Product Overview
Topus — the Cyber Security Operations Portal — is an enterprise-grade, self-hosted platform that unifies the day-to-day workflows of a corporate security team into a single application.
From findings ingestion across pentests, scanners and bug bounty programs, through engagement planning, task tracking, strategic objectives, operations meetings and ticketing, all the way to executive PDF and Excel reports — Topus brings the entire operational lifecycle of a cyber security function under one bilingual (English / Arabic) roof.
7+integrated core modules
EN/ARbilingual, RTL ready
9built-in RBAC roles
100%self-hosted, air-gap capable
Why Topus?
- Unified single source of truth. Findings, engagements, tasks, requests, meetings and reports live in one database with cross-linking and full audit history.
- Bilingual by design. Every screen, report and PDF supports English and Arabic — including right-to-left layout and bilingual data fields.
- Multi-source findings ingestion. Pentest reports, scanners, threat intelligence, bug bounty and manual entries — normalized into one workflow with severity and SLA enforcement.
- SLA & escalation engine. Findings automatically track SLA percentage and escalate at configurable thresholds with owner notifications.
- Role-based access. Nine pre-built roles with fine-grained permissions and group ownership.
- Branded reporting. Server-side rendered PDF and Excel with custom templates, charts and optional AES-256 encryption.
- On-prem & air-gapped first. Designed to live entirely inside your network — including fully isolated, internet-less environments.
Core modules
Findings Management
Capture every security weakness — regardless of source — into a single normalized backlog with severity classification, CVSS scoring, SLA calculation, ownership, escalation and a full lifecycle workflow (New → Triaged → Assigned → In Remediation → Pending Verification → Closed). Risk acceptance flows include reviewer, justification and audit trail, and internal-only findings can be excluded from PDF exports.
Engagement Management
Manage the full lifecycle of penetration tests and assessments — vendors, Rules of Engagement, scope and assets, milestones, deliverables and findings rollup — with one-click branded PDF or Excel export per engagement.
Task Tracking
Security-focused task management with group ownership, priorities, due dates and a personal kanban — tightly linked to findings, objectives, requests and engagements without heavyweight project-management overhead.
Objectives Management
Define yearly objectives, break them into quarterly milestones with deliverables and KPIs, auto-calculate progress, and present traffic-light status to leadership in branded strategic reports.
OPS Sync Hub
A digital home for your operations cadence: meetings, agendas, decisions, action items, initiatives and evidence — with follow-through tracking and exportable meeting minutes.
Ticketing (Requests)
Configurable request types with custom fields, multi-stage approval chains, SLA tracking, and gate policies that can block requests while linked findings remain open above a severity threshold.
Dashboards & Reporting
Tailored dashboards per role — Executive, General Manager, PT/VA Manager, Department and Read-Only — plus findings analytics, engagement reports and drop-in custom report templates.
Want the full picture? Request a live demo and we will walk your team through every module on real workflows — get in touch.
Microsoft Entra ID SSO Integration
Enable Single Sign-On with Microsoft Entra ID (formerly Azure Active Directory) so your users can sign in to Topus with their existing corporate Microsoft account — no separate password required.
SSO is optional. Topus continues to support local username + password login alongside SSO — you can enable both, or run SSO only. Setup takes about 15 minutes.
What you'll need
| Item | Description |
| Microsoft 365 / Entra ID tenant | Your existing corporate Azure AD tenant |
| Global Administrator role | Or Application Administrator — required to register the app in Entra ID |
| Topus Administrator account | Required to enter the SSO settings in Topus |
| Topus portal URL | The HTTPS URL your users access |
1 Register the application in Entra ID
Sign in to the Microsoft Entra admin center as a Global Administrator, then navigate to Identity → Applications → App registrations → New registration and fill in:
| Name | Topus — Cyber Security Operations Portal |
| Supported account types | Accounts in this organizational directory only (single tenant, recommended) |
| Redirect URI | Platform Web — https://<your-topus-domain>/api/v1/auth/sso/callback |
The redirect URI must exactly match what you enter in Topus — same scheme, host and path. Trailing slashes matter.
2 Capture the Tenant ID and Client ID
From the app's Overview page, copy the Application (client) ID and the Directory (tenant) ID. You will paste both into Topus later.
3 Create a client secret
Open Certificates & secrets → Client secrets → New client secret. Set a description and an expiry (24 months recommended — set a calendar reminder to rotate before then), then copy the secret Value immediately — Microsoft shows it only once.
The client secret is sensitive — treat it like a password. Topus encrypts it at rest; it never appears in plaintext in the database or logs.
4 Grant API permissions
Under API permissions, ensure Microsoft Graph → User.Read is listed (added by default). If your tenant requires admin consent, click Grant admin consent. That is all Topus needs — it only reads the signed-in user's basic profile to provision their account. No mailbox, calendar, files or directory access.
5 Enable SSO in Topus
Sign in to Topus as an Administrator and open Administration → Settings → Authentication → SSO (Microsoft Entra ID) → Configure. Enable Microsoft SSO login, paste the Tenant ID, Client ID and secret Value, confirm the redirect URI matches step 1 exactly, and save. The change takes effect immediately — no restart required.
6 Verify it works
In a private browser window, open your Topus login page. You should see a Sign in with Microsoft button. Click it, sign in with a corporate account, and you will land on the Topus dashboard.
First sign-in (Just-In-Time provisioning)
- Email matches an existing Topus account — the account is linked to the Microsoft identity; roles and permissions are preserved.
- No account exists — one is created automatically from the Entra ID email and display name, starting with no roles. An administrator assigns roles before the user can access protected features.
