Help Center

How to get the most from Hosting Security

35 step-by-step guides across 8 feature areas — from your first scan to assessor-ready evidence packs. Every guide walks the real product, button by button.

35 of 35 articles
01

Getting started

3 guides

How to sign in and run your first scan

Security is free and fully unlocked — your first scan runs the moment you open the dashboard.

  1. Go to security.hitthosting.com and click Sign in (or open /login directly).
  2. Enter the email and password for your Hitt Hosting account and click Sign in to Hitt Hosting Security.
  3. You land on the Security Center. A live scan of every product on your account runs automatically on each visit — no button to press.
  4. Review the Critical / Warning / Info tiles and the per-product sections below them. Each product heading shows its status: a count of findings to review, “no abnormalities”, or “source not connected”.
  5. Use the left sidebar to move between Security Center, All findings, Bank connections, and Settings.

Tip: “Source not connected” is never an all-clear — it means the scanner couldn't reach that product's tables yet, so treat it as unknown, not safe.

How scheduled scans keep your account monitored

Scans run on a schedule for every account, so your posture stays current even when nobody is signed in.

  1. Nothing to configure — scheduled scans are on for every account automatically.
  2. Each scheduled scan records what it found, emails you about new criticals (idempotently — never the same alert twice for the same finding), and delivers to any webhooks you've configured.
  3. Opening the Security Center also runs a fresh live scan, so what you see is never stale.
  4. To confirm your scheduled scans are firing, check the Scan history card on the Security Center — it lists every recent scan with its timestamp and finding counts.

Tip: A stalled cadence can't hide: if the “Last scan” timestamp in Scan history looks old, something is wrong — that's exactly what the card is for.

How to check which products and data sources are connected

Security scans only the products on your account — the Data sources list shows exactly what's being watched.

  1. Open Settings from the left sidebar.
  2. Scroll to the Data sources section at the bottom of the page.
  3. Each subscribed product (CRM, Books, HR, Desk, Sign, Field, SE, Hosting) is listed with its status: “connected” (green) or “not connected” (yellow).
  4. The Email delivery row near the top of Settings shows whether alert email sending is configured for your environment.

Tip: You don't connect products manually — anything subscribed on your Hitt Hosting account is picked up automatically by the scanner.

02

Posture & trends

4 guides

How to read your posture score and trend

One risk-weighted 0–100 number, captured daily, tells you whether you're getting safer week over week.

  1. Open the Security Center from the sidebar.
  2. Find the Posture over time card near the top. The big number is today's score (higher is safer), with a Green / Yellow / Red band indicator.
  3. Next to the score, the “this week” delta compares against your prior snapshot — green +N means improving, red −N means regressing.
  4. The small sparkline on the right shows the score's shape over time, oldest to newest.
  5. Below the score card, the three tiles count your open findings by severity: Critical, Warning, and Info. Open means not acknowledged, resolved, or muted.

Tip: Watch the slope, not the absolute — a 72 trending up is healthier than a 90 trending down. On your first day the card shows “Collecting” until a second snapshot exists.

How to see what changed since your last scan

Every posture movement has an itemized delta — exactly which findings appeared and which cleared.

  1. Open the Security Center and find the What changed since your last scan card.
  2. “Appeared” lists findings new since the prior scan; “Cleared” lists findings that went away, each carrying its last-seen severity so a cleared critical reads loud.
  3. Unchanged findings are shown as a count only, keeping the card focused on movement.
  4. Scheduled scans update the diff too — a returning user sees what moved while they were away, not just since their last visit.

Tip: Appeared/cleared events also land on each finding's audit trail and travel with the CSV and JSON evidence exports.

How to review your scan history

A read-only activity log of your most recent scans proves your scan cadence and shows how counts moved run over run.

  1. Open the Security Center and find the Scan history card.
  2. The prominent “Last scan” timestamp at the top shows when the most recent scan ran.
  3. Each row below is one scan, newest first, with its Critical / Warning / Info counts.
  4. Delta arrows on each row compare against the immediately-prior scan, so a jump or a drop is visible at a glance.

Tip: Where the posture score is one daily number and the last-scan diff covers only the two most recent runs, Scan history shows the full per-scan cadence.

How to view findings for a single product

Each product on your account has its own drill-down page scoped to just that product's findings.

