User guide

If you’re new to Canopy, there are some concepts and basics that you should know in order to use the application.

Key concepts

In this article we’ll cover some key concepts to Canopy.

Getting started

This is a ~20 minute overview to help you get started on using Canopy as soon as possible.


Organising your delivery through clients, opportunities and projects

Canopy allows you to organise your data into a hierarchical model. At the top is the Client. Within a client we store opportunities, scopes, projects, phases, findings, assets reports and everything else relating to our assessments.

  • Clients: Clients is a top-level container where we store all of our projects, opportunities, findings, reports and so on relating to a single client.

  • Opportunities: The pre-sale phase of service delivery is very important. It’s where we capture the necessary scope and information for delivering our projects, defining the commercial agreements and confirming with our clients what is to be done (e.g. statement of work). Canopy’s Opportunity module allows us to manage this phase of the delivery workflow.

  • Phase scopes [TODO]

  • Statements of work [TODO]: A statement of work (SoW) is a document sent to a client to confirm to them the key details of a testing. This might include the technical scope, delivery dates and financial information.

  • Projects: Canopy organises its main delivery work into projects and phases. Here we explain the key concepts and why there we take this hierarchical approach.

  • Phases: Phases in Canopy are used to store the findings, assets, examples (evidence) and other data collected during the delivery. It provides a container for managing this information, which can then be used for reports.

Getting work done

Once you have our structure set up to organise your teams for delivery, it’s time to get work done. Fundamentally Canopy structures its data around…

  • Logging in: A short guide to logging in to Canopy. Most people should be familiar with such processes, but we think it’s good to cover the basics (and some of the other authentication options).

  • Dashboard: Your first interaction with Canopy, and what to do next.

  • Findings: Findings (or vulnerabilities in some companies) are a cornerstone of Canopy. Many of the types of projects delivered by teams that use Canopy centre around findings and the relationship of these findings to assets (be they servers, source code, physical buildings, etc.).

  • Assets: Assets are another key cornerstone of Canopy. Assets are used to bind Findings to Examples (evidence). Conceptually, if a finding is found, it will relate to a give asset (be that source code, a building, etc.).

  • Examples: Examples are additional data points used to show how a finding was identified. This can take the form of repeatable steps, screenshots, code or tool output and so on.

  • Methodologies [TODO]: Methodologies help to ensure work is delivered consistency across similar projects.

  • Reports [TODO]: The typical end delivery from a project is a report (or many reports). Learn more about how to generate reports for delivering to your clients.

  • Other concepts [TODO]: Canopy provides a number of other (optional) features to help improve your delivery and structure your information for reporting and analysis.

Reusing content with templates

A major benefit of Canopy is that it allows you to reuse content, where you believe its appropriate. You can have stock finding write ups through the Findings Knowledge Base. Base report templates and statement of work templates for getting a head start with writing documents. And more. This allows users of Canopy to reduce time spent rewriting the same content, and also to ensure consistency, where needed.

  • Findings Knowledge Base: The findings knowledge base (KB) acts as a repository for reusable write-ups for findings. The main point of reusable content is to ensure consistency, but only where it’s required. The existence of a KB shouldn’t mean clients receive generic content, but it does allow users to have a starting point for tailoring content, and to use common information where it makes sense.

  • Report templates [TODO]: Reports templates are used for building the end-user reports you want to send to your clients. These are built using a simple form builder inside of Canopy, and then mapped to Word documents. More information can be found in the Report templates section.

  • Statement of work templates [TODO]: Much like template reports, the statement of work (SoW) template is used to produce custom, client branded SoWs or proposals for issuing to your clients. The process is the same, although the data these document templates access is different.

  • Methodology templates: Methodologies are commonly used to establish best practices within service delivery organisations. The methodology template section is used to define such methodologies, which can then be used in for delivery as required.

  • Message templates: Message templates are used to build standard messages for user and client notification. Do you have a standard set of emails you send out before, during and after tests? This feature allows you to build those templates in Canopy.

  • Taxonomy templates [TODO]: Taxonomy templates provide a way of linking findings to external (e.g. CWE) and internal/client (e.g. client-specific secure development requirements) reference material, in a way that can then be included in reports or analytics.

  • Scoping questionnaires [TODO]: In order to scope projects, its typical to use questionnaires to capture mandatory and nice-to-have information for preparing for delivery. Reusable questionnaires help with consistency in this approach.

Other tasks

  • Working with Jira: How to work with Jira from Canopy to help share information between testers and development/ops teams.