Help center

Frequently asked questions

The same questions we get every week. If yours isn't here, email hello@resolute-security.com.

Getting started

What does Resolute Security do?
We pull data from the systems you already use (Microsoft 365, Google Workspace, GitHub, Cloudflare, AWS, Snyk, KnowBe4) and turn it into a single posture score, a findings board, and framework-ready evidence. No agents to install; you connect via OAuth or read-only API keys and we do the rest.
What's free vs. paid?
Free: every single-shot tool (email scan, DMARC / DKIM / SPF / BIMI / MTA-STS / TLS-RPT / CAA / security.txt / HSTS builders, TLS scanner, mixed-content scanner, open-redirect detector). Pro adds continuous monitoring, the integration syncs, the compliance assessments, the findings Kanban, and the executive PDFs. Full list on /pricing.
What should I do in the first week?
  1. Run an email scan on your domain.
  2. Sign up, connect Microsoft 365 (or Google Workspace) via OAuth.
  3. Set your industry on /app/profile so benchmarks light up.
  4. Walk through the CMMC Level 1 self-assessment — auto-fills from your integrations.
  5. Invite your IT lead or vCISO to the org.

Integrations

What permissions do the integrations need?
All integrations are read-only and least-privilege. Specific scopes per provider are listed in the OAuth consent screen at connect time — we never ask for write access. M365 uses application-level Graph permissions (User.Read.All, Directory.Read.All, Policy.Read.All, AuditLog.Read.All). Tokens are encrypted at rest with AES-256-GCM.
How often do integrations sync?
Hourly per provider, on a staggered schedule (M365 at :05, Cloudflare :10, KnowBe4 :15, AWS :20, Snyk :25, GitHub :30, Google :35). Owners can also click Sync now on any integration page — 5-minute cool-down enforced server-side.
How do I disconnect an integration?
Open /app/settings/integrations, find the integration card, click Disconnect. We revoke the OAuth token and stop syncing. Existing data stays until you delete the org.
M365 says connected but no data appears
Two common causes: (1) the first hourly tick hasn't fired yet — wait until the next :05 UTC, or click Sync now from the M365 page; (2) the OAuth scopes don't cover the data you're looking for. Reconnect and accept the consent screen again to grant any missing scopes.

Security & privacy

What data do you store?
Snapshots of your tenant's posture-relevant metadata: user list (no passwords), MFA enrollment, admin assignments, conditional access policies, device compliance, DNS records for monitored domains, cert chains. We don't copy email content, files, customer data, or anything not directly posture-related. Full sub-processor list at /security.
Are you SOC 2 certified?
Self-assessed today (we use our own product on ourselves). Type II audit scheduled for Q4 2026. Until then, we'll sign a DPA and share our internal control responses on request.
I found a vulnerability — how do I report it?
Email security@resolute-security.com. We'll acknowledge within 24h and triage. Good-faith research is welcome and protected; details on /security.

Billing

Is there a free trial?
Every single-shot tool is free forever, no signup. To evaluate the Pro features, message us at hello@resolute-security.com and we'll spin up a free 14-day eval account with seeded demo data.
Can I cancel anytime?
Yes. Stripe-managed; cancel from /app/settings/billing and you keep Pro access until the end of the period. We never charge after cancellation.
What happens to my data if I downgrade?
Data is retained. Pro-only features (continuous monitoring, findings board, integration syncs) pause. Re-upgrading resumes them where you left off. Export findings as CSV/JSON anytime from /app/findings before downgrading if you want a local copy.

Troubleshooting

"This page couldn't load" / blank screen
Hard-refresh (Cmd/Ctrl+Shift+R). If it persists, hit /healthz — if THAT returns 200, the app is up and you're seeing a per-page render error. Email us with the URL and a screenshot.
Lost my MFA / authenticator code
Use one of your one-time recovery codes (you saved them when you enabled MFA, right?). If you also lost those, email support@resolute-security.com from the email on your account and we'll verify and reset.
Slack / generic webhook never fires
(1) Verify the URL on /app/settings/integrations works — we include a test-fire button. (2) Check the webhook signing secret — see the docs. (3) Webhooks fire only on the events you've enabled in your notification preferences.

Glossary

Plain-English definitions for the acronyms and jargon used across the platform. The same content powers the ? tooltips next to terms in the app.

BIMI

Shows your verified logo next to your name in inboxes.

BIMI (Brand Indicators for Message Identification) lets your verified brand logo appear alongside your sender name in supporting email clients (Gmail, Yahoo, Apple Mail). It requires DMARC at p=quarantine or stronger plus, for most providers, a VMC certificate from a Mark Verifying Authority. Higher trust and open rates.

See also: dmarc

CMMC

DoD cybersecurity standard for defense-industrial-base companies.

Cybersecurity Maturity Model Certification — the US Department of Defense's standard for any company handling controlled unclassified information. Three levels: L1 (basic safeguards, 17 controls), L2 (NIST 800-171 alignment, 110 controls), L3 (advanced, 134 controls). Required to win new DoD contracts.

DKIM

Cryptographic signature proving an email wasn't tampered with.

DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to outbound mail that receiving servers verify against a public key in your DNS. It proves the message came from your domain AND wasn't modified in transit. Required for any modern email-deliverability posture.

See also: dmarc, spf

DMARC

Tells mailbox providers what to do with mail that fails authentication.

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a DNS record that tells Gmail, Outlook, and Yahoo what to do when an email claiming to be from your domain fails SPF or DKIM checks: do nothing (p=none), quarantine to spam (p=quarantine), or reject outright (p=reject). Without DMARC anyone can spoof your domain. The end goal for most orgs is p=reject.

See also: spf, dkim, bimi

Finding

A specific gap or risk we detected and need to track to closure.

A finding is a single, actionable item — "DMARC is p=none on acme.com", "3 admins don't have MFA enabled", "TLS cert for portal.acme.com expires in 14 days". Findings are scored by severity (critical/high/medium/low), have an SLA, an owner, and a status (open/in-progress/resolved/won't-fix). The findings board is your operational queue.

See also: sla

MFA

Second factor (code, key, or biometric) on top of a password.

Multi-Factor Authentication requires something beyond a password — a TOTP code from an authenticator app, a hardware key (YubiKey), or a passkey (Touch ID / Windows Hello). Reduces account-takeover risk by ~99%. Every Resolute account should have MFA enrolled; admins enforce it across the org from Settings.

See also: totp, passkey

MTA-STS

Forces TLS encryption for incoming mail to your domain.

MTA-STS (Mail Transfer Agent Strict Transport Security) is a policy published via DNS + HTTPS that tells sending servers they MUST use TLS when delivering mail to your domain. Without it, mail can be silently delivered in cleartext. Pairs naturally with DMARC + DKIM.

See also: tls-rpt

NIST CSF

Cybersecurity framework: Govern · Identify · Protect · Detect · Respond · Recover.

NIST Cybersecurity Framework 2.0 is a US-government framework that organizes security controls into six functions: Govern, Identify, Protect, Detect, Respond, Recover. Less prescriptive than CMMC or SOC 2 — used as an org-wide maturity roadmap rather than a pass/fail audit. Free to adopt.

Passkey

Phishing-resistant credential bound to your device (Touch ID, etc.).

Passkeys (built on WebAuthn) replace passwords with a credential stored on your device and unlocked with biometrics or a PIN. Phishing-resistant because the credential is bound to the site's origin — a fake site can't trigger the prompt. Synced via iCloud Keychain, Google Password Manager, or 1Password.

See also: mfa, totp

SLA

Time you've committed to fix a finding based on its severity.

Service-Level Agreement — in Resolute, the maximum time we expect you to take to remediate a finding before flagging it as overdue. Defaults: critical 7 days, high 30 days, medium 90 days, low 180 days. Customizable per org. Findings approaching SLA breach get highlighted on the dashboard so they don't get missed.
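The DMARC, Finding and SLA entries above describe one pipeline: read a domain's DMARC policy, turn a weak or missing one into a finding, and give that finding an SLA deadline by severity. The following is an added example of that pipeline in Python; it is not Resolute's code. The SLA day counts are the defaults stated in the glossary, while the mapping from DMARC policy to severity, the Finding fields and the sample record for acme.com are constructed assumptions for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# SLA defaults as stated in the glossary: days allowed before a finding is flagged overdue.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed severity per DMARC policy (constructed for this example, not Resolute's scoring):
# no record at all is worst, p=none next, p=quarantine is a medium gap, p=reject is the goal.
POLICY_SEVERITY = {None: "critical", "none": "high", "quarantine": "medium"}


@dataclass
class Finding:
    title: str
    severity: str
    opened: date
    status: str = "open"

    @property
    def due(self) -> date:
        """SLA deadline derived from severity."""
        return self.opened + timedelta(days=SLA_DAYS[self.severity])

    def overdue(self, today: date) -> bool:
        """Only open findings can breach their SLA."""
        return self.status == "open" and today > self.due


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs; {} if it isn't DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def dmarc_finding(domain: str, txt: Optional[str], opened: date) -> Optional[Finding]:
    """Turn a domain's _dmarc TXT record (or its absence) into a finding; None when p=reject."""
    tags = parse_dmarc(txt) if txt else {}
    policy = tags.get("p", "").lower() or None
    if policy == "reject":
        return None
    title = f"DMARC is p={policy} on {domain}" if policy else f"No DMARC record on {domain}"
    return Finding(title, POLICY_SEVERITY.get(policy, "critical"), opened)


# Constructed sample: acme.com has published a monitoring-only record.
SAMPLE = dmarc_finding("acme.com", "v=DMARC1; p=none; rua=mailto:dmarc@acme.com", date(2025, 1, 1))
```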

SOC 2

Audit report customers ask for to prove you handle their data safely.

SOC 2 (Service Organization Control 2) is an AICPA framework with five Trust Service Criteria — Security (mandatory), Availability, Confidentiality, Processing Integrity, Privacy. Type I is a point-in-time snapshot; Type II covers a 6-12 month period. Required by most B2B prospects above ~50 employees.

SPF

Lists which servers are allowed to send mail from your domain.

SPF (Sender Policy Framework) is a DNS TXT record naming the mail servers and providers (Google, Microsoft, Mailchimp, etc.) authorized to send mail using your domain. Receiving servers check it before delivery. A misconfigured SPF causes legitimate mail to land in spam.

See also: dmarc, dkim

TLS-RPT

Asks sending servers to report TLS-delivery failures to you.

TLS-RPT (SMTP TLS Reporting) is a small DNS record asking sending mail servers to email you (usually a dedicated address like tlsrpt@yourdomain.com) when they fail to deliver via TLS. Useful diagnostic signal that pairs with MTA-STS.

See also: mta-sts

TOTP

Time-based one-time password from an authenticator app.

TOTP (Time-based One-Time Password) is the 6-digit code that rotates every 30 seconds in Authy, Google Authenticator, 1Password, etc. Open standard (RFC 6238). Stronger than SMS codes; not as phishing-resistant as a passkey.

See also: mfa, passkey

Trust page

Public page where prospects self-serve your security artifacts.

A trust page (popularized by Vanta and Drata) is a public URL like /trust/yourcompany where prospects, customers, and auditors can see your security posture, request your SOC 2 report, download policies, and read your sub-processor list. It replaces the email back-and-forth that most pre-sale security reviews currently consist of.

Verified domain

A domain you've proven you own by adding a DNS TXT record.

Resolute won't let you phishing-simulate or monitor a domain unless you've proven you own it. Verification is a one-time DNS TXT record (or auto-add via GoDaddy/Cloudflare if you've connected the integration). Subdomains inherit verification — verifying acme.com covers mail.acme.com automatically.

Still stuck?

Email hello@resolute-security.com with as much context as you can — screenshot of the page, what you were trying to do, the URL. We answer within one business day, usually much faster.

For security-sensitive reports use security@resolute-security.com.