What this page covers — and what it doesn’t
Webhook alerts — Slack & Microsoft Teams
Alerts post to a Slack incoming webhook URL or a Microsoft Teams incoming webhook URL. The same configuration model works for both — paste the URL in Settings → Integrations → Add channel, pick which event types you want, and ScanPosture starts posting.
Supported event types
- Scan completed — every completed scan, with new vs. resolved finding counts.
- New critical / high finding — fires the moment a critical or high-severity finding appears in a scan that wasn’t there in the previous scan.
- Score regression — fires when posture score drops by more than the configured threshold (default 5 points).
- Drift detected — fires when scan-change diff is non-empty (use sparingly; this is noisy on actively-administered tenants).
- Permission revoked — fires if ScanPosture detects its consent has been revoked or a required role removed.
Payload shape (Slack)
ScanPosture posts a Block Kit message — the rendered card includes the event title, posture score, the change since last scan, and a deep-link button back to the dashboard. Example summary:
- event: finding.created
- severity: critical
- tenant: acme.scanposture.com
- check_id: ENTRA_ADMIN_NO_MFA
- affected_count: 2
- permalink: https://acme.scanposture.com/findings/…
Payload shape (Teams)
Teams receives an Adaptive Card with the same fields. The deep-link button opens the same dashboard URL as the Slack version.
Webhook URLs are secrets
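Anyone who holds an incoming webhook URL can post to the channel it targets, so the URL should stay out of application logs and tickets. The Python logging filter below is an added example, not ScanPosture code; the URL patterns and the sample URLs used with it are assumptions based on the commonly seen Slack and Teams incoming webhook formats.

```python
import logging
import re

# Assumed URL shapes for incoming webhooks (not taken from the ScanPosture docs):
#   Slack: https://hooks.slack.com/services/<team>/<channel>/<token>
#   Teams: https://<tenant>.webhook.office.com/webhookb2/<ids...>
#          https://outlook.office.com/webhook/<ids...>  (legacy connector form)
WEBHOOK_URL = re.compile(
    r"https://(?:"
    r"hooks\.slack\.com/services/"
    r"|[a-z0-9-]+\.webhook\.office\.com/webhookb2/"
    r"|outlook\.office(?:365)?\.com/webhook/"
    r")[^\s\"'<>]+",
    re.IGNORECASE,
)


def redact(text: str) -> str:
    """Mask the secret path of any webhook URL, keeping the host for debugging."""
    def _mask(m: re.Match) -> str:
        host = m.group(0).split("/")[2]
        return f"https://{host}/[REDACTED-WEBHOOK]"
    return WEBHOOK_URL.sub(_mask, text)


class WebhookRedactingFilter(logging.Filter):
    """Logging filter that masks webhook URLs in the fully formatted message."""

    def filter(self, record: logging.LogRecord) -> bool:
        # getMessage() merges msg and args, so URLs passed as %s arguments are covered.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(WebhookRedactingFilter())
    log = logging.getLogger("alerts")
    log.addHandler(handler)
    # Constructed sample URL, not a real webhook.
    log.warning("post failed: %s", "https://hooks.slack.com/services/T0EXAMPLE/B0EXAMPLE/constructed")
```

Attach the filter to handlers rather than to a single logger so that records propagated from child loggers are masked as well.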
AI helpers
ScanPosture uses Anthropic Claude to generate two on-demand artefacts. Both are optional and clearly labelled as AI-generated wherever they’re shown. They never replace the underlying check output — they sit alongside it.
Per-scan executive summary
At the top of each completed scan, an AI-generated paragraph summarises the most important changes since the previous scan. It is intended for leadership and stakeholders who don’t want to wade through the full priority-actions list. The model only sees the structured scan output (counts, severities, control mappings) — it never sees raw tenant data.
Per-finding remediation explainer
On any open finding, the AI helper expands the structured remediation guide (which is hand-written by the ScanPosture team) into a longer plain-English explanation tailored to the finding’s severity, affected entity count, and the tenant’s posture context. Useful when handing a finding to a junior engineer to action.
AI output is always labelled
Public status Atom feed
ScanPosture publishes a public Atom feed of incident notifications at:
https://status.scanposture.com/feed.xml
Subscribe in any feed reader, or wire it into Slack via the Slack RSS app, to receive incident open / update / resolved notifications without depending on email. The feed contains the same incident timeline shown on the public status page.
What’s on the roadmap
- Public REST API — primarily for MSP automation.
- SSO via SAML / OIDC for enterprise customers (current login is email + TOTP MFA).
- SCIM provisioning for the same audience as SSO.
If one of these is blocking your adoption, tell us — partner workflows shape priority more than anything else.
Still got questions? Email hello@scanposture.com — UK working days, real human, same-day reply.