Quickstart process
Ready to leverage the power of Helm to streamline your vulnerability management? Let's get you up and running!
Step 1: Sign up and sign in
Sign up
If your organization isn't using Helm yet, contact us to get your account created.
If your organization already has a Helm account, your Account owner will send you an invitation email with your organization-specific sign-in page URL and instructions for accessing your assigned workspace.
If your organization already has a Helm account, you can sign up directly from the Helm sign-in page. Your Account owner will need to send you your organization-specific sign-in page URL.
Your sign-in process depends on how your organization has configured authentication. When you visit your organization's sign-in page, you'll see either:
Standard sign-in form: Email and password fields with an optional "Sign up" link
Sign in with SSO: A Sign in with SSO button that directs you to your organization's sign-in page
Option A: Sign up without SSO (email and password)
If your organization isn't using Helm yet, contact us to get your account created.
Check your email for the invitation from Medcrypt containing your new organization-specific URL.
Click the invitation link in the email to display the Sign in page.
Click the Sign up link.
Complete the sign up form, then click Sign up. You'll need to enter your email address and create a password, then specify your job role.
Verify your email account:
Check your email for a verification message (check spam folder if needed).
Click the Verify account button in the email. This will direct you to the Sign in page.
If you don't receive the email, contact us for assistance.
On the Sign in page, enter your email address and the password you created, then click Sign in.
Upon sign in, you'll be prompted to set up MFA (Multi-Factor Authentication):
Install an authentication app on your smartphone (e.g., Google Authenticator, Authy)
Scan the QR code or enter the setup key provided
Save your recovery codes in a secure location
Option B: Sign up (organization has existing Helm account)
Use this process if your organization uses standard email and password authentication and your organization has an existing Helm account.
Check your email for the invitation from your Account owner containing your organization-specific URL.
Click the invitation link in the email. This will bring you to your organization's sign-in page.
Click the Sign up link on the sign in page to display the Sign up form.
Complete the sign up form, then click Sign up. You'll need to enter your email address and create a password, then specify your job role.
Verify your email account:
Check your email for a verification message (check spam folder if needed).
Click the Verify account button in the email. This will direct you to the Sign in page.
If you don't receive the email, contact us for assistance.
On the Sign in page, enter your email address and the password you created, then click Sign in.
Upon sign in, you'll be prompted to set up MFA (Multi-Factor Authentication):
Install an authentication app on your smartphone (e.g., Google Authenticator, Authy)
Scan the QR code or enter the setup key provided
Save your recovery codes in a secure location
Option C: Sign in with SSO
Use this process if your organization uses Single Sign-On with an identity provider (like Azure AD, Okta, Google Workspace, etc.). Contact us to enable SSO for your account.
Check your email for the invitation from your Account owner containing your organization-specific URL.
Click the invitation link in the email. This will bring you to your organization's sign in page.
Click the Sign in with SSO button.
Authenticate with your identity provider:
You'll be automatically redirected to your organization's identity provider sign in page
Enter your company credentials (the same username/password you use for other work applications)
Complete any additional authentication steps required by your organization. SSO users typically have MFA handled by their company's identity provider and will likely not see the step to configure MFA.
Automatic account creation:
Your Helm account will be created automatically using your SSO profile information
You'll be redirected back to Helm and signed in immediately
No separate password creation or email verification needed
Upon first sign in
When you successfully sign in for the first time:
You'll land in your assigned workspace - Your Account owner will have assigned you to one or more workspaces
Check your workspace access - You can see which workspace you're in via the Account drop-down and breadcrumb trail. If you have access to multiple workspaces, you can switch between them using these controls
Choose a path on the Get started page that best suits your needs. You can always access this page from the Help > Get started item in the sidebar.
Step 2: Integrate into your CI/CD process (Optional)
API: Use our Helm API to automate many tasks, such as creating product versions, uploading SBOMs, returning all vulnerabilities and generating reports, as well as returning only unmatched components or only CISA KEV vulnerabilities.
GitHub: Integrate our GitHub action into your CI/CD process or use it independently to automate product version creation and SBOM uploads.
Microsoft Azure DevOps extension: Use our Azure DevOps extension to seamlessly integrate Helm into your CI/CD workflows, automating the creation of product versions and uploading of SBOMs directly from your Azure pipelines.
Coming soon
AWS integration: Configure Amazon Web Services to automate SBOM uploads from S3 buckets and incorporate vulnerability data into your existing AWS workflows.
Jira integration: Connect Helm with Jira to automatically create, track, and update tickets for critical vulnerabilities, streamlining your remediation workflow.
Step 3: Upload or generate your first SBOM
Got an SBOM ready?
Upload your CycloneDX or SPDX SBOM file to Helm. During upload, you'll create or select a product or version within your current workspace.
Helm also supports Yocto Linux SBOMs.
Your component list should automatically refresh as your SBOM is being processed.
If you don't see any components showing, check the SBOM file upload status.
Don’t have an SBOM yet?
Contact us to use our SBOM generation tool.
Generate a CycloneDX SBOM or SPDX SBOM using our open-source tool suggestions.
Manually create your SBOM in Helm.
If you’re still unsure how to get started, contact us so we can assist you.
Step 4: Ensure all of your components are matched to known software in the NVD
Once you’ve uploaded your SBOM, Helm will try to match your components to the NVD (National Vulnerability Database). Only components that are matched to the NVD will show vulnerabilities. You can also use our API to return unmatched components.
Review match statuses
To view vulnerabilities for components that are Matched to NVD, click Vulnerabilities in the sidebar. This will display all vulnerabilities for these components.
To resolve other match statuses, click each status badge to start the resolution process.
For components that have a Matched status with a package manager badge, but no NVD badge, this could indicate that there are no published vulnerabilities for those components. However, components can also be named differently in the NVD, so you should check the NVD to see if there actually is a match.
Handle unmatched components: Try to resolve any Not found statuses, as this indicates Helm was unable to find a match in the NVD.
When you determine the appropriate matches, create an alias for each component so that these will be auto-matched for all future SBOMs.
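A local pre-upload check for the identifiers that Steps 4 and 5 depend on, as an added example that is not part of Helm or its API: it walks a CycloneDX JSON SBOM and lists components that carry no CPE or PURL, or a malformed one. That these are the components most likely to need manual matching is an assumption; the function name check_identifiers and the sample SBOM are constructed for illustration.

```python
import json
import re

# CPE 2.2 URI, or CPE 2.3 formatted string (part + 10 further fields).
CPE_RE = re.compile(
    r"^cpe:(?:/[aoh]:\S+|2\.3:[aoh](?::(?:\\.|[^:\\\s])+){10})$")
# Package URL: "pkg:" + type + "/" + name, with optional @version.
PURL_RE = re.compile(r"^pkg:[A-Za-z][A-Za-z0-9.+-]*/\S+$")

def check_identifiers(sbom):
    """Sort components into ok / missing / malformed by CPE and PURL."""
    report = {"ok": [], "missing": [], "malformed": []}
    queue = list(sbom.get("components", []))
    while queue:
        comp = queue.pop(0)
        queue.extend(comp.get("components", []))  # nested sub-components
        label = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        cpe, purl = comp.get("cpe"), comp.get("purl")
        # Names of the identifier fields that are present but ill-formed.
        bad = [field for field, value, pattern in
               (("cpe", cpe, CPE_RE), ("purl", purl, PURL_RE))
               if value and not pattern.match(value)]
        if not cpe and not purl:
            report["missing"].append(label)
        elif bad:
            report["malformed"].append((label, bad))
        else:
            report["ok"].append(label)
    return report

# Constructed sample SBOM (not real product data).
SAMPLE = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k",
     "cpe": "cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*",
     "purl": "pkg:generic/openssl@1.1.1k"},
    {"type": "library", "name": "zlib", "version": "1.2.11",
     "cpe": "cpe:2.3:a:zlib:zlib:1.2.11"},
    {"type": "library", "name": "vendor-sdk", "version": "4.2",
     "components": [{"type": "library", "name": "lodash",
                     "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"}]}
  ]
}""")

if __name__ == "__main__":
    for status, items in check_identifiers(SAMPLE).items():
        print(f"{status}: {items}")
```

To check a real file, load it with json.load and pass the result to check_identifiers in place of SAMPLE.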
Step 5: Take advantage of automatic and manual data enrichment
Automatic enrichment
If we identify inaccurate CPEs or PURLs in your SBOM, Helm will automatically attempt to provide an enriched CPE or PURL that matches to the correct software. You can export this enriched SBOM or your original SBOM.
Helm will automatically update vulnerabilities with severity, exploitability, and source information.
Helm will automatically update components with source information.
For Windows vulnerabilities, Helm provides Windows KB patch recommendations.
Manual enrichment
Reload any component to automatically add missing licenses for any components that do not already have associated licenses. Helm does not overwrite existing licenses.
Step 6: Prioritize your most exploitable vulnerabilities
Set up notifications and tracking
Enable email notifications for new vulnerabilities. You can receive daily, weekly, and/or monthly updates.
Enable the Date updated column to keep track of updated vulnerabilities. You can filter on date range to view these updates.
Prioritize and rescore vulnerabilities
Bulk rescore all vulnerabilities across your selected product version. If desired, you can also rescore individual vulnerabilities.
Refer to Identify and prioritize exploitable vulnerabilities for more info.
Step 7: Leverage AI guidance to quickly resolve vulnerabilities
Get comprehensive recommendations
Select one or more vulnerabilities in your list, then click the Get AI guidance action to receive comprehensive mitigation strategies, upgrade recommendations, and actionable remediation steps with supporting sources.
Check affected tech stacks
Our AI automatically detects affected technology stacks for each vulnerability (e.g., Windows, Red Hat, SQL, Git, gRPC, WordPress, and others), providing detailed recommendations for each stack, along with supporting sources.
Click the Columns link above the table to enable the tech stacks column to take advantage of these insights.
Click each of these tags to open the vulnerability details modal.
Scroll down to the AI recommendations section to access detailed information about affected tech stacks, upgrade recommendations, and short-term mitigations, all backed by source documentation.
Step 8: Remediate vulnerabilities individually or in bulk
You can remediate with CycloneDX and/or CycloneDX VEX statuses.
Bulk remediate vulnerabilities within a product, across products, or target a particular component's vulnerabilities with the click of a button, enabling you to speed triage and ensure remediation consistency of particular vulnerabilities across your product portfolio.
If desired, individually remediate vulnerabilities.
Step 9: Patch Windows vulnerabilities with WinKB recommendations
If you already know which Windows KBs to add to your digital product, you can bulk patch by adding these KBs to the product version.
To patch individual vulnerabilities, filter KB patch to Patch available. You can view these across all products or select a product version.
Step 10: Monitor your progress on your dashboard
Quickly identify threats and track your progress on your Dashboard, accessible via the Home icon on the sidebar. Dashboard metrics reflect only your current workspace data.
Quickly prioritize and remediate threats to your most impacted products and components
Zero in on critical vulnerabilities
Track progress on vulnerabilities you still need to remediate
Step 11: Export your FDA SBOM or other FDA-ready reports
You can export reports for a product version or select multiple product versions to get a consolidated report of products within your workspace.
Export your expert-crafted FDA SBOM to ensure a smooth FDA submission.
Export VEX and VDR reports.
Export enriched SBOM or original SBOM.
Check whether you are affected by a particular vulnerability (Optional)
Check whether a particular vulnerability impacts products in your workspace, and if so, which products you'll need to focus on. Just enter the vulnerability ID in the global search bar at the top of any page.
Check whether your products contain a particular component (Optional)
Check whether any products in your workspace contain a particular component, and if so, which ones. Just enter the component name in the global search bar at the top of any page.

