Skip to content

The 28 Atlassian security checks Black Cat runs

Black Cat SSPM evaluates 28 security policies against your Atlassian configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

mediumInactive User

Deactivate inactive Atlassian users who are no longer needed

mediumSuspended User With Access

Remove all product access and group memberships from suspended Atlassian users

mediumUser Dual Admin Role

Remove unnecessary admin role from Atlassian users with admin access to multiple products

mediumExternal User With Product Access

Review and remove unnecessary product access for external Atlassian users

highAPI Token Older Than 90 Days

Rotate Atlassian API tokens that are older than 90 days

mediumUser With Multiple API Tokens

Reduce Atlassian API tokens per user by revoking unnecessary tokens

highSSO Not Configured

Configure SAML SSO for Atlassian to centralize identity management

mediumSession Duration Excessive

Reduce Atlassian session timeout to 24 hours or less

mediumJira Project Permissive Default Roles

Remove anonymous browse access and restrict default role permissions in Jira projects

lowAPI Token No Label

Add a descriptive label to unlabeled Atlassian API tokens to enable auditing and attribution

highExternal Users Policy Disabled

Enable the external users policy to enforce controls on guest and external account access

mediumOrg Admin Product Access

Review and reduce org-admin product access to the minimum required set of users

mediumUser Account Closed

Remove or fully deprovision closed Atlassian user accounts from the organization directory

mediumAPI Token Generic Label

Replace generic-labeled API tokens older than 30 days with tokens bearing descriptive, purpose-specific labels

lowEmpty Group

Remove empty groups that have no members to reduce administrative overhead

criticalAdmin Without MFA

Require the admin user to enable two-step verification immediately

mediumProduct Access Admin

Review product-level admin access and reduce to the minimum required users

compliance

mediumData Residency Policy Disabled

Enable the data residency policy to pin data storage location for regulatory compliance

configuration

mediumMobile App Policy Disabled

Enable mobile app management policy to control mobile device access to organization data

data sharing

mediumJira Project Externally Shared

Review and disable external sharing on Jira projects that do not require outside access

mediumConfluence Space Externally Shared

Review and disable external sharing on Confluence spaces that do not require outside access

mfa

highUser Without MFA

Enforce two-step verification for all Atlassian users in authentication policies

highTwo-Step Verification Not Enforced

Enforce two-step verification for all users in Atlassian authentication policies

network

highIP Allowlist Policy Disabled

Enable IP allowlist policy to restrict access to trusted network ranges

sharing

highJira Project Public Access

Restrict Jira project visibility from public to private

highConfluence Space Anonymous Access

Disable anonymous access to Confluence spaces

mediumConfluence Space Public Links

Disable public link sharing for Confluence spaces

mediumArchived Confluence Space With Anonymous Access

Disable anonymous access on archived Confluence spaces to prevent unintended data exposure

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial