Frequently Asked Questions

General Questions

What is SPEAR and who is it for?

SPEAR (Security Posture Evaluation And Response) is a comprehensive security assessment management platform designed for penetration testing firms, security consultants, and internal security teams. It streamlines the entire security assessment lifecycle from client engagement through final report delivery.

What makes SPEAR different from other security assessment platforms?

SPEAR provides an integrated workflow covering:

Sales & Scoping: Client management, scoping workbench, and public approval portals
Project Management: Scheduling, resource allocation, and status tracking
Operations: Asset management, vulnerability tracking, and physical security assessments
Reporting: Real-time collaborative editing, findings library, and branded PDF/DOCX export
Administration: RBAC, OAuth/SSO, branding customization, and audit logging

The platform is self-hosted, giving you complete control over your sensitive assessment data.

What are the system requirements?

Minimum Requirements:

Operating System: Linux, Windows 10+, or macOS 11+
Architecture: amd64 or arm64
RAM: 2GB minimum, 4GB recommended
Disk: 1GB for application, additional space for data storage
Network: Port 8090 (configurable)

Installation & Setup

How do I install SPEAR?

Download the latest release for your platform from the releases page
Extract the archive
Set the SPEAR_ENCRYPTION_KEY environment variable
Run ./spear serve

See the Downloads page for detailed platform-specific instructions.

What is the SPEAR_ENCRYPTION_KEY and how do I generate it?

The SPEAR_ENCRYPTION_KEY is a 32-character encryption key used to protect sensitive data stored in the database. Generate one using:

# Linux/macOS
openssl rand -base64 32 | head -c 32

# Or use any secure password generator

Store this key securely - losing it means losing access to encrypted data.

Can SPEAR run on Windows/macOS/Linux?

Yes, SPEAR provides pre-built binaries for:

Linux (amd64, arm64)
Windows (amd64, arm64)
macOS (amd64, arm64 - Apple Silicon)

How do I set up SSL with Traefik?

See the Traefik SSL deployment guide for step-by-step instructions on configuring automatic SSL certificates with Let’s Encrypt.

Features & Capabilities

What scanner formats can SPEAR import?

SPEAR supports importing findings from multiple security tools:

Burp Suite: XML export format
NodeZero: JSON export format
Nexpose/InsightVM: XML export format
BloodHound: JSON export format
Atlas: Native format migration

How does real-time collaboration work?

SPEAR uses Y.js-powered real-time collaboration that allows multiple team members to:

Edit report sections simultaneously
See each other’s cursors and selections
Resolve conflicts automatically
Work offline with automatic sync when reconnected

Can I customize report branding?

Yes, the Admin module provides comprehensive branding controls:

Logo upload (light and dark variants)
Color scheme customization
Font selection
Cover page templates
Header/footer configuration
Custom CSS for PDF exports

What AI features are available?

With OpenAI integration configured, SPEAR provides:

AI-assisted finding descriptions
Remediation recommendation generation
Executive summary drafting
Technical writing assistance

User Management

How do I create users and assign permissions?

Navigate to Admin > Users & Access
Click Create User
Fill in user details (name, email, password)
Assign the user to one or more Groups
Groups determine the user’s permissions through assigned Roles

What’s the difference between groups and roles?

Roles: Define permission sets (what actions can be performed)
Groups: Collections of users that share the same roles

This separation allows flexible permission management - you can create roles like “Report Editor” or “Project Manager” and assign them to groups like “Senior Consultants” or “Interns”.

Can SPEAR integrate with SSO/OAuth?

Yes, SPEAR supports OAuth2/OpenID Connect integration with providers including:

Google Workspace
Microsoft Azure AD / Entra ID
GitHub
GitLab
Okta
Custom OIDC providers

Configure these in Admin > Authentication.

Data & Security

Where is data stored?

SPEAR uses an embedded SQLite database stored locally. Default location:

Linux: ./pb_data/
Windows: .\pb_data\

Uploaded files (images, attachments) are stored in ./pb_data/storage/.

Is data encrypted?

At rest: Sensitive fields are encrypted using the SPEAR_ENCRYPTION_KEY
In transit: Use HTTPS in production (see Traefik SSL deployment)
Backups: Can be encrypted when using S3-compatible storage with server-side encryption

How do backups work?

SPEAR provides automated backup scheduling:

Configure backup settings in Admin > System > Backups
Set schedule (daily, weekly, custom cron)
Optionally configure S3-compatible storage destination
Backups include database and uploaded files

Manual backups can be triggered anytime from the admin interface.

What audit logging is available?

SPEAR logs security-relevant events including:

User authentication (login/logout/failures)
Permission changes
Record modifications
Export operations
Administrative actions

View logs in Admin > Security > Audit Log.

Integrations

What third-party services does SPEAR integrate with?

OpenAI: AI writing assistance
S3-Compatible Storage: Backups to AWS S3, MinIO, Backblaze B2, etc.
SMTP: Email notifications
OAuth Providers: SSO authentication

How do I configure OpenAI integration?

Navigate to Admin > Integrations
Enter your OpenAI API key
Select the model (GPT-4 recommended)
Configure rate limits if desired
Save and test the connection

Can I use S3-compatible storage for backups?

Yes, SPEAR supports any S3-compatible storage provider:

AWS S3
MinIO (self-hosted)
Backblaze B2
DigitalOcean Spaces
Cloudflare R2

Configure in Admin > System > Backups > Remote Storage.

Troubleshooting

How do I view application logs?

Console logs:

./spear serve 2>&1 | tee spear.log

Structured logs: Access the admin panel at /_/ and navigate to Logs.

What should I do if the service won’t start?

Check port availability: Ensure port 8090 isn’t in use

lsof -i :8090  # Linux/macOS
netstat -an | findstr 8090  # Windows

Verify encryption key: Ensure SPEAR_ENCRYPTION_KEY is set and 32 characters
Check permissions: Ensure write access to the pb_data directory
Review logs: Run with verbose output
Terminal window
```
./spear serve --debug
```

How do I reset the admin password?

Access the PocketBase admin panel directly:

Navigate to http://localhost:8090/_/
Click “Forgot Password” if configured with SMTP
Or access the database directly and update the password hash

For initial setup, create the first admin account at http://localhost:8090/_/.

Getting Help

If your question isn’t answered here:

Check the documentation
Search existing GitHub issues
Open a new issue with details about your problem
Contact support at [email protected]