Code Hunter Team · Evidence-led ASPM

Close the loop from product baseline to release decision.

Team embeds AI review into the engineering workflow: baseline a business service, ingest scanner evidence, analyze requirement and code-change impact, govern dependency risk, and turn every decision into tasks, CI evidence, accepted risk, or release gates.


Team workspace

A complete ASPM workspace for one product team or business line.

Team is where security, AppSec, R&D leads, project owners, and remediation owners work from the same product baseline. It is not a narrower edition of Enterprise; Enterprise Portal adds a control plane for creating and governing multiple Team workspaces.

01 Posture baseline

Know what version, source scope, open risk, and report evidence the team is operating from.

02 Evidence fusion

Combine AI review, external SAST/SARIF, requirement sources, code changes, and SCA into one workflow.

03 Accountable work

Convert reviewed security impact into owners, tasks, acceptance criteria, verification, and accepted risk.

04 Release decision

Use policy state, CI evidence, open risk, and closure records to support pass, pass-with-risk, or block decisions.

Product baseline

Establish the product security baseline before the iteration starts.

Team keeps source scope, ownership, open findings, run history, and report evidence attached to a versioned product boundary, so every later change is measured against a defensible baseline.

  • Versioned project, service, or business-line workspace
  • AI-reviewed baseline findings and report snapshots
  • Run history for release comparison and audit review
  • Fresh baseline promotion after verified closure

Baseline turns the product into a measurable security surface.

External evidence fusion

Bring external SAST and SARIF into the same governance lane.

Scanner output becomes governed evidence instead of a detached spreadsheet. Team normalizes imported findings, preserves source traceability, and routes reviewed risk into the same owner and remediation flow.

  • SAST, SARIF, and external report intake
  • Normalized findings with source traceability
  • AI-assisted review before owner handoff
  • Repeatable import without breaking baseline continuity

External tools become inputs to the ASPM system, not parallel processes.
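The intake step described above, written out as an added example (this is not Code Hunter's own code, and the SARIF document, the tool name `demo-sast`, the rule ids, the paths and the severity mapping are all constructed for illustration). It flattens a SARIF 2.1.0 log into findings that keep tool, rule and location traceability, gives each one a fingerprint that does not change between imports, and merges a re-import into an existing baseline without overwriting review state already recorded there:

```python
"""Normalize SARIF 2.1.0 results into baseline findings with stable fingerprints."""
import hashlib
import json

# Constructed sample SARIF document for this example (not real scanner output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "demo-sast", "rules": [
            {"id": "SQLI-001", "shortDescription": {"text": "SQL built from untrusted input"}}
        ]}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "Query concatenates request parameter"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/orders/repo.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "LOG-007", "level": "warning",
             "message": {"text": "Sensitive value written to log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/auth/session.py"},
                 "region": {"startLine": 118}}}]},
        ],
    }],
})

# Assumed mapping from SARIF result levels to the workspace's severity scale.
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "info"}


def fingerprint(tool, rule_id, uri, line):
    """Stable id over the fields that identify a finding across repeated imports.

    Severity and message text are deliberately excluded so that a re-scan that
    rewords a message or re-grades a rule still maps to the same baseline entry.
    """
    key = f"{tool}|{rule_id}|{uri}|{line}".encode()
    return hashlib.sha256(key).hexdigest()[:16]


def normalize_sarif(sarif_text):
    """Flatten a SARIF log into findings that keep tool/rule/location traceability."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        tool = driver.get("name", "unknown-tool")
        for res in run.get("results", []):
            # Use the first physical location; tolerate results that carry none.
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "")
            line = loc.get("region", {}).get("startLine", 0)
            rule_id = res.get("ruleId", "")
            findings.append({
                "id": fingerprint(tool, rule_id, uri, line),
                "tool": tool,
                "rule_id": rule_id,
                "severity": LEVEL_TO_SEVERITY.get(res.get("level", "warning"), "medium"),
                "message": res.get("message", {}).get("text", ""),
                "uri": uri,
                "line": line,
                "review": "pending",  # review state before owner handoff
            })
    return findings


def merge_into_baseline(baseline, findings):
    """Add only unseen findings; known ones keep their review state and owner."""
    known = {f["id"]: f for f in baseline}
    added = 0
    for f in findings:
        if f["id"] not in known:
            known[f["id"]] = f
            added += 1
    return list(known.values()), added


if __name__ == "__main__":
    first, n = merge_into_baseline([], normalize_sarif(SAMPLE_SARIF))
    first[0]["review"] = "accepted"          # a reviewer decides on one finding
    again, n_again = merge_into_baseline(first, normalize_sarif(SAMPLE_SARIF))
    print(n, "imported first time;", n_again, "new on re-import;",
          again[0]["review"], "state preserved")
```

The fingerprint is what makes "repeatable import without breaking baseline continuity" concrete: a second import of the same scanner output adds nothing and leaves prior review decisions untouched, while a result at a new location shows up as new work.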

Requirement and code-change impact

Turn requirements and code changes into security work.

Iteration analysis connects requirement sources, change sets, control expectations, and AI review. The result is not a comment thread; it is owner-ready security work with acceptance criteria and verification evidence.

  • Requirement-to-control analysis from Jira, Confluence, MCP, or structured inputs
  • Delta code review grounded in patch and change-set evidence
  • Security tasks with owner, state, and acceptance criteria
  • Verification evidence carried back into the release record

Change impact becomes governed work before it becomes release risk.

SCA policy and release gate

Govern dependency risk before the release gate.

Team brings dependency intelligence into the release workflow: OSV/CVE data, enterprise vulnerability APIs, custom MCP services, policy thresholds, VEX exceptions, CI status, and verification evidence all contribute to release readiness.

  • OSV/CVE intelligence plus enterprise API and custom MCP source support
  • Dependency snapshot scanning tied to product version and release context
  • Policy gates for severity, exploitability, exception, and verification state
  • Auditable VEX exceptions and verified remediation closure

Dependency risk moves through policy, exception, remediation, and release evidence.
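The gate described in this section, written out as an added example (not Code Hunter's own code; the `DepFinding`, `VexStatement` and `Policy` types, the `VULN-EXAMPLE-*` identifiers, the package names and the thresholds are all constructed for illustration). It resolves each dependency finding against verification evidence and approved VEX exceptions, applies severity and exploitability thresholds, folds in CI status, and returns one of the three outcomes named on the page: pass, pass-with-risk, or block, each with the reasons that an auditor would want in the release record:

```python
"""Evaluate an SCA release gate from dependency findings, VEX exceptions and CI evidence."""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class DepFinding:
    vuln_id: str                  # constructed placeholder ids in this example
    package: str
    version: str
    severity: str                 # critical | high | medium | low
    known_exploited: bool = False # set from an intelligence source (assumed field)
    verification: str = "open"    # open | fixed_verified


@dataclass
class VexStatement:
    vuln_id: str
    package: str
    status: str                   # not_affected | affected | fixed
    justification: str = ""
    approved_by: str = ""         # an exception without an approver is not honoured


@dataclass
class Policy:
    block_at: str = "high"        # unresolved findings at or above this severity block
    block_on_exploited: bool = True
    require_ci_pass: bool = True


def _effective_state(f, vex_index):
    """Resolve one finding against verification evidence and VEX exceptions."""
    if f.verification == "fixed_verified":
        return "closed"
    v = vex_index.get((f.vuln_id, f.package))
    if v and v.status in ("not_affected", "fixed") and v.approved_by:
        return "excepted"
    return "open"


def decide_release(findings, vex_statements, ci_status, policy=None):
    """Return {'decision': pass | pass_with_risk | block, 'reasons': [...], 'residual_risk': [...]}."""
    policy = policy or Policy()
    vex_index = {(v.vuln_id, v.package): v for v in vex_statements}
    blockers, residual = [], []
    for f in findings:
        if _effective_state(f, vex_index) != "open":
            continue
        label = f"{f.vuln_id} in {f.package}@{f.version} ({f.severity})"
        over_threshold = SEVERITY_RANK[f.severity] >= SEVERITY_RANK[policy.block_at]
        exploit_block = policy.block_on_exploited and f.known_exploited
        if over_threshold or exploit_block:
            blockers.append(label + (" known exploited" if f.known_exploited else ""))
        else:
            residual.append(label)
    # CI evidence is part of the gate, not a separate process.
    if policy.require_ci_pass and ci_status != "passed":
        blockers.append(f"CI status is {ci_status}")
    if blockers:
        return {"decision": "block", "reasons": blockers, "residual_risk": residual}
    if residual:
        return {"decision": "pass_with_risk",
                "reasons": ["open findings below block threshold recorded as accepted risk"],
                "residual_risk": residual}
    return {"decision": "pass", "reasons": [], "residual_risk": []}


def sample_scenario():
    """Constructed dependency snapshot and VEX record for demonstration."""
    findings = [
        DepFinding("VULN-EXAMPLE-1", "libfoo", "1.2.0", "critical", known_exploited=True),
        DepFinding("VULN-EXAMPLE-2", "libbar", "3.4.1", "medium"),
        DepFinding("VULN-EXAMPLE-3", "libbaz", "0.9.0", "high", verification="fixed_verified"),
    ]
    vex = [VexStatement("VULN-EXAMPLE-1", "libfoo", "not_affected",
                        "vulnerable_code_not_present", approved_by="appsec-lead")]
    return findings, vex


if __name__ == "__main__":
    findings, vex = sample_scenario()
    print(decide_release(findings, vex, "passed")["decision"])   # pass_with_risk
    print(decide_release(findings, [], "passed")["decision"])    # block (exception missing)
    print(decide_release(findings, vex, "failed")["decision"])   # block (CI evidence)
```

Two design points carry the page's intent: a VEX statement only neutralises a finding when it has an approver, so exceptions remain auditable rather than silently applied, and a verified fix closes the finding regardless of its severity, which is what lets remediation closure feed back into a fresh baseline.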

Team capabilities

Built for security accountability inside the product team.

Workspace

Roles and ownership

Security reviewers, project owners, R&D leads, and remediation owners work from the same project state.

Review

AI-assisted decisions

Findings are accepted, rejected, downgraded, assigned, or held with explicit evidence and rationale.

Tasking

Remediation execution

Confirmed risk becomes scoped work with acceptance criteria, verification state, and closure evidence.

Release

Release readiness

Baseline posture, unresolved risk, SCA policy, CI status, and accepted-risk records inform release decisions.

Team is the complete ASPM workspace for one product team.

Use Team when a single product line needs baseline governance, requirement and change analysis, owner remediation, SCA policy gates, CI evidence, and release decisions. Use Enterprise Portal when the organization needs to create and govern multiple Team workspaces from one portal.