Organization Administrators have access to a variety of configuration settings for operating and managing an organization, such as administering users and setting up password policy, integrations and server defaults. Go to the User menu and choose Organization Settings to see all of the functions available.

General Information

View basic information about your organization and configure high-level preferences including date and time formats in the Organization tab.


Use Organization groups to designate a user's organization and application role, which determines what users can see and do in Contrast. You can create, view, edit and delete groups at any time.


Manage users for an organization, by adding, editing or deleting them. You can also assign users to a default group (or role), designate them for API-only use and unlock their account.


Manage password policy and session timeouts, two-step verification and IP restrictions. You can also access an audit log, where you can search for past activity in your organization by keyword and date.


Single Sign-On (SSO) is an authentication service that allows access to multiple applications using one set of credentials. As a Super or Organization Administrator, you can configure Contrast to use this service for your organization.


Contrast APIs allow you to grant access to other services. You may have API keys emailed to you, and rotate keys as needed.


Contrast offers basic integrations with various tools including bugtrackers (JIRA, Bugzilla and Serena) and notification channels (Slack, Microsoft Teams, and generic Webhooks). Authorize and connect the tools you need to streamline workflows.


Server Settings provide default configurations for new servers (agents) that are being brought on board. You can customize these configurations for each environment.


Notifications provide a mechanism for Contrast to alert users in specific cases, such as the discovery of a vulnerability or an attack on an application. These notifications occur in Contrast and/or by email. Organization Administrators can set the default notification settings for all users in their organization.

Report Settings

Report Settings offer a centralized view of format options for hard-copy reports in your organization. Categories include:

  • Report Type
  • Vulnerability Status
  • Vulnerability Tag
  • Custom Footer

Score Settings

Score Settings allow you to customize how Contrast calculates Overall Score and Library Score, and determine what letter grade (or score) is assigned within Contrast.

API Credentials

How It Works

When you download the Contrast JVM plugin (also called "the agent"), it comes prefitted with a set of randomly generated credentials for your organization that don't involve the passwords of any users in the organization. When the plugin communicates with the Contrast application, it authenticates using these credentials.

Contrast added another layer of security through an organization API key that you can manage on your own. In the case of a security breach, an unauthorized user can't submit forged or malicious data to your organization because their organization API key is wrong. Authentication follows the process shown in the image below.

Manage Keys

Manage organization API keys as an Organization Administrator by going to the User Menu > Organization Settings > API tab. A System Administrator can also select an organization and manage API keys by going to the User Menu > System Settings > API tab.

In the REST API section, view your Organization Keys, including your Organization ID and API key, and your Agent Keys, such as your Agent Service key. Rotate your API or Agent Service keys by clicking the links provided for each. You can also click the button to Generate Sample API Request.

Learn More

For more information, read About the Contrast API.

To see more examples of API requests, go to the Contrast API documentation.

Server Defaults

Server Settings provide default configurations to new servers (agents) being brought on board. Organization administrators can customize these configurations and set specific defaults for each environment.

How It Works

Log levels

The Log Level field controls which events are processed by server logging and helps you capture events more effectively. Contrast generally recommends running in Error mode unless a problem occurs and Support asks you to collect more metrics.

For more details on log levels, go to the article on Server Settings.

Automatic server cleanup

Automatic server cleanup enables a Contrast background task to run every five minutes to check if there is an organization with cleanup policies configured. For each organization with cleanup policies, Contrast checks if there are one or more servers with no activity received within the timeframe configured in the policy. Servers with no activity are disabled automatically and are no longer visible in the Servers grid. Contrast maintains information on vulnerabilities and attacks related to these servers, even after they're disabled.

Assess options

Assess mode provides detailed information on vulnerabilities discovered by Contrast so that you may track, share and receive remediation guidance. Turning Assess on allows you to enable sampling and designate how stacktraces are captured.

For more information on sampling and stacktraces, go to the Server Settings article.

Protect options

Protect mode monitors your servers and applications, identifying and blocking attacks in real time. Turning Protect on gives you the option to bot block, which allows Contrast to use simple signaturing to block traffic from scrapers, attack tools and other unwanted automation.

Protect mode also allows you to output events to Syslog for one or multiple servers. Contrast offers syslog message categories according to the Syslog RFC 3164 specification for severity. Read the article on Output to Syslog to learn more about enabling this feature.

Automatic licensing

Ensure that new servers receive full, immediate coverage from Contrast by automatically applying Protect licenses.

Note: Administrators receive emails each time a server is licensed. As servers go up and down frequently, you may want to set up an email filter for any unwanted traffic. Contrast is working on making this configurable in the future.

Set Up Defaults

Go to the User menu > Organization Settings > Servers tab to start setting up defaults.


  • Use the dropdown menu to choose the environment in which you want to apply the default. Check the box if you want to set this as the default environment for servers.

  • Use the dropdown menu to choose the Log Level. The default selection is Error.

  • Check the box to Enable automatic server cleanup.

    • Use the multiselect field to choose the Environment in which to apply automatic cleanup. The default is All environments.
    • Use the number control and dropdown fields to set the amount of time that Contrast must wait to disable servers After Being Offline. The defaults are 12 and Hour(s).


  • Use the dropdown menu to choose which stacktraces Contrast captures. The default selection is ALL.

  • Check the box to Enable sampling for higher performance. Choose the numerical values for the following fields:

    • Baseline: The number of times that Contrast analyzes URLs to complete sampling. The default setting is 5.
    • Frequency: The number of times that Contrast analyzes URLs after the Baseline is achieved. The default setting is 10.
    • Window: The number of seconds that Contrast retains samples before reverting to the Baseline. The default setting is 180.


  • Check the box to Enable bot blocking.

  • Check the box to Enable output of Protect events to Syslog.

    • Enter the IP Address and Port in the given fields. Use the dropdown menu to choose the Facility.
    • Click on the event severity badges, and use the dropdown menu to choose a message Severity level for each one. The defaults are:
      • 1 - Alert for Exploited
      • 4 - Warning for Blocked
      • 5 - Notice for Probed

  • Check the box to Automatically apply Protect licenses to new servers.

Note: Turning Protect on by default requires that Protect licenses are automatically applied to servers.
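The Facility and Severity settings above end up packed into one RFC 3164 PRI number (facility * 8 + severity), which is what a collector actually sees. The following is an added example, not Contrast's own code: it builds and parses syslog lines using the page's default mapping (Exploited=1 Alert, Blocked=4 Warning, Probed=5 Notice); the message body layout, host names, rule names and timestamps are constructed for illustration.

```python
"""Added example (not Contrast's code) of the Facility/Severity settings for
Protect events sent to Syslog.  RFC 3164 packs both into one PRI number,
PRI = facility * 8 + severity, so a collector rule keyed on the page's
defaults should decode PRI rather than match message text.  The message
body layout and all sample values below are constructed for illustration."""
import re
from datetime import datetime

SEVERITY_NAMES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                  4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}
# RFC 3164 facility codes for local0-local7 (16-23), the usual choice for apps.
FACILITIES = {f"local{i}": 16 + i for i in range(8)}
# The page's default outcome-to-severity mapping for Protect events.
DEFAULT_EVENT_SEVERITY = {"Exploited": 1, "Blocked": 4, "Probed": 5}


def pri(facility, severity):
    """RFC 3164 PRI for a facility name and a 0-7 severity code."""
    if not 0 <= severity <= 7:
        raise ValueError(f"severity out of range: {severity}")
    return FACILITIES[facility] * 8 + severity


def decode_pri(value):
    """Split a PRI back into (facility code, severity code)."""
    return value >> 3, value & 7


def format_protect_event(outcome, host, app, rule, facility="local0",
                         mapping=DEFAULT_EVENT_SEVERITY,
                         when=datetime(2024, 1, 5, 10, 30, 0)):
    """Build one constructed RFC 3164 line: <PRI>TIMESTAMP HOST TAG: MSG."""
    # RFC 3164 TIMESTAMP is "Mmm dd hh:mm:ss" with a space-padded day.
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return (f"<{pri(facility, mapping[outcome])}>{ts} {host} contrast: "
            f"outcome={outcome} app={app} rule={rule}")


SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+): (.*)$")


def parse_syslog_line(line):
    """Parse a line and expose facility and severity by name, not just number."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    fac, sev = decode_pri(int(m.group(1)))
    return {"facility": fac, "severity": sev, "severity_name": SEVERITY_NAMES[sev],
            "timestamp": m.group(2), "host": m.group(3), "tag": m.group(4),
            "msg": m.group(5)}


def page_worthy(lines, max_severity=1):
    """Collector-side rule: keep events at Alert (1) or worse, which under the
    page's defaults means Exploited, whatever wording the message carries."""
    events = [parse_syslog_line(line) for line in lines]
    return [e for e in events if e["severity"] <= max_severity]


# Constructed sample traffic: one event of each outcome, facility local0.
SAMPLE_LINES = [
    format_protect_event("Probed", "web-01", "shop", "sql-injection"),
    format_protect_event("Blocked", "web-01", "shop", "sql-injection"),
    format_protect_event("Exploited", "web-02", "shop", "path-traversal"),
]
```

If you change the Severity badges in the UI, the PRI values your collector receives change with them, so keep the mapping in `page_worthy` in step with the Servers tab.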

Application Defaults

How It Works

Organization Admins can choose default settings for applications in their organization based on levels of importance, existing policies and Assess licensing. Go to the User menu > Organization Settings > Applications tab to get started.

Set Up Defaults


Use the dropdown menu to choose an Importance level for applications. The default selection is Medium.


Use the multiselect Policy field to choose which Remediation and Compliance Policies to apply automatically to applications. (You can still add applications to policies that aren't included in your default settings after you onboard them.)


Check the box if you want to Automatically apply licenses to newly onboarded applications. The thermometer chart (status bar) below the checkbox shows the number of licenses used out of the total number available in the organization. Click the total number of licenses to go to the Licenses view of the Organization Statistics page, where you can see the breakdown of your organization's licenses.

Custom Fields

Use the Custom Fields section to configure custom metadata that should be provided for each of the applications in your organization. During agent onboarding, users are prompted to enter metadata for the fields you create, and add the information in their configuration files. The metadata is then displayed in the Applications page grid, where you can also use it to filter applications, and the application's Details page in the Contrast UI.

The following agent versions support custom metadata fields:

  • Java
  • .NET 18.10.35+
  • Node 1.35.0
  • Python 1.2.0
  • Ruby 2.0.8

Complete the following steps to create custom fields:

  • Use the dropdown menu to choose a field type of "Freeform", "Numeric" or "Point of Contact".
    (The type of field you choose may determine the type of validation that's required.)
  • Enter a name for the field.
  • Use the checkboxes to determine if the metadata provided should be Required and/or a Unique value for each application.
  • Click the Add Field button to complete as many rows as you need.

Once you've defined each field, Contrast provides the formatted property that you can copy and paste into your agent configuration files. You must then complete the information for each key=value pair.

If you would like to fail applications that don't include all required fields, check the box to Restrict applications missing required fields. This may apply to new or new and existing applications in the organization.

Note: If you don't choose to restrict applications, any application missing a required field will be successfully onboarded but flagged in the UI. Contrast will also send an email alert to the designated Point of Contact, if provided.
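To make the onboarding rules above concrete, here is an added example (not Contrast's code) that validates agent-supplied metadata against a set of custom field definitions and applies the restrict-or-flag decision. It assumes a "," separator between key=value pairs, that a Point of Contact looks like an e-mail address, and constructed field names and values; none of those come from the page.

```python
"""Added example (not Contrast's code): checking agent-supplied metadata
against the custom field definitions described above.  Field types, the
Required/Unique flags, key=value pairs and the restrict-or-flag choice come
from the page; the "," pair separator, the e-mail shape of a Point of
Contact and all sample data are this example's assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldDef:
    name: str
    kind: str  # "Freeform", "Numeric" or "Point of Contact"
    required: bool = False
    unique: bool = False


EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # assumed contact format


def parse_metadata(raw):
    """Turn 'k1=v1,k2=v2' (constructed separator) into a dict, trimming space."""
    out = {}
    for pair in filter(None, (p.strip() for p in raw.split(","))):
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed pair: {pair!r}")
        out[key.strip()] = value.strip()
    return out


def validate_app(fields, metadata, existing):
    """List problems for one application; `existing` maps a field name to the
    values other onboarded applications already use (for the Unique check)."""
    problems = []
    for f in fields:
        value = metadata.get(f.name, "")
        if not value:
            if f.required:
                problems.append(f"missing required field {f.name}")
            continue
        if f.kind == "Numeric" and not re.fullmatch(r"-?\d+(\.\d+)?", value):
            problems.append(f"{f.name} must be numeric, got {value!r}")
        elif f.kind == "Point of Contact" and not EMAIL_RE.match(value):
            problems.append(f"{f.name} is not a contact address: {value!r}")
        if f.unique and value in existing.get(f.name, set()):
            problems.append(f"{f.name}={value!r} already used by another app")
    return problems


def onboard(fields, raw, existing, restrict_missing_required):
    """Return ('onboarded' | 'flagged' | 'rejected', problems) for one agent.
    Only missing Required fields reject, and only with the restrict box
    ticked; any other problem onboards the application but flags it."""
    problems = validate_app(fields, parse_metadata(raw), existing)
    missing = [p for p in problems if p.startswith("missing required")]
    if missing and restrict_missing_required:
        return "rejected", problems
    return ("flagged" if problems else "onboarded"), problems


# Constructed field definitions and the values already in use in the org.
FIELDS = [FieldDef("businessUnit", "Freeform", required=True),
          FieldDef("assetId", "Numeric", required=True, unique=True),
          FieldDef("owner", "Point of Contact")]
EXISTING = {"assetId": {"1001"}}
```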

Notifications

How It Works

Notifications allow Contrast users to receive alerts in specific situations, such as the discovery of a vulnerability or an attack on an application. Organization Administrators can set default settings for Contrast notifications for all users in their organization. Individual users can then tailor these settings as needed.

There are two primary channels available for notifications: Email and In Contrast.

  • In Contrast: Notifications are available directly in the Contrast application. View your notifications by clicking the bell icon in the top menu bar.
  • Email: You must configure Contrast to communicate with an appropriate SMTP system to receive notifications by email.

User Notifications

Organization administrators can define default notification settings for all users in their organization by going to the User menu > Organization Settings > Notifications tab. Individual users can modify the default subscriptions that you set. However, integration notification settings affect which messages users receive from integrations that are set up in your organization, and are managed by Organization Administrators only. For more information on user settings, go to the account Notifications article.

Default user settings

Use the toggles in the Integrations, In Contrast and Email columns to enable or disable the following subscriptions. Use the dropdown menu to choose an integration that's configured in your organization, and adjust the default notification settings for each one.

  • Active Attack: There is an active attack on an application with Protect enabled.
  • New Vulnerability: Contrast has detected a new vulnerability. Click in the field to enable notifications for specific severity levels or "Library"; the default selection is "All".
  • Server Offline: Contrast can't reach a server.
  • New Comment: A team member commented on a finding.
  • New Asset: A new asset to which the user has access has been onboarded. Click in the field to set this notification for "Application" or "Server"; the default selection is "All".
  • Email Digest: A daily summary of Contrast activities. (Email only)

Custom notifications

Custom notifications allow users with Admin, Edit and Rules Admin roles in an organization to enable notifications for one or more users when a specific condition is observed in Contrast. These notifications execute and alert users by email at the time of the event, daily or weekly.

Create notifications

To create a custom notification, click the Create Notification button above the grid in the Custom Notifications panel. In the dialog that appears, fill out the following form fields.

  • Use the radio buttons to choose Vulnerability or Attack.
  • Choose a Name for the notification.
  • Use the dropdown menu to set the notification Interval as "Daily", "Weekly" or "On Event".
  • Enter a Description for the notification's purpose.
  • Click in the multiselect field to choose the Applications for which this notification applies.
  • Choose the Application Tags for which this notification applies.
  • Choose which organization Users should receive the notifications.
  • Use the dropdown menus to choose your Conditions, and complete the following fields in the row. Click the Add Condition link to add a row.

About conditions

Contrast supports six conditions for custom notifications: Category, Impact, Likelihood, URL, Class and Method.

Each condition type, the comparison operators it supports, and what it matches:

  • Category (Is, Is Not): Categories are high-level groupings of rule types such as Authentication, Injection, Cryptography, etc. There are 11 categories within Contrast rule types.
  • Impact (Is, Is Lower Than, Is Higher Than): Impact is measured in High, Medium and Low ratings based on how a rule type affects a given organization. Every rule type has a default impact configuration setting which can be customized.
  • Likelihood (Is, Is Lower Than, Is Higher Than): Likelihood is measured in High, Medium and Low ratings based on how frequently a rule type may occur. Every rule type has a default likelihood configuration setting that can be customized.
  • URL (Is, Contains, Starts With): A specific URL from an application.
  • Class (Is, Contains, Starts With): A specific Java or .NET class.
  • Method (Is, Contains, Starts With): A specific Java or .NET method.

Administrative Notifications

Administrators automatically receive the following notifications for high-level events in their organization in the Contrast application and by email.

  • Application Licensed: A new application was licensed in Contrast.
  • Application License Expiring: The license for an active application is expiring. (Contrast sends this notification two months, one month and one week prior to the expiration date.)
  • Licenses Expiring: Existing license(s) with no associated applications are expiring. (Contrast sends this notification two months, one month and one week prior to the expiration date.)

  • Remediation Policy Violation: A vulnerability is in violation of an existing remediation policy.
  • Library Policy Violation: A library is in violation of an existing library policy.
  • Compliance Policy Notification: An application is in violation of an existing compliance policy.

Admin and Rules Admin users at the application and the organization level must receive policy violation notifications. You can receive individual policy violation emails, or to minimize the number of notifications, you can choose to consolidate them into a single email.

To minimize the number of notifications and aggregate by type of policy, select Aggregate policy violation emails into separate daily email digests. Choose the policy types you want to aggregate.

Feature Notifications

For some features that require user notifications, Contrast automatically notifies the affected users in the Contrast UI when a Contrast administrator enables the feature. (You can't control these notifications in the Notifications page.) Contrast requires user and administrator notifications for features including vulnerability status approval and other Policy Management settings.

Report Settings

Contrast offers compliance reports for understanding an application's compliance status.

  • DISA ASD STIG: DISA's Application Security and Development STIG reports the security posture as it relates to policy requirements for security programs and best practices for Information Assurance (IA)-enabled applications.
  • OWASP 2013 Top 10: The Open Web Application Security Project reports the problems that are “worth fixing” or in the top ten list of flaws.
  • PCI DSS - 2.0 & 3.0: The Payment Card Industry Data Security Standard protects cardholder data in the event of a data breach. To achieve compliance, organizations must identify and remediate all critical vulnerabilities.

Report settings offer a single interface for organization administrators to define the template of hard-copy reports. Select Organization Settings in the user menu and Report Settings in the left navigation. This essentially involves defining the default values for reports created within the organization such as:

  • Report Type
  • Vulnerability Status
  • Vulnerability Tag
  • Inclusions: Whether to include status of vulnerabilities or notes on the vulnerabilities in the report
  • Custom Footer

When viewing the Application Details page, users can generate a PDF report to see how the application is doing as it relates to compliance requirements. The defaults will prepopulate the report generation dialog, but the user can still make any necessary changes.

Score Settings

Organization administrators can customize how both applications and libraries are scored by selecting Organization Settings in the user menu and Score Settings in the sidebar. Settings are separated into two sections: Overall Score and Library Score.

Overall Score

This determines how applications are scored in Contrast.

  • Default Scoring is the average of your application's library score and its custom code score.
  • Custom Code-Only Scoring ignores library score when calculating the overall application score. You have the option to select specific languages, as shown.

Library Score

There are two methods for determining library scores in Contrast:

  • Default Scoring uses an algorithm that includes vulnerabilities as well as the age and versioning of a library.
  • Vulnerability-Only Scoring bases scoring solely on vulnerabilities present in the library.

You can also configure policy settings in Policy Management so that any library in violation automatically receives a failing score (F). Once these settings are chosen, you'll see an alert message in Score Settings. Clicking the policy link in the alert navigates you to Library Policy, where administrators may view and revise these settings.