NullSquare
How to · Beginner · Reviewed May 18, 2026

Set up your organization

Configure the account boundary: business context, members and roles, compliance frameworks, billing, and the credits that fund every run.

The organization is your account. Everything you do on NullSquare — every scope, every run, every finding — lives inside one. Setting it up well is a one-time investment that makes every later assessment cleaner: the agent understands your business, the right people have the right access, and you know how credits and limits will behave as you scale.

Most teams complete this page in under fifteen minutes and never have to revisit it except to update context or invite new members.

What you will learn

  • Business context. Give the agent a written understanding of what your company does.
  • Members and roles. Invite teammates and grant the smallest set of permissions they need.
  • Compliance frameworks. Select the frameworks that should shape readiness reporting.
  • Credits and plan. Understand how runs consume credits, what your plan covers, and how to refill.

Related app areas

  • /settings/organization
  • /settings/members
  • /settings/billing

Create the organization

If you signed up for the account, your organization already exists. Open Settings → Organization to fill in the details that the agent and your team need.

  1. Open Settings → Organization.
  2. Set the organization name (it appears on reports and in audit logs).
  3. Save changes before moving on.

Write the organization brief

The organization brief is a short written description of your company that the agent reads before every assessment. It is not marketing copy — it is operational context. A good brief tells the agent what your company does, which workflows are business-critical, which data types are sensitive, and where the agent should never go.

Two or three paragraphs is enough. Re-read it once a quarter to keep it current as the business changes.

  • What the company does, and who its customers are.
  • Which workflows are business critical (login, checkout, payment, identity, data export, and so on).
  • Which sensitive data types exist (PII, PHI, payment data, source code, customer data).
  • Where that data is expected to live.
  • Organization-wide hard-no actions and escalation contacts.

Select compliance frameworks

Pick the frameworks your organization cares about — SOC 2, ISO 27001, PCI DSS, NIST CSF, and others as applicable. This selection shapes the compliance readiness module: which controls show up on the readiness matrix, what evidence the platform asks for, and what the readiness reports cover.

You can change this selection at any time, but the readiness matrix can take a moment to recompute after each change.

Invite members and assign roles

NullSquare uses four roles. Pick the smallest one that lets each person do their job.

  • Owner — full control of the organization, including billing and ownership transfer. Reserved for the account owner.
  • Admin — manages organization settings, members, integrations, runners, and billing. Right for platform owners and IT leads.
  • Lead — manages scopes, runs, automations, repository mappings, and evidence review. Right for security operators.
  • Member — triages assigned findings and reviews run outputs. Right for engineers and reviewers who do not need configuration access.

  1. Open Settings → Members.
  2. Click Invite.
  3. Enter the email and choose the role.
  4. Send the invite. The invitee accepts via email and joins the organization.

Pick least-privilege roles

Owner and Admin can change billing, integrations, and runners. Most teammates only need Lead or Member. You can upgrade a role at any time.

Connect integrations

Integrations live at the organization level so every scope can use them. The big three are GitHub (white-box source context and PR review), Microsoft Entra (identity evidence), and Google Workspace (identity evidence). Connect what is relevant; you can always come back.

Credits — how runs are paid for

Every assessment consumes credits. Credits are the unit of work in NullSquare: think of them as effort tokens that the agent spends executing your goal. A short discovery on a small scope costs less than a deep authenticated assessment of a multi-tenant API.

You do not need to micromanage credits during a run. They are tracked automatically and shown on the run detail page. What matters for setup: you have a credit balance, runs draw from it, and the platform stops queuing new runs when the balance is exhausted.

  • Credits are consumed per run, based on the work the agent does.
  • The current balance lives in Settings → Billing.
  • When credits run low, refill from the billing portal or wait for the next subscription cycle.
  • Assistant chat, asset views, finding triage, and report viewing do not consume run credits.

Subscription and plan limits

Your subscription plan controls the entitlements that apply on top of credits. Different plans allow different concurrent run counts, scope counts, automation availability, and access to private runners.

  • Concurrent runs — how many assessments can execute at the same time.
  • Active scopes — how many scopes can exist in parallel before requiring a plan change.
  • Automation availability — whether scheduled and event-driven runs are enabled.
  • Private runner access — whether your plan includes the runner program.
  • Refill flow — pay-as-you-go credit top-ups or scheduled subscription renewals.

Where to manage billing

All billing, invoices, refills, and plan changes live in Settings → Billing. Only Owner and Admin roles can change them.

Audit and governance

NullSquare records sensitive organization actions to an audit log: scope changes, credential changes, runner deployments, automation changes, integration changes, evidence review decisions, and member changes. Open Settings → Audit log to review them. Larger teams should make periodic review part of their security operations cadence.

Day-one checklist

  • Organization brief written and saved.
  • Compliance frameworks selected.
  • GitHub, Entra, and Workspace integrations connected if applicable.
  • Members invited with the smallest workable roles.
  • Billing portal verified — credit balance and plan visible.
  • A first scope created to start the discovery quickstart.
