52 entries. Every tooltip in the UI pulls from this registry.
Every AI agent that holds platform credentials gets registered with an owner, allowed tools, and model + prompt version. Every MCP tool call ties back to the agent in the audit log.
Tracks every API key with provider, owner, scopes, last-rotated, and last-seen. Never stores the secret, only the last four characters. A trust score from 0–100 surfaces orphans and stale keys.
Multi-approver chains (N-of-M quorums), delegation rules for OOO, per-asset-class policies (firewall vs. switch vs. identity), and time-bound approval validity. Approvals expire after 24h by default.
What happens when the rule fires.
Don't refire the rule for the same finding within this window. Default 1 hour. Prevents a noisy finding from spamming your Slack 100 times.
Run this rule when a finding of this kind appears. Leave blank to match any kind (combined with severity threshold).
The minimum severity that triggers the rule. 'medium+' fires for medium, high, and critical findings.
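The three rule fields above (kind filter, severity threshold, cooldown window) compose into one matching decision. The following is an added illustration of that decision, not SafeCadence's own rule engine: the `Rule` fields, the finding dict keys (`id`, `kind`, `severity`) and the sample event stream are assumptions.

```python
"""Automation-rule matching with kind filter, severity threshold and cooldown.

Added illustration, not SafeCadence's rule engine. The Rule fields and the
finding dict keys (id, kind, severity) are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def severity_matches(threshold: str, severity: str) -> bool:
    """'medium+' matches medium, high and critical; 'high' (no plus) matches only high."""
    if threshold.endswith("+"):
        return SEVERITY_RANK[severity] >= SEVERITY_RANK[threshold[:-1]]
    return severity == threshold


@dataclass
class Rule:
    name: str
    severity_threshold: str = "medium+"
    finding_kind: Optional[str] = None      # None/blank = any kind
    cooldown_seconds: int = 3600            # default 1 hour
    last_fired: Dict[str, float] = field(default_factory=dict)  # finding id -> last fire time

    def should_fire(self, finding: dict, now: float) -> bool:
        """Return True (and record the firing) if this finding triggers the rule now."""
        if self.finding_kind and finding["kind"] != self.finding_kind:
            return False
        if not severity_matches(self.severity_threshold, finding["severity"]):
            return False
        last = self.last_fired.get(finding["id"])
        if last is not None and now - last < self.cooldown_seconds:
            return False          # same finding inside the cooldown window: suppressed
        self.last_fired[finding["id"]] = now
        return True


def run_rule(rule: Rule, events: List[Tuple[float, dict]]) -> List[Tuple[float, str]]:
    """Replay (timestamp, finding) events through the rule; return (time, finding id) per firing."""
    fired = []
    for ts, finding in sorted(events, key=lambda e: e[0]):
        if rule.should_fire(finding, ts):
            fired.append((ts, finding["id"]))
    return fired


# Constructed sample: one noisy identity finding re-reported every few seconds,
# one low-severity finding, one drift finding of the wrong kind.
SAMPLE_EVENTS = [
    (0.0,    {"id": "F-1", "kind": "identity", "severity": "high"}),
    (10.0,   {"id": "F-1", "kind": "identity", "severity": "high"}),
    (20.0,   {"id": "F-2", "kind": "identity", "severity": "low"}),
    (30.0,   {"id": "F-3", "kind": "drift",    "severity": "critical"}),
    (3700.0, {"id": "F-1", "kind": "identity", "severity": "high"}),
]

if __name__ == "__main__":
    rule = Rule(name="identity-to-slack", finding_kind="identity")
    for ts, fid in run_rule(rule, SAMPLE_EVENTS):
        print(f"t={ts:>6.0f}s fire {rule.name} for {fid}")
```

The cooldown is keyed on the finding id, so two distinct findings of the same kind are not suppressed by each other; only the re-report of the same finding inside the window is.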
Tickets are no longer one-way: when Jira / ServiceNow / GitHub / Linear closes a ticket, the linked finding flips to resolved. Deduplicates by the upstream event ID so webhook replays are safe.
Set OPENAI_API_KEY, ANTHROPIC_API_KEY, or OLLAMA_HOST. The key is read from the environment at runtime and is never stored by SafeCadence. Without a key, AI features fall back to deterministic answers for common keyword queries.
Percent of policy controls that pass across your fleet. Computed continuously by the daemon from the latest evaluations. Trend is week-over-week. 80%+ is healthy; below 60% needs attention.
31 realistic fake assets + 3 NHIs designed to trip every detector — 13 Domain Admins without MFA, 1 stale NHI, 1 never-rotated, 1 orphan service account. Run `safecadence demo --clear` to remove.
Polls the fleet on a schedule (default 5 minutes), computes the delta against the last-known-good baseline, and fires webhooks / tickets only when something changed and the severity is above the configured threshold. Honors maintenance windows.
v12 flagship 5-minute board-ready report. Composes KPI summary, executive narrative, multi-dim Safe Score radar, weakest-link analysis, attack-path summary, compliance roll-up, risk economics, top-5 executive actions, and remediation roadmap.
What category the finding belongs to. Determines which remediation playbook applies.
How serious the finding is. critical and high warrant immediate action; medium can wait a sprint; low is hygiene.
Two SafeCadence nodes against shared Postgres + S3 + Redis. The active node holds the Redis lease and writes; the standby reads. Best for enterprise installs that already operate a Postgres cluster. Failover in ~60s when the active node dies.
Two SafeCadence nodes talk to each other over a single TCP socket. No Postgres, no Redis, no S3. Best for MSP pair-of-boxes deployments and air-gapped installs.
EWMA + z-score against each entity's own history. Requires at least 5 observations before flagging, to avoid thin-sample false positives. Cold-start cases seed from the relevant corpus baseline.
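An added example of the detector described above, not SafeCadence's own code: exponentially weighted mean and variance per entity, a z-score against them, the 5-observation guard, and a seeded cold start. `ALPHA`, `Z_THRESHOLD`, the choice that a seeded entity counts as having enough history to score immediately, and the sample series are all assumptions.

```python
"""EWMA + z-score anomaly detection per entity, with a minimum-sample guard
and cold-start seeding from a corpus baseline.

Added example, not SafeCadence's detector. ALPHA, Z_THRESHOLD, the seeding
rule and the sample series are assumptions.
"""
import math
from dataclasses import dataclass
from typing import List, Optional

MIN_OBSERVATIONS = 5     # the tooltip's thin-sample guard
ALPHA = 0.3              # EWMA smoothing factor (assumption)
Z_THRESHOLD = 3.0        # flag when |z| reaches this (assumption)
MIN_SIGMA = 1e-6         # avoid division by zero on a perfectly flat history


@dataclass
class EntityBaseline:
    mean: Optional[float] = None
    var: float = 0.0
    n: int = 0

    @classmethod
    def seeded(cls, corpus_mean: float, corpus_var: float) -> "EntityBaseline":
        """Cold start: borrow the corpus baseline and treat it as enough history to
        score immediately (assumption about how seeding interacts with the guard)."""
        return cls(mean=corpus_mean, var=corpus_var, n=MIN_OBSERVATIONS)

    def zscore(self, x: float) -> Optional[float]:
        """z of x against the current baseline; None while history is too thin."""
        if self.n < MIN_OBSERVATIONS or self.mean is None:
            return None
        return (x - self.mean) / max(math.sqrt(self.var), MIN_SIGMA)

    def observe(self, x: float) -> Optional[float]:
        """Score x against the baseline *before* folding it in. Returns z if anomalous."""
        z = self.zscore(x)
        if self.mean is None:
            self.mean, self.var = x, 0.0
        else:
            delta = x - self.mean
            self.mean += ALPHA * delta
            # exponentially weighted variance: old variance decays, the surprise adds to it
            self.var = (1 - ALPHA) * (self.var + ALPHA * delta * delta)
        self.n += 1
        if z is not None and abs(z) >= Z_THRESHOLD:
            return z
        return None


def scan(series: List[float], baseline: Optional[EntityBaseline] = None) -> List[Optional[float]]:
    """Run a series through one entity's baseline; one entry per observation (z or None)."""
    b = EntityBaseline() if baseline is None else baseline
    return [b.observe(x) for x in series]


# Constructed sample: daily failed-login counts for one NHI, then a spike.
SAMPLE_SERIES = [10, 12, 11, 13, 12, 11, 40]

if __name__ == "__main__":
    for x, z in zip(SAMPLE_SERIES, scan(SAMPLE_SERIES)):
        print(f"{x:>4}  {'ANOMALY z=%.1f' % z if z is not None else 'ok'}")
```

Note that the anomalous value is still folded into the baseline after scoring; that lets a genuine level shift become the new normal, at the cost of one loud outlier briefly inflating the variance. Skipping the update on flagged values is the other common choice, and it never adapts.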
Blends the customer's own local history with per-vertical published industry baselines (NVD, KEV, DBIR, IBM Cost of a Data Breach, Mandiant M-Trends, Microsoft DDR, CyberArk, Qualys). The data_source_breakdown field shows exactly what fed each answer.
OLS regression on the customer's own series with honest 90% confidence bands. Higher-is-better metrics (Safe Score, MFA coverage) interpret positive slope as 'improving'; lower-is-better metrics (open critical, patch lag) interpret it as 'worsening' — never mis-reports the direction.
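An added worked example of the trend logic, not SafeCadence's own code: a closed-form OLS slope with its standard error, a 90% band on the slope, and a direction label that consults the metric's polarity and refuses to call a direction when the band straddles zero. `Z90` is a normal approximation to the 90% critical value (an assumption; a Student t quantile with n-2 degrees of freedom is tighter for short series), the polarity table and the weekly series are constructed.

```python
"""OLS trend on a customer's own series with a 90% band on the slope, and a
direction label that respects whether the metric is higher- or lower-is-better.

Added example, not SafeCadence's trend code. Z90 (normal approximation) and
the metric polarity table are assumptions; the series are constructed.
"""
import math
from typing import Dict, List, Tuple

Z90 = 1.645   # two-sided 90% critical value, normal approximation (assumption;
              # a Student t quantile with n-2 dof is tighter for short series)

HIGHER_IS_BETTER: Dict[str, bool] = {
    "safe_score": True, "mfa_coverage": True,
    "open_critical": False, "patch_lag_days": False,
}


def ols(ys: List[float]) -> Tuple[float, float, float]:
    """Fit y = a + b*t for t = 0..n-1. Returns (intercept, slope, slope standard error)."""
    n = len(ys)
    if n < 3:
        raise ValueError("need at least 3 points for a slope with an error estimate")
    xbar = (n - 1) / 2
    ybar = sum(ys) / n
    sxx = sum((t - xbar) ** 2 for t in range(n))
    sxy = sum((t - xbar) * (y - ybar) for t, y in enumerate(ys))
    b = sxy / sxx
    a = ybar - b * xbar
    ssr = sum((y - (a + b * t)) ** 2 for t, y in enumerate(ys))
    se_b = math.sqrt(ssr / (n - 2) / sxx)
    return a, b, se_b


def trend(metric: str, ys: List[float]) -> dict:
    """Slope, its 90% band and a polarity-aware direction for one metric."""
    a, b, se = ols(ys)
    lo, hi = b - Z90 * se, b + Z90 * se
    if lo <= 0.0 <= hi:
        direction = "flat"   # band straddles zero: no honest claim either way
    else:
        direction = "improving" if (b > 0) == HIGHER_IS_BETTER[metric] else "worsening"
    return {"metric": metric, "slope": b, "band90": (lo, hi), "direction": direction}


# Constructed weekly series
SAMPLES = {
    "safe_score":     [70, 72, 75, 77, 80],
    "open_critical":  [12, 11, 9, 8, 6],
    "patch_lag_days": [5, 7, 6, 9, 10],
    "mfa_coverage":   [90, 91, 90, 91, 90],
}

if __name__ == "__main__":
    for m, ys in SAMPLES.items():
        r = trend(m, ys)
        lo, hi = r["band90"]
        print(f"{m:15} slope={r['slope']:+.2f}/wk band=({lo:+.2f}, {hi:+.2f}) {r['direction']}")
```

The `open_critical` series has a negative slope and is reported as improving; `patch_lag_days` has a positive slope and is reported as worsening. That is the whole point of carrying polarity alongside the metric rather than reading the sign of the slope directly.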
The default view shows the most common fields. Toggle additional columns to show CPU, memory, license tier, OSPF/BGP neighbor counts, open ports, AAA state, and more. Your selection persists in this browser via localStorage.
Three sources, all of which can run in parallel: (1) Auto-discovery scans your network — ARP, mDNS, SNMP, TLS/HTTP fingerprint. (2) CSV/config upload imports from a CMDB export or per-device running-configs. (3) Manual entry for crown-jewels you want tracked immediately. Adapters can also push assets in via REST.
How long the JIT grant stays active. After this, the daemon auto-revokes the access. Keep grants short — JIT is for exceptions, not steady-state access.
Audit-trail justification. Required for SOX / SOC2 compliance when granting time-bounded access.
Which identity system enforces the grant. The IdP must have credentials configured (e.g. OKTA_API_TOKEN env var).
Last 8 events from the last 24 hours: audit log entries, JIT grants, comments, assignments, automation rule fires. Auto-refreshes every 60 seconds.
Exposes SafeCadence as an Anthropic MCP server over JSON-RPC stdio with 7 tools: query_topology, retrieve_findings, query_compliance, fetch_evidence, inspect_identities, generate_report, evaluate_posture. RBAC + audit-log integration; never crashes the client.
Six dimensions instead of one number: compliance health, identity health, drift stability, patch freshness, attack-path risk, and AI governance readiness. Each carries a confidence band and the top 1–3 findings driving it.
Auto-prioritized: attack paths > critical findings > policy fails > drift > active JIT. Click any row to drill into remediation. Updated on every page load.
Each → represents an edge in the identity graph. Common edge types: member_of (human → group), can_impersonate (principal → principal), can_assume_role (NHI → role), has_credential_to (group → asset).
Reach-weighted risk score: higher means more dangerous. Computed from path length, edge weights (impersonation > membership), and terminal asset criticality (crown-jewels score 3×).
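An added example covering the two entries above (edge types and the reach-weighted score), not SafeCadence's graph engine: it enumerates simple paths from a principal to asset nodes and scores each by edge weight, hop count and terminal criticality. The edge-type names and the 3× crown-jewel multiplier come from the page; the specific weights, the formula `product(weights) / hops × criticality`, and the sample graph are assumptions.

```python
"""Enumerate identity-graph attack paths from a principal and score them by
path length, edge weight and terminal-asset criticality.

Added example, not SafeCadence's graph engine. The edge weights, the scoring
formula and the sample graph are assumptions; only the edge-type names and the
3x crown-jewel multiplier come from the page.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Impersonation outranks membership, as the tooltip says; exact values are assumed.
EDGE_WEIGHT = {
    "can_impersonate": 1.0,
    "can_assume_role": 0.9,
    "has_credential_to": 0.8,
    "member_of": 0.5,
}
CROWN_JEWEL_MULTIPLIER = 3.0

Edge = Tuple[str, str, str]   # (source, edge_type, target)


class IdentityGraph:
    def __init__(self, edges: List[Edge], assets: Dict[str, bool]):
        """assets maps asset node -> is_crown_jewel; every other node is a principal/group/role."""
        self.adj: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
        for src, etype, dst in edges:
            self.adj[src].append((etype, dst))
        self.assets = assets

    def attack_paths(self, start: str) -> List[dict]:
        """All simple paths from start that terminate on an asset, scored, best first."""
        found: List[dict] = []

        def dfs(node: str, path: List[str], etypes: List[str], weight: float, seen: Set[str]):
            if node in self.assets:
                hops = len(etypes)
                crit = CROWN_JEWEL_MULTIPLIER if self.assets[node] else 1.0
                # longer paths are less likely to be walked end to end, so divide by hops
                found.append({"path": list(path), "edges": list(etypes),
                              "score": weight / hops * crit})
                return
            for etype, nxt in self.adj.get(node, []):
                if nxt in seen:
                    continue      # cycles (nested groups, mutual impersonation) are cut here
                dfs(nxt, path + [nxt], etypes + [etype],
                    weight * EDGE_WEIGHT[etype], seen | {nxt})

        dfs(start, [start], [], 1.0, {start})
        return sorted(found, key=lambda p: p["score"], reverse=True)

    def reach_weighted_risk(self, start: str) -> float:
        return sum(p["score"] for p in self.attack_paths(start))


def render(path: dict) -> str:
    """bob →(can_impersonate) alice →(member_of) admins ... in the UI's arrow style."""
    out = path["path"][0]
    for etype, node in zip(path["edges"], path["path"][1:]):
        out += f" →({etype}) {node}"
    return out


# Constructed sample graph
SAMPLE_EDGES: List[Edge] = [
    ("bob", "can_impersonate", "alice"),
    ("bob", "member_of", "ops"),
    ("alice", "member_of", "admins"),
    ("admins", "has_credential_to", "fw-01"),
    ("ops", "has_credential_to", "switch-01"),
    ("nhi-build-bot", "can_assume_role", "deploy-role"),
    ("deploy-role", "has_credential_to", "db-prod"),
]
SAMPLE_ASSETS = {"fw-01": True, "db-prod": True, "switch-01": False}

if __name__ == "__main__":
    g = IdentityGraph(SAMPLE_EDGES, SAMPLE_ASSETS)
    for who in ("bob", "alice", "nhi-build-bot"):
        print(f"{who}: risk={g.reach_weighted_risk(who):.2f}")
        for p in g.attack_paths(who):
            print(f"   {p['score']:.2f}  {render(p)}")
```

With these weights the path `bob → alice → admins → fw-01` scores lower than `alice → admins → fw-01` despite reaching the same crown jewel: the extra hop and the impersonation edge together leave bob's reach diluted by path length, which is what "reach-weighted" buys you over a flat count of reachable assets.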
Some assets legitimately can't comply (legacy gear, vendor limitations). Add an exception with a reason + expiry + compensating control. The asset still appears with a yellow exception pill so it stays visible without being a constant alarm.
A policy stores ONE Unified Policy IR. Per-vendor translators (Cisco IOS, NX-OS, Arista, Palo Alto, Juniper, Aruba, …) generate the right syntax for each device type automatically. You author intent once; SafeCadence emits the right CLI for each device.
Every saved policy whose targeting matches this asset. Empty targeting = fleet-wide. Tags + types compose. Click any policy to see its full IR, the per-vendor change preview, and the current pass/fail result.
How a policy decides which assets it applies to. Four layers, evaluated in order: tag, asset group, asset_type/vendor, individual asset. Most policies use tags or groups so they scale with the fleet. Vendor/type targets are for vendor-specific syntax. Individual asset targets are for one-off exceptions.
Given a finding + a vendor, drafts a config snippet with the inverse rollback pre-attached. Refuses to hallucinate: if neither the recipe table nor the BYO-AI provider can produce a valid snippet, returns 'needs_operator_input' instead.
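An added example tying the three preceding entries together (one IR, per-vendor translators, layered targeting), not SafeCadence's translator: it resolves a policy's targeting against a constructed fleet and renders one IR into two vendor syntaxes. The IR shape, the rule that non-empty layers compose with AND (so "tags + types compose" means both must match), the fleet records and the CLI templates are assumptions; the snippets illustrate the idea and are not vendor-verified.

```python
"""Policy targeting layers (tag, group, type/vendor, asset) resolved against a
fleet, then one Unified Policy IR rendered per vendor.

Added example, not SafeCadence's translator. The IR shape, the AND-across-layers
composition rule, the fleet records and the CLI snippets are assumptions; the
snippets are illustrative of the idea, not vendor-verified templates.
"""
import ipaddress
from typing import Dict, List

TARGET_LAYERS = [                     # evaluated in this order
    ("tags",    lambda a, vals: bool(set(a["tags"]) & set(vals))),
    ("groups",  lambda a, vals: a["group"] in vals),
    ("types",   lambda a, vals: a["type"] in vals),
    ("vendors", lambda a, vals: a["vendor"] in vals),
    ("assets",  lambda a, vals: a["id"] in vals),
]


def targets_asset(targeting: Dict[str, List[str]], asset: dict) -> bool:
    """Empty targeting = fleet-wide. Each non-empty layer must match (layers compose
    with AND, an assumption); inside a layer any listed value matches."""
    for layer, match in TARGET_LAYERS:
        wanted = targeting.get(layer) or []
        if wanted and not match(asset, wanted):
            return False
    return True


def _cidr(c: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(c, strict=False)


def render_cisco_ios(ir: dict) -> str:
    acl = ir["name"]
    lines = [f"ip access-list standard {acl}"]
    for c in ir["allowed_cidrs"]:
        n = _cidr(c)
        lines.append(f" permit {n.network_address} {n.hostmask}")   # IOS wants a wildcard mask
    lines += ["line vty 0 4", f" access-class {acl} in"]
    return "\n".join(lines)


def render_arista_eos(ir: dict) -> str:
    acl = ir["name"]
    lines = [f"ip access-list standard {acl}"]
    for c in ir["allowed_cidrs"]:
        lines.append(f"   permit {_cidr(c).with_prefixlen}")          # EOS takes CIDR notation
    lines += ["management ssh", f"   ip access-group {acl} in"]
    return "\n".join(lines)


TRANSLATORS = {"cisco_ios": render_cisco_ios, "arista_eos": render_arista_eos}


def compile_policy(policy: dict, fleet: List[dict]) -> Dict[str, dict]:
    """Per targeted asset: rendered CLI, or 'needs_operator_input' when no translator exists."""
    out = {}
    for asset in fleet:
        if not targets_asset(policy["targeting"], asset):
            continue
        render = TRANSLATORS.get(asset["vendor"])
        out[asset["id"]] = ({"status": "ok", "cli": render(policy["ir"])} if render
                            else {"status": "needs_operator_input", "cli": None})
    return out


# Constructed fleet and policy
FLEET = [
    {"id": "fw-01", "vendor": "palo_alto",  "type": "firewall", "group": "dc1", "tags": ["edge"]},
    {"id": "sw-01", "vendor": "cisco_ios",  "type": "switch",   "group": "dc1", "tags": ["edge", "access"]},
    {"id": "sw-02", "vendor": "arista_eos", "type": "switch",   "group": "dc2", "tags": ["core"]},
    {"id": "sw-03", "vendor": "arista_eos", "type": "switch",   "group": "dc2", "tags": ["edge"]},
]
POLICY = {
    "id": "ssh-from-mgmt-only",
    "ir": {"control": "ssh_source_restriction", "name": "MGMT-SSH", "allowed_cidrs": ["10.0.0.0/24"]},
    "targeting": {"tags": ["edge"], "groups": [], "types": ["switch"], "vendors": [], "assets": []},
}

if __name__ == "__main__":
    for asset_id, result in compile_policy(POLICY, FLEET).items():
        print(f"== {asset_id}: {result['status']}")
        if result["cli"]:
            print(result["cli"])
```

The policy above targets tag `edge` and type `switch`, so `fw-01` (edge, but a firewall) is left alone and `sw-02` (a switch, but core) is left alone; the same IR becomes a wildcard-mask ACL on the IOS box and a CIDR ACL on the EOS box.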
Translates technical findings into business numbers: estimated audit-failure exposure, remediation cost in $ + engineer-hours, risk-reduction ROI ranking, technical-debt score. Disclaimer: figures are order-of-magnitude estimates from public industry data.
What the recipient of the share URL can see. summary = top-line counts; compliance = policies + drift; identity = findings + paths; evidence = full SOC2/ISO/NIST view.
How long the share URL is valid. After this, the token expires and the URL returns 403. Max 90 days.
Paste a Unified Policy IR (the JSON the translator emits). The simulator projects its impact against your live fleet without making any external HTTP/LDAP calls. Click 'Load demo IR' to fill the box automatically.
Net change in attack-path reach-weighted risk if the policy is applied. Negative numbers are good — they mean attack paths are severed by the change.
Server-Sent Events stream from the active node to every open dashboard tab. Drift detected on fw-01 shows up in every operator browser within seconds — no page refresh.
Per-job MFA required for high-risk command execution. Configure once via 'safecadence admin totp enroll', then every Tier-3 commit prompts for a 6-digit code.
Additional requirements that must hold for the rule to fire. Compose multiple conditions with AND.
What happens when the policy matches a request. deny blocks it, allow permits it, require_step_up forces MFA or a trusted device check before allowing.
Plain-English description of the access policy you want enforced. Be specific about WHO the policy targets, WHAT action they're trying to do, and WHERE (which environments / asset types).
How forcefully the rule is applied once committed. advisory just records the recommendation; warn shows a banner; enforce actually blocks the action when the rule fires.
Which identity systems should enforce this policy. Pick the smallest set that covers the action — SSH typically maps to ['okta', 'ise']; admin portal access to ['entra', 'okta']. Use 'all' to apply to every connected system.
What kind of entity is being pinned. The daemon detects changes to the corresponding fields and reports them in your morning briefing.
What the principal is trying to do.
The user or non-human identity (NHI) you're evaluating. Use the email address for human users, or the NHI ID (e.g. 'nhi-build-bot') for service accounts.
The asset_id or hostname the principal is trying to access.
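An added example of evaluating a principal/action/resource request (the three simulator fields just above) against access policies that carry an effect, an enforcement mode and AND-composed conditions, as the earlier policy-editor entries describe. This is not SafeCadence's policy engine: the policy and request shapes, the precedence rule among enforced matches (deny beats require_step_up beats allow, and nothing enforced matching means deny) and the sample data are assumptions.

```python
"""Evaluate a principal/action/resource request against access policies with
effect (deny / allow / require_step_up), enforcement mode (advisory / warn /
enforce) and AND-composed conditions.

Added example, not SafeCadence's policy engine. Policy and request shapes,
the precedence rule (deny > step-up > allow among enforced matches, default
deny when nothing enforced matches) and the sample data are assumptions.
"""
from typing import Dict, List

EFFECT_PRECEDENCE = {"deny": 3, "require_step_up": 2, "allow": 1}


def conditions_hold(conditions: Dict[str, List[str]], request: dict) -> bool:
    """Every condition must hold (AND). A condition maps a request field to acceptable values."""
    return all(request.get(f) in vals for f, vals in conditions.items())


def evaluate(request: dict, policies: List[dict]) -> dict:
    matched = [p for p in policies if conditions_hold(p["conditions"], request)]
    enforced = [p for p in matched if p["enforcement"] == "enforce"]
    advisories = [p["id"] for p in matched if p["enforcement"] == "advisory"]
    warnings = [p["id"] for p in matched if p["enforcement"] == "warn"]

    if enforced:
        winner = max(enforced, key=lambda p: EFFECT_PRECEDENCE[p["effect"]])
        effect, via = winner["effect"], winner["id"]
    else:
        effect, via = "deny", "default-deny"     # fail closed when no enforced policy speaks

    if effect == "require_step_up":
        # step-up already satisfied by MFA or a trusted device: let the request through
        outcome = "allowed" if request.get("mfa") or request.get("trusted_device") else "step_up"
    elif effect == "allow":
        outcome = "allowed"
    else:
        outcome = "blocked"
    return {"outcome": outcome, "decided_by": via, "warnings": warnings, "advisories": advisories}


# Constructed policies (what committed natural-language policies might compile to)
POLICIES = [
    {"id": "contractors-no-prod-ssh", "effect": "deny", "enforcement": "enforce",
     "conditions": {"principal_type": ["contractor"], "action": ["ssh"], "env": ["prod"]}},
    {"id": "admin-portal-step-up", "effect": "require_step_up", "enforcement": "enforce",
     "conditions": {"action": ["admin_portal"]}},
    {"id": "staff-ssh-staging", "effect": "allow", "enforcement": "enforce",
     "conditions": {"principal_type": ["employee", "nhi"], "action": ["ssh"], "env": ["staging"]}},
    {"id": "nhi-no-interactive-ssh", "effect": "deny", "enforcement": "advisory",
     "conditions": {"principal_type": ["nhi"], "action": ["ssh"]}},
]

# Constructed requests: email for humans, NHI id for service accounts
REQUESTS = [
    {"principal": "alice@example.com", "principal_type": "employee", "action": "ssh",
     "resource": "db-staging", "env": "staging", "mfa": True},
    {"principal": "carol@vendor.example", "principal_type": "contractor", "action": "ssh",
     "resource": "db-prod", "env": "prod", "mfa": True},
    {"principal": "nhi-build-bot", "principal_type": "nhi", "action": "ssh",
     "resource": "db-staging", "env": "staging", "mfa": False},
    {"principal": "bob@example.com", "principal_type": "employee", "action": "admin_portal",
     "resource": "idp-console", "env": "prod", "mfa": False},
]

if __name__ == "__main__":
    for r in REQUESTS:
        d = evaluate(r, POLICIES)
        print(f"{r['principal']:22} {r['action']:12} -> {d['outcome']:8} "
              f"({d['decided_by']}) advisories={d['advisories']}")
```

The build bot's SSH to staging is allowed by the enforced staff policy while the advisory NHI policy only records its recommendation, which is the advisory-then-enforce rollout the enforcement-mode field is for; the contractor is blocked outright, and the admin-portal request comes back as `step_up` until the request arrives with MFA or a trusted device.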