Back to topus.sa

Product Overview

Topus — the Cyber Security Operations Portal — is an enterprise-grade, self-hosted platform that unifies the day-to-day workflows of a corporate security team into a single application.

From findings ingestion across pentests, scanners and bug bounty programs, through engagement planning, task tracking, strategic objectives, operations meetings and ticketing, all the way to executive PDF and Excel reports — Topus brings the entire operational lifecycle of a cyber security function under one bilingual (English / Arabic) roof.

7+integrated core modules
EN/ARbilingual, RTL ready
9built-in RBAC roles
100%self-hosted, air-gap capable

Why Topus?

  • Unified single source of truth. Findings, engagements, tasks, requests, meetings and reports live in one database with cross-linking and full audit history.
  • Bilingual by design. Every screen, report and PDF supports English and Arabic — including right-to-left layout and bilingual data fields.
  • Multi-source findings ingestion. Pentest reports, scanners, threat intelligence, bug bounty and manual entries — normalized into one workflow with severity and SLA enforcement.
  • SLA & escalation engine. Findings automatically track SLA percentage and escalate at configurable thresholds with owner notifications.
  • Role-based access. Nine pre-built roles with fine-grained permissions and group ownership.
  • Branded reporting. Server-side rendered PDF and Excel with custom templates, charts and optional AES-256 encryption.
  • On-prem & air-gapped first. Designed to live entirely inside your network — including fully isolated, internet-less environments.

Core modules

Findings Management

Capture every security weakness — regardless of source — into a single normalized backlog with severity classification, CVSS scoring, SLA calculation, ownership, escalation and a full lifecycle workflow (New → Triaged → Assigned → In Remediation → Pending Verification → Closed). Risk acceptance flows include reviewer, justification and audit trail, and internal-only findings can be excluded from PDF exports.

Engagement Management

Manage the full lifecycle of penetration tests and assessments — vendors, Rules of Engagement, scope and assets, milestones, deliverables and findings rollup — with one-click branded PDF or Excel export per engagement.

Task Tracking

Security-focused task management with group ownership, priorities, due dates and a personal kanban — tightly linked to findings, objectives, requests and engagements without heavyweight project-management overhead.

Objectives Management

Define yearly objectives, break them into quarterly milestones with deliverables and KPIs, auto-calculate progress, and present traffic-light status to leadership in branded strategic reports.

OPS Sync Hub

A digital home for your operations cadence: meetings, agendas, decisions, action items, initiatives and evidence — with follow-through tracking and exportable meeting minutes.

Ticketing (Requests)

Configurable request types with custom fields, multi-stage approval chains, SLA tracking, and gate policies that can block requests while linked findings remain open above a severity threshold.

Dashboards & Reporting

Tailored dashboards per role — Executive, General Manager, PT/VA Manager, Department and Read-Only — plus findings analytics, engagement reports and drop-in custom report templates.

Want the full picture? Request a live demo and we will walk your team through every module on real workflows — get in touch.

Microsoft Entra ID SSO Integration

Enable Single Sign-On with Microsoft Entra ID (formerly Azure Active Directory) so your users can sign in to Topus with their existing corporate Microsoft account — no separate password required.

SSO is optional. Topus continues to support local username + password login alongside SSO — you can enable both, or run SSO only. Setup takes about 15 minutes.

What you'll need

ItemDescription
Microsoft 365 / Entra ID tenantYour existing corporate Azure AD tenant
Global Administrator roleOr Application Administrator — required to register the app in Entra ID
Topus Administrator accountRequired to enter the SSO settings in Topus
Topus portal URLThe HTTPS URL your users access

1 Register the application in Entra ID

Sign in to the Microsoft Entra admin center as a Global Administrator, then navigate to Identity → Applications → App registrations → New registration and fill in:

NameTopus — Cyber Security Operations Portal
Supported account typesAccounts in this organizational directory only (single tenant, recommended)
Redirect URIPlatform Webhttps://<your-topus-domain>/api/v1/auth/sso/callback

The redirect URI must exactly match what you enter in Topus — same scheme, host and path. Trailing slashes matter.

2 Capture the Tenant ID and Client ID

From the app's Overview page, copy the Application (client) ID and the Directory (tenant) ID. You will paste both into Topus later.

3 Create a client secret

Open Certificates & secrets → Client secrets → New client secret. Set a description and an expiry (24 months recommended — set a calendar reminder to rotate before then), then copy the secret Value immediately — Microsoft shows it only once.

The client secret is sensitive — treat it like a password. Topus encrypts it at rest; it never appears in plaintext in the database or logs.

4 Grant API permissions

Under API permissions, ensure Microsoft Graph → User.Read is listed (added by default). If your tenant requires admin consent, click Grant admin consent. That is all Topus needs — it only reads the signed-in user's basic profile to provision their account. No mailbox, calendar, files or directory access.

5 Enable SSO in Topus

Sign in to Topus as an Administrator and open Administration → Settings → Authentication → SSO (Microsoft Entra ID) → Configure. Enable Microsoft SSO login, paste the Tenant ID, Client ID and secret Value, confirm the redirect URI matches step 1 exactly, and save. The change takes effect immediately — no restart required.

6 Verify it works

In a private browser window, open your Topus login page. You should see a Sign in with Microsoft button. Click it, sign in with a corporate account, and you will land on the Topus dashboard.

First sign-in (Just-In-Time provisioning)

  • Email matches an existing Topus account — the account is linked to the Microsoft identity; roles and permissions are preserved.
  • No account exists — one is created automatically from the Entra ID email and display name, starting with no roles. An administrator assigns roles before the user can access protected features.
  • SSO users skip the OTP step — Microsoft has already authenticated them, including any MFA or Conditional Access policies you enforce.

