Lupasafe Security Platform
A product of Skopos Security Labs B.V.
Product description
Date November 2025
Document
Version | Date | Update |
1.5 | November 2025 | Continuous phishing, Autotask integration, branding |
1.4 | September 2025 | Compliance reports & -roles, Google integration, reporting |
1.3 | April 2025 | DMARC report, multi-tenant |
1.2 | February 2025 | Single Sign On |
1.1 | November 2024 | E-learning |
1.0 | January 2024 | Overall layout |
Contents
H2 Domain & IP (router) scanning
H4 Employee Awareness & Role Appointment (for Compliance)
H6 Microsoft 365 Cloud Audit & CIS level 1 controls
H10 Compliance reporting (ISO27001/NIS-2)
H11 Lupasafe Multi-Tenant Environment
H13 Whitelabeling and Branding
H1 Breached data
Objective
Lupasafe monitors for compromised data to alert companies. We do not inform employees directly. Our database contains over 20 billion records of breached data and is stored in Limburg (Germany).
Process
We actively search the dark web, torrents, PasteBin, and Telegram groups to identify new breaches. You can expect Lupasafe to find and ingest the largest breach files available. The search on the dark web is based on the client domain name and their email addresses.
Data
Data is sourced from two components: (1) Breached data and (2) Have I Been Pwned. Using resources like "Have I Been Pwned" (HIBP) we check for any employee data breaches using your company domain and email address. HIBP is based in Australia but confirms that it does not store any data (reference). Lupasafe does not store the full password for privacy and security reasons.
Frequency
Tests are performed directly after a domain is added in the portal or when employees have been added, either manually or via import. After this the check is repeated every 7 weekdays.
Results
On average Lupasafe finds compromised data for about one-third of employees, but for some companies this can be zero. The report includes password strength, a masked version of the exposed password, its length, exposure frequency and the affected employee. For HIBP we show the breach name, types of data breached, HIBP severity code and the year. No PII data is shown. This enables companies to notify affected employees, enforce password resets, and evaluate breach response strategies.
Regulation
Lupasafe operates within GDPR regulations. Our legal team have formulated a legal basis for Lupasafe to responsibly hold this sensitive data within GDPR regulations. In the dashboard no personally identifiable information (PII) is presented. PII data is only visible in the portal, which is restricted by admin access and 2FA (for supervisors). Lupasafe does not buy data from criminals.
Read more about breached data.
H2 Domain & IP (router) scanning
Objective
Lupasafe conducts a set of scans on domains and IP addresses to uncover vulnerabilities and weaknesses, thereby safeguarding against automated scans searching for online vulnerabilities. The platform also tests for domain name abuse that could potentially indicate phishing attempts by bad actors.
Process
The scanning feature performs a list of tests against domains and IP addresses. Domains allow different tests than IP addresses. On domains the platform tests for web application vulnerabilities, email security, security headers, SSL security and domain squatting. For each domain the hosting provider is shown and a screenshot is made.
On all assets the platform performs port scans on all associated services from port 1 to 65535. Fingerprinting is then performed to assess the software and version of each service. Finally, the fingerprint data is fed to the risk engine to find vulnerabilities and exploits possible on this service.
To help users identify their online assets, the platform offers a DNS Lookup function. The DNS lookup suggests additional subdomains for scrutiny. This is not a complete list, as subdomains could be hidden.
After the domain name has been submitted, the platform scouts and alerts users to instances where domains resembling theirs are registered online, which may be exploited for phishing and impersonation. The sensitivity can be set by the user.
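The lookalike check with a user-set sensitivity can be sketched as follows. This is an added example, not Lupasafe's code: it assumes sensitivity maps to a maximum edit distance, uses a small hand-picked confusables table, and takes the label left of the TLD as the registrable name (no public suffix list). All domains are constructed.

```python
# Added illustration: flag registered domains that resemble a protected one.
# Assumptions: "sensitivity" == max edit distance; tiny confusables table.
CONFUSABLES = {"0": "o", "1": "l", "\u0430": "a", "\u0435": "e",
               "\u043e": "o", "\u0440": "p", "\u0441": "c"}  # digits, Cyrillic
MULTI = (("rn", "m"), ("vv", "w"))

# Constructed feed of registered domains (hypothetical input).
CANDIDATES = ["examplecorp.com", "examp1ecorp.com", "exampelcorp.com",
              "examplecorp.net", "examplecorps.com", "\u0435xamplecorp.com",
              "exmplcorp.com", "unrelated-shop.com"]


def registrable_label(domain):
    """Label left of the TLD; decodes punycode so IDN lookalikes compare."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # keep the raw label if it is not valid punycode
    return label


def skeleton(label):
    """Fold visually confusable characters onto one canonical form."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    for seq, repl in MULTI:
        folded = folded.replace(seq, repl)
    return folded


def osa_distance(a, b):
    """Edit distance counting an adjacent swap as one edit (typo model)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]


def find_lookalikes(own, candidates, max_distance=1):
    """Return (domain, distance, reason) for each candidate worth an alert."""
    own_norm = own.lower().rstrip(".")
    own_label = registrable_label(own_norm)
    own_skel = skeleton(own_label)
    hits = []
    for cand in candidates:
        if cand.lower().rstrip(".") == own_norm:
            continue  # the protected domain itself
        label = registrable_label(cand)
        if label == own_label:
            hits.append((cand, 0, "same name, other TLD"))
        elif skeleton(label) == own_skel:
            hits.append((cand, 0, "confusable characters"))
        else:
            dist = osa_distance(skeleton(label), own_skel)
            if dist <= max_distance:
                hits.append((cand, dist, "edit distance"))
    return hits


if __name__ == "__main__":
    for sensitivity in (1, 2):
        print(sensitivity, find_lookalikes("examplecorp.com", CANDIDATES, sensitivity))
```

Raising the distance threshold catches more distant variants at the cost of more false positives on short names, which is why a per-domain setting is useful.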
Data
For each domain name the platform reports the risk in terms of DKIM, DMARC, SPF, web application vulnerabilities, SSL/TLS and security header score. Users can drill down for details. Historical data is stored to make comparisons possible. Vulnerabilities are mentioned according to CVS.
Frequency
All scans are done directly after adding assets. After this initial action, domain scans are done once every week as they generate traffic. All scans are done weekly.
Results
Based on user preferences, email alerts are sent directly when Lupasafe identifies a vulnerability. All findings can be reviewed in the dashboard and relevant Compliance and Report sections. The detailed information is available on the portal.
Regulation
Scanning of domains requires a user action for consent. Different countries have different policies; the user should have the rights to perform the scans.
Read more about email security, security headers, websites.
H3 Employee Phishing
Objective
Lupasafe lets users conduct targeted and standard phishing tests on end-users. This can be done continuously or one-off. The objective is to help understand phishing risk and educate the end-user.
Process
The user adds employees to the platform and selects the type of test: custom or pre-defined. The platform offers a list of pre-defined phishing messages; these are updated frequently and categorized by topic and language. Under custom phishing the user can craft their own message along with a landing page. The user can also import a target website and use this, or a custom HTML page, for credential harvesting. A final page can show an educational video or explanation text. Each phishing email can be previewed and tested before submission. Lupasafe provides advice on how to get to a 100% inbox delivery of messages. Victims are shown a training video directly after the phish in the language of the browser. The phishing results are stored and presented to the user.
Data
Users can be added manually, imported, or synced via the Azure Active Directory (AAD) or Google Workspace integration. For AAD / Google Workspace only users that match the domain added to Lupasafe are synced. Lupasafe only syncs active licenses to avoid contamination of the results. Per employee a track record is kept of basic phishing metrics: sent, read, clicked. This allows for historical comparisons. Submissions to landing pages are not stored due to the custom nature of the work. Harvested credentials are not stored anywhere, in line with GDPR regulations.
Frequency
This depends on the user needs. Continuous phishing can be automated for up to a year. Administrators can configure the frequency (monthly, quarterly, six-monthly, or annually), select email templates, define target groups, and set a schedule using a 5-step wizard. The system automatically executes the tests according to the set schedule and automatically adds new employees to subsequent testing rounds. After each phase, results can be analyzed to monitor security awareness within the organization. The campaign runs for a predetermined period and contributes to improving the human firewall against cyberthreats.
Results
This depends on the configuration of inbound messages, text of the phishing email, time and volume and expertise of the user. The results are visible at a high level on the dashboard. Detailed records are visible in the portal itself.
Regulation
The user is responsible for gaining approval for a phishing test. Lupasafe assists in performing phishing in a safe and transparent manner. This ensures end-user trust and learning effect. Before each phishing test a checklist is shown covering elements like testing, management consent and transparency. All PII data handling follows GDPR laws. Lupasafe handles personal data securely and lawfully and ensures the data collection is only used for the purpose of providing a general overview of security risks among employees. In the dashboard no personally identifiable information (PII) is presented. PII data is only visible in the portal, which is restricted by admin access and 2FA (for supervisors).
Read more about Azure Active Directory, custom campaign, reports, delivery, whitelisting automation for 365.
H4 Employee Awareness & Role Appointment (for Compliance)
Objective
Lupasafe offers users standard cyber awareness training for end-users and for employees with specific roles, for example data protection officer, security officer and incident manager.
The trainings aim to educate employees on a set of relevant topics, for example:
- What is cybersecurity?
- Phishing and social engineering
- Passwords
- Privacy and social media
- Work from home
- Incident response
- GDPR regulations
New topics are continually added to the programme. The objective is to help understand security risks among employees in general and educate the end-user with feedback.
Process
Supervisors can schedule the e-learning modules for the entire year through an Opt-In feature, and new employees are automatically included through AAD integration.
The tests are available in seven languages (Dutch, English, Spanish, German, Italian, Polish, and French). After the test is sent out, employees can select a language. Employees can choose to review the course material first or go directly to the quiz. Each quiz contains 5 questions on the topic. After each question, employees receive feedback, and upon completing the test, they receive a score. Employees with low scores are required to watch a video on the topic. Scores are also sent to their inbox.
New employees are immediately included in the process and also receive the e-learning. The dashboard provides insight into individual learning needs by topic and for the organization as a whole.
Portal users can appoint employees to certain roles. This can be customized to meet the needs of the organisation. These appointed roles are used for Compliance reporting.
More information on defining roles can be found here: https://skoposlab.freshdesk.com/support/solutions/articles/47001279807-roles-in-lupasafe-for-compliance-iso27001-ens-nis2-
Data
The results of the awareness test are stored and presented to the user in the different reports. Each employee's track record is maintained, covering basic awareness metrics: sent, started, scored. This enables historical comparisons.
Frequency
This depends on the user needs. We recommend sending out a test once a month.
Results
All findings can be reviewed in the dashboard. The detailed information is available on the portal.
Compliance
All PII data processing complies with GDPR regulations. Lupasafe handles personal data securely and lawfully, ensuring data collection is only used to provide an overview of employees' security risks. The dashboard does not present personally identifiable information (PII). PII data is only visible in the portal, restricted by administrator access and 2FA (for supervisors).
Read more about Azure Active Directory and employee template emails.
H5 Endpoint compliance
Objective
Identify vulnerable computers in an organisation. The platform performs an analysis of the software and vulnerabilities on macOS, Linux and Windows, and of the presence of basic weak policies and patches on computers running Windows.
Process
The user deploys the endpoint manually or via central roll-out. The deployment can be done via an MSI file or executable and be executed via Intune, group policy (GPO) or manual installation. The endpoint connects over HTTPS via email address or API. After connection, the endpoint shares all available applications and, for Windows, also the policies and installed patches (KB files). The platform performs a risk assessment to identify vulnerable software based on CVEs and available exploits. Risks are reported via email and portal with CVSS and EPSS scores. After first submission two assessments are done: a rapid risk assessment on top vulnerabilities and an extensive one based on all known vulnerabilities.
Data
External risk data is ingested from NVD, Microsoft, CISA and ExploitDB. The portal stores and shows all end points, ports & services, software & versions of the network segments. Software vulnerabilities are classified based on the CVSS score and the EPSS score. Historical data is stored to make comparisons possible. Vulnerabilities are mentioned according to CVS. For each host settings and asset prioritisation can be set, asset tagging and warning level can be applied.
Frequency
On average an active endpoint will submit a delta of changes every two hours. After 30 days of inactivity of the endpoint software an asset is set to 'inactive' in the portal. The timing can be configured or this functionality can be disabled.
Results
Based on user preferences, email alerts are sent directly when Lupasafe identifies a vulnerability. All findings can be reviewed in the dashboard. The detailed information is available on the portal.
Regulation
No PII data is collected but users can decide to link assets to employees. This is pending agreements between employer and employee. The data can show who is using what software or apps. Especially with assets not owned by the firm this should be carefully investigated.
Read more about deploying endpoints.
H6 Microsoft 365 Cloud Audit & CIS level 1 controls
Objective
Provide users with insight into several key security indicators of the Microsoft 365 Cloud and relate these to the CIS level 1 controls.
Process
Users give consent to Lupasafe to connect to the Microsoft 365 Cloud API. Via a read-only connection the key policies are stored in Lupasafe.
Data
Lupasafe extracts data from the Microsoft 365 Cloud API via a read-only connection.
Frequency
Daily
Results
Key policies are analysed and shown via the Dashboard widget for deviations and in the Report and Compliance sections: the overall Secure Score as a percentage from 0-100%, and the implementation status of Admin MFA and User MFA. The platform also gives insight into the availability of legacy controls like IMAP and POP3. Under Reports a list of important controls based on CIS level 1 can be downloaded and visualized.
Regulation
No PII data is requested.
Read more about Microsoft 365 Cloud audit.
H7 Network scanner
Objective
Regular scanning of internal network segments for hosts and services to help identify vulnerabilities.
Process
The user deploys the network scanner on a local computer in the target network. The network interface should have access to the local network segment and be able to send the data to the Lupasafe server. The scanner will perform a daily scan using the co-installed Nmap software. The authorized scanner can be enabled and configured via the platform. After successful activation the scanner will identify hosts in the given range, excluding those marked for exclusion. On all hosts the scanner performs port scans on all associated services from port 1 to 65535. Fingerprinting is then performed to assess the software and version of each service. Finally, the complete set is fed to the risk engine to find vulnerabilities and exploits possible on this service.
Data
External risk data is ingested from NVD, Microsoft and CISA. The portal stores and shows all hosts, ports & services, software & versions of the network segments. Software vulnerabilities are classified based on the CVSS score and the EPSS score. Historical data is stored to make comparisons possible. Vulnerabilities are mentioned according to CVS. For each host settings and asset prioritisation can be set, asset tagging and warning level can be applied.
Frequency
The scanner runs every two hours.
Results
Based on user preferences, email alerts are sent directly when Lupasafe identifies a vulnerability. All findings can be reviewed in the dashboard and relevant Compliance and Report sections. The detailed information is available on the portal.
Regulation
The user should have permission from the owner of the network to scan.
Read more about the network scanner.
H8 Single Sign-On (SSO)
Objective
Provide users with a secure and simple way to access the Lupasafe platform without managing multiple passwords.
Process
The user configures Single Sign-On through the Lupasafe portal. The platform supports integration with identity providers such as Microsoft Entra ID (formerly Azure AD) and Google Workspace. Once SSO is enabled, users can log in using their business accounts. This reduces the risk of password-related security issues and simplifies access management. Users can manage access rights through their existing identity management platform, including multi-factor authentication and group policies.
Data
Lupasafe does not store passwords for SSO users. Authentication and authorization are handled by the identity provider. Activities and login attempts are logged and can be reviewed via the security dashboard in the portal. Users can set session time limits and enforce mandatory re-authentication.
Frequency
Authentication occurs at the start of each new session or according to the identity provider’s configured policy.
Results
Users experience faster and more secure logins without managing passwords. They retain control over access rights and security.
Compliance
SSO integrations comply with standards such as SAML 2.0 and OpenID Connect. Organizations remain responsible for correctly managing their identity provider and access rights.
H9 DMARC reporting
Objective
Provide organizations with comprehensive visibility into email authentication to protect their domain from spoofing, improve deliverability, and maintain brand trust.
Process
Users configure DMARC reporting through the Lupasafe portal. After selecting their domain in the "Domains" section, they access the "DKIM/DMARC/SPF Scan" area. The platform generates custom DMARC DNS records with unique reporting addresses. Users add or update these TXT records with their domain hosting provider, then verify the configuration within Lupasafe. Once active, mail servers across the internet send aggregate and forensic reports to Lupasafe, which processes and displays this data in a digestible format.
Data
DMARC reports contain authentication results from receiving mail servers, including SPF and DKIM verification outcomes, sending IP addresses, message volumes, and disposition actions (deliver, quarantine, reject). Lupasafe parses these reports, identifying legitimate senders versus potential abusers. The platform displays authentication trends, failure rates, and geographic distribution of sending servers. No actual email content is included in these reports, preserving privacy.
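The parsing step described above can be illustrated with a short aggregate-report summarizer. This is an added example, not Lupasafe's code: it assumes the RFC 7489 aggregate XML layout, a 5 MB size cap, and a constructed sample report using documentation IP ranges.

```python
# Added illustration: summarize one DMARC aggregate (RUA) report.
import gzip
import io
import xml.etree.ElementTree as ET
from collections import Counter

MAX_REPORT_BYTES = 5 * 1024 * 1024  # assumed cap against decompression bombs

# Constructed sample report (documentation IPs, example.com).
SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name>
    <report_id>constructed-001</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>80</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def load_report(blob: bytes) -> bytes:
    """Return XML bytes from a plain or gzip-compressed report, size-capped."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic bytes
        with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
            blob = fh.read(MAX_REPORT_BYTES + 1)
    if len(blob) > MAX_REPORT_BYTES:
        raise ValueError("report exceeds size cap")
    # Reports arrive from arbitrary mail servers: refuse DTDs so that no
    # entity definitions (and no entity expansion) reach the XML parser.
    if b"<!DOCTYPE" in blob or b"<!ENTITY" in blob:
        raise ValueError("DTD not allowed in DMARC report")
    return blob


def _text(node, path, default=""):
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else default


def summarize(xml_bytes: bytes) -> dict:
    """Volume-weighted SPF/DKIM failure rates and fully failing sources."""
    root = ET.fromstring(xml_bytes)
    for el in root.iter():  # drop the XML namespace some reporters add
        el.tag = el.tag.rsplit("}", 1)[-1]
    total = spf_fail = dkim_fail = 0
    dispositions = Counter()
    dmarc_fail_sources = []
    for rec in root.iter("record"):
        row = rec.find("row")
        if row is None:
            continue
        count = int(_text(row, "count", "0"))
        spf = _text(row, "policy_evaluated/spf")
        dkim = _text(row, "policy_evaluated/dkim")
        total += count
        dispositions[_text(row, "policy_evaluated/disposition", "none")] += count
        spf_fail += count if spf != "pass" else 0
        dkim_fail += count if dkim != "pass" else 0
        # DMARC passes when either aligned check passes; both failing means
        # the source is unauthenticated for this domain.
        if spf != "pass" and dkim != "pass":
            dmarc_fail_sources.append((_text(row, "source_ip"), count))

    def pct(n):
        return round(100.0 * n / total, 1) if total else 0.0

    return {
        "domain": _text(root, "policy_published/domain"),
        "reporter": _text(root, "report_metadata/org_name"),
        "messages": total,
        "spf_fail_pct": pct(spf_fail),
        "dkim_fail_pct": pct(dkim_fail),
        "dispositions": dict(dispositions),
        "dmarc_fail_sources": dmarc_fail_sources,
    }


if __name__ == "__main__":
    print(summarize(load_report(SAMPLE_REPORT)))
```

In the sample, 198.51.100.7 fails SPF only (typical of a forwarder or an unlisted legitimate sender), while 203.0.113.99 fails both checks and is the one a reject policy would block.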
Frequency
DMARC aggregate reports are typically generated daily or weekly by participating mail servers. Lupasafe continuously processes incoming reports and updates the dashboard as new data arrives. Users can configure alerts for suspicious activities or authentication failures.
Results
Organizations gain visibility into all email traffic using their domain name. They can identify unauthorized senders, legitimate but misconfigured systems, and potential phishing attempts. This intelligence enables them to progressively strengthen their email security policy from monitoring to quarantine and finally to reject unauthorized messages, drastically reducing email-based fraud.
Compliance
DMARC implementation supports regulatory compliance requirements including GDPR, HIPAA, and financial regulations that mandate protection against email impersonation. The reporting function provides an audit trail demonstrating due diligence in securing the email channel. Organizations remain responsible for acting on the intelligence provided through DMARC reports.
H10 Compliance reporting (ISO27001/NIS-2)
Objective
Provide organizations with insight and evidence of their compliance status.
Process
The menu under ‘Compliance’ lists different compliance frameworks: NIS-2, ISO27001 and Cyber Essentials. The user can view the data visually or via Excel download. Items available are related to Appendix A of ISO27001, for example 5.9 Inventory of Assets, 5.11 Return of Assets, 6.3 Information Security Awareness and 8.1 User Endpoints.
Data
Data is generated directly based on the latest client data. The NIS-2 data is mapped based on the provided ISO27001 items and aligns with Quality Mark (as of September 2025 - the Netherlands standard).
Frequency
On request.
Results
Organizations gain visibility into their compliance status on the relevant compliance items. They can for example identify exceptions, misconfigured systems, and appointed roles failing certain required training. This data enables them to progressively strengthen their compliance posture.
Compliance
Used for ISO27001, NIS-2, ENS, etc.
H11 Lupasafe Multi-Tenant Environment
Objective
Provide organizations with a unified security management platform that enables monitoring and administration of multiple clients or organizational units from a single dashboard while maintaining strict data segregation and customized security policies per tenant.
Process
Administrators access the multi-tenant environment through a centralized dashboard that displays key security metrics across all managed clients. The platform features a tenant selector dropdown that allows instant switching between client environments without requiring re-authentication.
Each tenant maintains separated data and configurations while benefiting from the unified management interface. Administrators can view aggregated security metrics (like the "100 Total Users across 5 clients") or drill down into client-specific data ("Top 5 lowest secure scores on Microsoft cloud").
Data
The multi-tenant architecture maintains data separation between clients while allowing approved administrators to access cross-client analytics. Each tenant's data is logically separated with dedicated encryption and access controls.
The dashboard presents critical security metrics including:
- User management (total users, access rights)
- Security incidents (data leaks, phishing statistics)
- Training compliance and completion rates
- Asset inventory and risk status
- Email security posture
- MFA implementation status
As shown in the interface, administrators can quickly assess security posture through numerical indicators and color-coded status markers (red for risks, green for compliant elements).
Frequency
The multi-tenant dashboard updates in real-time as security events occur across all managed environments. Automated alerts notify administrators of critical issues regardless of which tenant view they are currently accessing.
Tenant switching is instantaneous, allowing administrators to rapidly respond to security events across multiple client environments without workflow disruption.
Results
Organizations benefit from:
- Streamlined security management across multiple business units or clients
- Consistent security policies with tenant-specific customizations
- Reduced administrative overhead compared to managing separate instances
- Comprehensive visibility across the entire security ecosystem
- Efficient resource allocation based on cross-tenant analytics
- Simplified billing and license management
The intuitive interface enables administrators to identify trends across the entire client base while maintaining the ability to address tenant-specific issues, as demonstrated by the detailed metrics for each security domain in the dashboard view.
Compliance
The multi-tenant environment maintains strict isolation between client data to satisfy regulatory requirements while enabling efficient administration. Access controls ensure administrators can only view and manage tenants they are explicitly authorized to access.
Audit logs track all cross-tenant activities for compliance reporting, and tenant-specific compliance requirements can be configured and monitored independently for each client.
H12 Autotask Integration
Objective
Provide security professionals and MSPs with a seamless connection between Lupasafe security monitoring and Autotask PSA, automatically converting critical security alerts into actionable tickets within existing service desk workflows.
Process
The integration continuously monitors three security domains and automatically generates Autotask tickets when deviations occur. Cloud Policies alerts about users without Multi-Factor Authentication, distinguishing between general users and admin accounts. Network Activity detects scanner assets that have been inactive for more than 6 days. DMARC Reports analyze email authentication issues and alert on failed SPF and DKIM validations. Each alert receives a priority score (0-89) based on severity and impact for immediate assessment by service desk personnel.
Data
The integration processes the following security data into Autotask tickets:
- MFA Security Status: Numbers and percentages of users without MFA registration (e.g., "11 out of 18 users")
- Asset Activity: Identification of inactive scanner assets with day-level precision
- DMARC Statistics: Failure percentages for SPF and DKIM authentication per domain (e.g., "27% SPF, 32% DKIM")
- Priority Scores: Numerical values (0-89) that quantify urgency
All tickets contain contextual information that is directly actionable without access to the Lupasafe dashboard.
Frequency
The integration operates in real-time and generates tickets as soon as security thresholds are exceeded. MFA checks are performed daily, Network Activity monitoring scans continuously and generates alerts at 6-day inactivity, and DMARC Reports are processed immediately upon new authentication statistics. Ticket frequency dynamically adapts based on security status.
Results
Organizations benefit from:
- Proactive security response: Automatic detection and escalation of security deficiencies
- Reduced response time: Direct ticket creation without manual dashboard checks
- Improved workflow integration: Security tasks within existing Autotask processes
- Risk-based prioritization: Automatic scoring for critical issues first
- Compliance documentation: All alerts and actions recorded for audit purposes
- Increased MFA adoption: Systematic tracking leads to faster implementation
- Email reputation preservation: Timely DMARC detection prevents blacklisting
Compliance
The Autotask integration supports compliance with security standards through systematic documentation of MFA implementation (required under NIS2 and ISO 27001), email authentication according to DMARC specifications, and asset monitoring. All tickets serve as audit trail and demonstrate timely detection and communication. Priority scores facilitate demonstrable risk-based response, while automated workflow ensures no critical alerts are missed.
H13 Whitelabeling and Branding
Objective
Enable MSPs and security providers to fully personalize Lupasafe with their own brand identity, ensuring client communication is presented professionally and consistently under their own corporate style.
Process
Administrators configure the whitelabel environment via the 'Branding' menu in the dashboard. The process includes three steps: uploading the company logo (PNG/JPG/SVG, 300x100px, max 2MB), adding an optional tagline, and defining three brand colors via HEX codes (Primary Color for buttons, Secondary Color for backgrounds, Text Color for contrast compliance). Subsequently, the SMTP server is configured for sending from the organization's own domain, including host, port (default 587 with TLS/SSL), authentication credentials, from address, and reply-to address. The live preview function shows in real-time how emails and reports will appear before the configuration is activated.
Data
The branding configuration processes:
- Visual Identity: Company logo, optional tagline, and three HEX color codes
- SMTP Configuration: Server name, SMTP host, port with encryption, authentication credentials, from address, and reply-to address
- Color Scheme: Primary Color, Secondary Color, and auto-calculated Text Color that meets WCAG contrast compliance
- Status: Active/Inactive toggle for activation
All brand data is stored encrypted and applied to email templates, HTML reports, and portal interfaces.
Frequency
The branding configuration is a one-time setup that remains permanently active. Once activated, the brand identity is applied in real-time to all outgoing communications. Changes are implemented immediately and can be validated via live preview before publication.
Results
Organizations benefit from:
- Complete brand control: All client communication in own corporate style increases brand value and professionalism
- Increased trust: Recognizable domain and familiar styling improve open and response rates
- Consistent brand experience: Uniform application across all communication channels
- Improved deliverability: Own domain sending facilitates SPF/DKIM/DMARC compliance
- Efficiency: One-time configuration eliminates manual adjustments
- Multi-tenant support: Separate branding per client with centralized management efficiency
Compliance
The whitelabel functionality supports GDPR transparency through clear identification of the sending party. Automatic contrast compliance meets WCAG 2.1 accessibility guidelines. SMTP configuration with TLS/SSL encryption meets security standards and facilitates DMARC compliance. The toggle function enables fallback to neutral branding during audits. Audit logs record all configuration changes for compliance reporting.