All help topics

52 entries. Every tooltip in the UI pulls from this registry.

ai-governance-agents

AI agent registry

Every AI agent that holds platform credentials gets registered with an owner, allowed tools, and model + prompt version. Every MCP tool call ties back to the agent in the audit log.

ai-governance-keys

API key inventory

Tracks every API key with provider, owner, scopes, last-rotated, and last-seen. Never stores the secret — only the last four characters. A trust score from 0–100 surfaces orphans + stale keys.

approval-v2

Approval workflow v2

Multi-approver chains (N-of-M quorums), delegation rules for OOO, per-asset-class policies (firewall vs. switch vs. identity), and time-bound approval validity. Approvals expire after 24h by default.

automation-action

Action to take

What happens when the rule fires.

automation-rate-limit

Rate limit

Don't refire the rule for the same finding within this window. Default 1 hour. Prevents a noisy finding from spamming your Slack 100 times.

3600 (1 hour)

automation-when-kind

Match kind

Run this rule when a finding of this kind appears. Leave blank to match any kind (combined with severity threshold).

automation-when-severity

Severity threshold

The minimum severity that triggers the rule. 'medium+' fires for medium, high, and critical findings.

bidirectional-ticketing

Bidirectional ticketing

Tickets are no longer one-way: when Jira / ServiceNow / GitHub / Linear closes a ticket, the linked finding flips to resolved. Deduplicates by the upstream event ID so webhook replays are safe.

byo-ai

BYO-AI key

Set OPENAI_API_KEY, ANTHROPIC_API_KEY, or OLLAMA_HOST. Your key is read at runtime; it never leaves your machine. Without a key, AI features fall back to deterministic answers for common keyword queries.

compliance-score

Compliance score

Percent of policy controls that pass across your fleet. Computed continuously by the daemon from the latest evaluations. Trend is week-over-week. 80%+ is healthy; below 60% needs attention.

demo-data

Demo data

31 realistic fake assets + 3 NHIs designed to trip every detector — 13 Domain Admins without MFA, 1 stale NHI, 1 never-rotated, 1 orphan service account. Run `safecadence demo --clear` to remove.

drift-daemon

Drift monitor daemon

Polls the fleet on a schedule (default 5 minutes), computes the delta against the last-known-good baseline, and fires webhooks / tickets only when something changed and the severity is above the configured threshold. Honors maintenance windows.

exec-risk-brief

Executive Risk Brief preset

v12 flagship 5-minute board-ready report. Composes KPI summary, executive narrative, multi-dim Safe Score radar, weakest-link analysis, attack-path summary, compliance roll-up, risk economics, top-5 executive actions, and remediation roadmap.

finding-kind

Finding kind

What category the finding belongs to. Determines which remediation playbook applies.

finding-severity

Severity

How serious the finding is. critical and high warrant immediate action; medium can wait a sprint; low is hygiene.

ha-architecture-a

HA — shared stores (Architecture A)

Two SafeCadence nodes against shared Postgres + S3 + Redis. The active node holds the Redis lease and writes; the standby reads. Best for enterprise installs that already operate a Postgres cluster. Failover in ~60s on active death.

ha-architecture-b

HA — peer-to-peer (Architecture B)

Two SafeCadence nodes talk to each other over a single TCP socket. No Postgres, no Redis, no S3. Best for MSP pair-of-boxes deployments and air-gapped installs.

intelligence-anomaly

Anomaly detection

EWMA + z-score against each entity's own history. Requires at least 5 observations before flagging, to avoid thin-sample false positives. Cold-start cases seed from the relevant corpus baseline.

intelligence-corpus

Reference corpus

Blends the customer's own local history with per-vertical published industry baselines (NVD, KEV, DBIR, IBM Cost of a Data Breach, Mandiant M-Trends, Microsoft DDR, CyberArk, Qualys). The data_source_breakdown field shows exactly what fed each answer.

intelligence-forecasting

Predictive forecasting

OLS regression on the customer's own series with honest 90% confidence bands. Higher-is-better metrics (Safe Score, MFA coverage) interpret positive slope as 'improving'; lower-is-better metrics (open critical, patch lag) interpret it as 'worsening' — never mis-reports the direction.

inventory-columns

Custom columns

The default view shows the most common fields. Toggle additional columns to show CPU, memory, license tier, OSPF/BGP neighbor counts, open ports, AAA state, and more. Your selection persists in this browser via localStorage.

inventory-sources

How inventory gets populated

Three sources, all of which can run in parallel: (1) Auto-discovery scans your network — ARP, mDNS, SNMP, TLS/HTTP fingerprint. (2) CSV/config upload imports from a CMDB export or per-device running-configs. (3) Manual entry for crown-jewels you want tracked immediately. Adapters can also push assets in via REST.

jit-duration

Duration

How long the JIT grant stays active. After this, the daemon auto-revokes the access. Keep grants short — JIT is for exceptions, not steady-state access.

4h

jit-reason

Reason

Audit-trail justification. Required for SOX / SOC2 compliance when granting time-bounded access.

