Get Up and Running in 10 Minutes
Create your account, understand organisations and roles, and run your first scan.
1. What is Vulnios
Vulnios is a multi-tenant security scanning SaaS designed for both direct customers and Managed Service Providers (MSPs). It uses an MSP hierarchy (platform_msp → msp → customer), open-source scanning engines, and Model B billing — customers self-pay; MSPs manage operationally but never control billing.
Every piece of data is tenant-scoped by orgId. The backend enforces this at the Firestore rules layer, not just in application code.
2. Quickstart (10 Minutes)
- 1. Sign up: Create an account at vulnio.web.app/sign-up using Google or email.
- 2. Org is created automatically: On first login, if you have no memberships, Vulnios provisions a customer org for you. The org switcher (top of sidebar) lets you switch between orgs you belong to.
- 3. Upload a target: Go to Scans → New Scan. Upload a file, archive, container image, or URL. Select engines.
- 4. View results: Open the scan page. Real-time step progress, logs path, and output artifacts appear as workers complete steps.
3. Core Concepts
- /orgs/{orgId}: Canonical tenant with orgType, planId.
- /orgs/{orgId}/members/{uid}: Role-scoped access + mirror index in /users/{uid}/memberships.
- /plans/{planId}: Feature limits, seat caps, pricing IDs.
- /orgBilling/{orgId}: Private: payment refs, never readable by parent MSP.
- /scans/{scanId}: Job + steps model with retries and idempotency.
- Worker node: Executes engines, uploads outputs, reports status.
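The tenant scoping described in section 1 and the paths listed above, written out as a Firestore security rules fragment. This is an added example, not Vulnios's own ruleset. The `role` field and its values, the `orgId` field on scan documents, the `{membershipId}` wildcard name, and backend-only writes are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Caller's membership doc in an org (path taken from the page).
    function memberPath(orgId) {
      return /databases/$(database)/documents/orgs/$(orgId)/members/$(request.auth.uid);
    }
    function isMember(orgId) {
      return request.auth != null && exists(memberPath(orgId));
    }
    // Assumption: member docs carry a 'role' string; role names are hypothetical.
    function hasRole(orgId, roles) {
      return isMember(orgId) && get(memberPath(orgId)).data.role in roles;
    }

    match /orgs/{orgId} {
      allow read: if isMember(orgId);
      allow write: if false;  // assumption: provisioning runs in the backend (Admin SDK bypasses rules)
      match /members/{uid} {
        allow read: if isMember(orgId);
        allow write: if false;
      }
    }

    // Mirror index: a user may read only their own membership list.
    match /users/{uid}/memberships/{membershipId} {
      allow read: if request.auth != null && request.auth.uid == uid;
      allow write: if false;
    }

    // Billing is decided only by membership in this exact org. No parent-org
    // lookup appears here, so an MSP above the customer gets no read path.
    match /orgBilling/{orgId} {
      allow read: if hasRole(orgId, ['owner']);
      allow write: if false;
    }

    // /scans is top-level, so the tenant comes from a field on the document.
    // Assumption: each scan doc stores its tenant in 'orgId'.
    match /scans/{scanId} {
      allow read: if isMember(resource.data.orgId);
      allow create: if hasRole(request.resource.data.orgId, ['owner', 'analyst']);
      allow update, delete: if false;  // assumption: workers report status via the backend
    }
  }
}
```

Rules are not filters: a client list query on /scans has to constrain `orgId` itself, otherwise Firestore rejects the whole query instead of returning only the caller's documents.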
4. Environments (Prod vs Stg)
- Always use separate Firebase projects for prod and staging.
- Separate env vars — NEXT_PUBLIC_FIREBASE_PROJECT_ID must differ.
- Staging branch: deploy from staging. Main branch: deploy to prod.
- Never promote staging data to production.