Posture Shares
Share a read-only, password-protected view of your security posture with an auditor, a customer, or an investor. Create the link, choose how much detail the recipient sees, and keep the access log.
A customer security review, an investor's due diligence, an auditor who wants to see your posture rather than receive another PDF. These requests all end the same way: someone outside your company needs to look at your security numbers, and giving them portal access is out of the question.
A Posture Share solves this with a password-protected, read-only link to your aggregated posture: risk score, compliance summary, and asset coverage, rendered in the recipient's language. Each link is independent, with its own purpose, password, expiration, and access log. The recipient sees a curated report; they never touch your portal, your raw findings, or your evidence.
WASViking® cannot recover a link's token or password after creation (one-way hash with argon2id, by design). That is a feature: if the original leaks, whoever holds it without the password holds nothing, and you can re-emit a fresh URL at any time while the old one dies automatically.
Where this helps in the day to day
- A customer's vendor questionnaire. Instead of filling the same spreadsheet every quarter, send a link that answers the recurring questions with live numbers.
- A sales conversation gets serious. When the prospect's security team enters the room, a scoped link with minimal detail shows maturity without exposing recon-sensitive data.
- Investor or M&A diligence. A time-limited, view-capped link gives the data room what it needs and expires when the process ends.
- The auditor handoff. Pair a Posture Share (the live view) with an SBOM Evidence Bundle (the signed artifact) and the audit request is answered end to end.
What the recipient sees and, just as important, what they never see (raw HTTP evidence, other targets, your audit log) is detailed in Posture Shares.
Pre-requisites
| Requirement | Detail |
|---|---|
| Posture data | Completed scans on the domain you intend to share, so the report has numbers to show. |
| Portal access | A role that can manage Posture & Compliance, such as Admin. |
| A second channel to the recipient | Phone, SMS, or a separate mailbox for the password. The password never travels with the URL. |
Step 1: Open the Posture Shares page
In the portal, go to Posture & Compliance → Posture Shares
(/portal/posture/shares/).
The table lists every link with its purpose, who created it, when it expires, how many views it served, failed password attempts, and its status. You can search by purpose and filter by status, which matters once different teams start issuing links for different audiences.
Posture & Compliance → Posture Shares.
One rule to know before you start: if a recipient loses a link or the password, there is nothing to "recover". Open the link's Details page and use Re-emit to generate a fresh URL and password; the old link is revoked automatically in the same action.
Step 2: Create the share link
Click + New share link and fill the form:
| Field | What to enter |
|---|---|
| Domain scope | Whole organization (all domains) for a company-level view, or a specific domain to scope the report to one product. The report is restricted to that domain and its subdomains, and the scope is immutable after creation. |
| Purpose | An internal description, for example Enterprise customer vendor questionnaire, Q2 2026. Never shown to recipients; it is how you will find this link in the table a year from now. |
| Password + confirm | Minimum 12 characters with at least 3 of: lowercase, uppercase, digit, symbol. A passphrase with 4 or more distinct words also works. |
| Expiration | How long the link lives. 7 days is the recommended default; match it to the engagement, not longer. |
| Maximum views (optional) | A hard cap on total accesses. The link auto-revokes when reached. Useful for diligence processes with a known audience size. |
| Report language | Renders the share page and PDF in this language. Pick the recipient's language, not your own. |
| Auto-update with new snapshots (live mode) | Checked, the link always serves the latest published snapshot, so an ongoing customer or auditor relationship never needs a reissue. Unchecked, the link is pinned to the current snapshot version, which is what you want for time-stamped audit evidence. |
Then choose the exposure level, which controls how much detail the recipient sees:
| Level | Shows | Right for |
|---|---|---|
| Minimal | Score, compliance, and asset coverage only. | Cold prospects, when you do not want to expose severity counts. |
| Standard (recommended) | Adds severity counts and issue categories with open/closed counts and oldest open age. | Vendor security questionnaires, audit evidence, mid-relationship clients. Equivalent to mature SaaS Trust Center disclosures. |
| Detailed | Adds trends, MTTR, and SLA percentages. Charts populate after about 30 days of snapshots. | Ongoing customer relationships and post-incident communication. |
The optional alerts keep you informed without watching the table: notify on first view, on access from outside your country, on more than 10 accesses in 24 hours, and if the link auto-revokes after repeated wrong passwords (this last one comes enabled).
Click Generate link. The password is shown only once after creation; copy it before leaving the screen.
The password appears once, right after creation.
Step 3: Deliver the link and the password separately
Send the URL through your normal channel and the password through a different one: a call, SMS, or a separate mailbox. If the email carrying the link is ever forwarded beyond your contact, the link alone opens nothing.
The recipient lands on a minimal page that asks only for the password. After entering it, they get the read-only posture report in the language you chose. Nothing is cached on their device and there is nothing to download unless you shared the PDF rendering.
What your recipient sees: view only, nothing cached.
Step 4: Track, re-emit, revoke
Back on the table, each link tells its own story:
- Views counts successful accesses; Failed counts wrong password attempts. A failed count climbing on a link that should be private is your early signal, and the brute-force alert revokes and notifies on its own.
- Expires and the optional view cap end the link without any action from you.
- Re-emit (on the link's Details page) answers the "the auditor lost the email" case: new URL, new password, old link revoked, one action.
- Every access is logged on both sides, so when your own audit asks who saw your posture last year, the answer is in the table and in the audit log.
Treat one link per audience as the habit: the purpose field, the password, and the access log stay meaningful when a link maps to one relationship.
Automating it
Posture Shares are also manageable over the REST API (create, list, revoke, and audit endpoints), which suits teams that issue a link per customer as part of an onboarding or renewal workflow. The endpoints and payloads are documented in Posture Shares, and share access events are available as webhook events for your own systems.
Where next
- The signed counterpart for component-level evidence: SBOM Evidence Bundles.
- What feeds the compliance summary on the report: Framework mapping.
- The full recipient-visibility contract and operator controls: Posture Shares.
