🧰 SafeCadence Tool Hub

Every capability, organized by what you're trying to do. Each tool tells you when it's the right one to reach for.

🔭 Discover & Inventory

📋 Inventory

Every device, identity, and NHI in one searchable list.
Use when: You want to see what's connected.
Open →

🗺️ Topology

9 named graph views — global, security-zone, lifecycle, risk heat, KEV, etc.
Use when: You need to see the network and identity graph visually.
Open →

🧭 Onboarding wizard

Guided path to add real assets — CSV, scan, cloud, manual.
Use when: You're starting from zero and need to load real data.
$ safecadence onboard
Open →

📥 CSV importer

Bulk-load assets or credentials from a spreadsheet.
Use when: You have a CMDB / asset list to import.
$ safecadence import-assets file.csv
Open →

📐 Policy & Compliance

🪄 Policy Builder (5-step wizard)

Build a policy from intent → controls → asset selection → approvals → schedule.
Use when: You want to define a new compliance / hardening policy.
$ safecadence policy create
Open →

✅ Compliance dashboard

Per-policy pass/fail, drift counts, top failures, executive-briefing card.
Use when: You need a fleet-wide compliance snapshot right now.
$ safecadence policy briefing
Open →

📉 Drift

Cross-system drift detector (17 detectors) + per-policy drift over time.
Use when: Two systems disagree, or compliance moved.
$ safecadence policy drift-cross-system
Open →

🔍 Per-device diff

Side-by-side: declared policy vs running config for any single device.
Use when: A device is failing a policy — show me exactly what's wrong.
Open →

📑 Evidence pack (compliance)

One-click PDF/CSV evidence for SOC 2 / ISO 27001 / NIST 800-53.
Use when: Auditor asked for a compliance snapshot.
$ safecadence evidence-pack --framework soc2
Open →

🩹 Remediation export

Generate the per-vendor commands that fix a finding (Ansible / Terraform / raw / Markdown / PowerShell).
Use when: You want to hand a fix to the existing automation team.
Open →

🔐 Identity Intelligence

🧠 Identity translator (NL → IR)

Plain English → unified policy IR → preview → apply across Cisco ISE, ClearPass, AD, Entra, Okta.
Use when: You want to express a single intent and have it enforced across all 5 identity systems.
$ safecadence identity translate "..."
Open →

🔎 Effective-permission lookup (who-can)

Compose ALL connected identity systems and answer "can principal X do action Y on resource Z right now?"
Use when: You're investigating an incident or a permission question.
$ safecadence identity who-can ssh prod-db --as alice@x
Open →

🚩 Identity findings

Stale NHIs, no-MFA tenants, over-privileged principals, orphan service accounts.
Use when: You want to proactively clean up identity hygiene.
Open →

🎯 Identity attack paths

Human → group → SA → role → asset chains, ranked by reach.
Use when: You need to find "Alice → BuildBot → AdminRole → crown-jewel" type chains.
Open →

✂️ Identity remediation

Given an attack path, generate the IR that severs it.
Use when: You found an attack path and want the fix.
Open →

⏱️ JIT access grants

Time-bounded access grants with auto-revoke.
Use when: Someone needs prod-db read access for "the next 4 hours".
$ safecadence identity jit grant ...
Open →

⚖️ Conflict resolution policy

Configurable precedence — "AD wins over Okta on prod" — applied when systems disagree.
Use when: ISE and AD declare different things; you need a rule.
Open →

📊 Identity evidence pack

JSON / CSV / PDF: who has what, MFA %, JIT log, attack paths — mapped to SOC 2 CC6, ISO 27001 A.9, NIST AC-2.
Use when: Auditor asked for identity evidence specifically.
Open →

⚙️ Secure Execution

🤖 Command builder (AI-assisted)

Natural language → per-vendor commands, RBAC + risk classified, dry-runnable.
Use when: You want to build a network change job without writing vendor-specific CLI from scratch.
$ safecadence execute build "..."
Open →

🛡️ Approvals queue

Risk-tiered approval flow with TOTP + audit row.
Use when: Job is built and waiting for sign-off.
Open →

📋 Execution queue

Active jobs by stage — review, approved, scheduled, running.
Use when: You want a snapshot of what's about to change.
Open →

⏮️ Rollback manager

Generated-at-approval-time rollback plans, one-click revert.
Use when: A job ran and you want to undo it.
Open →

📒 Audit & Reports

📜 Audit trail

Immutable log of every change — policy, identity, execution, JIT — with full context.
Use when: You need to prove what happened, by whom, when.
Open →

📧 Email digest

Daily / weekly summary of findings, JIT, drift, approvals.
Use when: You don't want to babysit the dashboard.
$ safecadence digest --weekly
Open →

🔁 Continuous

🌀 Daemon

Continuous re-evaluation: policies, drift, attack paths, JIT auto-revoke.
Use when: You want the dashboard to stay current without you running CLI.
$ safecadence daemon --interval 1800
(no UI)

📣 Webhooks (Slack / Teams / PagerDuty)

HMAC-signed alerts on new critical findings.
Use when: You want to know when prod compliance breaks.
Open →

⏰ Scheduled re-eval

Per-policy cadence — hourly, daily, weekly.
Use when: Different policies run on different schedules.
Open →

⚙️ Settings & Tenancy

🔐 RBAC (6 roles)

Viewer / Auditor / Operator / Engineer / Security Admin / Super Admin.
Use when: You're delegating access to teammates.
Open →

🔑 TOTP MFA

Per-job step-up auth on Tier-3 commits.
Use when: Compliance requires MFA on production changes.
Open →

📜 License manager

Free local-first, optional Enterprise / MSP modes.
Use when: You're moving from local install to MSP control plane.
Open →