  1. Open the Security Center from the sidebar.
  2. Scroll to the per-product sections — each heading is the product name followed by “›”.
  3. Click a product heading (for example “Books ›”) to open its dedicated page at /p/<product>.
  4. The product page shows only that product's findings, with the same acknowledge and resolve actions as the main dashboard.
03

Working with findings

8 guides

How to search, filter, and save finding views

Slice the findings list to what you actually work on, then save that slice as a one-click view.

  1. Open All findings from the sidebar.
  2. Use the search box (“Search title, detail, or subject…”) for free-text matching, or “Owner contains…” to filter by assignee.
  3. Click facet chips to narrow by Severity (Critical / Warning / Info), Product, Category, and State (Open / Resolved / Muted), or toggle “Overdue only” and “Unowned only”.
  4. The footer shows how many findings the current filter matches. Click Clear filters to reset.
  5. To keep a slice, click Save view, type a name (for example “My overdue criticals”), and press Enter. It appears as a chip in the Views row.
  6. Click any chip to reapply it — the built-in presets All open, Critical, Overdue, and Unowned work out of the box. Delete your own views with the × next to the chip.

Tip: Saved views are scoped to your account; the built-in presets can't be deleted.

How to resolve a finding with remediation evidence

Mark a finding fixed with a note that becomes part of your permanent evidence record — and get flagged if the fix didn't hold.

  1. On any open finding card, click Resolve.
  2. In the “Remediation note (optional)” box, describe what you did to fix it — the note is stored as evidence and appears in exports.
  3. Click Confirm resolve. The finding moves to the Resolved list on the page.
  4. If a later scan sees the same finding again, it automatically reopens with a red “Regression · reopened” badge — a failed fix can't masquerade as closed.
  5. To reopen a resolved finding manually, expand the Resolved section and click Reopen on its card.

Tip: Distinct from a regression, a finding that clears and returns on its own across scans gets an amber “Recurring · appeared N×” badge — an unstable control that flickers between scans can't hide.

How to acknowledge or mute a finding (accept risk)

Acknowledge clears a reviewed finding from your open queue; mute accepts its risk for a set period with a reason on the record.

  1. To acknowledge: click Acknowledge on the finding card. It leaves the open count immediately.
  2. To mute: click “Mute (accept risk)” on the card instead.
  3. Answer “Why are you accepting this risk?” — the reason is stored on the record.
  4. Pick a duration: 30 days, 90 days, or Indefinitely, then click Confirm mute.
  5. Muted findings drop out of the open count and stop triggering alerts, but stay visible in the Muted section and in evidence exports.
  6. When the timer expires the finding returns automatically; to bring one back early, click Un-mute on its card in the Muted section.

How to assign an owner to a finding

Name a person, email, or team on any finding so nothing sits in the “we saw it, nobody fixed it” gap.

  1. On an open finding card in All findings, click Assign owner.
  2. Type a name, email, or team (for example “ana@acme.com” or “Platform”) — it's an accountability label, not a user account.
  3. Click Save owner. The owner badge appears on the card and a dated “Owner assigned” entry lands on the finding's audit trail.
  4. To hand it off, click Reassign owner; to remove the owner, open the editor and click Unassign.

Tip: Filter by “Owner contains…” or the “Unowned only” chip on All findings to find work by assignee — assignments also travel with the CSV and JSON exports.

How to set a remediation due date

Give each finding its own target fix-by date so a 30-day vendor fix and a same-day patch don't share one clock.

  1. On an open finding card in All findings, click Set due date.
  2. Pick a date — it's your own remediation target, not an SLA.
  3. Click Save due date.
  4. The card now shows “Due in N days”, “Due today”, or — once the target slips — a red “Overdue by N days” badge, and overdue findings escalate ahead of the normal age threshold.
  5. To change it later click Edit due date; use Clear to remove the target entirely.

Tip: The “Overdue only” filter chip on All findings shows everything past its target in one click.

How to add working notes and read the audit trail

Keep the remediation conversation on the record without touching a finding's status.

  1. On any finding card, click Add note.
  2. Type your working note (for example “left a voicemail with the vendor — waiting on the maintenance window”).
  3. Click Add note to save. Notes are append-only, so they stay on the record.
  4. Scroll to the Audit trail section at the bottom of the card: every lifecycle event — Acknowledged, Resolved, Reopened, Muted, Owner assigned, Due date set, Comment, Appeared in scan, Cleared in scan — is listed with its timestamp, oldest first.

Tip: The full trail travels with the CSV and JSON evidence exports, so an auditor sees the same timeline you do.

How to update many findings at once (bulk actions)

Acknowledge, resolve, mute, assign, or set due dates across a whole filtered slice in one click.

