Key concepts

What is Canopy?

Canopy is a business support tool for pentest and security assessment, and audit, teams. It is what the CRM is to the sales team. Canopy helps users - both technical and non-technical - by providing a system that supports the delivery of assessments from inception (i.e. opportunity) through to delivery (i.e. reporting). A managed process for assessment delivery can greatly improved efficiency, and ultimately help to increase the revenues of the company using it.

How is access control implemented?

Canopy implements a Role-Base Access Control (RBAC) solution to help provide global and granular permissions for user roles. This provides a great deal of flexibility in allowing Canopy to scale from < 5 person teams to large enterprises where security and non-security people need to access the data stored by Canopy. The default access control setup is relatively secure. Senior-level users are provided with significant access throughout the system, but lower level analysts are restricted to data in the system on an “as-needed” basis.

What is a client?

A client acts as a container for all data relating to that client. Such data might include:

  • Background information about the client

  • Client contact information (i.e. basic CRM functionality)

  • Opportunities relating to a client (including scopes, financial details and statements of work)

  • Projects relating to a client (including their findings, reports, etc.)

The client acts as a central view of all of the data relating to a given client.

What is an opportunity?

An opportunity is part of the pre-sales activities which many pentest and security assessment teams manage. The opportunity is used to capture the request for an assessment, and can be expanded on through the addition of one or more phase scopes. Phase scopes can in turn be used to generate statements of work - which are effectively the agreement between the pentest or assessment team and its clients.

What is a phase scope?

A phase scope is a simple form and Q&A based component for capturing information about a potential engagement. Questionnaire templates can be used to help drive the information gathering activities, and these can also be tailored on a per-engagement basis. Phase scopes can be used to build statements of work.

What is a statement of work?

A statement of work (SoW) is a document issued to clients that states the background and activities agreed for delivery purposes. It can also include financial information about projects, if required. Once an SoW has been approved, it can be used to provision a corresponding project. SoWs can be defined as flexibly as required by the user via SoW templates.

What are projects and phases?

A project is a container for one or more phases. The project acts as a top-level container for phases, findings, assets, examples and more. It can be used for once off engagements or as a way of tracking longer running engagements (e.g. regular test and iterative based testing).

The phase is where most of the actual work occurs, pre-report. Findings, assets and methodologies can all be worked on at the phase level. Once the phase, or phases, are complete, you can then create a report from the phases. A report can consist of one or multiple phases, which can also include re-test phases.

What is a finding?

Findings are where the majority of the test results are stored. This can include descriptions of the issue, evidence, recommendations and reference information. This is the core information stored by Canopy to help produce detailed reports. Findings can also be tracked by status (e.g. open, fixed), which can help with re-testing. Many other detailed fields are available on a finding, such as CVSS2 and CVSS3 fields, risk rating and many more. It is even possible to add custom fields via the administration interface. The extensive base finding structure and the custom fields help make findings a powerful way of dealing with many different types of assessments, ranging from a typical web application assessment to an ISO27001 gap analysis.

Additional details can be associated with findings, including:


An asset is a generic identifier, which can be a URL, IP, or even a file or binary reference ID. The asset relationship on a finding is used to track what asset a finding applies to. It’s possible to view findings per asset also, which can help show the distribution of findings across different targets.


These are used to capture one or more examples of evidence from the assessment. This can include request/response data from a typical attack proxy (e.g. Burp scanner data), images, long explanations of access control issues used, text and images and so on.

References and taxonomies

These are used for adding references to a finding. Taxonomies are special, reusable references. Canopy will include canned taxonomies within the 3.0 FINAL release (including ASVSv3).


It is possible to link a finding to a methodology item, which is useful for tracking progress on a methodology followed by your company (e.g. a web testing methodology, such as the OWASP Test Methodology).

Port scan data is associated with the asset. It is considered lower level information than the finding itself. In Canopy 3.0, port scan data is imported from nmap only.

What are methodologies?

Methodologies are advanced checklists used to aid testers in tracking progress against a defined standard. This is a typical approach used by teams to help ensure a minimum baseline of testing occurs. It is possible to link methodologies and the knowledge base, along with findings, to help users write reports from the methodology - or automatically complete the methodology from the findings.

What is the knowledge base?

The knowledge base (KB) is where common, reusable finding write-ups are stored. For example, a typical write up might relate to SQL injection. Once an entry exists for SQL injection and has been approved, other users of the system can use it on engagements. This provides a very quick way of adding quality content to a phase, saving the user time in writing up the standard SQL injection finding, leaving them time to focus on exploring the issue. KB findings can also be linked to methodologies and tool importers.

What is a report template?

A report template is the matching form inside of Canopy to the Word templates used to generate reports. The report template allows users to store canned content (e.g. a default executive summary write up). Again, the focus is on creating as much reusable content as possible, whilst providing a standard structure for users to follow - this helps prevent corruption of company document templates, by providing users with a web-based solution. Report templates have a corresponding Word document, which is mapped using CheckSec’s Template Builder. Once a report template has been created, it can be enabled and made accessible by other users.

What is a statement of work template?

A SoW template is a document-based form used to create a common structure and reusable content for SoWs created and generated from the system. The SoW template structure is then mapped to a corresponding Word template, and is used to create SoW documents for issuing to customers. Once a SoW template has been created, it can be enabled and made accessible to other users.

And the other templates?

The other templates in the system are:


For storing pricing information for use within SoWs.


For building custom taxonomies in order to reference specific information against findings. For example, one might use the ASVSv3 standard for reference purposes, or a customer’s secure coding standard; these could be used to pull stats from the system and (eventually) add those stats to pentest reports and periodic analytics reports.


For building methodologies (e.g. OWASP Testing Methodology v4).

What are tool importers?

The tool importers take data from a given source (e.g. Burp, Nessus, Qualys), parses it and imports it into a defined Canopy structure. This helps normalise the data from multiple tools into a common data structure. Tool importers are shipped with Canopy, although users are free to extend, overwrite or create importers for their own needs.

For information on supported tools see Supported tools.