Onboarding
After your Nullify tenant is provisioned, complete the onboarding flow to connect your codebases, integrations, and cloud accounts, and to configure how Nullify understands your business context.
Onboarding Flow
The onboarding wizard guides you through configuration in 10 steps. Each section teaches Nullify about your environment so it can triage findings, validate exploitability, and route work to the right teams.
1. Welcome

Start the onboarding process. Onboarding takes less than an hour for most organizations.
2. Connect Codebases

Connect Nullify to your source control:
GitHub - Install the Nullify GitHub App
Bitbucket - Install the Nullify Bitbucket App
GitLab - Connect via OAuth
Nullify needs repository access to review code, open pull requests, and map ownership from CODEOWNERS files.
3. Connect Workflow Tools

Connect collaboration and assignment tools:
Jira - Auto-assign tickets, track remediation, create issues
Compass - Map services to teams for improved ownership
Slack - Send notifications, escalate findings, collaborate on triage
Microsoft Teams - Alternative to Slack for notifications
These integrations let Nullify work in tools your team already uses. No separate dashboard required.
4. Integrate Cloud (AWS Setup)

Configure cloud access for continuous audits. Nullify provides CloudFormation templates with least-privilege IAM roles.
Copy the External ID, Nullify Role ARN, S3 Bucket name, and KMS Key ARN to use in your AWS account.
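A check you can run on the cross-account role after deploying it, as an added example (not Nullify's CloudFormation template or code). It assumes the role in your account trusts the Nullify Role ARN and requires the External ID from the wizard; the ARN and ID below are constructed placeholders.

```python
import json

# Constructed placeholders: substitute the values the onboarding wizard shows.
NULLIFY_ROLE_ARN = "arn:aws:iam::111111111111:role/EXAMPLE-nullify-role"
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"

def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _external_ids(statement):
    """Values required by a StringEquals condition on sts:ExternalId."""
    equals = statement.get("Condition", {}).get("StringEquals", {})
    for key, value in equals.items():
        if key.lower() == "sts:externalid":  # condition keys are case-insensitive
            return _as_list(value)
    return []

def audit_trust_policy(policy, expected_principal, expected_external_id):
    """Return a list of problems in a role trust policy (empty list = pass)."""
    problems = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principals = [p for v in principal.values() for p in _as_list(v)]
        else:
            principals = _as_list(principal)  # covers the bare "*" form
        for p in principals:
            if p != expected_principal:
                problems.append(f"statement {i}: unexpected principal {p!r}")
        if _external_ids(stmt) != [expected_external_id]:
            problems.append(f"statement {i}: sts:ExternalId is not pinned")
    return problems

# Constructed sample of a trust policy as exported from IAM.
SAMPLE = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111111111111:role/EXAMPLE-nullify-role"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
""")

if __name__ == "__main__":
    print(audit_trust_policy(SAMPLE, NULLIFY_ROLE_ARN, EXTERNAL_ID) or "trust policy OK")
```

A role that passes can be assumed only by the expected principal and only when the caller presents the External ID, which is the standard mitigation for the confused-deputy problem in cross-account access.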
5. Integrate Cloud (Add Accounts)

Add AWS account IDs (a single 12-digit ID or a comma-separated list of IDs) to enable cloud audits across your infrastructure.
Nullify continuously monitors deployed resources for misconfigurations and maps findings back to repositories.
6. Bug Bounty Program

Configure bug bounty program integration:
HackerOne - Import vulnerability disclosures
BugCrowd - Sync external findings
Website URL - Link to your bounty program
Document Based - Upload scope documents
No Program - Skip if not applicable
Nullify correlates external bug bounty findings with internal code reviews and pentests.
7. Configure Asset Scope

Define attack surface monitoring scope:
In-Scope Assets - Domains, IPs, and CIDR ranges Nullify should monitor
Excluded Assets - Assets to ignore (third-party services, partner networks)
Nullify uses this for attack surface discovery, continuous monitoring, and vulnerability assessment prioritization.
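A pre-submission check on the two scope lists, as an added example (not Nullify code). It flags every in-scope entry that overlaps an excluded one so the conflict can be resolved by hand; how the platform itself resolves overlaps, and whether a domain entry covers its subdomains, are not stated on this page, so the code only reports. The sample entries are constructed.

```python
import ipaddress

def _classify(entry):
    """Return ('net', ip_network) for IPs/CIDRs, else ('domain', name)."""
    text = entry.strip()
    try:
        return "net", ipaddress.ip_network(text, strict=False)
    except ValueError:
        return "domain", text.lower().rstrip(".")

def _overlap(a, b):
    kind_a, val_a = _classify(a)
    kind_b, val_b = _classify(b)
    if kind_a != kind_b:
        return False
    if kind_a == "net":
        return val_a.version == val_b.version and val_a.overlaps(val_b)
    # Domains: equal, or one is a subdomain of the other.
    return (val_a == val_b or val_a.endswith("." + val_b)
            or val_b.endswith("." + val_a))

def scope_conflicts(in_scope, excluded):
    """List (in_scope_entry, excluded_entry) pairs that cover the same asset."""
    return [(i, e) for i in in_scope for e in excluded if _overlap(i, e)]

# Constructed sample lists using documentation-reserved ranges and names.
IN_SCOPE = ["203.0.113.0/24", "example.com", "198.51.100.7"]
EXCLUDED = ["203.0.113.128/25", "cdn.example.com", "192.0.2.0/24"]

if __name__ == "__main__":
    for pair in scope_conflicts(IN_SCOPE, EXCLUDED):
        print("review before submitting: %s overlaps excluded %s" % pair)
```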
8. Configure Credentials

Add authentication credentials for deeper pentesting:
Test credentials for comprehensive authenticated testing
Service account credentials for API testing
Admin/user credentials for authorization testing
Nullify validates that the credentials have not been leaked and uses them for authenticated vulnerability validation.
9. Configure Applications

Set up applications for continuous pentesting:
Add application names and URLs
Associate user credentials for authenticated testing
Define which apps receive continuous penetration testing
Nullify pentests these applications continuously, replaying authenticated flows and chaining exploits.
10. Set SLAs

Define remediation timelines by severity:
Urgent - Immediate attention (e.g., 7 days)
High - Critical issues (e.g., 21 days)
International - Compliance-driven timelines (e.g., 60 days)
Nullify uses these SLAs to prioritize work and escalate overdue findings.
11. Memory Vault

Upload organizational context documents:
Architecture diagrams
Incident reports
Penetration test reports
Vulnerability management documentation
Nullify learns from these documents to better understand your risk profile and prioritize findings.
12-17. Onboarding Questionnaire
Nullify asks about your organization to understand business context:
General Information
Company name
Core products and services
Sensitive Data Types
PII, PHI, Payment Information, Financial Information, Trade Secrets, Government Data
Custom data classifications
Compliance Requirements
PCI DSS, HIPAA, SOC1, GDPR, CCPA, DORA, FISMA
Custom compliance frameworks
Impact Scenarios
Sensitive Data Leaked, Data Loss/Deletion, Tampered Data, System Interruption
Compromised User Accounts, Unintended User Behavior
Threat Actors
State Actors, Hacktivists, Insider Threats
Custom threat profiles
Additional Context
Any other information Nullify should know about your application security posture
18. Review and Submit

Review all configuration before submitting. Once submitted, Nullify's AI agent begins processing your environment.
19. Onboarding Complete

Nullify is now learning your environment. The platform will:
Index repositories and build context
Map team ownership from CODEOWNERS and service metadata
Begin continuous code reviews on new commits
Start cloud audits of deployed resources
Initialize threat intelligence monitoring
You can edit the onboarding questionnaire anytime to refine Nullify's understanding.
What Happens Next
After onboarding, Nullify operates autonomously:
Context Collection - Nullify builds a knowledge graph of your services, dependencies, infrastructure, and teams
Continuous Assessment - Code reviews run on every commit, cloud audits monitor infrastructure changes, pentests validate findings
Triage & Validation - Findings are ranked by exploitability with evidence, not just theoretical risk
Remediation - Nullify drafts fixes, opens PRs, and merges when appropriate
Learning - Every interaction refines Nullify's understanding of your risk tolerance and business priorities
All work happens in GitHub, Bitbucket, Jira, Slack, and AWS. No separate dashboard required.
Need Help?
Reach out to your Nullify customer success manager
Email [email protected]
See Install for tenant provisioning details