  1. Open All findings and (optionally) filter to the slice you care about.
  2. Tick the checkbox on individual cards, or use “Select all (N open)” above the list.
  3. A sticky toolbar appears showing “N selected” with the actions: Acknowledge, Resolve, Assign owner, Set due date, and Mute.
  4. Acknowledge fires immediately; Resolve, Mute, Assign owner, and Set due date open a small panel for the shared note, reason, owner, or date first.
  5. Each finding still gets its own state change and its own dated audit-trail entry, so the per-finding evidence record stays exact.

Tip: A failure on one finding never aborts the batch — anything that failed stays selected so you can retry.

04

SLAs & remediation planning

4 guides

How to plan remediation milestones on a finding

Attach dated, staged remediation steps to a finding — they populate the POA&M “Milestones with Completion Dates” column your assessor expects.

  1. Open All findings and find the open finding you want to plan.
  2. Click “Plan steps” on the Remediation milestones bar of the card.
  3. Type the first step's description (for example “Rotate exposed key”), pick a target completion date, and click Add step.
  4. Repeat for each staged step of the fix.
  5. Tick a step's checkbox when it's done — the header shows progress like “(2/3 done)”. Use Remove to delete a step, or edit its date inline.

Tip: Milestones thread into the POA&M export and the JSON evidence pack per finding — a staged plan instead of a single lump due date. Your own remediation plan, not a certification.

How to set your own severity SLA thresholds

Set the escalation windows that match your own compliance commitments — your SLA, not ours.

  1. Open Settings from the sidebar and find the Escalation SLA card.
  2. Set the Critical escalation window in days (1–90; default 7).
  3. Set the Warning escalation window in days (1–90; default 14).
  4. Click Save thresholds.
  5. Findings open longer than their window are flagged as escalated, and the same windows drive the Approaching SLA breach panel and the SLA-breach rate in Remediation velocity.

Tip: These thresholds are your own targets — they only affect your account and have no bearing on any certification or external SLA.

How to see which findings are approaching SLA breach

See what's about to breach before it does — every open finding's age projected against your SLA window.

  1. Open the Security Center and find the Approaching SLA breach card.
  2. Findings closest to breaching are listed first, each showing the days remaining before it crosses your configured window.
  3. The header counts what's “due soon” and — in red — anything already “past window”.
  4. Click through to All findings to work the list; when nothing is at risk the card says so honestly.

Tip: This is pure computation over your own finding ages and your own configured windows — an early-warning system, not a guarantee.

How to track remediation velocity (MTTR and breach rate)

Prove your remediation process is actually getting faster — mean time-to-remediate and SLA-breach rate from your own history.

  1. Open the Security Center and find the Remediation velocity card.
  2. The table shows one row per severity with MTTR (mean days from first detected to resolved), the SLA breach rate, and how many findings closed in the window.
  3. The header shows the measurement window and total closed count, so the mean is honest about its sample size.
  4. Breaches are judged against the very SLA windows you configured in Settings → Escalation SLA.

Tip: Observed workflow metrics on your own data — not an SLA guarantee or attestation of compliance.

05

Compliance & evidence

6 guides

How to read your compliance control-area coverage

Your latest scan mapped to cross-framework control areas, so you can answer an assessor's “show me your access-control coverage”.

  1. Open the Security Center and find the Compliance coverage card.
  2. Each row is one control area — Access Control, Change Management & Audit Logging, Data Protection, Vendor & Supply-Chain, Account & Billing Integrity, and Identity & Credential Hygiene — with its framework references (CIS Controls v8 · OWASP · NIST CSF).
  3. Read each area's status: Clear (green), Findings open (yellow, with the open count), or Source not connected (grey).
  4. The header totals how many of the six control areas are covered by an active monitor on your subscribed products.

Tip: A deterministic self-assessment of your own scan — not a certification or audit. “Source not connected” is never an all-clear.

How to mark a control area reviewed or accept its risk

Put a dated, persistent sign-off on each control area — it travels into every export you hand an assessor.

  1. On the Compliance coverage card, find the control area you've reviewed.
  2. Optionally type a short note in the “Optional note” field (for example “quarterly review done”).
  3. Click Mark reviewed — or Accept risk if you're consciously accepting open findings in that area.
  4. A dated Reviewed or Accepted badge appears on the row and persists across refreshes and scans.
  5. Changed your mind? Click Clear mark to remove it.

Tip: Each mark carries its date and note into the JSON evidence pack, POA&M export, and branded posture report — a record of what you actually reviewed. Self-assessment, not a certification.

