value is portfolio visibility. Application risk lands in the same dashboards as external attack surface posture and third-party risk. Reporting to the board no longer requires three separate exports stitched together by hand.
Request beta access
Beta access is currently limited to customers running AppSec programmes with at least three internal applications onboarded. Tell us about your programme, and we will be in touch within two business days.