
Why I Built SecPortal

February 2026 · Mert Satilmaz

Every security team I have worked with, whether delivering assessments to clients or managing risk internally, runs into the same operational bottleneck. Findings live in spreadsheets. Reports are assembled manually in Word documents. Remediation is tracked over email or in Jira tickets that were never designed for security workflows. Compliance evidence is scattered across SharePoint folders that nobody maintains. There is no single system connecting the full lifecycle from finding to fix to proof.

This is not a minor inconvenience. It is a structural failure that consumes hours of engineering time every week on work that should not require engineering time at all. I built SecPortal because the platform I needed did not exist.

The spreadsheet problem

Spreadsheets are the default tool for security data. Vulnerability findings go into Excel. Compliance controls go into Excel. Assessment results go into Excel. Risk registers go into Excel. This happens not because spreadsheets are good at any of these things, but because every alternative is either too expensive, too rigid, or too focused on a single domain.

The result is data that is fragile, disconnected, and impossible to operate on at scale. Sorting a spreadsheet of 500 findings by CVSS score is not vulnerability management. It is data entry. Copying findings from a spreadsheet into a Word template to produce a report is not report generation. It is manual labor that a machine should handle.

I have personally spent hundreds of hours doing this work. After the third time I rebuilt the same Excel-to-Word pipeline for a different client, I decided to build the system that eliminates it entirely.

What SecPortal does

SecPortal is a security workflow management platform that covers the full lifecycle: vulnerability management, compliance control tracking, incident response, security reviews, and assessments. The core workflow is: log findings (with auto-calculated CVSS 3.1 scores), generate reports, deliver them through branded portals, track remediation, and map everything to compliance frameworks like ISO 27001, SOC 2, and Cyber Essentials.

For consultancies, this means: conduct an assessment, log findings in SecPortal, generate a branded PDF report with one click, share it with the client through a white-labelled portal, and track remediation as the client fixes issues. The entire engagement lifecycle is managed in one place.

For internal security teams, this means: manage findings across segregated business units, track compliance controls, handle incidents, and generate evidence for audits without maintaining parallel spreadsheets for each domain.

The platform integrates with Nessus, Burp Suite, and CSV imports for finding ingestion, and includes 300+ pre-built finding and control templates so teams do not start from scratch.

Why TypeScript

SecPortal is built in TypeScript, full stack. The frontend, backend, and infrastructure automation all use the same language. This was a deliberate choice.

A single-language stack reduces context switching, simplifies hiring, and allows shared type definitions between frontend and backend. For a product that handles structured security data (findings with CVSS vectors, compliance controls with framework mappings, assessment timelines with remediation states), type safety across the entire stack catches entire categories of bugs at compile time that would otherwise surface as runtime errors in production.

Coming from C++ and Python, TypeScript felt like a natural middle ground: stronger type guarantees than Python, faster development iteration than C++, and first-class support for the async I/O patterns that a web application requires. The ecosystem for building SaaS products in TypeScript is mature, well-documented, and moves fast.
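The type-safety argument above, applied to one of the data types it names. This is an added example, not SecPortal's code: it validates an untrusted CVSS 3.1 vector string into a typed object and computes the base score from the weights and formula in the CVSS v3.1 specification. All names (`W`, `CvssV31`, `parseCvss`, `baseScore`) are assumptions made for the illustration.

```typescript
// Added example: names are illustrative, not SecPortal's actual code.
// Allowed values per base metric, with weights from the CVSS v3.1 specification.
const W = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 },
  PR: { N: 0.85, L: 0.62, H: 0.27 }, // L and H are raised when Scope is Changed
  UI: { N: 0.85, R: 0.62 },
  S: { U: 0, C: 1 }, // numbers unused; the keys define the allowed values
  C: { H: 0.56, L: 0.22, N: 0 },
  I: { H: 0.56, L: 0.22, N: 0 },
  A: { H: 0.56, L: 0.22, N: 0 },
} as const;
type Metric = keyof typeof W;
// Shared type: each metric can only hold one of its own literal values.
type CvssV31 = { [M in Metric]: keyof (typeof W)[M] };
const own = (o: object, k: string): boolean => Object.prototype.hasOwnProperty.call(o, k);

// Validate an untrusted vector string (scanner export, CSV row) into the typed form.
function parseCvss(vector: string): CvssV31 {
  const [prefix, ...parts] = vector.split("/");
  if (prefix !== "CVSS:3.1" || parts.length !== 8) throw new Error("not a CVSS 3.1 base vector");
  const out: Record<string, string> = Object.create(null);
  for (const part of parts) {
    const [m, v, extra] = part.split(":");
    // Own-property checks so "constructor" or "__proto__" never pass as a metric or value.
    if (typeof m !== "string" || typeof v !== "string" || extra !== undefined ||
        !own(W, m) || !own(W[m as Metric], v) || m in out) {
      throw new Error(`invalid or duplicate metric "${part}"`);
    }
    out[m] = v;
  }
  return out as unknown as CvssV31;
}

// Roundup as defined in CVSS v3.1 Appendix A (avoids floating-point drift).
function roundUp(x: number): number {
  const i = Math.round(x * 100000);
  return i % 10000 === 0 ? i / 100000 : (Math.floor(i / 10000) + 1) / 10;
}

// Accepts only the validated type, so a raw string cannot reach the scorer.
function baseScore(v: CvssV31): number {
  const changed = v.S === "C";
  const pr = changed && v.PR !== "N" ? (v.PR === "L" ? 0.68 : 0.5) : W.PR[v.PR];
  const iss = 1 - (1 - W.C[v.C]) * (1 - W.I[v.I]) * (1 - W.A[v.A]);
  const impact = changed ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15) : 6.42 * iss;
  if (impact <= 0) return 0;
  const sum = impact + 8.22 * W.AV[v.AV] * W.AC[v.AC] * pr * W.UI[v.UI];
  return roundUp(Math.min(changed ? 1.08 * sum : sum, 10));
}
```

`baseScore(parseCvss("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"))` returns 9.8, while passing a raw string to `baseScore` fails at compile time.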

AI as a workflow accelerator, not a gimmick

SecPortal uses AI for specific, bounded tasks where automation saves significant time: generating finding descriptions from scan data, drafting report sections from finding metadata, suggesting CVSS scores based on finding context, and building remediation roadmaps from compliance gap analysis. AI handles the repetitive analytical work. The security professional reviews, edits, and approves.

I deliberately avoided using AI as a marketing gimmick. There is no "AI security analyst" chatbot. There is no "autonomous assessment" feature. AI in SecPortal does exactly what it is good at (processing structured data and generating draft text) and stays out of decisions that require human judgment (severity overrides, risk acceptance, remediation prioritization in context).

The pattern behind the product

Building SecPortal followed the same pattern as every other tool I have built in my career. In quantitative trading, when the execution platform did not do what I needed, I built custom order management and market-making systems in C++. In security, when the vulnerability triage process did not scale, I built an automated pipeline in C++ and Python. When the assessment and compliance workflow was drowning in spreadsheets, I built SecPortal in TypeScript.

The common thread is not the technology. It is the approach: identify an operational bottleneck that existing tools do not solve, then engineer a system that eliminates it. Security is full of these bottlenecks. Most of them persist not because they are technically hard, but because the people experiencing them do not have the engineering skills to build the solution, and the people with the engineering skills are not working in security.

I happen to sit at that intersection. SecPortal is what comes out of it.