How to export your findings as CSV or a JSON evidence pack

Download every finding with its full lifecycle evidence the moment an auditor asks.

  1. Open All findings from the sidebar.
  2. In the Export row at the top right, click Download CSV for a spreadsheet, or Download JSON for the timestamped evidence pack.
  3. Both carry each finding's age, acknowledgement state, owner, notes, and full resolution evidence — resolved-on timestamp and the exact remediation note you typed.
  4. The JSON pack additionally includes the compliance control-area roll-up, your control-area sign-offs, per-finding milestones, recurrence counts, and a tamper-evident integrity block.

Tip: Exports are scoped to your own account and reflect the live scan at the moment you download.

How to export an assessor-ready POA&M

Turn every open finding into a Plan of Action & Milestones row in the canonical NIST/CMMC layout.

  1. Open All findings from the sidebar.
  2. In the Export row, click Download POA&M (CSV).
  3. Each open finding becomes one row with its control reference, owner, fix-by date, and status.
  4. The “Milestones with Completion Dates” column is populated from the dated milestones you planned on each finding — staged steps, not just a lump due date.
  5. The Remediation Plan / Comments column is auto-filled from the built-in remediation guidance, so a fresh finding never hands an auditor a blank corrective-action cell — your own resolution or accept-risk note takes precedence when you've written one.

Tip: A self-assessment aid that helps you populate your POA&M — not a certification.

How to verify an evidence pack's integrity checksum

Every export is tamper-evident — whoever receives your pack can confirm it's intact with nothing but standard tools.

  1. Download the JSON evidence pack from All findings → Download JSON.
  2. Open the pack and find the integrity block: the algorithm (always sha256), the checksum, and a manifest echoing what the pack covers.
  3. To verify: remove the integrity field from the JSON, canonicalize the remainder (recursively sort all object keys, preserve array order), and compute the SHA-256 of that string.
  4. Compare your computed hash with the embedded checksum — a match proves the artifact is exactly what the tool emitted; a truncated download or stray edit flips it to fail.
  5. Cross-checks: the same checksum is returned in the X-Evidence-Checksum response header on the download, and printed in the branded posture report's footer.

Tip: A content-integrity check over your own output — not a signature, certification, or third-party seal.

How to download the branded posture report

Hand your clients, insurers, and primes a real document — a one-click, print-ready posture report.

  1. Open All findings from the sidebar.
  2. In the Export row, click Download posture report.
  3. The single self-contained page composes your posture score and week-over-week trend, severity distribution and worst product, remediation velocity, compliance control-area coverage, and finding age with the oldest open critical called out.
  4. It's print-styled — open it in your browser and use Print → Save as PDF for a clean handoff document.

Tip: The report carries the standing self-assessment disclaimer and the evidence-pack integrity checksum in its footer. A deterministic summary of your own scan — not a certification or audit.

06

Trust page & badge

3 guides

How to publish a public trust page

Prove you're secure without emailing spreadsheets — a live, summary-only page at a shareable link.

  1. Open the Security Center and find the Public trust page & badge card.
  2. Optionally enter a Public display name (for example your company name) to head the page.
  3. Click Publish trust page. The card flips to Live and mints an unguessable public URL under /trust/.
  4. Click Copy next to the Public link to share it, or Open to preview what visitors see.
  5. Under Visible cards, tick exactly which summaries are public: Posture score, Severity distribution (counts), Compliance coverage %, and Last-scanned date.

Tip: Only aggregate summary data is ever exposed — no finding details, systems, or remediation steps leave your account. The page is clearly labeled self-attested, not a certification.

How to embed the posture badge on your website

Drop a live, self-attested posture badge on your own site that always reflects your latest scan.

  1. Publish your trust page first (Public trust page & badge card on the Security Center).
  2. In the Embeddable badge section of the card, preview the SVG badge.
  3. Click Copy embed to copy the ready-made HTML snippet.
  4. Paste the snippet into your site — the badge image is served live from your badge URL and links back to your trust page.

Tip: The badge updates with every scan automatically. If you rotate your trust link, update the embed snippet — the old badge URL stops working with the old token.

07

Alerts & integrations

3 guides

How to configure alert emails, recipients, and the severity floor

Route alerts to your security inbox and choose the severity that pages you — your account email is always included.