- SSO users skip the OTP step — Microsoft has already authenticated them, including any MFA or Conditional Access policies you enforce.
Troubleshooting
| Symptom | Fix |
| "SSO is not enabled or fully configured" | Re-open Configure in Topus and verify all four fields are populated, then save again. |
| "Invalid SSO state. Please try signing in again." | Retry — and make sure third-party cookies are not aggressively blocked for your Topus domain. |
| AADSTS50011 — reply URL mismatch | The redirect URIs in Entra ID and Topus must be character-for-character identical. |
| AADSTS7000215 — invalid client secret | Generate a new secret in Entra ID and paste the new value into Topus. |
| AADSTS65001 — consent not granted | Grant admin consent for User.Read in your Entra ID app's API permissions. |
| User signs in but sees "no permission" pages | A new SSO user has no roles yet — assign them via Administration → Users. |
| Need to disable SSO temporarily | Uncheck Enable Microsoft SSO login and save — local password login keeps working. |
Rotating the client secret
Microsoft requires secrets to expire. Rotate without downtime: create a new secret in Entra ID while the old one is still active, paste the new value into Topus and save, verify sign-in works, then delete the old secret in Entra ID.
Security notes
- The client secret is encrypted at rest inside your Topus database.
- The OAuth state parameter is bound to the user's browser via a short-lived, http-only cookie — protecting against CSRF.
- Sign-in tokens are passed back via the URL fragment so they never appear in server access logs.
- Topus requests only the minimum User.Read permission needed to identify the signed-in user.
- SSO-only mode (disabling local passwords entirely) is available — contact support to plan it safely so your admin team is never locked out.
Need help? Open a support request with the exact error message and the time it occurred. Never share your client secret in a ticket.
Email Integration (Microsoft Outlook)
Topus delivers notifications, scheduled digests and report emails through your own Microsoft 365 / Exchange Online tenant using the Microsoft Graph API — no third-party mail provider, no separate mail server to run.
Email is optional. Topus is fully functional without it — notifications simply stay in-portal. This connector requires outbound HTTPS access to Microsoft's cloud, so it applies to connected deployments, not fully air-gapped ones.
How it works
Topus authenticates to Microsoft Entra ID as an application (client-credentials flow) and sends mail from a mailbox you designate — typically a shared mailbox such as noreply@yourcompany.com. Messages originate from your own tenant, follow your compliance and retention policies, and appear in the sender mailbox's sent items like any corporate mail.
What you'll need
| Item | Description |
| Microsoft 365 / Entra ID tenant | Your existing corporate tenant with Exchange Online |
| Global Administrator role | Required to register the application and grant admin consent |
| Sender mailbox | A shared mailbox or user account the emails will be sent from |
| Topus Administrator account | Required to configure the integration in Topus |
1 Register an application in Entra ID
In the Microsoft Entra admin center, go to Identity → Applications → App registrations → New registration and create an app named Topus — Mail (single tenant). No redirect URI is needed for this integration.
We recommend a separate registration from your SSO app — mail sending uses an application-level permission, and separating the two lets you rotate or revoke each independently.
2 Grant the Mail.Send application permission
Open API permissions → Add a permission → Microsoft Graph → Application permissions, select Mail.Send, then click Grant admin consent for your tenant.
Application-level Mail.Send can send as any mailbox by default. Ask your Exchange administrator to scope it to the sender mailbox only, using an Exchange Online Application Access Policy — this is the least-privilege setup and takes a few minutes.
3 Create a client secret
Under Certificates & secrets → New client secret, create a secret (24 months recommended) and copy the Value immediately — Microsoft shows it only once. Also note the Application (client) ID and Directory (tenant) ID from the app's Overview page.
4 Configure the integration in Topus
Sign in to Topus as an Administrator and open Administration → Integrations → Microsoft Outlook. Fill in:
| Azure Tenant ID | Directory (tenant) ID from step 3 |
| Application (client) ID | From the app registration's Overview page |
| Client Secret | The secret Value — after saving it is stored encrypted and displayed only as ******** |
| Sender Mailbox | The shared mailbox or user the app is allowed to send from |
5 Send a test email
Use the Send test email action on the integration page. If it arrives, you're done — notifications, scheduled digests and report emails will now flow through your tenant.
What Topus sends
- Operational notices — for example SOC notices when a penetration test engagement is scheduled or ends (administrators can toggle these).
- SLA escalations — notifications to owners as findings approach or breach their SLA thresholds.
- Scheduled digests — recurring email summaries with configurable filters and recipients.
- Report distribution — branded PDF reports delivered to stakeholders on schedule.
Troubleshooting
| Symptom | Fix |
| Authentication fails (401) | Verify the Tenant ID, Client ID and secret. If the secret expired, create a new one in Entra ID and update it in Topus. |
| Forbidden (403) on send | Admin consent for the Mail.Send application permission is missing, or an Application Access Policy blocks the sender mailbox. |
| Sender mailbox rejected | The mailbox must exist in Exchange Online and be within the scope the app is permitted to send as. |
| Test email never arrives | Check the sender mailbox's sent items and your transport rules / quarantine — the message may be filtered internally. |
Security notes
- The client secret is stored encrypted in your Topus database and never shown again after saving.
- Mail flows directly between your Topus server and Microsoft Graph over HTTPS — no intermediary service.
- Scope the Mail.Send permission to the sender mailbox with an Application Access Policy for least privilege.
- Rotate the client secret before it expires, the same way you rotate the SSO secret.
Need help? Open a support request — include the exact error from the integration page and the time it occurred. Never share your client secret in a ticket.