INC-4321 — incident triage on prod-db

jit-target

Target IdP

Which identity system enforces the grant. The IdP must have credentials configured (e.g. OKTA_API_TOKEN env var).

live-activity

Live activity feed

Last 8 events from the last 24 hours: audit log entries, JIT grants, comments, assignments, automation rule fires. Auto-refreshes every 60 seconds.

mcp-server

MCP server

Exposes SafeCadence as an Anthropic MCP server over JSON-RPC stdio with 7 tools: query_topology, retrieve_findings, query_compliance, fetch_evidence, inspect_identities, generate_report, evaluate_posture. RBAC + audit-log integration; never crashes the client.

`safecadence mcp-server --org-id customer-a`

multi-dim-safe-score

Multi-dim Safe Score

Six dimensions instead of one number: compliance health, identity health, drift stability, patch freshness, attack-path risk, and AI governance readiness. Each carries a confidence band and the top 1–3 findings driving it.

next-3-actions

Next 3 actions

Auto-prioritized: attack paths > critical findings > policy fails > drift > active JIT. Click any row to drill into remediation. Updated on every page load.

path-chain

Attack chain

Each → represents an edge in the identity graph. Common edge types: member_of (human → group), can_impersonate (principal → principal), can_assume_role (NHI → role), has_credential_to (group → asset).

path-risk

Risk score

Reach-weighted risk score: higher means more dangerous. Computed from path length, edge weights (impersonation > membership), and terminal asset criticality (crown-jewels score 3×).

policies-exception

Policy exceptions

Some assets legitimately can't comply (legacy gear, vendor limitations). Add an exception with a reason + expiry + compensating control. The asset still appears with a yellow exception pill so it stays visible without being a constant alarm.

policies-mixed-fleets

Mixed-vendor fleets

A policy stores ONE Unified Policy IR. Per-vendor translators (Cisco IOS, NX-OS, Arista, Palo Alto, Juniper, Aruba, …) generate the right syntax for each device type automatically. You author intent once; SafeCadence emits the right CLI for each device.

policies-on-asset

Policies that apply

Every saved policy whose targeting matches this asset. Empty targeting = fleet-wide. Tags + types compose. Click any policy to see its full IR, the per-vendor change preview, and the current pass/fail result.

policy-targeting

Policy targeting

How a policy decides which assets it applies to. Four layers, evaluated in order: tag, asset group, asset_type/vendor, individual asset. Most policies use tags or groups so they scale with the fleet. Vendor/type targets are for vendor-specific syntax. Individual asset targets are for one-off exceptions.

remediation-pr

AI-drafted remediation PRs

Given a finding + a vendor, drafts a config snippet with the inverse rollback pre-attached. Refuses to hallucinate: if neither the recipe table nor the BYO-AI provider can produce a valid snippet, returns 'needs_operator_input' instead.

risk-economics

Risk Economics

Translates technical findings into business numbers: estimated audit-failure exposure, remediation cost in $ + engineer-hours, risk-reduction ROI ranking, technical-debt score. Disclaimer: figures are order-of-magnitude estimates from public industry data.

share-scope

Share scope

What the recipient of the share URL can see. summary = top-line counts; compliance = policies + drift; identity = findings + paths; evidence = full SOC2/ISO/NIST view.

share-ttl

Token lifetime

How long the share URL is valid. After this, the token expires and the URL returns 403. Max 90 days.

simulator-input

Policy IR

Paste a Unified Policy IR (the JSON the translator emits). The simulator projects its impact against your live fleet without making any external HTTP/LDAP calls. Click 'Load demo IR' to fill the box automatically.

simulator-risk-delta

Risk delta

Net change in attack-path reach-weighted risk if the policy is applied. Negative numbers are good — they mean attack paths are severed by the change.

sse-dashboards

Live SSE dashboards

Server-Sent Events stream from the active node to every open dashboard tab. Drift detected on fw-01 shows up in every operator browser within seconds — no page refresh.

tier-3-totp

Tier-3 TOTP challenge

Per-job MFA required for high-risk command execution. Configure once via 'safecadence admin totp enroll', then every Tier-3 commit prompts for a 6-digit code.

translator-conditions

Conditions

Additional requirements that must hold for the rule to fire. Compose multiple conditions with AND.

translator-effect

Effect

What happens when the policy matches a request. deny blocks it, allow permits it, require_step_up forces MFA or a trusted device check before allowing.

deny

translator-intent

Intent

Plain-English description of the access policy you want enforced. Be specific about WHO the policy targets, WHAT action they're trying to do, and WHERE (which environments / asset types).

contractors without MFA cannot SSH to prod

translator-severity

Severity

How forcefully the rule is applied once committed. advisory just records the recommendation; warn shows a banner; enforce actually blocks the action when the rule fires.

enforce

translator-targets

Target systems

Which identity systems should enforce this policy. Pick the smallest set that covers the action — SSH typically maps to ['okta', 'ise']; admin portal access to ['entra', 'okta']. Use 'all' to apply to every connected system.

okta, ise

watchlist-entity-kind

What to watch

What kind of entity is being pinned. The daemon detects changes to the corresponding fields and reports them in your morning briefing.

who-can-action

Action

What the principal is trying to do.

ssh

who-can-principal

Principal

The user or non-human identity (NHI) you're evaluating. Use the email address for human users, or the NHI ID (e.g. 'nhi-build-bot') for service accounts.

alice.admin@acme.local

who-can-resource

Resource

The asset_id or hostname the principal is trying to access.

dc-01.acme.local