  1. Open Settings from the sidebar and find the Alert notification preferences card.
  2. Your account email is shown read-only under “Account email (always included)” — it can never be removed.
  3. Under Additional recipients, enter extra addresses one per line (up to 10); they're CC'd on every alert.
  4. Pick the Alert severity floor: Critical only (default), or Warnings and above. Info-level findings never trigger emails.
  5. Click Save preferences.

Tip: Critical digests are idempotent — you never get the same alert twice for the same finding.

How to set quiet hours and manage the weekly posture report

Silence off-hours noise without losing alerts, and control the plain-English weekly recap email.

  1. Open Settings → Alert notification preferences.
  2. Tick “Enable quiet hours (UTC)” and set the start and end hours (0–23). The window spans midnight when start > end — e.g. 22 to 7 covers 10 pm–7 am UTC.
  3. Alerts arising inside the window are held, not dropped — the next scan outside the window sends them.
  4. The Weekly posture report checkbox controls the weekly recap email (your score and its 7-day change, what opened and closed, your oldest unresolved critical). It's on by default; uncheck it to opt out.
  5. Click Save preferences.

How to push findings to Slack, PagerDuty, or your own service with webhooks

Send a signed HTTP POST to any endpoint when new findings are detected — with automatic retries and a full delivery log.

  1. Open Settings from the sidebar and find the Outbound webhooks section.
  2. In the Add endpoint form, enter the Endpoint URL and a Signing secret you generate (you'll verify the X-Hitt-Signature header on your side).
  3. Choose the Severity floor for this endpoint: Criticals only, Warnings and above, or All severities.
  4. Click Add webhook, then click Test on the new entry to fire a test delivery and confirm your endpoint responds.
  5. Verify each delivery on your side: it's signed with HMAC-SHA-256 (X-Hitt-Signature: sha256=…) using your secret.
  6. Watch the Recent deliveries history under each endpoint — every attempt is logged with status, time, and attempt number.

Tip: Failed deliveries to still-active findings retry automatically on subsequent scans (up to 4 attempts, with backoff), so a broken endpoint never silently swallows a critical. Deliveries time out after 10 seconds.

08

Security tools

4 guides

How to score your password policy against NIST and CIS baselines

The Policy Checker grades your organisation's password policy 0–100 against NIST SP 800-63B and CIS Controls baselines.

  1. Open Settings from the sidebar and scroll to the Policy Checker card.
  2. Set your policy's Minimum password length and Max password age (NIST favors no forced rotation).
  3. Toggle the requirements you enforce: uppercase letters, digits, special characters, MFA for all accounts, and password-reuse prevention.
  4. The score and letter grade (A–F) update live as you adjust.
  5. Work through the numbered Recommendations list to raise the grade.

How to check whether a password appears in known breaches

Check any candidate password against the Have I Been Pwned corpus without the password ever leaving our server.

  1. Open Settings and find the Breached-password check card (below the Policy Checker).
  2. Enter the password in the “Password to check” field.
  3. Click Check.
  4. Read the result: found N times in known breaches (don't use it, and rotate it anywhere it's in use), not found in the corpus, or corpus unreachable — in which case no result is shown rather than a false all-clear.

Tip: The lookup uses k-anonymity: only the first 5 characters of the password's SHA-1 hash ever reach the breach corpus, and the password is never stored or logged.

How to connect a bank account for financial-security checks

Optionally link a bank via Plaid as a read-only fraud-watch data source — Security can never move money.

  1. Open Bank connections from the sidebar.
  2. Click Connect a bank.
  3. Complete the Plaid Link flow to authorize read-only access to the institution.
  4. The connection appears under Connected banks with the date it was linked.

Tip: Bank linking is currently in beta on Plaid's sandbox network — you can try the flow safely with Plaid's test credentials, and real institutions arrive when the production switch flips. Billing-integrity checks on your subscriptions run today regardless.

How to use the AI security briefing

A supporting analysis that reads across your products and turns patterns into plain-language context — dated, saved, and on the record.

  1. Open the Security Center; the AI Analysis panel sits at the top when there's something to say.
  2. Read the Overall risk line and summary, then the sections that apply: Connected signals, Pattern interpretation, Predicted emerging risks, Reprioritized by context, and Recommended actions.
  3. The “generated N ago” stamp shows when the briefing was produced — every briefing is dated and saved.
  4. Expand Previous analysis at the bottom of the panel to compare against the last stored briefing (no new analysis is run) and see how the risk read is trending.

Tip: The briefing is an aid, not the source of truth — your findings, scores, and exports are all deterministic and stand on their own. The latest briefing travels into the JSON evidence pack and posture report with its own self-assessment disclaimer.