Core Concepts
Understand the mental model that powers Plexicus: how your applications flow through our system, how findings are discovered and enriched, and how your organization maintains control through plans and entitlements.
Applications & Repositories
An application (or repository) is the unit of scanning in Plexicus. You register repositories from your source control systems (GitHub, GitLab, Bitbucket, Gitea, and others), cloud providers (AWS, Azure, GCP, OCI), or container registries.
Asset Types
Plexicus scans three primary asset categories:
- Repositories (SCM): Codebases stored in GitHub, GitLab, Bitbucket, Gitea, Forgejo, Azure DevOps, or TFVC. When you connect an SCM provider, Plexicus discovers branches and scans them on a schedule or on-demand.
- Cloud Infrastructure: Deployed resources across AWS, Azure, GCP, and OCI. Plexicus discovers cloud resources and evaluates them for misconfigurations, compliance violations, and entitlement risks.
- Container Registries: Container images in Docker registries, Amazon ECR, Azure Container Registry, Google Artifact Registry, or Harbor. Plexicus scans images for vulnerabilities in dependencies and embedded secrets.
Each asset is tracked as an application in your Plexicus dashboard, and you can tag, filter, and manage them by project, team, or compliance domain.
Sandbox Repositories
New to Plexicus? Use sandbox repositories to try a scan without connecting your own source control. The platform provides public sample repositories that you can scan in minutes to explore findings, triage workflows, and AI remediation without setup friction.
Scanner Bundles
Plexicus uses bundled security scanners to detect vulnerabilities, misconfigurations, secrets, and policy violations. Scanner bundles are branded Plexicus packages that combine industry-standard tools with Plexicus's own capabilities.
Core Bundles
These bundles are included in all plans (Free and above):
- SAST Bundle: Static Application Security Testing detects code-level vulnerabilities (SQL injection, XSS, insecure deserialization, etc.) across multiple programming languages.
- SCA Bundle: Software Composition Analysis identifies vulnerable, outdated, or non-compliant dependencies in your applications.
- IaC Bundle: Infrastructure-as-Code scanning checks Terraform, CloudFormation, Kubernetes manifests, and other declarative infrastructure for security and compliance violations.
- Secrets Bundle: Detects hardcoded secrets (API keys, credentials, tokens) before they reach production or public repositories.
Optional Bundles
Available on higher plans (Starter and above):
- DAST & AI Pentest Bundle: Dynamic Application Security Testing plus Plexicus AI Pentest for automated security assessment of live applications. Uses browser-based scanning and autonomous agent-driven penetration testing.
- Cloud Posture (CSPM) Bundle: Discovers cloud infrastructure misconfigurations, compliance violations, and over-privileged identities across AWS, Azure, GCP, and OCI.
- Container Workload Protection (CWPP): Protects containerized workloads with runtime vulnerability detection and policy enforcement.
Custom Scanners
Bring your own security tools or create custom scanners with the user connector framework. Custom scanners integrate into the Plexicus triage and remediation workflow like native bundles.
Findings Lifecycle
A finding is a security issue discovered in your applications. Each finding progresses through a well-defined lifecycle from discovery to resolution.
1. Discovered
When Plexicus scans an asset, scanner bundles return raw results. Each match is tagged with its severity (Critical, High, Medium, Low), type (e.g., SQL injection, hardcoded secret), and location (file, line, function). At this stage, findings are queued for AI enrichment.
2. AI-Enriched
Plexicus's AI pipeline automatically enriches every finding by:
- Classifying false positives: The AI determines whether this issue is a genuine vulnerability or a false alarm (e.g., a commented-out credential, a benign regex pattern). High-confidence false positives are labeled and filtered by default.
- Contextualizing risk: The AI examines the code context to assess whether a vulnerability is reachable, exploitable, or mitigated by upstream controls.
- Prioritizing impact: Findings are scored based on severity, exploitability, and business impact. A high-severity issue in dead code ranks lower than a critical vulnerability in frequently called functions.
- Suggesting remediation: The AI generates actionable fix suggestions, including code samples, library updates, and configuration changes.
3. Triage States
After enrichment, security and development teams triage findings:
- Open (default): A finding that requires attention. Findings stay open until explicitly marked as mitigated, false positive, or won't fix.
- False Positive (FP): You verify that this is not a genuine security issue. Plexicus learns from FP markings to improve future scans and reduce noise.
- Mitigated: You confirm this vulnerability has been fixed or the risk is accepted. Plexicus tracks the time from discovery to mitigation (MTTR).
- Won't Fix: You acknowledge the risk but have accepted it due to business constraints. Document your reasoning for compliance audits.
4. Remediated
When a developer applies a fix (code change, library upgrade, configuration adjustment), Plexicus can verify remediation:
- If you enable AI Remediation, Plexicus generates pull requests with fixes. Developers review and merge.
- Plexicus re-scans the updated asset to confirm the finding no longer appears. If the vulnerability resurfaces, it is re-opened.
- Remediation metrics (time to fix, velocity) feed your organization's security dashboard and compliance reports.
Vulnerability Exchange (VEX)
For known vulnerabilities in dependencies, you can issue VEX (Vulnerability Exchange) statements to document mitigations without requiring a code change. VEX allows you to declare:
- Status: NOT_AFFECTED — This dependency version is not vulnerable (e.g., the vulnerable code path is not invoked).
- Status: AFFECTED + Justification — This dependency is vulnerable, but you have a compensating control (e.g., WAF, network segmentation).
- Status: FIXED — You have updated to a patched version.
Plexicus honors VEX statements in triage and compliance reporting, allowing you to manage risk without forcing unnecessary upgrades.
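As an added example (not Plexicus code), the following Python shows how a triage step can honor the three VEX statuses above: findings covered by a NOT_AFFECTED or FIXED statement are suppressed from the open queue, AFFECTED findings stay open with the compensating control recorded, and a statement that would hide a finding without a justification is rejected. The field names and the justification label mirror the OpenVEX vocabulary; that Plexicus ingests that exact format is an assumption, and every package name and CVE id below is a constructed placeholder.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    vuln_id: str
    component: str  # "package@version" as reported by the SCA bundle

@dataclass(frozen=True)
class VexStatement:
    vuln_id: str
    component: str
    status: str                 # not_affected | affected | fixed
    justification: str = ""     # required for not_affected
    action_statement: str = ""  # compensating control, required for affected

def validation_errors(s: VexStatement) -> list:
    """A statement may not silence a finding without a recorded reason."""
    errors = []
    if s.status not in {"not_affected", "affected", "fixed"}:
        errors.append(f"unknown status {s.status!r}")
    if s.status == "not_affected" and not s.justification:
        errors.append("not_affected needs a justification")
    if s.status == "affected" and not s.action_statement:
        errors.append("affected needs an action_statement")
    return errors

def apply_vex(findings, statements) -> dict:
    """Disposition per finding: suppressed for not_affected/fixed, open otherwise."""
    for s in statements:
        if validation_errors(s):
            raise ValueError(f"{s.vuln_id}: {validation_errors(s)}")
    index = {(s.vuln_id, s.component): s for s in statements}
    result = {}
    for f in findings:
        s = index.get((f.vuln_id, f.component))
        if s is None:
            result[f.vuln_id] = ("open", "no VEX statement")
        elif s.status == "affected":
            result[f.vuln_id] = ("open", s.action_statement)  # control is noted, risk stays visible
        else:
            result[f.vuln_id] = ("suppressed", s.justification or s.status)
    return result

# Constructed sample data; the CVE ids are placeholders, not real advisories
FINDINGS = [Finding("CVE-0000-0001", "libfoo@1.2.0"), Finding("CVE-0000-0002", "libbar@3.4.1"),
            Finding("CVE-0000-0003", "libbaz@0.9.0"), Finding("CVE-0000-0004", "libqux@2.0.0")]
STATEMENTS = [VexStatement("CVE-0000-0001", "libfoo@1.2.0", "not_affected",
                           justification="vulnerable_code_not_in_execute_path"),
              VexStatement("CVE-0000-0002", "libbar@3.4.1", "affected",
                           action_statement="WAF rule blocks the exploit payload"),
              VexStatement("CVE-0000-0003", "libbaz@0.9.0", "fixed")]
```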
AI Pipeline
The Plexicus AI pipeline orchestrates enrichment, false positive filtering, prioritization, remediation, and fix verification.
Enrichment
After scanning, raw findings are enriched asynchronously:
- Semantic Analysis: The AI analyzes code context, data flow, and control flow to determine whether a vulnerability is exploitable.
- False Positive Detection: Distinguishes genuine issues from false alarms using code patterns and domain knowledge.
- Risk Scoring: Assigns a risk score (0–100) based on severity, exploitability, and business context.
- Metadata Extraction: Identifies affected files, functions, dependencies, and compliance controls.
FP Filtering
The AI filters out high-confidence false positives automatically to reduce triage burden. You control the FP confidence threshold (default: high confidence only). False positives are visible in the dashboard but hidden by default.
Prioritization
Findings are sorted by risk score and surfaced for your team's attention based on:
- Severity (Critical > High > Medium > Low)
- Exploitability (Reachable > Unreachable > Unknown)
- Business context (Findings in frequently-updated or customer-facing code rank higher)
- Age (Older unfixed findings become higher priority)
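An added example, not Plexicus's own scoring code, that implements the ordering above as a sort key over constructed findings. The four criteria and their rank orders (including Unknown exploitability sorting after Unreachable) come from the list; applying them lexicographically with age as the final tie-break, and the field names used, are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Rank orders follow the rules listed above; the composite key and the
# tie-break by age are this example's assumptions, not Plexicus's formula.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
EXPLOITABILITY_RANK = {"Reachable": 0, "Unreachable": 1, "Unknown": 2}

@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    exploitability: str
    customer_facing: bool      # business context signal
    frequently_updated: bool   # business context signal
    discovered: date

def age_days(f: Finding, today: date) -> int:
    return (today - f.discovered).days

def priority_key(f: Finding, today: date) -> tuple:
    """Lower sorts first: severity, exploitability, business context
    (customer-facing or frequently updated code first), then age (older
    first). A label outside the known vocabulary sorts after all known ones."""
    sev = SEVERITY_RANK.get(f.severity, len(SEVERITY_RANK))
    expl = EXPLOITABILITY_RANK.get(f.exploitability, len(EXPLOITABILITY_RANK))
    context = 0 if (f.customer_facing or f.frequently_updated) else 1
    return (sev, expl, context, -age_days(f, today))

def prioritize(findings, today: date) -> list:
    """Finding ids in the order the triage queue should present them."""
    return [f.finding_id for f in sorted(findings, key=lambda f: priority_key(f, today))]

# Constructed sample findings
TODAY = date(2025, 1, 31)
SAMPLE = [
    Finding("F-1", "High", "Reachable", True, False, date(2025, 1, 20)),
    Finding("F-2", "Critical", "Unreachable", False, False, date(2025, 1, 30)),
    Finding("F-3", "Critical", "Reachable", False, True, date(2025, 1, 25)),
    Finding("F-4", "Critical", "Reachable", False, True, date(2025, 1, 5)),
    Finding("F-5", "High", "Unknown", False, False, date(2024, 12, 1)),
    Finding("F-6", "High", "Reachable", False, False, date(2025, 1, 10)),
]
```

Note that F-5, the oldest finding, still lands last: age only separates findings that tie on the three stronger criteria.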
Remediation
For open findings, Plexicus can generate AI remediation:
- You request a fix for one or more findings.
- Plexicus's AI analyzes the vulnerability and the codebase.
- AI generates a pull request with a fix proposal.
- Your development team reviews, edits, and merges the PR.
- Plexicus re-scans to verify the fix.
Each remediation request consumes AI Credits from your plan's monthly allowance (see your dashboard for current usage).
Fix Verification
After a fix is deployed:
- Plexicus re-scans the asset automatically (on your scan schedule) or on-demand.
- If the vulnerability no longer appears, the finding is marked as remediated.
- If the vulnerability reappears, Plexicus re-opens the finding and notifies your team.
This closed-loop approach ensures accountability and tracks your actual remediation velocity (MTTR).
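The triage states, the Remediated step and the closed-loop fix verification above, as an added example in Python (not Plexicus code): a finding record that only accepts reviewer decisions while open, refuses a won't-fix without documented reasoning, marks an open finding remediated when a re-scan no longer reports it, re-opens a remediated finding that resurfaces, and exposes the discovery-to-closure interval that feeds MTTR. State names, method names and the rule that only mitigated and remediated closures count toward MTTR are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

OPEN, FALSE_POSITIVE, MITIGATED, WONT_FIX, REMEDIATED = (
    "open", "false_positive", "mitigated", "wont_fix", "remediated")
TRIAGE_STATES = {FALSE_POSITIVE, MITIGATED, WONT_FIX}  # reviewer decisions

@dataclass
class FindingRecord:
    finding_id: str
    discovered: date
    state: str = OPEN
    closed_on: Optional[date] = None
    history: list = field(default_factory=list)  # (date, state, note)

    def triage(self, new_state: str, today: date, reason: str = "") -> None:
        """Apply a reviewer decision to an open finding; won't-fix must carry
        the documented reasoning a compliance audit will ask for."""
        if self.state != OPEN:
            raise ValueError(f"{self.finding_id} is {self.state}, not open")
        if new_state not in TRIAGE_STATES:
            raise ValueError(f"unknown triage state {new_state!r}")
        if new_state == WONT_FIX and not reason.strip():
            raise ValueError("won't-fix requires a documented reason")
        self._set(new_state, today, reason)

    def record_rescan(self, still_present: bool, today: date) -> None:
        """Closed-loop verification: an open finding that no longer appears is
        remediated; a remediated finding that resurfaces is re-opened."""
        if self.state == OPEN and not still_present:
            self._set(REMEDIATED, today, "not present in re-scan")
        elif self.state == REMEDIATED and still_present:
            self.closed_on = None
            self._set(OPEN, today, "resurfaced in re-scan")

    def time_to_resolve_days(self) -> Optional[int]:
        """Discovery-to-closure interval that feeds MTTR; None while unresolved."""
        if self.closed_on is None:
            return None
        return (self.closed_on - self.discovered).days

    def _set(self, state: str, today: date, note: str) -> None:
        self.state = state
        if state in (MITIGATED, REMEDIATED):  # only real fixes count toward MTTR
            self.closed_on = today
        self.history.append((today, state, note))
```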
Plans & Entitlements
Plexicus offers flexible plans designed for different team sizes and security needs. Your plan determines which features and scanner bundles you can use.
Plan Tiers
Plexicus offers four tiers tailored to team size and security maturity:
- Free: Core scanners (SAST, SCA, IaC, Secrets), up to 5 repositories, manual remediation only
- Starter: All core scanners + DAST & AI Pentest, unlimited repositories, 1,500 AI Credits/month, RBAC
- Scale: Starter + Cloud Posture (CSPM), 6,000 AI Credits/month, SAML/OIDC SSO, SCIM provisioning, custom scanners, advanced compliance frameworks
- Enterprise: Scale + CWPP, unlimited AI Credits, dedicated support, self-hosted option
Contact sales@plexicus.ai for Enterprise pricing and custom feature requests.
Feature Gates
Specific features are gated behind plan tiers:
- AI Remediation: Starter+
- CSPM: Scale+
- SSO & SCIM: Scale+
- Custom Roles: Scale+
- Audit Logs: Scale+
- CWPP: Enterprise
Attempting to use a gated feature shows a clear upgrade prompt so you can immediately activate it if needed.
AI Credits
AI Credits are a unified metric for API-intensive operations:
- Remediation: 10 credits per fix request
- FP Detection: 5 credits per deep false positive analysis
- Report Import: 15 credits to ingest external security reports
- Deep Enrichment: 20 credits for enhanced AI analysis on complex findings
Your plan renews AI Credits monthly on the renewal date. Unused credits do not roll over. If you exceed your monthly allowance, you can purchase credit packs (pay-as-you-go) to continue using AI features.
SaaS vs Self-Hosted
Plexicus is available as a cloud-hosted SaaS platform or as a self-hosted deployment in your own Kubernetes cluster.
Plexicus Cloud (SaaS)
Best for: Most organizations. Fast onboarding, automatic updates, no infrastructure management.
- Hosted on Plexicus infrastructure (EU data centers)
- Automatic updates and security patches
- Integrated analytics and support dashboards
- Email, Slack, and Teams integrations
- Billed monthly or annually
Self-Hosted
Best for: Enterprises with strict data residency, compliance, or network isolation requirements.
- Deploy to your own Kubernetes cluster (on-prem, private cloud, or isolated VPC)
- Complete control over data location and network boundaries
- Integration with your identity provider (SAML/OIDC)
- Enterprise SLA and priority support
- Licensed annually with usage-based pricing
Self-hosted deployments require a valid license key and supported Kubernetes version (1.24+). See Self-Hosted Deployment for setup and configuration.
Next Steps
- New to Plexicus? Start with Quickstart to scan your first repository in 10 minutes.
- Connect your source control? See GitHub Integration, GitLab, Bitbucket, or Gitea.
- Understand your findings? Read Findings & Triage for a detailed guide to triage and assignment workflows.
- Track security progress? See Dashboard Guide to understand ROI metrics and findings trends.
- Set up AI remediation? See AI Remediation for pull request generation and fix verification.
- Deploy self-hosted? Start with Self-Hosted Setup.