Troubleshooting

SymptomFix
"SSO is not enabled or fully configured"Re-open Configure in Topus and verify all four fields are populated, then save again.
"Invalid SSO state. Please try signing in again."Retry — and make sure third-party cookies are not aggressively blocked for your Topus domain.
AADSTS50011 — reply URL mismatchThe redirect URIs in Entra ID and Topus must be character-for-character identical.
AADSTS7000215 — invalid client secretGenerate a new secret in Entra ID and paste the new value into Topus.
AADSTS65001 — consent not grantedGrant admin consent for User.Read in your Entra ID app's API permissions.
User signs in but sees "no permission" pagesA new SSO user has no roles yet — assign them via Administration → Users.
Need to disable SSO temporarilyUncheck Enable Microsoft SSO login and save — local password login keeps working.

Rotating the client secret

Microsoft requires secrets to expire. Rotate without downtime: create a new secret in Entra ID while the old one is still active, paste the new value into Topus and save, verify sign-in works, then delete the old secret in Entra ID.

Security notes

  • The client secret is encrypted at rest inside your Topus database.
  • The OAuth state parameter is bound to the user's browser via a short-lived, http-only cookie — protecting against CSRF.
  • Sign-in tokens are passed back via the URL fragment so they never appear in server access logs.
  • Topus requests only the minimum User.Read permission needed to identify the signed-in user.
  • SSO-only mode (disabling local passwords entirely) is available — contact support to plan it safely so your admin team is never locked out.

Need help? Open a support request with the exact error message and the time it occurred. Never share your client secret in a ticket.

Email Integration (Microsoft Outlook)

Topus delivers notifications, scheduled digests and report emails through your own Microsoft 365 / Exchange Online tenant using the Microsoft Graph API — no third-party mail provider, no separate mail server to run.

Email is optional. Topus is fully functional without it — notifications simply stay in-portal. This connector requires outbound HTTPS access to Microsoft's cloud, so it applies to connected deployments, not fully air-gapped ones.

How it works

Topus authenticates to Microsoft Entra ID as an application (client-credentials flow) and sends mail from a mailbox you designate — typically a shared mailbox such as noreply@yourcompany.com. Messages originate from your own tenant, follow your compliance and retention policies, and appear in the sender mailbox's sent items like any corporate mail.

What you'll need

ItemDescription
Microsoft 365 / Entra ID tenantYour existing corporate tenant with Exchange Online
Global Administrator roleRequired to register the application and grant admin consent
Sender mailboxA shared mailbox or user account the emails will be sent from
Topus Administrator accountRequired to configure the integration in Topus

1 Register an application in Entra ID

In the Microsoft Entra admin center, go to Identity → Applications → App registrations → New registration and create an app named Topus — Mail (single tenant). No redirect URI is needed for this integration.

We recommend a separate registration from your SSO app — mail sending uses an application-level permission, and separating the two lets you rotate or revoke each independently.

2 Grant the Mail.Send application permission

Open API permissions → Add a permission → Microsoft Graph → Application permissions, select Mail.Send, then click Grant admin consent for your tenant.

Application-level Mail.Send can send as any mailbox by default. Ask your Exchange administrator to scope it to the sender mailbox only, using an Exchange Online Application Access Policy — this is the least-privilege setup and takes a few minutes.

3 Create a client secret

Under Certificates & secrets → New client secret, create a secret (24 months recommended) and copy the Value immediately — Microsoft shows it only once. Also note the Application (client) ID and Directory (tenant) ID from the app's Overview page.

4 Configure the integration in Topus

Sign in to Topus as an Administrator and open Administration → Integrations → Microsoft Outlook. Fill in:

Azure Tenant IDDirectory (tenant) ID from step 3
Application (client) IDFrom the app registration's Overview page
Client SecretThe secret Value — after saving it is stored encrypted and displayed only as ********
Sender MailboxThe shared mailbox or user the app is allowed to send from

5 Send a test email

Use the Send test email action on the integration page. If it arrives, you're done — notifications, scheduled digests and report emails will now flow through your tenant.

What Topus sends

  • Operational notices — for example SOC notices when a penetration test engagement is scheduled or ends (administrators can toggle these).
  • SLA escalations — notifications to owners as findings approach or breach their SLA thresholds.
  • Scheduled digests — recurring email summaries with configurable filters and recipients.
  • Report distribution — branded PDF reports delivered to stakeholders on schedule.

Troubleshooting

SymptomFix
Authentication fails (401)Verify the Tenant ID, Client ID and secret. If the secret expired, create a new one in Entra ID and update it in Topus.
Forbidden (403) on sendAdmin consent for the Mail.Send application permission is missing, or an Application Access Policy blocks the sender mailbox.
Sender mailbox rejectedThe mailbox must exist in Exchange Online and be within the scope the app is permitted to send as.
Test email never arrivesCheck the sender mailbox's sent items and your transport rules / quarantine — the message may be filtered internally.

Security notes

  • The client secret is stored encrypted in your Topus database and never shown again after saving.
  • Mail flows directly between your Topus server and Microsoft Graph over HTTPS — no intermediary service.
  • Scope the Mail.Send permission to the sender mailbox with an Application Access Policy for least privilege.
  • Rotate the client secret before it expires, the same way you rotate the SSO secret.

Need help? Open a support request — include the exact error from the integration page and the time it occurred. Never share your client secret in a ticket.