User Flows — Admin Portal
S.E.T — Portal User Flows (Working Draft)
Status: Admin portal — complete. Customer portal — now detailed from the updated MVP code (zip dated 2026-05-25). Screens that are still genuine placeholders in the code are marked [PLANNED — not yet built] with their intended purpose. Written in plain language (no technical/function detail) for inclusion in the formal document.
How the two portals relate
S.E.T ships as two portals:
- Admin portal — sold to MSSPs (managed security service providers). The MSSP's working environment, where their analysts run compliance and security work for many client organizations at once. Heavily AI-assisted: generators and analyzers do the heavy lifting; the admin reviews and approves.
- Customer portal — used by the MSSP's clients. Largely read-only: clients log in to supply the information they are asked for and to view everything the MSSP has produced for them. Their only inputs are filling assigned questionnaires, uploading documents/policies, building their org structure, managing their vendor list, and ticking off remediation steps.
ADMIN PORTAL
Overview
Dashboard
- What it does: The MSSP's home screen — a one-look summary of the whole book of business across every client.
- What the user can do: See headline counts (total clients, total systems, submitted policy documents, final reports), spot clients who need attention, and jump into common tasks.
- How they do it: They land here after login. If clients have uploaded documents awaiting review, an orange banner appears — they click it to jump to the review screen. Charts below show systems per client, analysis status, and which clients are most active.
- What happens: Counts and charts are pulled together live from across all the admin's clients. Clicking a Quick Action or the banner opens the relevant screen.
Analytics
- What it does: Shows whether clients are responding to what they're sent, and how quickly.
- What the user can do: Pick a time window and review questionnaire activity — total responses, completion rate, average completion time — per day, per questionnaire, and per client.
- How they do it: They choose a date range at the top; the charts and numbers update to that window.
- What happens: The platform tallies all questionnaire activity in the window and draws the trend charts, so the admin can spot stalled clients or weak questionnaires.
Activity Log
- What it does: A searchable feed of actions taken in the platform, tagged with who did it and which client it relates to.
- What the user can do: Browse newest activity, filter by user type (admin vs. customer) or client, and search by user, action, or detail.
- How they do it: They scroll the list or type in the search box / pick a filter; each row shows time, person, action, detail, and client.
- What happens: Matching entries appear instantly. (Target build: every change is recorded, making this a complete audit trail — the new architecture's audit logging supersedes the MVP's partial coverage.)
Clients & Org
Clients
- What it does: The master list of every client organization the MSSP serves, and where each client's portal access ("license") is switched on or off.
- What the user can do: Add, edit, delete, and re-order clients; search by name/email/industry; turn each client's portal access on/off; open a client to manage deeper settings including their vendors.
- How they do it: They click "Add Client" and fill a short form (name, email, industry, notes). To change access, they flip the access toggle on the client's card. To reprioritize, they drag the cards.
- What happens: A new client is created with access ON, so their people can log in immediately; flipping access off blocks login. Any client record older than one year is automatically switched to no access, and that client sees an "Annual License Expired" screen until the license is renewed, which is the MSSP's renewal lever.
Org Structure Admin
- What it does: Builds and maintains a client's organizational chart — departments, roles, addresses — which feeds training scope, supply-chain mapping, and policy context.
- What the user can do: Pick a client and edit its organization details: name, address, departments, and roles in each department (each tagged in-house / contractor / outsourced).
- How they do it: They select the client, then type into the fields and add departments/roles.
- What happens: Edits save automatically as they type, and the structure becomes available to the workflows that rely on it.
Questionnaires
A questionnaire begins as a reusable master template, then is assigned (copied) to a specific client, who fills in a response.
List Questionnaire
- What it does: Manages standard question-and-answer questionnaires — the library of master templates and the copies assigned to clients.
- What the user can do: Create questionnaires by hand or by uploading a file, edit or delete them, and assign a template to a client.
- How they do it: They switch between "master templates" and "assigned" tabs, use the builder or uploader, and click "assign" to a chosen client.
- What happens: An assigned questionnaire appears in that client's portal; answers come back under Responses.
Table Questionnaire
- What it does: Manages questionnaires where the client fills in a table — each row a system, asset, vendor, or process. This data becomes the inventory that Systems Analysis and BCP build on.
- What the user can do: Create a table by defining columns, or import from a spreadsheet (columns mapped automatically); preview, edit, delete, and assign.
- How they do it: They click "Create New Table" to define columns, or "Create from CSV" and upload a spreadsheet; then assign to a client.
- What happens: The client fills in rows in their portal; those rows become the client's system/process inventory used by later analysis screens.
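An added example of the "columns mapped automatically" step in the spreadsheet import, not the S.E.T import code. The target inventory columns, the accepted header spellings and the sample CSV are all constructed for the illustration; the one behaviour worth copying is that ambiguous or unknown columns are handed back to the admin rather than silently guessed.

```python
"""Map a spreadsheet's columns onto a table-questionnaire schema.

Added example, not the S.E.T import code. The target columns, the header
synonyms and the sample CSV below are assumptions constructed to show how
automatic column mapping can work and where it must stop and ask the admin.
"""
import csv
import io
import re

# Assumed target schema for an inventory table: field -> accepted header spellings.
TARGET_COLUMNS = {
    "system": {"system", "system name", "asset", "asset name", "application"},
    "owner": {"owner", "system owner", "responsible"},
    "vendor": {"vendor", "supplier", "provider"},
    "data_type": {"data", "data type", "data types", "information held"},
}

# Constructed sample: a spreadsheet exported with mixed header conventions.
SAMPLE_CSV = (
    "System_Name,Owner,Supplier,Data types,Notes\n"
    "HR portal,Dana,Acme HR Ltd,employee records,internal\n"
    "Billing,Yossi,,payment card data,\n"
)


def normalize(header: str) -> str:
    """Drop a BOM, trim, lower-case and collapse '_', '-' and whitespace to one
    space so that 'System_Name' and ' system name ' compare equal."""
    return re.sub(r"[\s_\-]+", " ", header.replace("\ufeff", "").strip().lower())


def map_columns(headers: list[str]) -> tuple[dict[str, str], list[str]]:
    """Return (target_field -> source header, headers left unmapped).

    Two source headers matching the same target are a conflict: both are
    returned as unmapped so the admin chooses, instead of one being dropped."""
    mapping: dict[str, str] = {}
    conflicts: set[str] = set()
    unmapped: list[str] = []
    for h in headers:
        n = normalize(h)
        target = next((t for t, names in TARGET_COLUMNS.items() if n in names), None)
        if target is None:
            unmapped.append(h)
        elif target in mapping:
            conflicts.add(target)
            unmapped.append(h)
        else:
            mapping[target] = h
    for t in conflicts:
        unmapped.append(mapping.pop(t))
    return mapping, unmapped


def import_rows(csv_text: str) -> tuple[list[dict[str, str]], list[str]]:
    """Parse the CSV and return rows keyed by target field, plus unmapped headers."""
    reader = csv.DictReader(io.StringIO(csv_text))
    mapping, unmapped = map_columns(reader.fieldnames or [])
    rows = [
        {target: (raw.get(src) or "").strip() for target, src in mapping.items()}
        for raw in reader
    ]
    return rows, unmapped


if __name__ == "__main__":
    rows, unmapped = import_rows(SAMPLE_CSV)
    for row in rows:
        print(row)
    print("unmapped:", unmapped)
```

Run against the sample, the two rows come back keyed by system, owner, vendor and data_type, and "Notes" is reported as unmapped so the admin can decide whether it belongs in the table at all.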
Questionnaire Generator (AI)
- What it does: Writes an entire questionnaire from a plain-language description.
- What the user can do: Describe what they want (topic, industry, number of questions, complexity, language, question types) and have the AI produce a complete, ready-to-edit questionnaire.
- How they do it: They fill a short spec form and click generate; they review and tweak in a preview tab.
- What happens: The AI produces the full questionnaire as a draft; saving it makes it a master template ready to assign.
- What the AI does: Writes the complete questionnaire — title, description, and a full set of correctly-typed questions — from the admin's short plain-language spec.
Responses
- What it does: The inbox where the admin reviews everything clients have submitted.
- What the user can do: Read answers and attachments, filter by status (draft vs. submitted), and re-open a submitted response so the client can fix and resubmit.
- How they do it: They open a response to read it; to re-open it, they click "restore to draft."
- What happens: Restoring puts the response back in the client's portal as editable, and the client can resubmit.
Compliance & Policies
Standards DB
- What it does: The library of compliance standards/frameworks that powers questionnaires, policy writing, gap analysis, and reports. Each standard can be broken into clauses.
- What the user can do: Add a standard, upload its source document, and have the AI extract its clauses and generate plain-language explanations and three "lenses" of requirements (general, IT-systems, supply-chain).
- How they do it: They create the standard (title, category), upload the framework document, and trigger the AI extraction.
- What happens: The AI reads the document and lists the clauses automatically; those feed the generators, risk mapping, and reports.
- What the AI does: Reads the uploaded framework document and extracts its individual clauses, then writes plain-language explanations and the three requirement lenses (general, IT-systems, supply-chain).
Policy Generator (AI)
- What it does: Drafts a complete, client-specific policy document end to end, then turns it into a publishable PDF once approved.
- What the user can do: Pick a client and template, let the AI write the policy, refine sections by chatting with the AI, and approve the final document.
- How they do it: They select client + template; the platform pulls in the client's org structure, systems, and standards; the AI drafts the section list and writes each section; the admin types refinement requests in a chat; then clicks Approve.
- What happens: The AI generates annexes and assembles the formatted document. On approval it becomes a permanent Approved Policy the client can view/download; otherwise it's marked "needs revision."
- What the AI does: Builds the policy's section outline, writes the content of each section, drafts the supporting annexes, assembles the final formatted document, and powers the refinement chat.
Compliance Documents
- What it does: Where the admin reviews policy/compliance documents clients have uploaded and grades them against the standards.
- What the user can do: Open an uploaded document, run an AI analysis against the standards, set a verdict, and produce a consolidated summary across several documents.
- How they do it: They open a client's uploaded document (flagged on the Dashboard banner), run the AI analysis, then set "approved / needs revision / rejected."
- What happens: The AI returns gaps, a score, and recommendations; the verdict and any required revisions become visible to the client.
- What the AI does: Analyzes each uploaded document against the standards to produce identified gaps, a score, and recommendations — and a consolidated executive summary across multiple documents.
Checklists
- What it does: Turns a standard into a trackable checklist of recurring compliance tasks assigned to a client.
- What the user can do: Import checklist items from a standard, assign to a client, and monitor completion.
- How they do it: They pick a standard and let the AI import the items (task, suggested owner, frequency, source clause), then assign to a client.
- What happens: The client ticks items off and attaches evidence; the admin sees percent-complete, and incomplete items can flow into the Workplan.
- What the AI does: Imports the checklist items from the chosen standard — each with a task, a suggested owner, a frequency, and the source clause.
Security & Risk
Compliance Scans
- What it does: Takes uploaded technical security reports and turns them into structured, explained findings with remediation guidance and a client-facing report. Covers general assessments, penetration tests, external attack-surface results, and code reviews.
- What the user can do: Upload a report under one of the four categories, review extracted findings, get AI remediation guidance per finding, and compile a report.
- How they do it: They choose a category, upload the file (PDF/JSON/image), click into any finding for AI guidance, and optionally add context or evidence.
- What happens: The AI extracts each finding (severity, title, evidence) and writes remediation steps; the compiled report appears in the client's Security area, and findings can seed Workplan tasks.
- What the AI does: Extracts the findings (severity, title, evidence) from the uploaded report, writes detailed remediation guidance for each, and compiles the client-facing report.
Cyber Security
- What it does: Manages the client's security tools and the scan results they produce, tracking how well each tool is configured and how issues get mitigated over time.
- What the user can do: Record tools, upload scan output, get an AI-written summary and mitigation steps, and move each issue through its lifecycle.
- How they do it: They add a tool, upload its scan output, and work each issue from open → in progress → resolved using AI-recommended steps.
- What happens: The AI parses the scan into structured results, writes an executive summary, and the summaries surface in the client's portal.
- What the AI does: Parses the tool's scan output into structured findings, writes an executive summary, analyzes supporting evidence, and recommends mitigation steps.
Risk Management (AI)
- What it does: The risk hub — gathers gaps found across the platform (training, cyber, supply chain, systems, processes) and maps them to recognized controls (NIST 800-53) to drive risk decisions.
- What the user can do: Review aggregated gaps mapped to controls and make a risk decision per gap (accept / mitigate / transfer / avoid).
- How they do it: They open the hub (gaps gathered automatically), review the mapping, and pick a decision for each.
- What happens: The AI maps each gap to specific controls and produces a gap analysis; "mitigate" decisions generate Workplan tasks.
- What the AI does: Maps each gathered gap to specific NIST 800-53 controls and produces the gap analysis.
Files Analysis
- What it does: Scans a client's uploaded documents (Hebrew/English images, PDFs, forms) to identify what kinds of data the organization holds — feeding their privacy/data-mapping picture.
- What the user can do: Select an uploaded file and have the AI identify the data types in it, with new/unexpected types flagged.
- How they do it: They pick a file and run the analysis.
- What happens: The AI extracts the data types; results roll up into a per-client consolidated data report linked to the relevant systems.
- What the AI does: Reads the files (including Hebrew/English images, PDFs, and forms) and identifies the data types present, flagging any new or unexpected ones.
Systems & Continuity
Org Systems Analysis (AI)
- What it does: Builds a full understanding of each client IT system — what it is, how data flows, how it measures against standards, and how risky it is. The system list is derived automatically from the client's table-questionnaire answers.
- What the user can do: Pick a system and let the AI analyze it end to end; watch risk scores update as remediation happens.
- How they do it: They select a system from the auto-built list and run the analysis.
- What happens: The AI draws a data-flow diagram, writes documentation, checks the system against standards (met vs. gaps), scores its risk, and drops recommended fixes into the Workplan. As fixes land, a "mitigated score" updates, and everything appears in the client's Systems Analysis view.
- What the AI does: Draws the system's data-flow diagram, writes its documentation, checks it against the standards (controls met vs. gaps), scores its risk, and emits the recommended remediation tasks.
BCP (AI)
- What it does: Builds the client's business-continuity picture — which processes are critical, what downtime costs, and how to recover. Processes are derived from the client's table questionnaires.
- What the user can do: Review each process's impact analysis, cost exposure, and recovery plan generated by the AI.
- How they do it: They open a client's processes (extracted automatically) and run the BCP analysis.
- What happens: Per process, the AI works out recovery time/point objectives and criticality, estimates downtime cost per hour and annual loss, drafts recovery steps, and draws a process flow diagram — surfaced in the client's BCP dashboard.
- What the AI does: Runs each process's business-impact analysis (recovery objectives, criticality), estimates downtime cost and annual loss, drafts the recovery steps, and draws the process flow diagram.
Supply Chain
Supply Chain Management
- What it does: Manages a client's third-party/vendor risk — sending vendors questionnaires and document requests, then scoring each vendor's risk from what comes back.
- What the user can do: Assign questionnaires and required documents to a client's vendors, review the AI's risk analysis, and produce a consolidated supply-chain report.
- How they do it: They assign questionnaires/documents to vendors; vendors respond (vendor surface — out of scope); the admin reviews the AI analysis.
- What happens: The AI scores vendor responses against requirements, reviews uploaded documents, sets an overall risk level per vendor, and assembles a consolidated report; the client sees a vendor risk matrix and can drill into each vendor.
- What the AI does: Scores each vendor's responses against the requirements, reviews their uploaded documents, sets an overall risk level per vendor, and assembles the consolidated report.
Training
Program
- What it does: Plans and produces the client's security-awareness training — programs per department, generated content and instructor kits, scheduled sessions, and post-training competency scoring.
- What the user can do: Define a training program, generate content and instructor materials, schedule sessions, issue a public link for employees to answer post-training questions, and review competency results.
- How they do it: They define the program (department, modules, topics) and let the AI generate content, kits, scenarios, and a session plan; they schedule sessions; they generate a one-time, 24-hour public link for employees.
- What happens: Employees answer through the public link without an account (employee surface — out of scope); the AI scores competency and produces a progress report; competency gaps flow into the Risk Management training lane.
- What the AI does: Generates the training content per module, builds the instructor kits, creates custom scenarios and a session plan, and scores employee competency into a progress report.
Outputs
Workplans
- What it does: The single place all remediation work converges — every gap found anywhere (systems, vendors, risk, BCP, training, security) drops a recommended task here.
- What the user can do: Review accumulated and manual tasks, have the AI break complex tasks into sub-steps with effort/cost estimates, assign owners, and track progress.
- How they do it: They pick a client, review the task list, and move tasks through draft → approved → in progress → completed; owners update percent-complete and flag blockers.
- What happens: Tasks are tracked to completion and also surface to the client in their Workplans/Monitoring views.
- What the AI does: Breaks complex tasks into sub-steps and estimates the effort and cost for each.
Reports
- What it does: Produces the formal, polished compliance report — the deliverable the client pays for — built section by section and exported as a PDF. Generated in one selected language at a time (Hebrew by default; Hebrew, English, Arabic, Russian, or French), never mixed.
- What the user can do: Pick a client and the sections to include, let the AI write each section, and produce the final PDF.
- How they do it: They select the client and report sections and trigger generation.
- What happens: The platform aggregates the client's data; the AI writes each section including a controls-assessment table and a remediation-plan table; the sections are composed into a downloadable PDF.
- What the AI does: Writes each section of the report (executive summary, methodology, findings, etc.), including the controls-assessment table and the remediation-plan table.
AI Assistant
BNAI Agent
- What it does: A conversational AI assistant the admin can ask compliance questions of, drawing on the platform's knowledge (standards, policies, and the user's organizational context).
- What the user can do: Ask questions in a chat and get context-aware answers, with follow-ups remembered.
- How they do it: They type a question into the chat window.
- What happens: The assistant pulls in relevant context and streams back an answer; the conversation is kept so follow-ups stay on topic.
- What the AI does: Retrieves the relevant context (standards, policies, the user's organizational context) and generates the conversational answer.
Note — two launcher links: The admin sidebar also includes Client Portal and Vendor Portal — external launcher links that simply open the customer and vendor login pages. They aren't admin screens, so they're not detailed above. (26 sidebar entries total: 24 working screens grouped above + these 2 launchers.)