Faction Setup Instructions

Below are the Faction Setup Instructions required to get you all set up and ready to start collaborating on assessments in just a few minutes.


Every company or user that creates an account will get their own single tenant instance. To create a new instance go to https://portal.factionsecurity.com and create an account.

Faction Single Tenant Site Creation

This will begin creating your instance of Faction. Wait until the spinner shows a green checkbox before you attempt to access your site. You can then click the URL in the site list to go to your new Faction instance.

Cloud Hosted Penetration Testing Platform


The first time you access Faction you will be presented with a page to create your admin account. Here you need to enter basic information about the user, and you have the option to create a team. Hacking Team is the default.

SaaS Security Console


The Faction Default vulnerability database is what makes generating reports quick and painless for pen-testing teams. You can upload your own templates or start with an open source list from https://github.com/vulndb/data.

To add the VulnDB data into Faction, navigate to Admin -> Default Vulnerabilities and click Update from VulnDB. This will import all of their vulnerabilities and set default Categories for the vulnerabilities.

Note that this can all be edited or deleted later.

Custom Vulnerability Templates


By default Faction adds Critical, High, Medium, Low, Recommended, and Informational risk levels, but you have up to 9 that can be set, and the defaults can be changed to anything that works for your environment. For instance, Critical can be changed to Priority 1.

Custom Security Risk Levels


Different Tiers allow enhanced features within Faction. The Teams Tier and above have verification and vulnerability tracking enabled. In Admin Settings you can set custom times to alert when the vulnerability needs to be remediated based on its risk setting. For instance, you can set a reminder that a Critical vulnerability needs to be remediated 30 days after it's reported and set a past due date of 60 days. This will trigger Faction to alert the correct teams that important issues are close to being past due, to ensure issues get closed on time and are never forgotten.

Notice in the following screenshot that we have Criticals and Highs set to warn at 30 and 60 days respectively. These become past due at 60 and 120 days respectively.

Vulnerability Remediation and Tracking

Anything that is missing a date will not be tracked by Faction.
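
The warn and past-due settings described above, worked through as an added example (this is not Faction's own code). The Critical and High values come from the text; the function names, the sample findings, the choice to fire a threshold on the day it is reached, and treating a risk level with no dates as untracked are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Sla:
    warn_days: Optional[int]      # days after report when the reminder fires
    past_due_days: Optional[int]  # days after report when the finding is past due


# Critical and High use the values from the text above. Medium is constructed
# with no dates to show the "not tracked" case.
POLICY = {
    "Critical": Sla(30, 60),
    "High": Sla(60, 120),
    "Medium": Sla(None, None),
}

# Constructed sample findings: (name, risk level, date reported).
FINDINGS = [
    ("SQL injection", "Critical", date(2024, 1, 1)),
    ("Weak TLS configuration", "High", date(2024, 1, 1)),
    ("Verbose error messages", "Medium", date(2024, 1, 1)),
    ("Stored XSS", "High", date(2023, 9, 1)),
]


def remediation_status(severity, reported, today, policy=POLICY):
    """Classify one finding against the configured remediation dates."""
    sla = policy.get(severity)
    # Assumption: a level with no dates configured is not tracked at all.
    if sla is None or (sla.warn_days is None and sla.past_due_days is None):
        return "untracked"
    age = (today - reported).days
    # Check past due first so it takes priority over the earlier warning.
    if sla.past_due_days is not None and age >= sla.past_due_days:
        return "past_due"
    if sla.warn_days is not None and age >= sla.warn_days:
        return "warning"
    return "on_track"


def report(findings, today, policy=POLICY):
    """Map each finding name to its status on the given day."""
    return {name: remediation_status(sev, rep, today, policy)
            for name, sev, rep in findings}


if __name__ == "__main__":
    for name, status in report(FINDINGS, date(2024, 2, 15)).items():
        print(f"{status:10} {name}")
```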


For some assessments you will want to add checklists to ensure all critical issues are tested. Below is an example of some potential checks that might need to happen on every assessment to ensure applications are tested consistently.

Security Checklists

Once the above is created it will be available in assessments where the assessor can pass/fail the checklist item and even add notes related to why it failed or why it’s not necessary for the application being tested.

Security Assessment Checklist


All assessments start with Assessment Scheduling. Faction keeps track of all projects your assessors are working on to prevent over-booking pen-tests or other consulting engagements. It keeps track of notes and other information relevant to the assessment so it’s easy to organize and share with the right people on the assessment.

SaaS Security Assessment Scheduling and Planning

You can add assessments manually or upload many from a CSV file.