WASViking Docs

Posture Shares

Prove your security posture to a third party without giving them portal access.

A Posture Share is a tokenized, password-protected, time-limited snapshot of your WASViking® security posture, accessible at posture.wasviking.com. The pattern is the same as the SBOM Evidence Bundle: zero-knowledge share, bilateral audit log, revocable any time.

What recipients see

A Posture Share renders a curated, read-only subset of the portal:

  • Cyber Risk dashboard for the window covered.
  • KPIs: open findings by severity, Risk Score trend, SLA breach count.
  • Compliance summary for the primary catalog.
  • Asset inventory summary.
  • Optional: SBOM Evidence Bundle link.

Recipients do not see:

  • Targets they did not consent to view (operator chooses scope).
  • Raw HTTP evidence (unless the share is configured to include it).
  • Audit log of internal operator actions.
  • Anything outside the snapshot's organization.

How sharing works

  1. Operator scopes the share. Pick which targets, which window, which sections to include.
  2. WASViking builds the snapshot. Point-in-time rebuild, signed.
  3. Operator gets share URL + password. Each delivered out of band.
  4. Recipient lands on posture.wasviking.com/s/<code>. Password prompt before any data renders.
  5. Bilateral audit log records every access.

Operator controls

Action     Effect
Rebuild    Refresh the snapshot to a newer point in time, same share code.
Revoke     Immediately kill the share. Cannot be undone.
Extend     Push the expiry forward.
Re-issue   Generate a new password (and optionally a new code).

All four actions emit audit events visible to both the operator and the share recipient.

When to use a Posture Share

  • Sales motion. A prospect's security team asks "show us your posture." A Posture Share is faster than a SOC 2 report attempt and fresher than a stale PDF.
  • Vendor due diligence. Same use case, opposite direction; respond to a vendor questionnaire with a live snapshot.
  • Investor diligence. Demonstrate operational security maturity without exposing the operating console.
  • Auditor handoff. Pair with the SBOM Evidence Bundle for the full-coverage audit package.

When NOT to use it

  • For deep operator collaboration. Add the operator as a Read-only user in your org instead; they get the live portal, scoped by RBAC.
  • For high-frequency status updates to a team you already trust. Use a webhook into their Slack instead.

API

Method   Path                                Scope
POST     /v1/posture/shares                  evidence.share
GET      /v1/posture/shares                  posture:read
POST     /v1/posture/shares/{id}/revoke      evidence.share
POST     /v1/posture/shares/{id}/rebuild     evidence.share
GET      /v1/posture/shares/{id}/audit       audit_logs:read

Issue a share:

curl -sS https://api.wasviking.com/v1/posture/shares \
  -H "Authorization: ApiKey ${KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "window_days": 30,
    "scope": ["dashboard", "compliance"],
    "expires_in_days": 14,
    "description": "Customer XYZ Q2 due diligence"
  }'

Response:

{
  "id": "share_a91c",
  "share_url": "https://posture.wasviking.com/s/a91c8e44",
  "password": "T7HF-J9MP-2K3V-XYZ5",
  "expires_at": "2026-06-05T00:00:00Z"
}
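The issue step and the out-of-band delivery described above, as an added example rather than WASViking's own client: it validates the documented request fields (expiry capped at 90 days), POSTs with the ApiKey header, and splits the response into a URL envelope and a password envelope so the two secrets never ride the same channel. The `transport` hook and the `demo()` helper are assumptions introduced so the code runs offline against the documented sample response.

```python
import json
import urllib.request

API = "https://api.wasviking.com/v1/posture/shares"
MAX_EXPIRY_DAYS = 90  # documented per-share ceiling; default is 14


def build_request(window_days, scope, description, expires_in_days=14):
    """Validate operator inputs and build the body POST /v1/posture/shares expects."""
    if window_days < 1:
        raise ValueError("window_days must be >= 1")
    if not 1 <= expires_in_days <= MAX_EXPIRY_DAYS:
        raise ValueError(f"expires_in_days must be 1..{MAX_EXPIRY_DAYS}")
    if not scope:
        raise ValueError("scope must name at least one section")
    return {"window_days": window_days, "scope": list(scope),
            "expires_in_days": expires_in_days, "description": description}


def http_transport(api_key, body):
    """Real transport (needs network): POST the JSON body with the ApiKey header."""
    req = urllib.request.Request(
        API, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"ApiKey {api_key}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def issue_share(api_key, body, transport=http_transport):
    """Issue the share and return two envelopes so the URL and the password
    never travel on the same channel (transport is a hypothetical hook)."""
    resp = transport(api_key, body)
    url_envelope = {"channel": "email", "share_id": resp["id"],
                    "share_url": resp["share_url"], "expires_at": resp["expires_at"]}
    secret_envelope = {"channel": "phone_or_signal", "share_id": resp["id"],
                       "password": resp["password"]}
    return url_envelope, secret_envelope


# Constructed sample response (the documented example) so the flow runs offline.
SAMPLE_RESPONSE = {"id": "share_a91c", "password": "T7HF-J9MP-2K3V-XYZ5",
                   "share_url": "https://posture.wasviking.com/s/a91c8e44",
                   "expires_at": "2026-06-05T00:00:00Z"}


def demo():
    """Offline run: documented request body, then split the sample response."""
    body = build_request(30, ["dashboard", "compliance"], "Customer XYZ Q2 due diligence")
    return issue_share("placeholder-key", body, transport=lambda key, b: SAMPLE_RESPONSE)
```

Hand `url_envelope` to the email step and `secret_envelope` to the phone or Signal step; neither envelope alone is enough to open the share.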

Security properties

  • Tokenized. Share code is opaque, not enumerable.
  • Password-gated. Independent secret; both required.
  • Time-limited. Default expiry 14 days, configurable per share up to 90.
  • Revocable. One-click revoke; effect is immediate.
  • Bilateral audit. Both operator and recipient see who accessed what and when.
  • Rate-limited at the edge. The public posture endpoint is gated by the Cloudflare edge against enumeration and credential stuffing, not by the application.

What the recipient gets in their email

WASViking does not auto-email the recipient. The operator delivers the URL and the password through whatever channel matches the sensitivity of the share (typically the URL by email and the password by phone or Signal). This is deliberate: automatically emailing the link would train recipients to click links in unexpected email, the very habit that phishing exploits.